A few month ago I published many Layer 2/3 challenges on my blog. Beside the happy feedback I got some remarks that the challenges were to easy at all because you only needed the display filter at Wireshark while no deep protocol knowledge.
Ok, “challenge excepted” ;) here I have some more protocol related challenges for you: With this post I am publishing a pcap which has four site-to-site IPsec VPN connections inside. On the first half of the pcap all four of them are wrongly configured, hence, not working. –> What are the reasons for that? <–
Consider the following scenario: You are the network administrator of four new remote offices and should configure VPN connections from each site to the headquarter. You agreed with the firewall admin from the headquarter about all VPN settings. However, none of your four VPN connections is working while you have configured everything correctly. Since the firewall admin of the headquarter is not willing to give you access to his firewall, your only chance in proving the errors on his side is to analyze a packet capture taken on the WAN interfaces of your routers.
At first download the following pcap and open it with Wireshark for the analysis:
The file shows only ISAKMP, ESP and ICMP packets. For the first half of the capture (packets no. 63-250) I (the headquarter firewall admin) misconfigured each VPN with a wrong value in order to have no single VPN working! These are:
- wrong phase 1 proposals
- wrong peer ID
- wrong proxy-ID
- wrong pre-shared key
Your job: Which of the following four peers had which error configured?!?
In the second half of the capture (packets no. 475-570, followed by many ESP packets) everything is working fine since I corrected the misconfigured settings. Hence you can try to compare the working and not-working sessions.
Please use the comment section below to paste your answers as well as a description how you solved it. The names and IPs are as follows. You can use it as a template for your answers:
main firewall: 126.96.36.199
router 1 "darm": 188.8.131.52: wrong <fill-in-the-error-here>
router 2 "fdorf": 184.108.40.206: wrong <fill-in-the-error-here>
router 3 "fdorf-k": 220.127.116.11: wrong <fill-in-the-error-here>
router 4 "fdorf-w": 18.104.22.168: wrong <fill-in-the-error-here>
I’ll publish the solutions in a couple of weeks here on my blog. Have fun. ;)
My setup consisted of four AVM FRITZ!Box home routers that established a VPN connection via IPsec over legacy IP (IPv4) to a Palo Alto Networks firewall. While the firewall had a static IPv4 address the four routers had dynamic ones. Therefore all VPNs were in the aggressive mode and the firewall was only responder (passive) since all home routers initiated the VPN connections. Note that all four errors were configured on the firewall while the routers had the correct settings all over the trace.
(More Info: Test Procedure)
This was my test sequence, just in case you’re interested:
- I deactivated all VPNs on the four home routers
- committed the falsified config on the Palo Alto firewall
- started the capture on a mirror port on the wan/untrust interface with sudo tcpdump -i eth1 -w IKE-Challenges.pcap 'host 22.214.171.124 or host 126.96.36.199 or host 188.8.131.52 or host 184.108.40.206'
- started pinging all remote private IPv4 addresses (through the VPN tunnel) from behind the firewall
- activated all VPNs on the home routers
- waited a few moments
- deactivated all VPNs on the home routers
- committed corrected config on the Palo Alto firewall
- activated all VPNs on the home routers again
- waited a few moments
- stopped the capture
That is: Only in the second half of the capture you can see some ESP packets (from working VPN connections), while the first half shows only ISAKMP packets (trying to establish a VPN).