Tuesday, January 19, 2016

Jon's Recipe for Encrypted Internet w/ ASA


Have you ever wanted to encrypt your entire home's internet connection? Of course you have, don't lie to yourself... you've at least thought about it. Now if you're a pfSense user, you might go with purchasing service through Private Internet Access and configuring your pfSense firewall as an OpenVPN client. Yeah, you could do that. But what if you're a Cisco geek who wants to do something similar with an ASA? What if you also wanted to tunnel all your traffic to Canada so you had better streaming options from Netflix (Canadian Netflix is insane)? Well, you've come to the right place.


What you'll need:

- Cisco ASA (I'll be using a 5505)
- Some basic familiarity with Ubuntu
- ~$10 a month
- A can-do attitude that will annoy most normal people. (optional)

Prep Time:   10 Min
Config Time: 30 Min
Ready In:    It'll be done when it's done. Stop complaining.


Network Diagram:

[diagram image not reproduced; the Ubuntu server's public address is 200.1.1.254 and the ASA's outside address is 200.2.2.254 in the configs below]

Ubuntu Server Configuration:
Summary of steps

1. Install Openswan
2. Enable Kernel packet forwarding and disable icmp redirects
3. Configure Openswan IPsec tunnel
4. Enable NAT/masquerading

Alright! Let's go! I decided to use DigitalOcean as my compute provider for this project. I used their $10/mo droplet, but you could probably get away with the $5/mo option just as easily. So I deployed an Ubuntu 14.04 server and selected Toronto as my regional datacenter. After it was deployed, I ssh'd into my brand new Ubuntu server. The first thing you'll need to do is install Openswan (for the LAN-to-LAN IPsec tunnel).

sudo apt-get install openswan

You'll see some prompts about x.509 certificates. Just follow the prompts for creating a self-signed certificate.


Now onto the Openswan configuration. Don't stress too much if your Linux-jitsu isn't very strong, this configuration is relatively easy. For both phase 1 and phase 2 I'll be using AES-128 for encryption with SHA-1 as the hash. I created a backup of /etc/ipsec.conf then deleted it so I could have a clean ipsec configuration file. Here's what it looks like (parameter lines in ipsec.conf must be indented under their section):

root@ubuntu-torvpn:~# cat /etc/ipsec.conf
config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off

conn asa-demo
    authby=secret
    auto=start
    keyexchange=ike
    # phase 1: AES-128 / SHA-1, matches ASA ikev1 policy 10
    ike=aes-sha1
    # phase 2: AES-128 / SHA-1, matches ASA transform-set STRONGISH
    phase2alg=aes128-sha1
    pfs=no
    type=tunnel
    # left = this Ubuntu server (local)
    left=200.1.1.254
    leftsourceip=200.1.1.254
    # 0.0.0.0/0 so everything behind the ASA is routed through here
    leftsubnet=0.0.0.0/0
    leftnexthop=%defaultroute
    # right = the ASA (remote) and the LANs behind it
    right=200.2.2.254
    rightsubnets={192.168.1.0/24,192.168.2.0/24}

Note: Don't get too hung up on the 'left' 'right' verbiage. I just think 'left=local' and 'right=remote'. 

The other component you'll need to define is your shared secret, which is stored in /etc/ipsec.secrets. Here's what mine looks like.

root@ubuntu-torvpn:~# cat /etc/ipsec.secrets
200.1.1.254 200.2.2.254: PSK "thisISaSecurePSK"
include /var/lib/openswan/ipsec.secrets.inc


That's it for the IPsec config on your Ubuntu server. Seriously, that's it lol. The last thing you'll want to do on here is enable masquerading. I'm going to use ufw to configure NAT, then immediately disable ufw. This will work just fine since it will still commit our masquerading rules. Reference material here.

Change the default forwarding policy to ACCEPT in /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"


Uncomment this line in /etc/ufw/sysctl.conf (the IPv6 lines can stay commented)
net.ipv4.ip_forward=1
#net/ipv6/conf/default/forwarding=1
#net/ipv6/conf/all/forwarding=1

Add the following lines to /etc/ufw/before.rules before "*filter"

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through eth0 - change to match your out-interface.
# One rule per LAN listed in rightsubnets, otherwise the second LAN
# reaches the server but leaves with an unroutable private source address.
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT


Finally, I disable/enable/disable UFW so that my rules are loaded, but UFW is left off.

sudo ufw disable && sudo ufw enable && sudo ufw disable


Cisco ASA Config

Back to familiar territory! This is a standard LAN-to-LAN VPN on an ASA, and the only "weird" part you'll see is the access list defining interesting traffic.


access-list TUNALL-INET-CA extended permit ip 192.168.1.0 255.255.255.0 any4
access-list TUNALL-INET-CA extended permit ip 192.168.2.0 255.255.255.0 any4
!
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec ikev1 transform-set STRONGISH esp-aes esp-sha-hmac
!
crypto map DIGIOCEAN-CA 10 match address TUNALL-INET-CA
crypto map DIGIOCEAN-CA 10 set peer 200.1.1.254
crypto map DIGIOCEAN-CA 10 set ikev1 transform-set STRONGISH
crypto map DIGIOCEAN-CA interface OUTSIDE
!
tunnel-group 200.1.1.254 type ipsec-l2l
tunnel-group 200.1.1.254 ipsec-attributes
 ikev1 pre-shared-key thisISaSecurePSK
!
no sysopt connection permit-vpn


Alright, so what's happening here? We're defining interesting traffic as "192.168.1.x and 192.168.2.x going anywhere". Then we define our phase1 policy (policy id 10 on our ASA) to match that of the openswan config. Likewise we have our phase2 policy set to use SHA and AES, matching the openswan configuration. The absolute last thing you'll need to do is disable NAT. You heard me, since we're tunneling all our traffic to our Ubuntu server... we don't need it. Which brings me to my final point.
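Because the two ends are configured by hand on different boxes, a name or subnet can easily drift between them. The script below is an added example of mine (not part of the original post or of any Openswan/ASA tooling) that cross-checks the Openswan conn, the ASA crypto map and ACL, and the ufw MASQUERADE rules; the config text embedded in it is a constructed sample with two deliberate mismatches (a misspelled ACL name in the crypto map and a second LAN with no masquerade rule). It needs Python 3.8+.

```python
import ipaddress
import re

# Constructed sample trimmed from both configs, with two deliberate mismatches.
IPSEC_CONF = """conn asa-demo
    left=200.1.1.254
    leftsubnet=0.0.0.0/0
    right=200.2.2.254
    rightsubnets={192.168.1.0/24,192.168.2.0/24}"""
ASA_CONF = """access-list TUNALL-INET-CA extended permit ip 192.168.1.0 255.255.255.0 any4
access-list TUNALL-INET-CA extended permit ip 192.168.2.0 255.255.255.0 any4
crypto map DIGIOCEAN-CA 10 match address TUNALL-INTET-CA
crypto map DIGIOCEAN-CA 10 set peer 200.1.1.254"""
UFW_RULES = "-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE"


def openswan_params(text):
    """Collect every key=value line of ipsec.conf (section names are ignored)."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}


def asa_crypto(text):
    """Return (ACL name -> source CIDRs, ACL named by the crypto map, peer address)."""
    acls, map_acl, peer = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) ", line):
            cidr = str(ipaddress.ip_network(f"{m[2]}/{m[3]}"))  # dotted mask -> CIDR
            acls.setdefault(m[1], set()).add(cidr)
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            map_acl = m[1]
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            peer = m[1]
    return acls, map_acl, peer


def check(ipsec_text, asa_text, nat_text):
    """Cross-check both tunnel ends; returns a list of human-readable mismatches."""
    cfg = openswan_params(ipsec_text)
    acls, map_acl, peer = asa_crypto(asa_text)
    tunneled = set(cfg.get("rightsubnets", "").strip("{}").split(","))
    masq = set(re.findall(r"-A POSTROUTING -s (\S+) .*-j MASQUERADE", nat_text))
    findings = []
    if map_acl not in acls:
        findings.append(f"crypto map names ACL {map_acl} but only {sorted(acls)} exist")
    elif acls[map_acl] != tunneled:
        findings.append(f"ACL {map_acl} covers {sorted(acls[map_acl])}, Openswan expects {sorted(tunneled)}")
    if peer != cfg.get("left"):
        findings.append(f"ASA peer {peer} does not match Openswan left={cfg.get('left')}")
    for net in sorted(tunneled - masq):
        findings.append(f"{net} is tunneled but has no MASQUERADE rule on the server")
    return findings
```

Run `check(IPSEC_CONF, ASA_CONF, UFW_RULES)` and each returned string is one mismatch to fix before you start chasing phase 1 or phase 2 errors in /var/log/pluto.log.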

Also, that last line "no sysopt connection permit-vpn". You're really going to want that lol. Otherwise all internet traffic coming over your tunnel will be treated as trusted. No bueno. In other posts I've talked about using vpn-filters for L2L tunnels, but that would be a nightmare with this configuration. Just disable sysopt connection permit-vpn, and now all traffic coming in from the tunnel will follow your traditional ASA rules.

Enabling / Disabling tunneling with ease.

Use NAT. That's actually how I control it. When I want to tunnel all my internet traffic, I log into my ASA and mark my dynamic NAT rules as 'inactive'. If I want to forward all traffic out locally, I re-enable those rules.

On VPN NAT Configuration:

nat (INSIDE,OUTSIDE) after-auto source dynamic NETKNERD-LAN interface inactive
nat (DMZ,OUTSIDE) after-auto source dynamic DMZ interface inactive

Off VPN NAT Configuration:

nat (INSIDE,OUTSIDE) after-auto source dynamic NETKNERD-LAN interface
nat (DMZ,OUTSIDE) after-auto source dynamic DMZ interface