Posts published in “VPN”

Symptoms: 
One of my clients reported a Cisco AnyConnect issue. It only happened to his machine and later we found that is because he is using Mac machine. His credential works fine if he uses it at windows machine.

From following screenshot, obviously there is Mac AnyConnect package missing from vpn gateway.

Error Messages:

"VPN
The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again.

For many IT workers remotely involved with networking, it is quite common to need to expose your Intranet application to the outside world in a secured manner. Unfortunately, we work most of the time from private IP networks, be that at the workplace, at home or at the coffee shop. The router(s) or firewall (s) that stands between our workstation and the internet makes it harder to expose a local socket to the outside. Most of the time, this is preferable for security.

A couple of solutions you can choose now:
1. Change your router / firewall configuration to do port forwarding or NAT from public to your application. But in many cases, you wont be able to make that changes or you even do not have that options.
2. Tunneling services : either self hosting or cloud services such as:

• Ngrok
• FRP 
• Localtunnel

This post is going to explore some of tunneling services I am using.

Ngrok

Setup & Installation
1. Download ngrok
ngrok is easy to install. Download a single binary with zero run-time dependencies. There are following versions available to download : Winodws, Mac OS X Linux Mac (32-bit) Windows (32-bit)Linux (ARM) Linux (32-bit) FreeBSD (64-Bit)FreeBSD (32-bit)

1. Clear VPN Configuration： 

clear configure crypto map VPN_AAAA

2. Debug and show commands:

ciscoasa#terminal monitor
ciscoasa(config)# logging buffer-size 1048576
ciscoasa(config)# logging buffered 7
ciscoasa(config)# logging monitor 7
ciscoasa(config)# debug crypto condition peer 10.10.10.10
ciscoasaa(config)#
ciscoasa(config)# debug crypto ipsec 127

What is Differences between IKEv1 and IKE v2?
1. Different negotiation processes
− IKEv1

• IKEv1 SA negotiation consists of two phases.
• IKEv1 phase 1 negotiation aims to establish the IKE SA. This process supports the main mode and aggressive mode. Main mode uses six ISAKMP messages to establish the IKE SA, but aggressive mode uses only three. Therefore, aggressive mode is faster in IKE SA establishment. However, aggressive mode does not provide the Peer Identity Protection.
• IKEv1 phase 2 negotiation aims to set up the IPSec SA for data transmission. This process uses the fast exchange mode (3 ISAKMP messages) to complete the negotiation.

− IKEv2

• Compared with IKEv1, IKEv2 simplifies the SA negotiation process. IKEv2 uses two exchanges (a total of 4 messages) to create an IKE SA and a pair of IPSec SAs. To create multiple pairs of IPSec SAs, only one additional exchange is needed for each additional pair of SAs.

There was a VPN issue to troubleshoot recently. It was between Juniper SRX and Cisco Router. It seems straightforward but it took quite a long time to troubleshoot because of communication. All steps listed here for my future reference.

Some other related posts:

• Troubleshooting Cisco IPSec Site to Site VPN - "reason: Unknown delete reason!" after Phase 1 Completed
• Troubleshooting Cisco IPSec Site to Site VPN - "IPSec policy invalidated proposal with error 32"
• Troubleshooting Cisco IPSec Site to Site VPN - "QM Rejected"

1. Enabled Debugging on Cisco IOS Router

vpn-R1#debug crypto ipsec
Crypto IPSEC debugging is on

vpn-R1#debug crypto isakmp
Crypto ISAKMP debugging is on

vpn-R1#debug crypto engine
Crypto Engine debugging is on

vpn-R1#terminal monitor