Thursday, June 17, 2021

FRR opensource routing to CME MDP

In this blog we will look at a simple but effective means of deploying a multicast router, running FRR, toward the CME Market Data Platform (MDP).


https://www.cmegroup.com/confluence/display/EPICSANDBOX/CME+Market+Data+Platform+Connectivity#CMEMarketDataPlatformConnectivity-Figure:GRETunnelwithinIPSecTunnel


note: you will typically be given an IPv4 address that is used as the PIM RP.

PIM joins and the multicast traffic itself are delivered via the GRE interface (gre1 in my example).


You will need to install snapd and frr, and have your gre1 interface defined, before starting.



sudo yum install snapd

yum install -y https://github.com/FRRouting/frr/releases/download/frr-5.0.1/frr-5.0.1-2018070501.el7.centos.x86_64.rpm

sudo snap install frr

sudo systemctl enable --now snapd.socket

sample frr.conf


[kfelix@mcastrt1 ~]#  /var/lib/snapd/snap/bin/frr.vtysh -c "show running"
Building configuration...

Current configuration:
!
frr version 7.5.1
frr defaults traditional
hostname mcastrt1.yourdomain.com
log file /var/log/pimd
log stdout
no ipv6 forwarding
ip multicast rpf-lookup-mode longer-prefix
ip pim rp 69.50.112.254 224.0.0.0/4
ip mroute 69.50.112.0/25 10.247.x.xx
no service integrated-vtysh-config
!
ip route 69.50.112.0/25 10.247.4.145
ip route 69.50.112.254/32 10.247.x.xx
!
interface dummy255
 description test-dummy-interface-for-joins
 ip igmp
 ip igmp join 224.0.28.85
 ip igmp version 2
 ip pim
 multicast
!
interface gre1
 description CME MDP GRE-tunnel
 ip pim
 multicast
!
interface pimreg
 ip pim
 multicast
!
line vty
!
end


The dummy255 interface was created for testing, before enabling IGMP on the LAN interface.

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \

Tuesday, June 15, 2021

fortios how to recover ipsec-vpn PSK string in text format

One of my colleagues was working on a FortiOS conversion and needed a means to gather the existing PSKs from the IPsec VPN configuration in text format.




Here's a simple method for extracting these details using an API call.


The API entry point is:

https://x.x.x.x/api/v2/cmdb/vpn.ipsec/phase1-interface?plain-text-password=1


The full HTTP GET would look like the following (the second query parameter is joined with "&", not a second "?"):

curl -k -H "Authorization: Bearer zw7q8QyGrHwtfrn8tkGyfNbnGGN7js" "https://192.168.1.99/api/v2/cmdb/vpn.ipsec/phase1-interface?plain-text-password=1&access_token=zw7q8QyGrHwtfrn8tkGyfNbnGGN7js"

In the output, the "psksecret" field will show the text value.



That's a simple method to recover the VPN PSK from the encrypted field in cleartext.
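As an added example (not from the post and not Fortinet code): a small Python helper that issues the same GET as the curl above, keeps the bearer token out of the URL, and parses the JSON the endpoint returns. The response body below is constructed; the tunnel names, gateways and PSK strings are made up, and the results/status envelope is assumed from the usual FortiOS REST response shape.

```python
import json
import ssl
import urllib.request

# Constructed sample response: the envelope (results/status/http_status) follows the
# usual FortiOS REST shape; the tunnel names, gateways and PSK strings are made up.
SAMPLE_RESPONSE = json.dumps({
    "http_method": "GET",
    "results": [
        {"name": "to-branch1", "remote-gw": "203.0.113.7", "psksecret": "example-psk-1"},
        {"name": "to-dc", "remote-gw": "203.0.113.8", "psksecret": "example-psk-2"},
    ],
    "vdom": "root",
    "status": "success",
    "http_status": 200,
})

ENDPOINT = "/api/v2/cmdb/vpn.ipsec/phase1-interface?plain-text-password=1"


def build_request(host, token):
    """GET for the phase1-interface table with PSKs in the clear. The bearer token goes
    only in the Authorization header; tokens in the query string end up in proxy and web logs."""
    return urllib.request.Request(f"https://{host}{ENDPOINT}",
                                  headers={"Authorization": f"Bearer {token}"})


def fetch(host, token, verify_tls=True):
    """Perform the request; verify_tls=False is the equivalent of curl -k for lab units."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(build_request(host, token), timeout=15, context=ctx) as resp:
        return resp.read().decode()


def extract_psks(body):
    """Map tunnel name -> (remote-gw, psksecret) from the JSON body; fail on a non-success status."""
    data = json.loads(body)
    if data.get("status") != "success":
        raise RuntimeError(f"API call failed: status={data.get('status')!r} "
                           f"http_status={data.get('http_status')!r}")
    return {e["name"]: (e.get("remote-gw", ""), e.get("psksecret", "")) for e in data["results"]}


def redacted(psks):
    """Log-safe view of extract_psks(): the PSK itself is replaced by its length."""
    return {name: (gw, f"<{len(psk)} chars>") for name, (gw, psk) in psks.items()}


if __name__ == "__main__":
    # Offline demonstration on the constructed body; swap in fetch(host, token) for a real unit.
    found = extract_psks(SAMPLE_RESPONSE)
    print(redacted(found))
```

The design point is that the output of this call is as sensitive as the VPN itself: write the cleartext PSKs only to the migration target, and log or print the redacted() view instead.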







Ken Felix


Wednesday, May 26, 2021

SDWAN fortios ipv6

Okay, here's a new twist. Can you do SDWAN with IPv6? Well, yes.


Okay, so a friend of mine is looking at SDWAN and they are in an all-IPv6 environment. I'm going to demo how you do SDWAN on a FortiGate with IPv6. Keep in mind the SDWAN IPv6 addr-mode and configuration are done from the CLI only.


Okay, first what I did was use my two IPv6 SIT tunnels. These are used for IPv6 connectivity since my local ISP does not even offer IPv6.


Here's a basic tunnel setup:

config system sit-tunnel
    edit "HE"
        set source 199.188.xxx.xxx
        set destination 216.66.80.26
        set ip6 2001:470:1f07:427::2/64
    next
    edit "CH"
        set source 199.188.xxx.xxx
        set destination 85.202.203.249
        set ip6 2a09:4c0:fe0:7a::2/64
    next
end

Next we stick these two interfaces in an SDWAN zone. I named mine simply ipv6:


config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "ipv6"
        next
    end
    config members
        edit 1
            set interface "HE"
            set zone "ipv6"
        next
        edit 2
            set interface "CH"
            set zone "ipv6"
        next
    end
end


You will need an IPv6 policy in order to use the SDWAN zone for traffic exiting to the IPv6 backbone:



config firewall policy
    edit 6
        set name "ipv6-sdwan"
        set uuid 9e0adc14-bdb6-51eb-0138-794f8740485f
        set srcintf "internal"
        set dstintf "ipv6"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end


Notice I enabled "nat" on egress, since I have two different originating networks and so need to SNAT. My inside LAN is configured using private addresses:



config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh snmp
        set type hard-switch
        set stp enable
        set role lan
        set snmp-index 6
        config ipv6
            set ip6-address 2001:db8:99::1/64
            set ip6-allowaccess https ssh snmp
            set ip6-send-adv enable
            config ip6-prefix-list
                edit 2001:db8:99::/64
                next
            end
        end
    next
end


Now you can build SDWAN rules, health checks and so on, but you have to use the CLI and set the addr-mode type, e.g.:



    config health-check
        edit "quad9"
            set addr-mode ipv6
            set server "2620:fe::9"
            set detect-mode prefer-passive
            set threshold-warning-packetloss 20
            set threshold-alert-packetloss 30
            set members 1 2
        next
    end
    config service
        edit 2
            set name "ipv6-tunnels"
            set addr-mode ipv6
            set input-device "internal"
            set priority-members 2
            set dst6 "sjc"
            set src6 "all"
        next
    end


So treat SDWAN for IPv6 in the same fashion as IPv4.
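Added example (not from the post, and not Fortinet code): a Python parser for the config/edit/set/next/end layout shown in this post, plus a consistency check over the result: every SDWAN member points at a defined SIT tunnel or interface and at a defined zone, each health check's addr-mode matches the address family of its server, and every member referenced by a health check or service exists. The embedded config is constructed from the post's snippets; 198.51.100.10 is a placeholder for the tunnel source the post shows as 199.188.xxx.xxx, and treating "virtual-wan-link" as the implicit default zone is an assumption.

```python
import ipaddress
import shlex

# Constructed sample in the shape of the post's CLI snippets. 198.51.100.10 is a
# documentation placeholder for the tunnel source the post shows as 199.188.xxx.xxx.
SAMPLE_CFG = """\
config system sit-tunnel
    edit "HE"
        set source 198.51.100.10
        set destination 216.66.80.26
        set ip6 2001:470:1f07:427::2/64
    next
    edit "CH"
        set source 198.51.100.10
        set destination 85.202.203.249
        set ip6 2a09:4c0:fe0:7a::2/64
    next
end
config system sdwan
    set status enable
    config zone
        edit "ipv6"
        next
    end
    config members
        edit 1
            set interface "HE"
            set zone "ipv6"
        next
        edit 2
            set interface "CH"
            set zone "ipv6"
        next
    end
    config health-check
        edit "quad9"
            set addr-mode ipv6
            set server "2620:fe::9"
            set members 1 2
        next
    end
    config service
        edit 2
            set addr-mode ipv6
            set priority-members 2
            set src6 "all"
        next
    end
end
"""


def parse_fortios(text):
    """Nest config/edit/set/next/end blocks into dicts; every 'set' value is kept as a list."""
    root, stack = {}, []
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        cur = stack[-1] if stack else root
        if words[0] == "config":
            stack.append(cur.setdefault(" ".join(words[1:]), {}))
        elif words[0] == "edit":
            stack.append(cur.setdefault(words[1], {}))
        elif words[0] == "set":
            cur[words[1]] = words[2:]
        elif words[0] in ("next", "end"):
            stack.pop()
    return root


def _family(value):
    """'ipv4'/'ipv6' for a literal address, None for a hostname (not checkable offline)."""
    try:
        return f"ipv{ipaddress.ip_address(value).version}"
    except ValueError:
        return None


def check_sdwan_ipv6(cfg):
    """Cross-check members, zones, health-checks and services; [] means consistent."""
    findings = []
    sdwan = cfg.get("system sdwan", {})
    defined = set(cfg.get("system sit-tunnel", {})) | set(cfg.get("system interface", {}))
    members, zones = sdwan.get("members", {}), sdwan.get("zone", {})
    for idx, m in members.items():
        intf = m.get("interface", [""])[0]
        if intf not in defined:
            findings.append(f"member {idx}: interface {intf!r} is not defined")
        zone = m.get("zone", ["virtual-wan-link"])[0]  # assumed implicit default zone
        if zone != "virtual-wan-link" and zone not in zones:
            findings.append(f"member {idx}: zone {zone!r} is not defined")
    for name, hc in sdwan.get("health-check", {}).items():
        mode, server = hc.get("addr-mode", ["ipv4"])[0], hc.get("server", [""])[0]
        fam = _family(server)
        if fam and fam != mode:
            findings.append(f"health-check {name}: addr-mode {mode} but server {server} is {fam}")
        for mid in hc.get("members", []):
            if mid not in members:
                findings.append(f"health-check {name}: member {mid} does not exist")
    for sid, svc in sdwan.get("service", {}).items():
        if svc.get("addr-mode", ["ipv4"])[0] == "ipv6" and not (svc.get("src6") or svc.get("dst6")):
            findings.append(f"service {sid}: addr-mode ipv6 but no src6/dst6 set")
        for mid in svc.get("priority-members", []):
            if mid not in members:
                findings.append(f"service {sid}: priority member {mid} does not exist")
    return findings
```

The addr-mode check is the one that catches the post's main gotcha: a health check left at the default ipv4 addr-mode pointed at an IPv6 server is flagged before it silently marks the members dead.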


Friday, April 30, 2021

fortios upgrade from usb

In some rare instances you might have to upgrade a FortiGate from USB. This can be due to numerous reasons: a proxy, inside-firewall access restrictions, a system closed off from the internet, etc.


So here are the basic steps:

A> read the release notes. This will help you know what changed: fixes, improvements.
B> study any migration path
C> make a backup of the configuration
D> clear the debug config errors
E> copy the image to an MS-DOS formatted USB stick
F> start the upgrade
G> check the status and read any diag debug config errors






And lastly, you have two partitions, so you can always revert to the inactive partition if you want to reboot into the previously installed version.




Friday, April 23, 2021

ipv6 sit-tunnel using https://www.tunnelbroker.ch/

So an alternative to Hurricane Electric is https://www.tunnelbroker.ch/

The advantages here are:

  1.    the user interface is a much better design
  2.    an API is available

The disadvantages:

  1.    the free account only offers a /64
  2.    you can only craft up to 3 tunnels in the free offering
  3.    the total number of end-point regions is much less than Hurricane Electric


Here's a few snapshots of the portal (screenshots not reproduced here): API, ipv6 tunnel details, Fortios cfg.

Ping check from keycdn tools.

And a traceroute sourced from the /64 for testing.



YMMV but this is an exceptional tunnelbroker for ipv6.

note: their auto-cfg generator for fortios is incorrect {config system sbtb-tunnel}
