Sunday, May 31, 2020

Understanding FortiOS phase1 diag outputs

Here's the output of diag vpn ike gateway for a tunnel that is being worked on. I'm going to go over some details of this output.


Version == indicates the IKE version (1 or 2)

addr == the IKE gateway addresses for the VPN tunnel peers (yours and the remote side's)

created == the total time since phase1 was established; here it's 508k seconds with 18 re-keys (simple math, 18 x 28800, gives a number close to the 508k seconds)

The IKE SA and IPsec SA counters are crucial for telling you whether SAs were created and how many. Here no IPsec SA has ever been created.

direction == a field that tells you whether you initiated or responded to the connection

status == the IKE lifetime counter, counting down to the next rekey (28800-24466)

proposal == the active proposal set

lifetime/rekey == shows 28800/4033

DPD == counters for sent and received; if you repeat the command you can easily ascertain the DPD interval, which in this case is 5 secs.
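As an added example (not from the post), here is a small Python parser that pulls the fields above out of a constructed sample of the diag output and applies the same reasoning: rekeys times lifetime against tunnel age, whether an IPsec SA was ever built, and whether DPD replies keep up with probes. The sample layout and the zero-padded hex DPD counter format are assumptions; adjust the patterns to your FortiOS version.

```python
import re

# Constructed sample in the shape of `diag vpn ike gateway` output; field names follow
# the post, the exact layout is assumed and differs between FortiOS versions.
SAMPLE = """\
version: 1
addr: 203.0.113.10:500 -> 198.51.100.20:500
created: 518400s ago
IKE SA: created 18/18  established 18/18
IPsec SA: created 0/0  established 0/0
  direction: initiator
  status: established, since 24466s ago
  lifetime/rekey: 28800/4033
  DPD sent/recv: 00001f40/00001f3f
"""

# one regex per numeric field; group 1 is the value
FIELDS = {
    "version": r"^version:\s*(\d)",
    "created": r"^created:\s*(\d+)s",
    "ike_sa": r"^IKE SA: created (\d+)/",
    "ipsec_sa": r"^IPsec SA: created (\d+)/",
    "lifetime": r"lifetime/rekey:\s*(\d+)/",
    "rekey_in": r"lifetime/rekey:\s*\d+/(\d+)",
    "dpd_sent": r"DPD sent/recv:\s*([0-9a-f]+)/",
    "dpd_recv": r"DPD sent/recv:\s*[0-9a-f]+/([0-9a-f]+)",
}

def parse_ike_gateway(text):
    """Extract the fields the post discusses; DPD counters are assumed zero-padded hex."""
    g = {}
    for key, pat in FIELDS.items():
        m = re.search(pat, text, re.M)
        g[key] = int(m[1], 16 if key.startswith("dpd") else 10) if m else None
    m = re.search(r"^\s*direction:\s*(\w+)", text, re.M)
    g["direction"] = m[1] if m else None
    return g

def sanity_checks(g):
    """Apply the post's reasoning and return a list of human-readable findings."""
    findings = []
    # 18 rekeys x 28800s should land near the created age; a big gap means flaps
    if abs(g["ike_sa"] * g["lifetime"] - g["created"]) > g["lifetime"]:
        findings.append("rekey count does not match tunnel age: look for flaps or re-negotiations")
    if g["ipsec_sa"] == 0:
        findings.append("no IPsec SA ever created: phase2 never negotiated, check selectors and proposals")
    if g["dpd_sent"] - g["dpd_recv"] > 1:
        findings.append("DPD replies lagging behind probes: peer or path problem")
    return findings
```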

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \


Thursday, May 28, 2020

junos automation via netconf

I was working on some automation ideas and trying to come up with a script, and found one that works:


https://blog.karotte.org/2017/05/12/juniper-netconf-ssh/


#! /bin/bash
# Wrap the configuration text on stdin in a Junos <load-configuration> merge RPC.
# Use like: bgpq3 ... stuff | netconf-merge-wrapper | ssh admin@router netconf
cat <<_END
<rpc>
    <load-configuration action="merge" format="text">
        <configuration-text>
_END
# the configuration text itself is passed through from stdin untouched
cat -
cat <<_END
        </configuration-text>
    </load-configuration>
</rpc>
_END
# an optional "commit" argument appends a second RPC that commits the candidate
if [ "$1" == "commit" ]; then
        cat <<_END
<rpc>
    <commit/>
</rpc>
_END
fi


So what we are doing is running the irrpt prefix generator and piping its output into the wrapper and then into the Junos device.

If you add the commit argument, the RPC call will load and commit the configuration. It's a very simplified means to update BGP prefix lists for filters.


irrpt_pfxgen <AS_NUMBER> | ./wrapper.sh commit | ssh kenfelix@<router ipv4 address> netconf
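An added example, not the wrapper's or the linked post's code: the same merge RPC built in Python with the configuration text XML-escaped. The bash wrapper pastes stdin straight into the XML, so a '&' or '<' in a prefix-list annotation yields a malformed RPC (or changes the document the router parses); config_text_seen_by_router parses the RPC the way the NETCONF server would, to show the difference. The sample prefix-list text is constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

def merge_rpc(config_text, commit=False, escape_text=True):
    """Build the <load-configuration> merge RPC the bash wrapper emits.
    escape_text=False reproduces the wrapper's behaviour (cat - straight into the XML)."""
    body = escape(config_text) if escape_text else config_text
    rpc = ("<rpc>\n"
           '    <load-configuration action="merge" format="text">\n'
           "        <configuration-text>\n"
           f"{body}\n"
           "        </configuration-text>\n"
           "    </load-configuration>\n"
           "</rpc>\n")
    if commit:  # same optional second RPC as the wrapper's "commit" argument
        rpc += "<rpc>\n    <commit/>\n</rpc>\n"
    return rpc

def config_text_seen_by_router(rpc):
    """Parse the first RPC as the NETCONF server would; return the config text it
    would load, or None when the document is not well-formed XML."""
    first = rpc.split("</rpc>", 1)[0] + "</rpc>"
    try:
        root = ET.fromstring(first)
    except ET.ParseError:
        return None
    return root.findtext("load-configuration/configuration-text").strip()

# Constructed prefix-list text of the kind a prefix generator emits; the '&' in the
# annotation is the case the bash wrapper cannot pass through intact.
SAMPLE_CONFIG = ("policy-options {\n"
                 "    prefix-list AS64500 { 192.0.2.0/24; 198.51.100.0/24; }\n"
                 "    /* peer: Example R&D */\n"
                 "}")
```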

Friday, May 22, 2020

Multiple Phase2 in strongSwan configurations

When you have more than one local/remote subnet pair, you have a few ways to add multiple phase2 entries to the config.

In FortiOS we build multiple phase2 definitions and reference the phase1 interface; in strongSwan it's a very similar approach.


# sample 2x phase2 connection srx1
conn srx1
    leftsubnet=10.198.198.0/24
    rightsubnet=192.168.1.0/24
    also=srx
    auto=route


# sample 2x phase2 connection srx2
conn srx2
    leftsubnet=10.197.197.0/24
    rightsubnet=192.168.1.0/24
    also=srx
    auto=route


The connection "srx" is the parent for the two children srx1 and srx2, pulled in by also=srx.

Here's a full config; take heed of the parent conn srx and the two associated children srx1 and srx2.





Also, ipsec status will now show the two child connections srx1 and srx2 when executed.



That's how easy it is to associate multiple local/remote subnets in strongSwan.
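As an added example (not the post's config): a short Python resolver that parses ipsec.conf-style text and expands also= the way the strongSwan starter does, so you can see the effective settings each child conn ends up with. The parent conn srx and its parameters are assumed; srx1 and srx2 are the post's snippets.

```python
# Constructed ipsec.conf in the post's layout. The parent conn "srx" is assumed
# (the post's full config is not reproduced here); srx1/srx2 are the post's snippets.
SAMPLE_IPSEC_CONF = """\
conn srx
    keyexchange=ikev2
    left=203.0.113.10
    right=198.51.100.20
    ike=aes256-sha256-modp2048!

conn srx1
    leftsubnet=10.198.198.0/24
    rightsubnet=192.168.1.0/24
    also=srx
    auto=route

conn srx2
    leftsubnet=10.197.197.0/24
    rightsubnet=192.168.1.0/24
    also=srx
    auto=route
"""

def parse_conns(text):
    """{conn name: {key: value}}; indented lines belong to the section above, '#' comments."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.startswith("conn "):
            cur = line.split(None, 1)[1].strip()
            conns[cur] = {}
        elif cur is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            conns[cur][key.strip()] = val.strip()
    return conns

def effective(conns, name, seen=None):
    """Resolve also= as the starter does: the child's own settings win, the parent's fill the rest."""
    seen = set() if seen is None else seen
    if name in seen:
        raise ValueError(f"also= loop at conn {name}")
    seen.add(name)
    own = dict(conns[name])
    parent = own.pop("also", None)
    merged = effective(conns, parent, seen) if parent else {}
    merged.update(own)
    return merged

def children_of(conns, parent):
    """The child phase2 conns inheriting from parent, the ones ipsec status will list."""
    return sorted(n for n, c in conns.items() if c.get("also") == parent)
```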

Demo'ing netconf on junos SRX

If you recall my previous API post from a few years back for Junos and the SRX:

http://socpuppet.blogspot.com/2018/11/junos-srx-api-interface-is-so-easy.html

I'm going to demo NETCONF over SSH. It requires you to enable the NETCONF service on the SRX.


config
set system services netconf ssh port 2023
commit


So in the above I enabled NETCONF on TCP port 2023 and it's ready for connections:

kfelix@HOME_SRX_SOCPUPPETS> show system connections | grep 2023    
tcp4       0      0  *.2023                                        *.*                                           LISTEN



Now we will test NETCONF and look for a NETCONF hello:



If you do not get a NETCONF hello, this means you have a connection or filter issue, the system services are not set for the interface zone and netconf, or the port number is incorrect.


Now I will make a simple get-software-information call (aka show version).



The RPC call is structured like the below:

<rpc> 
     <get-software-information>
     </get-software-information>
</rpc>


You can also string multiple RPC calls against a single NETCONF session; in the example below we get the show version and the ARP table.




NETCONF is powerful and super user-friendly in Junos for remote management. Any command that displays in the XML RPC output can be called via NETCONF over SSH.

Junos has made it so simple that if you send a request that can't be understood, it will error out and tell you.
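An added example in Python, not the post's own code, covering the three steps above: checking that a NETCONF hello arrived (and reading its session-id and capabilities), framing several RPCs for one session, and extracting the rpc-error message Junos returns for a request it cannot understand. The hello and the error reply are constructed samples in the shape of SRX output.

```python
import xml.etree.ElementTree as ET

EOM = "]]>]]>"  # NETCONF 1.0 end-of-message marker used on the Junos ssh subsystem

def local(tag):
    """Strip the namespace so replies match with or without the netconf xmlns."""
    return tag.rsplit("}", 1)[-1]

def parse_hello(raw):
    """Return (session-id, capabilities) from the server hello, or None when no
    hello came back, the post's connection/filter/zone/port failure case."""
    body = raw.split(EOM, 1)[0].strip()
    try:
        root = ET.fromstring(body) if body else None
    except ET.ParseError:
        return None
    if root is None or local(root.tag) != "hello":
        return None
    caps = [el.text.strip() for el in root.iter() if local(el.tag) == "capability"]
    sid = next((el.text for el in root.iter() if local(el.tag) == "session-id"), None)
    return (int(sid) if sid else None), caps

def frame_rpcs(*rpc_names):
    """String several RPCs into one session, each closed with the 1.0 delimiter."""
    return "".join(f"<rpc><{name}/></rpc>\n{EOM}\n" for name in rpc_names)

def rpc_errors(reply):
    """Collect <error-message> texts; Junos answers a request it cannot understand this way."""
    root = ET.fromstring(reply.split(EOM, 1)[0].strip())
    return [ch.text.strip() for el in root.iter() if local(el.tag) == "rpc-error"
            for ch in el if local(ch.tag) == "error-message"]

# Constructed samples in the shape of what an SRX sends; not captured from the post.
SAMPLE_HELLO = """<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
    <capability>http://xml.juniper.net/netconf/junos/1.0</capability>
  </capabilities>
  <session-id>4242</session-id>
</hello>
]]>]]>"""
SAMPLE_ERROR = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <rpc-error>
    <error-type>protocol</error-type>
    <error-tag>operation-failed</error-tag>
    <error-message>syntax error</error-message>
  </rpc-error>
</rpc-reply>
]]>]]>"""
```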

Thursday, May 14, 2020

HOWTO close ports 2000 and 5060 on FortiGates

When doing a port or vulnerability scan you will find TCP ports 2000 and 5060 open. These belong to the VoIP ALG.

To close these ports you can use a local-in policy, but a quicker means is to set the config

"set default-voip-alg-mode kernel-helper-based" in system settings;

e.g.

config system settings
    set default-voip-alg-mode kernel-helper-based
end




Use an online scanner to validate, e.g. https://www.whatismyip.com/port-scanner/

Wednesday, May 13, 2020

Cert_request for WEBPORTAL SSLVPN fortios

In this post I will show you how Microsoft Edge will present your local cert store for login. In this case we are using web mode and the VPN portal.


Our web VPN portal config:

config vpn ssl web portal
    edit "webaccess"
        set web-mode enable
    next
end

and our SSL VPN authentication rule (the portal name must match the portal defined above):

config authentication-rule
    edit 2
        set groups "web-usuarios-groupo1"
        set portal "webaccess"
        set client-cert enable
        set user-peer "web-socpuppets"
    next
end

The user peer is a basic peer group that defines the expected CA:

config user peer
    edit "web-socpuppets"
        set ca "CA_Cert_9"
    next
end

So any certificate signed by the named CA will be honored.

You can define various peer groups for each portal and portal type, and use realms to control access.


So when a user hits the portal, he will have to present the correct certificate for mutual TLS authentication.


This is just one of many ways to control web portal and SSL VPN access with RSA certificates.