OpenVPN 2.2.x and iOS 9.3.x No Routing over VPN

Whilst going through the process of renewing certificates, and following the recent updates to OpenVPN and iOS, I discovered that traffic was no longer being routed over the tunnel. A number of postings blame changes Apple has made in relation to IPv6. I’m unsure, but the fix was to alter the client.ovpn file to use an IP address in the remote directive instead of a DNS name.

e.g.

client
dev tun
proto udp
remote 1.2.3.4 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
cipher AES-256-CBC # AES
comp-lzo
verb 3
;mute 20
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
<dh>
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
</dh>

I hope this helps someone.

LegoLovelace – Got 10k votes

Just had to post to say that “LEGO Ideas – Lovelace & Babbage” received the required 10,000 votes, so that it will be considered by Lego for manufacture.

This is awesome news …

The link to the Lego IDEAS page is: https://ideas.lego.com/projects/102740

What is really cool about this kit is that there is space inside the Analytical Engine to house a micro board like the Raspberry Pi. Fingers crossed it gets the go-ahead for manufacture.

Studies back on OU M140 & M208

Having taken a break from studies, I need to pick up where I left off with my Open University Maths degree, so the modules for this year are:

M140 – Introducing Statistics

M208 – Pure Maths

The M140 course is brand new and I’ve heard mixed reviews about the content. The website and materials appear to have been uprated from what I’ve seen before, so I shall see. M208 has been around for quite some time, but errata are still being published.

Multiple VPN’s on SRX using Loopbacks

Anyone who has tried to configure a Juniper SRX and source VPNs from a loopback (as you do with Cisco) will have run into a problem: only one loopback is permitted per VRF (or routing-instance). You can assign multiple IP addresses to the lo0.nnn interface, but a VPN can only be sourced from an interface.

The following example shows a snippet from the security section of the configuration; the undocumented ‘local-address’ statement under each IKE gateway is the key line.

** Updated 05/02/15 **
Note that with more recent versions of JunOS (12.xx.x) it transpires that RSA certificate authentication only works using the primary IP address on an interface! When pre-shared keys are used, multiple IP addresses still work.

security {
    pki {
        ca-profile MY-ROOTCA {
            ca-identity ca-root;
            revocation-check {
                crl {
                    url http://x.x.x.x/myroot.crl;
                    refresh-interval 1;
                }
            }
        }
        ca-profile MY-SUBCA {
            ca-identity ca-sub;
            enrollment {
                url http://x.x.x.x:80/certsrv/mscep/mscep.dll;
                retry 40;
                retry-interval 2;
            }
            revocation-check {
                crl {
                    url http://x.x.x.x/mysubca1.crl;
                    refresh-interval 1;
                }
            }
        }
        auto-re-enrollment {
            certificate-id MY-CERT {
                ca-profile-name MY-SUBCA;
                challenge-password "MYPASSWORD";
                re-enroll-trigger-time-percentage 15;
                re-generate-keypair;
            }
        }
    }
    ike {
        proposal MY-IKE-PROPOSAL {
            authentication-method rsa-signatures;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 420;
        }
        policy MY-IKE-POLICY {
            mode main;
            description "CESG Interim PRIME-Compliant IKE Policy";
            proposals MY-IKE-PROPOSAL;
            certificate {
                local-certificate MY-CERT;
                peer-certificate-type x509-signature;
            }
        }
        gateway REMOTE-GW1 {
            ike-policy MY-IKE-POLICY;
            address x.x.x.1;
            local-address x.x.x.100;
            external-interface lo0.1;
        }
        gateway REMOTE-GW2 {
            ike-policy MY-IKE-POLICY;
            address x.x.x.2;
            local-address x.x.x.101;
            external-interface lo0.1;
        }
    }
    ipsec {
        proposal MY-IPSEC-PROPOSAL {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 420;
        }
        policy MY-IPSEC-POLICY {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals MY-IPSEC-PROPOSAL;
        }
        vpn REMOTE-VPN1 {
            bind-interface st0.1;
            ike {
                gateway REMOTE-GW1;
                ipsec-policy MY-IPSEC-POLICY;
            }
            establish-tunnels immediately;
        }
        vpn REMOTE-VPN2 {
            bind-interface st0.2;
            ike {
                gateway REMOTE-GW2;
                ipsec-policy MY-IPSEC-POLICY;
            }
            establish-tunnels immediately;
        }
    }
}
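As an added check that is not part of the original post (nor Juniper tooling), the following Python lint reads "show configuration | display set" output and encodes the two constraints described above: each gateway’s local-address must exist on its external-interface, and with rsa-signatures it must be the primary address of that interface. The sample output is constructed, and only the statement shapes shown in it are parsed.

```python
from collections import defaultdict
# Constructed "show configuration | display set" output (not from the post):
# both gateways share lo0.1, but REMOTE-GW2 sources from the secondary address.
SAMPLE_SET = """
set interfaces lo0 unit 1 family inet address 192.0.2.100/32 primary
set interfaces lo0 unit 1 family inet address 192.0.2.101/32
set security ike proposal MY-IKE-PROPOSAL authentication-method rsa-signatures
set security ike policy MY-IKE-POLICY proposals MY-IKE-PROPOSAL
set security ike gateway REMOTE-GW1 ike-policy MY-IKE-POLICY
set security ike gateway REMOTE-GW1 local-address 192.0.2.100
set security ike gateway REMOTE-GW1 external-interface lo0.1
set security ike gateway REMOTE-GW2 ike-policy MY-IKE-POLICY
set security ike gateway REMOTE-GW2 local-address 192.0.2.101
set security ike gateway REMOTE-GW2 external-interface lo0.1
"""

def parse(config):
    ifaces, gateways = defaultdict(dict), defaultdict(dict)  # "lo0.1" -> {addr: is_primary}
    proposals, policies = {}, {}                             # name -> auth method / proposal
    for t in filter(None, map(str.split, config.splitlines())):
        if t[:2] == ["set", "interfaces"] and t[7:8] == ["address"]:
            # set interfaces <ifd> unit <n> family inet address <a>/<len> [primary]
            ifaces[f"{t[2]}.{t[4]}"][t[8].split("/")[0]] = t[-1] == "primary"
        elif t[:3] == ["set", "security", "ike"]:
            kind, name, key, *rest = t[3:]
            val = " ".join(rest)
            if kind == "proposal" and key == "authentication-method":
                proposals[name] = val
            elif kind == "policy" and key == "proposals":
                policies[name] = val
            elif kind == "gateway":
                gateways[name][key] = val
    return ifaces, proposals, policies, gateways

def lint(config):
    """Flag gateways whose local-address is absent from, or not primary on, the external interface."""
    ifaces, proposals, policies, gateways = parse(config)
    findings = []
    for gw, cfg in gateways.items():
        ext, local = cfg.get("external-interface"), cfg.get("local-address")
        addrs = ifaces.get(ext, {})
        auth = proposals.get(policies.get(cfg.get("ike-policy")))
        if local not in addrs:
            findings.append(f"{gw}: local-address {local} is not configured on {ext}")
        elif auth == "rsa-signatures" and not addrs[local]:
            findings.append(f"{gw}: rsa-signatures needs the primary address of {ext}; {local} is secondary")
    return findings

print(*lint(SAMPLE_SET), sep="\n")
```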


Lego is cool …

Breaking myself in gently and helping my 9-year-old son to complete his Lego Star Wars models.

Anakin’s Y-wing Star Fighter

Clone Turbo Tank (with bits missing)

Fun was had by all; now I hear something about a Death Star.

Studies Over – for now

It’s been over four years since I last posted and:

  • Gus is coming up to the age of four
  • I have renewed my CCIE R&S twice
  • I have (hopefully) completed an MSc in Advanced Networks
  • I have moved house, and
  • I have changed jobs

(Sounds like a lot but it has been four years)

So with my New Scientist subscription in place, a Raspberry Pi on order and the usual unhealthy interest in science and technology, I’m back posting.

Mick


Cisco Multiple SSID assigned to VLAN

Armed with a Cisco 877W or an Aironet AP, it would be good to have multiple SSIDs assigned to their own VLANs, each with its own WPA password.

The only restriction is that only one SSID can broadcast its name (guest-mode). In my application I have a “public” SSID with limited access and then additional ones which connect to other devices.

Define your SSIDs along with their VLANs and keys.

dot11 ssid PUBLIC
  vlan 1
  authentication open
  authentication key-management wpa
  guest-mode
  wpa-psk ascii PUBLICPASSWORD

dot11 ssid PRIVATE1
  vlan 2
  authentication open
  authentication key-management wpa
  wpa-psk ascii PRIVATEPASSWORD1

dot11 ssid PRIVATE2
  vlan 3
  authentication open
  authentication key-management wpa
  wpa-psk ascii PRIVATEPASSWORD2

Next, set up your radio interface.

interface Dot11Radio0
  no ip address
  no ip route-cache

  encryption vlan 1 mode ciphers tkip
  encryption vlan 2 mode ciphers tkip
  encryption vlan 3 mode ciphers tkip

  ssid PUBLIC
  ssid PRIVATE1
  ssid PRIVATE2

  ! you may wish to leave speed at its defaults
  speed default
  ! you may wish to hard-code the channel
  channel least-congested
  station-role root
  rts threshold 2312

Now configure “integrated routing and bridging” which allows the L3 interfaces to be integrated with multiple bridged interfaces.

bridge irb

bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
bridge 3 protocol ieee
bridge 3 route ip

Now create the layer 2 radio subinterfaces and join each one to its bridge group.

interface Dot11Radio0.1
  no ip address
  encapsulation dot1q 1 native
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled

interface Dot11Radio0.2
  no ip address
  encapsulation dot1q 2
  bridge-group 2
  bridge-group 2 subscriber-loop-control
  bridge-group 2 block-unknown-source
  no bridge-group 2 source-learning
  no bridge-group 2 unicast-flooding
  bridge-group 2 spanning-disabled

interface Dot11Radio0.3
  no ip address
  encapsulation dot1q 3
  bridge-group 3
  bridge-group 3 subscriber-loop-control
  bridge-group 3 block-unknown-source
  no bridge-group 3 source-learning
  no bridge-group 3 unicast-flooding
  bridge-group 3 spanning-disabled

Now, if you have an 877W and the VLANs exist, you just need to put the VLAN interfaces into the bridge groups.

interface Vlan1
  no ip address
  bridge-group 1

interface Vlan2
  no ip address
  bridge-group 2

interface Vlan3
  no ip address
  bridge-group 3

(or, if you have physical interfaces)

interface FastEthernet0/0.1
  encapsulation dot1q 1 native
  no ip address
  bridge-group 1

interface FastEthernet0/0.2
  encapsulation dot1q 2
  no ip address
  bridge-group 2

interface FastEthernet0/0.3
  encapsulation dot1q 3
  no ip address
  bridge-group 3

Now create the Layer 3 interfaces associated with the bridge groups.

interface BVI1
  ip address 10.10.1.1 255.255.255.0

interface BVI2
  ip address 10.10.2.1 255.255.255.0

interface BVI3
  ip address 10.10.3.1 255.255.255.0
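As an added check, not part of the original note, this Python lint encodes the invariants behind the procedure above (every SSID VLAN has an encryption vlan line on the radio, only one dot1q subinterface is native, and each subinterface’s bridge-group matches its dot1q VLAN) and runs them over a constructed IOS fragment with the typical slips planted in it. It understands only the statement shapes used here, not a full IOS configuration.

```python
from collections import defaultdict

# Constructed IOS fragment (not the post's config). Dot11Radio0.2 carries two
# deliberate mistakes (a second native VLAN, bridge-group not matching its dot1q
# VLAN) and the radio has no "encryption vlan 2" line for the PRIVATE1 SSID.
SAMPLE_IOS = """
dot11 ssid PUBLIC
  vlan 1
dot11 ssid PRIVATE1
  vlan 2
interface Dot11Radio0
  encryption vlan 1 mode ciphers tkip
interface Dot11Radio0.1
  encapsulation dot1q 1 native
  bridge-group 1
interface Dot11Radio0.2
  encapsulation dot1q 2 native
  bridge-group 1
"""

def lint(cfg):
    """Return invariant violations for a multi-SSID, VLAN-per-SSID AP config."""
    ssid_vlan, enc_vlans = {}, set()   # SSID -> VLAN ; VLANs with an encryption line
    subif = defaultdict(dict)          # "Dot11Radio0.1" -> {vlan, native, bg}
    ctx = None                         # name of the current dot11 ssid / interface block
    for t in filter(None, map(str.split, cfg.splitlines())):
        if t[0] in ("dot11", "interface"):
            ctx = t[-1]
        elif t[0] == "vlan":
            ssid_vlan[ctx] = int(t[1])
        elif t[:2] == ["encryption", "vlan"]:
            enc_vlans.add(int(t[2]))
        elif t[:2] == ["encapsulation", "dot1q"]:
            subif[ctx].update(vlan=int(t[2]), native=t[-1] == "native")
        elif t[0] == "bridge-group" and len(t) == 2:
            subif[ctx]["bg"] = int(t[1])
    out = []
    for ssid, v in ssid_vlan.items():
        if v not in enc_vlans:
            out.append(f"{ssid}: vlan {v} has no 'encryption vlan {v}' on the radio")
    natives = [i for i, s in subif.items() if s.get("native")]
    if len(natives) > 1:
        out.append(f"more than one native VLAN on subinterfaces: {', '.join(natives)}")
    for i, s in subif.items():
        if s.get("vlan") != s.get("bg"):
            out.append(f"{i}: dot1q vlan {s.get('vlan')} but bridge-group {s.get('bg')}")
    return out

print(*lint(SAMPLE_IOS), sep="\n")
```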

There is other configuration on this device that is not specific to multiple SSIDs and is outside the scope of this note, including, for example, creating the VLANs in the first place and configuring the connected devices.

Good luck

Mick