VMware VCD VPN + Fortigate

Posted on December 29th, 2012 by Luke Sheldrick.
Categories: IT / Tech.

I’ve been testing a new platform at the day job for the last couple of days, as a user: I do all the tests as if I were the end user (i.e. our customer). The platform is based on VMware’s Virtual Cloud Director 5.1. I’m working with our product team to get the platform ready to hand over to our customers, and filling in the gaps when it comes to requirements, documentation and support needs.

One thing I was playing with today was the inbuilt VPN capability. The documentation from VMware here, if I am honest, is quite incomplete; even as a seasoned VMware user I found some elements confusing. The documentation for this element was, how do I put it… minimal (read: missing all the needed info). I assume that’s because they expect you to be connecting it to another vShield Edge device, so their defaults would just work.

I was working with my physical test lab to simulate a customer’s existing hosted solution, i.e. a rack of equipment in their data centre. The firewall I was using was an old Fortigate 200A; however, it is running the latest v4 FortiOS, so the steps would be the same for any Fortinet firewall running v4 (v3 would be very similar, if you still have that out there).

So, let’s assume the following:

 vOrg Network: 192.168.15.0/24
 vShield Edge IP: 90.1.1.1
 All devices NATed behind the Edge device.
 Legacy Network: 10.30.3.0/24
 Fortigate IP: 80.1.1.1
 All devices NATed behind the Fortigate.

Log in to the VCD portal, go to your vOrg network preferences, and right-click the network you want to configure for VPN access.

[Image: Network]

Go to the VPN tab and, if not already enabled, enable the VPN service. Then select New.

[Image: Network2]

Change the “Establish VPN to” to External Network.

[Image: VCDVPN1]

Fill out the following:

 Name: Your choice
 Description: Your choice
 Local Networks: LS-Network2 (matches 192.168.15.0/24). Here I chose the network that matched my requirements. (Yours will differ, and you'll need to make the amendments throughout.)
 Peer Networks: 10.30.3.0/24
 VPN Endpoint: The vShield Edge device you're going to terminate the VPN on.
 Local ID: Your choice - just needs to match what you configure the firewall with.
 Peer ID: Your choice - just needs to match what you configure the firewall with.
 Peer IP: This is going to be your other firewall. So for me it was 80.1.1.1
 Encryption Protocol: again, your preference. AES256 is a sane default.
 Shared Key: Your choice - just needs to match what you configure the firewall with.
 The rest: I left as default.

Now this left me asking some questions, i.e. what the other settings were going to be, such as authentication method, DH group, PFS, key lifetime, etc. None of this is listed in the documentation/user guide.

Anyway, to continue, you need to add a firewall rule to allow communication between the two environments. Something like the below, but again, adapt it to your requirements.

[Image: VCDFW]

Moving on to the Fortigate. This took a while to work out, as basically I had to configure the VPN, wait for the Edge device to try to bring up the tunnel to see what it was proposing, and then set the Fortigate to match (read: a complete PITA). However, now that’s been done, hopefully this will help someone.

Go to your VPN settings and add a new Phase I.

[Image: FNP1]

So the settings here:

 Name: Your choice.
 Remote Gateway: Static IP.
 IP Address: Edge device IP. Mine 90.1.1.1
 Local Interface: Your internet facing interface.
 Mode: I chose Main, but this can be your preference.
 Pre-shared Key: What you made up in the earlier steps.
 Enable interface mode (makes life a lot easier for firewall rules).
 IKE Version: 1
 Local IP: I chose main - your config may differ.
 Encryption: Whatever you chose earlier. AES256 for me.
 Authentication: SHA1 (This is one of the settings not documented anywhere)
 DH Group: 2 (This is one of the settings not documented anywhere)
 Keylife: 28800 (This is one of the settings not documented anywhere)
 DPD: Disabled - The edge device didn't seem to respond to these, so the Fortigate tore the tunnel down. (This is one of the settings not documented anywhere)

Phase II:

[Image: FNP2]

 Name: Your choice.
 Phase I: Select the one you configured above.
 Encryption: AES256 (unless you chose differently above)
 Authentication: SHA1 (This is one of the settings not documented anywhere)
 DH Group: 2 (This is one of the settings not documented anywhere)
 Keylife: 1800 (This is one of the settings not documented anywhere)
 Source Address: 10.30.3.0/24 (yours will need to be changed to match your network)
 Destination Address: 192.168.15.0/24 (match your vOrg Network)
 The Rest: Default.

Next, create the firewall rules: incoming and outgoing for the VPN interface. I won’t go into details here, as if you’re reading this I expect you’ll know how to add a policy.

Static route: you’ll need to create a static route for the VPN in order to route traffic down the interface. Interestingly, you didn’t need to do this on the Edge config.

Go to Router > Static > Create New. Something like the below, amended to your network.

[Image: FNSR]

Once this is done, the VPN should come up.
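The Phase I, Phase II and static route settings above, written out as FortiOS CLI so the screenshots aren't needed. This is an added example, not the author's configuration or anything supplied by Fortinet: it is reconstructed from the GUI fields listed in the post, assumes FortiOS 4.x CLI keywords (check them against `show full-configuration` on your own unit), and assumes the internet-facing interface is called wan1, the tunnel is called vcd-vpn, and PLACEHOLDER_PSK stands for the shared key entered in VCD.

```fortios
# Phase I: AES256 / SHA1 / DH group 2 / keylife 28800 / DPD off, as worked out in the post
config vpn ipsec phase1-interface
    edit "vcd-vpn"
        # assumed name of the internet-facing interface
        set interface "wan1"
        set ike-version 1
        set mode main
        # the vShield Edge external address from the post
        set remote-gw 90.1.1.1
        set proposal aes256-sha1
        set dhgrp 2
        set keylife 28800
        # the Edge did not answer DPD probes, so leave it off or the tunnel is torn down
        set dpd disable
        # only if you set Local ID / Peer ID on the Edge: the values cross over,
        # the Edge's Peer ID is this side's localid and the Edge's Local ID is this peerid
        # set localid "EDGE_PEER_ID"
        # set peertype one
        # set peerid "EDGE_LOCAL_ID"
        set psksecret PLACEHOLDER_PSK
    next
end

# Phase II: AES256 / SHA1, PFS with DH group 2, keylife 1800 s; selectors mirror the Edge side
config vpn ipsec phase2-interface
    edit "vcd-vpn-p2"
        set phase1name "vcd-vpn"
        set proposal aes256-sha1
        set pfs enable
        set dhgrp 2
        set keylife-type seconds
        set keylifeseconds 1800
        set src-subnet 10.30.3.0 255.255.255.0
        set dst-subnet 192.168.15.0 255.255.255.0
    next
end

# Static route: send the vOrg network down the tunnel interface
config router static
    edit 0
        set dst 192.168.15.0 255.255.255.0
        set device "vcd-vpn"
    next
end
```

Firewall policies between your internal interface and vcd-vpn still need adding, as the post says; with interface mode the tunnel appears as an interface you can reference directly in those policies.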

Serial Console & Android

Posted on December 9th, 2012 by Luke Sheldrick.
Categories: IT / Tech.

You’re in a datacenter, all you have with you is a bag of cables, a crash cart and your mobile. A core switch has fallen over, and you need to quickly see what the console is outputting.

I was tinkering at home, where I was building a lab of some Cisco and Fortigate kit, and needed to quickly set a management IP. I had a rollover cable and a USB-to-serial converter, and wondered if my Samsung Galaxy Note and the ‘USB-to-go’ cable would allow me to connect to the serial port on the switches and firewalls. Using the inbuilt terminal didn’t work, and I couldn’t get minicom to play. However, I did find an app in the Play Store that had support for most of the USB converters.

A bit of fiddling, and bingo, it all worked.

[Image: Android Serial Console]

I got this to work on my Galaxy Note, however this should work with anything that has USB Host Mode support. This would be really useful on a tablet.

The best bit is that doing this is really rather cheap. What I used:

USB-to-go connector – for converting the Micro-USB (Micro-B) port to a standard female USB (Type A) socket.
USB-to-Serial – cheap PL2303-based converter.
Cisco rollover cable – every DC will have hundreds of these.
Slick USB 2 Serial Terminal – Android app that talks directly to the USB-to-Serial converter (ad-supported or paid version).

Mountain Lion – Notification Center Shortcut

Posted on July 27th, 2012 by Luke Sheldrick.
Categories: IT / Tech.

Just a quick one. I have been using Mountain Lion for just over a day, but noticed there wasn’t a quick way to see the Notification Center.

Seems there is a shortcut available in the Keyboard preferences; it’s just not set. So just assign your preferred shortcut, as below.

Mountain Lion

Posted on July 26th, 2012 by Luke Sheldrick.
Categories: IT / Tech.

So, Mountain Lion came out yesterday. I bought Apple’s new MacBook Pro with Retina, so am entitled to a free upgrade.

I applied for the redemption code and had to give a load of info, like purchase date, serial number, etc. (not quite sure why; surely Apple can check this against my Apple ID). Anyhow, they send you a password and a password-protected PDF in separate mails. I received mine within the hour, went to use it, and it informed me the code had already been used. Took a look on Twitter, and it seems everyone was in the same boat. According to numerous reports, Apple Support are saying to wait 72 hours, when a new code will automatically be issued.

I’m sorry, but that just sucks. I buy their top-of-the-range laptop (as well as most other things), and now I have to wait for the new shiny! Boo. I have a Mac mini I use in my home office, and I’ve read mixed reports on whether the upgrade code would work for it, so I decided to just pay for the upgrade, as I’ll probably have to anyway for the Mac mini, and I can use that on multiple machines.

The upgrade was pretty painless. A few things are broken whilst developers update their code (and, more importantly, make it work within the App Sandbox). I was reading up on Power Nap, as this is one feature that I think is really cool: my MBP will update, back up, etc. while in standby. The default is to have this disabled when on battery power; however, I wanted to make sure that was the case. According to the Apple KB, it’s in Energy Saver settings, under the Battery tab. I don’t have that. OK, so I need an SMC update before I can enable Power Nap. Great: for their latest, flagship MacBook, it’s ‘coming soon’.

WHAT?

Noticed a few things are broken so far:
 TruePreview – stops mails being marked as read in Mail. Manual fix here.
 GPGMail – PGP/GPG for Mail. Broken at present; the devs say to follow their Twitter.
 Hal9000 screensaver – as it says on the tin.

Using Google-Authenticator for free two-factor ssh authentication

Posted on February 12th, 2012 by Luke Sheldrick.
Categories: IT / Tech.

I’d consider myself a pretty security-conscious person, so most of my stuff is either firewalled off, can only be accessed via a VPN, or requires a key of some sort (SSH keys), except for one box. That one box is the weak link in the chain, but it is there out of convenience. I have a box out there I can jump to, connect to with a password, and then get to everything else. However, I hate having the weak link. The only reason I have it is that if I am somewhere without access to, say, my laptop, I can still jump on a shared machine and connect back to my kit.

Last week I was on a course and couldn’t use my laptop, so I was using one of the training centre’s computers. Throughout the course, I’d check my email, IRC, etc., just using their standard installed PuTTY, connecting back to my server via SSH. However, how do I know what they have installed on their hot-desk computer? For all I know, they could have a keylogger sitting there happily recording my password. (Noted: a bit paranoid.) On the way home from the course, I really wasn’t happy with that risk, so when I got home I naturally changed the password and checked the logs; no access was seen, so I was happy for now. However, I needed to find a way to fix this.

I Googled about for a bit, then stumbled on Google Authenticator. Now, I had read about this being released for Google accounts, i.e. two-factor auth to check your Gmail, etc.; however, what I hadn’t realised is that they had released a PAM (Pluggable Authentication Module) to work with their authenticator. Neat! I spun up a VM in my lab and had a play, and it was very easy to get the module installed and working with SSH.

After compiling the PAM module, installing it, and updating the PAM config and sshd’s, you’re pretty much ready to go. Users on the server have to enrol using the google-authenticator binary, which asks them a series of questions, then presents a URL which displays a QR code. Crank up the authenticator app on your favourite smartphone, and it should add the OTP config and start generating OTPs. Depending on whether you chose time-based or on-request OTPs, you’ll see a countdown clock (until the next code) or a button to request a new code.

There are some really good guides on setting this up, so I won’t duplicate them. I’ve got it running on my Ubuntu jump box and a few CentOS servers in my lab. Seems perfectly stable so far. What I do like about this OTP solution vs. some others such as RSA is that it doesn’t need to ‘call home’, so if for some reason the server is isolated from the internet, I can still authenticate using the OTP, as it’s based on RFC 4226 and so is time-based.
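To show why the server can verify a code without calling home, here is an added example (not from the post, and not pam_google_authenticator’s own code) of the time-based OTP check in Python: RFC 6238 TOTP built on RFC 4226’s HMAC-SHA1 HOTP, with the one-step skew window on either side of the current time and the replay rejection that stops a code seen by a keylogger from being reused. EXAMPLE_SECRET is the RFCs’ reference key in base32 (the format google-authenticator writes), so the outputs can be checked against the RFC test vectors; the function and argument names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: base32 of the ASCII string "12345678901234567890",
# the reference key used by the RFC 4226 and RFC 6238 test vectors.
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret_b32, now // step, digits)


def verify(secret_b32, code, at=None, window=1, step=30, used=None):
    """Accept `code` for the current step or up to `window` steps either side (phone clock
    skew), comparing in constant time. A counter whose code was already accepted is refused,
    so a code captured by a keylogger cannot be replayed while it is still valid.
    `used` is the set of accepted counters and is updated in place."""
    now = int(time.time()) if at is None else int(at)
    current = now // step
    if used is None:
        used = set()
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter), str(code)):
            if counter in used:
                return False  # replay of an already-accepted code
            used.add(counter)
            return True
    return False
```

Nothing here needs the network: the server only needs the shared secret, its own clock and the same HMAC construction as the app.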

I have read in a few places that GA and SSH keys cannot be used together, and that you should disable key authentication. Both can work alongside each other; however, OpenSSH sees them as separate things. So if I try to authenticate using my private key, it will accept that and ask for no further authentication. However, what I think people are saying here is that if you want to still be challenged for your OTP when using your key, this won’t fit your requirements. For me, if I have my key, that is enough.

One thing I did put in place, which avoids a bit of a chicken-and-egg situation, is that if you haven’t enrolled with google-authenticator on the jump box yet, you can still authenticate using just your password. I’ve given some people access to the jump box for various reasons, and not all of them use keys, so once I had implemented the dual auth, some of them couldn’t connect in order to set up google-auth. Oops. To get this to work you need to add nullok to your PAM config line. I also added an option to echo the code as you type it.

Your PAM config (e.g. /etc/pam.d/common-auth) should have a line like the following for this to work.
auth    required                        pam_google_authenticator.so nullok echo_verification_code

You can get the modules over at Google Code. All in all, a pretty neat solution to my issue: whatever machine I log in from now, sure, you can steal my password, but unless you also have my unlocked phone to generate a new OTP, you won’t be able to get in. The weak link is now a bit stronger.
