Thursday, 29 May 2014

Fiddler SSL interception not working

Fiddler has been my go-to web application debugging tool for as long as I've needed one. Yesterday it simply stopped decrypting SSL traffic for me. No settings had changed (no, really), and I started seeing this error for every site I tried connecting to:

fiddler.network.https> HTTPS handshake to www.google.com failed. System.Security.Cryptography.CryptographicException Cannot find the requested object.




Not a particularly helpful error message (at least not to someone who isn't the developer), so off to Google I went. A few hours of searching through various Google Groups discussions turned up mentions of a recent .NET Framework update that changed some cryptographic behaviour and broke things. The fix is to go to C:\Users\[your username]\Documents\Fiddler2 and rename the file ClientCertificate.cer to something else (or move it out of the folder). That file is the client certificate Fiddler presents when a server asks for client authentication, so renaming it only costs you client-certificate auth through the proxy until you put a working one back. I'm still not 100% certain why it breaks the handshake for every site, but it fixed my SSL interception so I'm happy again. Full discussion here.

Wednesday, 26 February 2014

F5 LTM Virtual Edition in Virtualbox

The F5 LTM Virtual Edition is a great way to get some experience with the product if you can't get your hands on any physical kit. If you're working your way through the new certification path you'll need all the exposure and experience you can get, so a local VM on a desktop hypervisor is ideal for practising or having a poke around the web interface or CLI when you have some spare time.
I tend to use VirtualBox for my desktop virtualisation needs as it's cross-platform and free, but there are no officially supported VirtualBox images provided by F5. After a bit of trial and error, I've found the following setup works nicely. Bear in mind that you will need a trial licence / base registration key. I don't know that F5 will provide one directly to an end user, but your reseller or partner should be able to get you a 30 or 45 day evaluation licence.

Firstly, download the Hyper-V VHD files for TMOS 11.5.0 (link; registration required).
Extract the two VHD files into a folder wherever you like to keep your VMs.
Create a new virtual machine with the following properties:
Linux 2.6 / 3.0 Kernel (64-bit)
At least 2048MB of RAM (the more you have, the more modules you can potentially enable).
When prompted to add disks, skip this part and accept the warning.
When complete, edit the virtual machine settings and go to the storage tab.
Under Storage, find the SATA controller and add the largest of the VHD files first, then the one with DATASTORE in its name.
Under Network, add one interface for now (we'll add the rest later; adding the management interface on its own first makes sure it ends up as eth0). I use host-only for my management network as it doesn't usually need internet access. Use whatever you need, but the adapter type should be PCnet-PCI II (Am79C970A). There's some stuff on F5 DevCentral that hints at VirtIO support in 11.2, but I've not tested it yet.
Start the VM up from Virtualbox and check POST for errors / kernel panics but you should be fine. If you get any errors about MCP not running, go make a cup of tea and then try again. It'll load eventually :)

Once you've configured an IP address - check you can access it from a web browser on https://x.x.x.x. If you can, shut down the VM and we're ready to add some more interfaces.
Back in the network settings of your VM, add in as many interfaces as you need, but make sure the type is Intel PRO/1000 MT Server (82545EM).
Something to watch is the order of the interfaces; they might not match the order you've specified them in. You can use something like...

watch "ethtool ethX | grep detected"

and then disconnect and reconnect the virtual cable (Devices > Network in the VM window) to see which interface maps where; "Link detected" flips between yes and no as you do it. A more deterministic check is to compare the MAC address VirtualBox shows for each adapter with the addresses from ip link or ifconfig inside the VM. Your finished VM settings should be similar to this...

That should be your lot - just activate your license and then start playing!
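The same build as a script, so it can be repeated without clicking through the GUI. This is an added example and is not from the original post or from F5; the VM name, VHD directory and file names, and the host-only adapter name are placeholders to adjust for your download. It prints the VBoxManage commands unless APPLY=1 is set, and is split into the three stages the post describes (create with management NIC only, add data NICs after first boot, toggle a cable to map an interface).

```shell
#!/bin/sh
# Added example (not from the original post or F5): the VirtualBox GUI steps as
# a VBoxManage script. Dry run by default; APPLY=1 executes the commands.
# VM name, VHD directory/file names and the host-only adapter are placeholders.
VM=${VM:-bigip-11.5.0}
RAM_MB=${RAM_MB:-2048}
VHD_DIR=${VHD_DIR:-$HOME/VMs/bigip}
BOOT_VHD=${BOOT_VHD:-BIGIP-11.5.0.vhd}            # placeholder: the larger VHD
DATA_VHD=${DATA_VHD:-BIGIP-11.5.0_DATASTORE.vhd}  # placeholder: the one with DATASTORE in its name
MGMT_NET=${MGMT_NET:-vboxnet0}                    # host-only adapter for management (eth0)
APPLY=${APPLY:-0}
# VirtualBox NIC type IDs: Am79C970A is "PCnet-PCI II", 82545EM is "Intel PRO/1000 MT Server"
PCNET_TYPE=Am79C970A
E1000_TYPE=82545EM

run() {  # execute one VBoxManage command, or just print it in the dry run
  if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

create_vm() {  # stage 1: VM, both VHDs on SATA, management NIC only
  run VBoxManage createvm --name "$VM" --ostype Linux26_64 --register
  run VBoxManage modifyvm "$VM" --memory "$RAM_MB" --cpus 2 --boot1 disk
  # No disk at creation time; attach the boot VHD on port 0 and the datastore on port 1
  run VBoxManage storagectl "$VM" --name SATA --add sata --controller IntelAhci
  run VBoxManage storageattach "$VM" --storagectl SATA --port 0 --device 0 --type hdd --medium "$VHD_DIR/$BOOT_VHD"
  run VBoxManage storageattach "$VM" --storagectl SATA --port 1 --device 0 --type hdd --medium "$VHD_DIR/$DATA_VHD"
  # Adapter 1 is the only NIC at first boot so TMOS sees it as eth0
  run VBoxManage modifyvm "$VM" --nic1 hostonly --hostonlyadapter1 "$MGMT_NET" --nictype1 "$PCNET_TYPE"
}

add_data_nics() {  # stage 2 (after first boot): one Intel PRO/1000 NIC per internal network named
  n=2
  for net in "$@"; do
    run VBoxManage modifyvm "$VM" "--nic$n" intnet "--intnet$n" "$net" "--nictype$n" "$E1000_TYPE"
    n=$((n + 1))
  done
}

toggle_link() {  # stage 3: unplug/replug adapter $1 while watching ethtool in the guest
  run VBoxManage controlvm "$VM" "setlinkstate$1" off
  if [ "$APPLY" = 1 ]; then sleep 3; fi
  run VBoxManage controlvm "$VM" "setlinkstate$1" on
}

cmd=${1:-create}
if [ $# -gt 0 ]; then shift; fi
case "$cmd" in
  create) create_vm ;;
  nics)   add_data_nics "$@" ;;
  toggle) toggle_link "$1" ;;
  *) echo "usage: $0 create | nics NET... | toggle N" >&2; exit 2 ;;
esac
```

Usage follows the post's order: `APPLY=1 sh bigip-vbox.sh create`, boot and configure management, shut down, then `APPLY=1 sh bigip-vbox.sh nics external internal`, and `APPLY=1 sh bigip-vbox.sh toggle 2` while `watch "ethtool eth1 | grep detected"` runs in the guest to confirm which adapter is which.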

Tuesday, 3 September 2013

Check Point - Clear Identity Awareness user to IP mappings

It doesn't appear that there's an easy way on the Check Point CLI to remove all user to IP address mappings. You can revoke a single IP at a time - but for troubleshooting you might want to wipe out the whole lot.

Sounds like a job for a dirty bash one-liner!

(From expert mode of course)

 pep show user all | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -vx '127\.0\.0\.1' | sort -u | xargs -I {} -p pdp revoke_ip {}

The -p makes xargs ask before each revoke; drop it once you're happy with the list. The loopback exclusion is there because the table lists the PDP's own address as well as the mapped clients; if your PDP is a separate gateway, exclude that address too or you'll try to revoke it.
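The same thing as a small script with a dry run, so you can see the list of addresses before anything is revoked. This is an added example, not from the original post or from Check Point; it assumes, as the post does, that pep show user all prints each mapping's IPv4 address and that pdp revoke_ip clears one mapping. The sample table is constructed for testing off-box and its column layout is illustrative only.

```shell
#!/bin/sh
# Added example (not from the original post or Check Point): bulk-revoke
# Identity Awareness user-to-IP mappings from expert mode, dry run by default.
# Assumes 'pep show user all' lists one IPv4 address per mapping and that
# 'pdp revoke_ip <ip>' revokes a single mapping, as the post uses them.

# Constructed sample standing in for 'pep show user all' when 'pep' is not on
# the PATH (testing off-box). The layout is illustrative, not Check Point's.
SAMPLE='Name: alice@corp.example   IP: 10.1.2.10    PDP: 127.0.0.1
Name: bob@corp.example     IP: 10.1.2.11    PDP: 127.0.0.1
Name: alice@corp.example   IP: 10.1.2.10    PDP: 127.0.0.1
Name: carol@corp.example   IP: 172.16.5.20  PDP: 127.0.0.1'

mapped_ips() {  # stdin: pep table -> stdout: unique non-loopback IPv4 addresses
  grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -vx '127\.0\.0\.1' | sort -u
}

pep_output() {  # the real table on a gateway, the constructed sample elsewhere
  if command -v pep >/dev/null 2>&1; then pep show user all; else printf '%s\n' "$SAMPLE"; fi
}

revoke_all() {  # $1 = apply to call pdp; anything else only lists what would be revoked
  mode=${1:-dry}
  pep_output | mapped_ips | while IFS= read -r ip; do
    if [ "$mode" = apply ]; then
      pdp revoke_ip "$ip"
    else
      echo "would run: pdp revoke_ip $ip"
    fi
  done
}

revoke_all "$@"
```

Run it with no argument to review the addresses, then with apply to revoke them.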

Friday, 2 August 2013

Check Point - Linux Remote Access VPN with Shrew VPN client

A few years back I tried to get any sort of VPN client working on Ubuntu that would connect to a Check Point firewall. SSL Network Extender (SNX) works but requires additional configuration on the gateway, so I gave up.

Between then and now, Shrew Soft VPN client has added support for Check Point firewalls and works pretty well. I found the client crashed intermittently when setting up the profiles but after that the tunnel seemed stable. I've tested it on Ubuntu 12 and 13 (on 13 you have to compile from source as it's not in the Apt repositories yet) and both work ok.

The client is pretty straightforward to set up, once you know which options to use of course!

Hostname / IP address - IP or DNS name for your firewall
Auto Configuration - Leave this at 'ike config pull'.
Local Host - If you're using office mode with DHCP addresses, this will take care of picking up the address once the tunnel is up.

Client and name resolution tabs - leave these settings as default.
Authentication - assuming you haven't changed any of your remote access settings, Hybrid RSA + XAuth is what you need.
Authentication method:
Local Identity - User Fully Qualified Domain Name (make sure you leave the value blank however)
Remote Identity - Any
Credentials -> Server Certificate Authority File - This needs to be the Check Point internal CA certificate that issues the VPN certificate for your gateway. Setting it to 'any' doesn't appear to work.

Phase 1


Phase 2


Policy - Leave policy generation set to 'auto' and untick the following two boxes.
Then, make sure you add in all of the remote networks you want to access over the tunnel and the software will add in the correct routes for your remote resources. 


Then you're all set to connect!
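Because the Server Certificate Authority File has to be the CA that actually issued the gateway's VPN certificate, it is worth checking the file before blaming the client. The following is an added example, not part of the original post or of Shrew Soft: it normalises a Check Point CA export (DER or PEM) to PEM, shows its subject and fingerprint to compare against SmartConsole, confirms it really is a CA certificate, and, if you also have the gateway's certificate to hand, verifies that this CA issued it. File paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or Shrew Soft): sanity-check the
# CA file given to Shrew as "Server Certificate Authority File" with openssl.
# Paths are placeholders; ca.pem is written to the current directory.

to_pem() {  # $1 certificate in DER or PEM, $2 output PEM path
  if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
    openssl x509 -in "$1" -out "$2"
  else
    openssl x509 -inform DER -in "$1" -out "$2"
  fi
}

is_ca() {  # 0 only if the PEM certificate carries basicConstraints CA:TRUE
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

issued_by() {  # $1 CA PEM, $2 gateway certificate PEM: 0 only if the CA verifies it
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

describe() {  # subject and SHA-256 fingerprint, to compare with what SmartConsole shows
  openssl x509 -in "$1" -noout -subject -fingerprint -sha256
}

if [ $# -ge 1 ]; then
  to_pem "$1" ca.pem
  describe ca.pem
  is_ca ca.pem || { echo "ca.pem is not a CA certificate: wrong export?" >&2; exit 1; }
  if [ -n "${2:-}" ]; then
    if issued_by ca.pem "$2"; then
      echo "CA verifies the gateway certificate"
    else
      echo "this CA did NOT issue the gateway certificate" >&2
      exit 1
    fi
  fi
fi
```

Run as `sh check-ca.sh InternalCA.cer` (or with the gateway certificate as a second argument) and point Shrew at the resulting ca.pem.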



Friday, 21 June 2013

Fortinet PPTP VPN with LDAP authentication

Thanks to a fairly fundamental documentation gap, it turns out that FortiGate PPTP VPNs do not support CHAP/MS-CHAPv2 when you authenticate your user groups via LDAP. According to Fortinet this is something they're aware of, and it works using PAP. When I spoke with them this morning I told them this is unacceptable as a workaround because it disables encryption: the MPPE keys are derived from the MS-CHAP exchange, so a PAP-authenticated PPTP session sends the password in the clear and carries no MPPE at all. I'll update this when I get a real solution.

Update: official answer, it's not supported: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=10718&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=51071690&stateId=0%200%2051073253 . I guess the solution is to use FortiClient (or Check Point...). Bear in mind that MS-CHAPv2 itself has been thoroughly broken since 2012 (the exchange reduces to recovering a single DES key), so PPTP is worth retiring even where MS-CHAPv2 does work.
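Whatever the gateway offers, the client should refuse to fall back to PAP rather than quietly sending the password in clear over an unencrypted tunnel. As an added example (not from the original post or Fortinet), this writes a pppd peers file for pptp-linux that refuses PAP and plain CHAP and requires 128-bit MPPE, so a connection to a PAP-only gateway fails instead of downgrading; the server address, username and peer name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or Fortinet): a fail-closed pppd
# peers file for pptp-linux. Refusing PAP/CHAP and requiring MPPE-128 means a
# gateway that only offers PAP gets a failed connection, not a cleartext one.
# Server address, username and the 'remotename' are placeholders.

write_pptp_peer() {  # $1 output file, $2 gateway address, $3 username
  cat >"$1" <<EOF
pty "pptp $2 --nolaunchpppd"
name $3
remotename PPTP
# Fail closed: MS-CHAPv2 with 128-bit MPPE only, never PAP or plain CHAP
refuse-pap
refuse-chap
refuse-mschap
require-mppe-128
lock
noauth
nobsdcomp
nodeflate
EOF
}

peer_fails_closed() {  # 0 only if the peers file both refuses PAP and requires MPPE-128
  grep -qx 'refuse-pap' "$1" && grep -qx 'require-mppe-128' "$1"
}

if [ $# -eq 3 ]; then
  write_pptp_peer "$1" "$2" "$3"
  peer_fails_closed "$1" && echo "wrote $1 (PAP refused, MPPE-128 required)"
fi
```

Usage: `sh pptp-peer.sh /etc/ppp/peers/corp vpn.example.com alice`, with the password in /etc/ppp/chap-secrets, then `pon corp`. Against the PAP-only FortiGate configuration described above, pppd will terminate the link during authentication instead of completing it.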