Network troubleshooting commands for Windows / Cisco Links
PROBLEM DESCRIPTION
I need a list of common Windows commands to help me troubleshoot Websense in my network.
RESOLUTION
The Windows troubleshooting commands discussed in this document fall into three categories:
1. Determine which groups a user belongs to
2. Helpful commands entered from the Start > Run dialog box
3. Command-line tools for troubleshooting network connectivity
Determine which groups a user belongs to
To generate a list of the groups that a user belongs to, open a command prompt and enter the following command:
net user <username> /domain
Replace <username> with an actual user name. For example:
net user jdoe /domain
Helpful commands entered from the Start > Run dialog box
mstsc Opens the Remote Desktop (RDP) tool
winmsd Opens the System Information dialog box
inetcpl.cpl Opens the Internet Explorer Properties dialog box
odbccp32.cpl Opens the ODBC Data Source Administrator
mmc Opens the Microsoft Management Console (MMC)
services.msc Opens the Windows Services dialog box
eventvwr.msc Opens the Windows Event Viewer
dsa.msc Opens the Active Directory User and Computers management console
dssite.msc Opens the Active Directory Sites and Services management console
adminpak.msi Launches the Administration Tools Pack installer
dxdiag Opens the DirectX Diagnostic Tool
\\<Name or IP>\C$ Opens a UNC path to the C$ share
cmd Opens the Windows Command Prompt using the 32-bit cmd shell
Command-line tools for troubleshooting network connectivity
arp -a Shows the gateway MAC address (from the ARP cache)
gpresult Starts the Operating System Group Policy Result tool
ipconfig /all Displays the full TCP/IP configuration for all adapters
ipconfig /flushdns Flushes the DNS resolver cache. Helpful when troubleshooting DNS name resolution problems
nbtstat -a <computer name> Obtains info from WINS or LMHOSTS by computer name (discovers who is logged on)
nbtstat -A <IP address> Obtains info from WINS or LMHOSTS by IP address (discovers who is logged on)
nbtstat -R Purges and reloads the remote cache name table
nbtstat -n Lists local NetBIOS names.
nbtstat -r Useful for detecting errors when browsing WINS or NetBIOS
netstat -ab The b switch links each used port with its application
netstat -an Shows open ports
netstat -an 1 | find "15868" Locates only lines with the number 15868 and redisplays every one second
netstat -an | find "LISTENING" Shows open ports with LISTENING status
net use Retrieves a list of network connections
net use \\1.2.3.4 Tests whether the machine can reach IP 1.2.3.4
net user Shows user account for the computer
net user /domain Displays user accounts for the domain
net user <username> /domain Shows account details for a specific user
net group /domain Shows group accounts for the domain
net view Displays domains in the network
net view /domain:<domain name> Lists the computers available in a specific domain
net view /domain:<domain name> | more Shows user accounts from a specific domain, one screen at a time
net view /cache Shows workstation names
nslookup Looks up IP/hostnames and displays information helpful in diagnosing DNS issues
ping -a <IP address> Resolves the IP address to a hostname
ping -t <host> Pings the host until stopped (Ctrl+C)
set U Shows which user is logged on
set L Shows the logon server
telnet <host> <port> Confirms whether the port is open
net use %LOGONSERVER%
Use this command to hit the Domain Controller so that DC Agent picks up the user name you logged onto the server with. An example of the command follows:
net use \\
Get MAC Address (Getmac.exe) Discovers the Media Access Control (MAC) address and lists associated network protocols for all network cards in a computer, either locally or across a network.
Hostname (Hostname.exe) Displays the host name of the current computer.
IP Configuration Utility (Ipconfig.exe) Displays all current Transmission Control Protocol/Internet Protocol (TCP/IP) network configuration values, and refreshes Dynamic Host Configuration Protocol (DHCP) and DNS settings.
Name Server Lookup (Nslookup.exe) Displays information about Domain Name System records for specific IP addresses and/or host names so that you can troubleshoot DNS problems.
Net services commands (Net.exe) Performs a broad range of network tasks. Type net with no parameters to see a full list of available command-line options.
Netstat (Netstat.exe) Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, and IPv4/IPv6 statistics.
Network Command Shell (Netsh.exe) Displays or modifies the network configuration of a local or remote computer that is currently running. This command-line scripting utility has a huge number of options, which are fully detailed in Help.
PathPing (Pathping.exe) Combines the functions of Traceroute and Ping to identify problems at a router or network link.
TCP/IP NetBIOS Information (Nbtstat.exe) Displays statistics for the NetBIOS over TCP/IP (NetBT) protocol, NetBIOS name tables for both the local computer and remote computers, and the NetBIOS name cache.
TCP/IP Ping (Ping.exe) Verifies IP-level connectivity to another internet address by sending Internet Control Message Protocol (ICMP) packets and measuring response time in milliseconds.
TCP/IP Route (Route.exe) Displays and modifies entries in the local IP routing table.
TCP/IP Traceroute (Tracert.exe) Determines the path to an internet address, and lists the time required to reach each hop. It’s useful for troubleshooting connectivity problems on specific network segments.
Ipconfig – Quickly Find Your IP Address
You can find your IP address from the Control Panel, but this takes quite a few clicks. The ipconfig command is a fast way of determining your computer’s IP address and other information, such as the address of its default gateway — useful if you want to know the IP address of your router’s web interface.
ipconfig /flushdns – Flush Your DNS Resolver Cache
If you change your DNS server, the effects won’t necessarily take place immediately. Windows uses a cache that remembers DNS responses it’s received, saving time when you access the same addresses again in the future.
To ensure Windows is getting addresses from the new DNS servers instead of using old, cached entries, run the ipconfig /flushdns command after changing your DNS server.
ping, tracert – Troubleshoot Network Connection Issues
If you’re experiencing issues connecting to a website or other network connection issues, Windows and other operating systems have some standard tools you can use to identify problems.
First, there’s the ping command. Type ping google.com and Windows will send packets to Google.com. Google will respond and let you know it’s received them. You’ll be able to see if any packets didn’t make it to Google.com — perhaps you’re experiencing packet loss — and how long it took you to hear back — perhaps the network is saturated and packets are taking a while to reach their destinations.
There’s also the tracert command, which traces the route it takes for a packet to reach a destination. For example, run tracert google.com and you’ll see the path your packet takes to reach Google. If you’re having issues connecting to a website, tracert can show you where the problem is occurring.
For more information about using these commands, read our introduction to troubleshooting Internet connection problems.
shutdown – Create Shutdown Shortcuts on Windows 8
The shutdown command is particularly useful on Windows 8. You can use it to create your own shortcuts and place them on your Start screen or desktop, allowing you to more easily shut down Windows without digging through the charms bar or logging out first.
This command can also be used to restart your computer. On Windows 8, you can even use a special switch to restart your computer into the advanced startup options menu.
Shut Down: shutdown /s /t 0
Restart: shutdown /r /t 0
Restart Into Startup Options: shutdown /r /o
recimg – Create Custom Recovery Images
The Refresh Your PC feature on Windows 8 allows you to restore your computer’s system state to its original state — either from a clean Windows install or as the computer came from its manufacturer. You can create your own custom recovery images, but this feature is hidden — you have to do it with the recimg command from a command line. This allows you to remove manufacturer-installed bloatware or add your favorite desktop programs to your recovery image.
For more information about using recimg, read our overview of everything you need to know about creating and using custom recovery images on Windows 8.
wbadmin start backup – Create System Recovery Images
Windows 8.1 removes the Windows 7 backup interface, which allowed you to create system backup images. These system images contain a complete snapshot of every single file on the system, so they’re different from Windows 8’s recovery images.
While the graphical interface has been removed, system administrators and geeks can still create system image backups by running the wbadmin start backup cmdlet in a PowerShell window. Unlike all the other commands here, this command-line tool must be run from within PowerShell, not the Command Prompt.
sfc /scannow – Scan System Files for Problems
Windows includes a system file checker tool that scans its system files and looks for problems. If system files are missing or corrupted, the system file checker will repair them. This may fix problems with some Windows systems.
To use this tool, open a Command Prompt window as Administrator and run the sfc /scannow command.
telnet – Connect to Telnet Servers
The telnet client isn’t installed by default. You’ll have to install it from the Control Panel. Once installed, you can use the telnet command to connect to telnet servers without installing any third-party software.
You should avoid using telnet if you can help it, but if you’re connected directly to a device and it requires that you use telnet to set something up — well, that’s what you have to do.
cipher – Permanently Delete and Overwrite a Directory
The cipher command is mostly used for managing encryption, but it also has an option that will write garbage data to a drive, clearing its free space and ensuring no deleted file can be recovered. Deleted files normally stick around on disk unless you’re using a solid state drive. The cipher command effectively allows you to “wipe” a drive without installing any third-party tools.
To use the command, specify the drive you want to wipe like so:
cipher /w:C:\
netstat -an – List Network Connections and Ports
The netstat command is particularly useful, displaying all sorts of network statistics when used with its various options. One of the most interesting variants of netstat is netstat -an, which displays a list of all open network connections on your computer, along with the port they’re using and the foreign IP address they’re connected to.
Network CMD Commands
1. ipconfig
This command shows the details of your Ethernet and WLAN (Wi-Fi) connections, such as the IP (Internet Protocol) address, the DNS (Domain Name System) servers and other connection information.
Ipconfig /all
This command gives the complete details, including the adapter, BIOS, MAC address, auto-configuration and DHCP (Dynamic Host Configuration Protocol) settings, in addition to everything shown by plain ‘ipconfig’.
Ipconfig /renew
This command renews all the IP address leases your computer currently holds from the DHCP server. It is a quick fix when you are having connection issues, but it does nothing if you have been configured with a static IP address.
Ipconfig /release
This command drops the IP lease obtained from the DHCP (Dynamic Host Configuration Protocol) server.
Ipconfig /flushdns
This command is only needed if you’re having trouble with your network’s DNS configuration. Run it after changing network settings, when you need the resolver cache cleared and the command to confirm that it was flushed.
2. nslookup
Nslookup is used for diagnosing DNS problems. If you can reach a resource by its IP address but not by its DNS name, you have a DNS problem.
3. ping
Ping is the most basic TCP/IP (Transmission Control Protocol/Internet Protocol) command, and it’s the same as placing a phone call to your best friend. You pick up your telephone and dial a number, expecting your best friend to reply with “Hello” on the other end. Computers make phone calls to each other over a network by using the ping command. The ping command’s main purpose is to place a phone call to another computer on the network and request an answer. Ping has two ways to place that call: it can use the computer’s name or its IP address.
4. netstat
Netstat displays a variety of statistics about a computer’s active TCP/IP connections. This tool is most useful when you’re having trouble with TCP/IP applications such as HTTP and FTP.
5. net view
This cmd command helps you know the devices connected to the same network to which your PC is connected. It shows the names of the devices connected to the same network.
6. arp -a
arp -a shows the devices on the same network with their IP addresses and MAC addresses.
To solve the “Limited Internet access” problem, first check your IP address. Pick an address on your router’s network whose last three digits are unique (each device must have a unique IP address).
After choosing the IP address, move on to DNS. To get your network’s default DNS server, run ‘ipconfig /all’ while the adapter is still in automatic mode (IP and DNS obtained automatically) and note down the DNS server.
After changing the IP address, use the default DNS server you noted, or use
Google DNS (8.8.8.8, 8.8.4.4), whichever connects. This is how you get out of the “Limited Internet access” problem.
I hope these CMD commands are more than enough to solve any kind of network connection Problem.
ASSOC
Most files in Windows are associated with a specific program that is assigned to open the file by default. At times, remembering these associations can become confusing. You can remind yourself by entering the command “assoc” to display a full list of file extensions and the programs they’re connected with.
You can also extend the command to change file associations. For example, “assoc .txt=” will change the file association for text files to whatever program you enter after the equal sign. The ASSOC command itself will reveal both the extension names and program names, which will help you properly use this command. You can probably do this more easily in the GUI, but the command line interface is a perfectly functional alternative.
Cipher
Deleting files on a mechanical hard drive doesn’t really delete them at all. Instead, it marks the files as no longer accessible and the space they took up as free. The files remain recoverable until they’re overwritten with new data, which can take some time.
The cipher command, however, can be used to wipe a directory by writing random data to it. To wipe your C drive, for example, you’d use the command “cipher /w:c”, which will wipe free space on the drive. The command does not overwrite undeleted data, so you will not wipe out files you need by running this command.
There’s also a host of other cipher commands, however, they are generally redundant with Bitlocker enabled versions of Windows.
Driverquery
Drivers remain among the most important software installed on a PC. Improperly configured or missing drivers can cause all sorts of trouble, so it’s good to have access to a list of what’s on your PC. That’s exactly what the “driverquery” command does. You can extend it to “driverquery -v” to obtain more information, including the directory in which the driver is installed.
File Compare
This command can be used to identify differences in text between two files, and is particularly useful for writers and programmers trying to find small changes between two versions of a file. Simply type “fc” and then the directory path and file name of the two files you want to compare.
You can also extend the command in several ways. Typing “/b” compares only binary output, “/c” disregards the case of text in the comparison, and “/l” only compares ASCII text.
So, for example, you could use the following:
fc /l "C:\Program Files (x86)\example1.doc" "C:\Program Files (x86)\example2.doc"
to compare ASCII text in two word documents.
Ipconfig
This command relays the IP address that your computer is currently using. However, if you’re behind a router (like most computers today), you’ll instead receive the local network address of the router.
Still, ipconfig is useful because of its extensions. “ipconfig /release” followed by “ipconfig /renew” can force your Windows PC into asking for a new IP address, which is useful if your computer claims one isn’t available. You can also use “ipconfig /flushdns” to refresh your DNS address. These commands are great if the Windows network troubleshooter chokes, which does happen on occasion.
Netstat
Entering the command “netstat -an” will provide you with a list of currently open ports and related IP addresses. You’ll also be told what state the port is in – listening, established or closed. This is a great command if you’re trying to troubleshoot the devices your PC is connected to or you’re afraid you’re infected with a Trojan and are trying to locate a malicious connection.
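The two netstat -an passages above (and the netstat -an 1 | find "15868" one-liner in the first section) leave the reading of the output to the eye. The following added example, not from the original page, parses a constructed netstat -an capture and separates the LISTENING sockets from ESTABLISHED connections whose peer lies outside the address ranges you consider internal (INTERNAL_NETS is an assumption to adjust to your own address plan); it also matches a port by number rather than by substring, so 15868 does not also hit 115868.

```python
import ipaddress

# Constructed sample of "netstat -an" output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:15868         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49712         10.0.0.20:15868        ESTABLISHED
  TCP    10.0.0.5:49801         203.0.113.45:4444      ESTABLISHED
  TCP    127.0.0.1:49152        127.0.0.1:15868        TIME_WAIT
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
"""

# Ranges treated as "inside" the network for this triage (assumption: adjust
# to your own address plan). Anything else counts as an external peer.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7", "::/128",
)]


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4) or '[host]:port' (IPv6) into (host, port).
    UDP foreign endpoints are printed as '*:*'; those become ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -an output into a list of dicts, skipping the headers."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = split_endpoint(parts[1])
        fhost, fport = split_endpoint(parts[2])
        rows.append({
            "proto": parts[0],
            "local_ip": lhost, "local_port": lport,
            "foreign_ip": fhost, "foreign_port": fport,
            "state": parts[3] if len(parts) > 3 else "",  # UDP has no state
        })
    return rows


def listening_ports(rows):
    """Equivalent of netstat -an | find "LISTENING": the (proto, port) pairs
    that accept traffic. UDP sockets carry no state, so they are included."""
    return sorted({(r["proto"], r["local_port"]) for r in rows
                   if r["state"] == "LISTENING" or r["proto"] == "UDP"})


def is_internal(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # '*' or a name rather than an address
        return False
    return any(addr in net for net in INTERNAL_NETS)


def external_established(rows):
    """ESTABLISHED connections whose peer is outside INTERNAL_NETS: the lines
    to examine first when looking for a connection you did not expect."""
    return [r for r in rows
            if r["state"] == "ESTABLISHED" and not is_internal(r["foreign_ip"])]


def connections_on_port(rows, port):
    """Like netstat -an | find "15868", but matched on the parsed port number,
    so port 15868 does not also match 115868 or 158680."""
    return [r for r in rows if port in (r["local_port"], r["foreign_port"])]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(rows))
    for r in external_established(rows):
        print("external peer:", r["foreign_ip"], r["foreign_port"])
    for r in connections_on_port(rows, 15868):
        print("port 15868:", r["local_ip"], r["local_port"], r["foreign_ip"], r["state"])
```

On a live machine, feed the script the output of netstat -an (or netstat -ano, which adds the owning process ID as a trailing column the parser ignores) instead of the constructed sample.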
Ping
Sometimes, you need to know whether or not packets are making it to a specific networked device. That’s where ping comes in handy. Typing “ping” followed by an IP address or web domain will send a series of test packets to the specified address. If they arrive and are returned, you know the device is capable of communicating with your PC; if it fails, you know that there’s something blocking communication between the device and your computer. This can help you decide if an issue is caused by improper configuration or a failure of network hardware.
Pathping
This is a more advanced version of ping that’s useful if there are multiple routers between your PC and the device you’re testing. Like ping, you use this command by typing “pathping” followed by the IP address, but unlike ping, pathping also relays some information about the route the test packets take.
Tracert
Powercfg
Powercfg is a very powerful command for managing and tracking how your computer uses energy. You can use the command “powercfg /hibernate on” and “powercfg /hibernate off” to manage hibernation, and you can also use the command “powercfg /a” to view the power-saving states currently available on your PC.
Another useful command is “powercfg /devicequery s1_supported” which displays a list of devices on your computer that support connected standby. When enabled, these devices can be used to bring your computer out of standby – even remotely. You can enable this by selecting the device in Device Manager, opening its properties, going to the Power Management tab and then checking the “Allow this device to wake the computer” box.
“Powercfg /lastwake” will show you what device last woke your PC from a sleep state. You can use this command to troubleshoot your PC if it seems to wake from sleep at random.
The “powercfg /energy” command can be used to build a detailed power consumption report for your PC, which is output to a directory indicated after the command finishes. This report will let you know of any system faults that might increase power consumption, like devices that are blocking certain sleep modes, or which aren’t properly configured to respond to your power management settings.
There is also “powercfg /batteryreport”, which provides a detailed analysis of battery use, if applicable. Normally output to your Windows user directory, the report provides details about the time and length of charge and discharge cycles, lifetime average battery life, and estimated battery capacity.
Shutdown
As of Windows 8/8.1 there is now a shutdown command that – you guessed it! – shuts down your computer. This is of course redundant with the already easily accessed shutdown button, but what’s not redundant is the “shutdown /r /o” command, which restarts your PC and launches the Advanced Start Options menu, which is where you can access Safe Mode and Windows recovery utilities. This is useful if you want to restart your computer for troubleshooting purposes.
System File Checker
System File Checker is an automatic scan and repair tool that focuses on Windows system files. You will need to run the command prompt with administrator privileges and enter the command “sfc /scannow”. If any corrupt or missing files are found, they’ll be automatically replaced using cached copies kept by Windows for just that purpose. The command can require a half-hour to run on older notebooks.
Recovery Image
Virtually all Windows 8/8.1 computers ship from the factory with a recovery image, but the image may include bloatware you’d rather not have re-installed. Once you’ve un-installed the software you can create a new image using the “recimg” command. Entering this command presents a very detailed explanation of how to use it. You must have administrator privileges to use the recimg command, and you can only access the custom recovery image you create via the Windows 8 “refresh” feature.
Tasklist
The “tasklist” command can be used to provide a current list of all tasks running on your PC. Though somewhat redundant with Task Manager, the command may sometimes find tasks hidden from view in that utility.
There’s also a wide range of modifiers.
“Tasklist -svc” shows services related to each task, “tasklist -v” can be used to obtain more detail on each task, and “tasklist -m” can be used to locate .dll files associated with active tasks. These commands are useful for advanced troubleshooting.
Taskkill
Tasks that appear in the “tasklist” command will have an executable and process ID (a four-digit number) associated with them. You can force stop a program using “taskkill -im” followed by the executable’s name, or “taskkill -pid” followed by the process ID. Again, this is a bit redundant with Task Manager, but may be used to kill otherwise unresponsive or hidden programs.
************************************************************************************************************************************************************************************************************************************************************************
Cisco Network Troubleshooting
Ping
Traceroute
Telnet
Show interfaces
Show ip interface
Show ip route
Show running-config
Show startup-config
Troubleshooting Tools
This chapter presents information about the wide variety of tools available to assist you in troubleshooting your internetwork. This includes information on using router diagnostic commands, Cisco network management tools, and third-party troubleshooting tools.
Cisco routers provide numerous integrated commands to assist you in monitoring and troubleshooting your internetwork. The following sections describe the basic use of these commands:
•The show commands help monitor installation behavior and normal network behavior, as well as isolate problem areas.
•The trace commands provide a method of determining the route by which packets reach their destination from one device to another.
The show commands are powerful monitoring and troubleshooting tools. You can use the show commands to perform a variety of functions:
•show version—Displays the configuration of the system hardware, the software version, the names and sources of configuration files, and the boot images.
•show interfaces—Displays statistics for all interfaces configured on the router or access server. The resulting output varies, depending on the network for which an interface has been configured.
•show memory summary—Displays memory pool statistics and summary information about the activities of the system memory allocator, and gives a block-by-block listing of memory use.
•show stacks—Displays information about the stack utilization of processes and interrupt routines, as well as the reason for the last system reboot.
•show cdp neighbors—Provides a degree of reachability information of directly connected Cisco devices. This is an extremely useful tool to determine the operational status of the physical and data link layer. Cisco Discovery Protocol (CDP) is a proprietary data link layer protocol.
Like the debug commands, some of the show commands listed previously are accessible only at the router's privileged exec mode (enable mode). This will be explained further in the "Using debug commands" section.
Hundreds of other show commands are available. For details on using and interpreting the output of specific show commands, refer to the Cisco Internetwork Operating System (IOS) command references.
The debug privileged exec commands can provide a wealth of information about the traffic being seen (or not seen) on an interface, error messages generated by nodes on the network, protocol-specific diagnostic packets, and other useful troubleshooting data. To access and list the privileged exec commands, enter this code:
Note the change in the router prompts here. The # prompt (instead of the normal > prompt) indicates that you are in the privileged exec mode (enable mode).
1. ifconfig
The ifconfig (interface configurator) command is used to initialize an interface, assign an IP address to it and enable or disable it on demand. With this command you can view the IP address and the hardware / MAC address assigned to an interface, as well as its MTU (maximum transmission unit) size.
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:28:FD:4C
inet addr:192.168.50.2 Bcast:192.168.50.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe28:fd4c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6093 errors:0 dropped:0 overruns:0 frame:0
TX packets:4824 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6125302 (5.8 MiB) TX bytes:536966 (524.3 KiB)
Interrupt:18 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:480 (480.0 b) TX bytes:480 (480.0 b)
ifconfig with an interface name (eth0) shows only that interface's details, such as its IP address and MAC address. The -a option displays all available interfaces, including those that are disabled.
# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:28:FD:4C
inet addr:192.168.50.2 Bcast:192.168.50.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe28:fd4c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6119 errors:0 dropped:0 overruns:0 frame:0
TX packets:4841 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6127464 (5.8 MiB) TX bytes:539648 (527.0 KiB)
Interrupt:18 Base address:0x2000
************************************************************************************************************************************************************************************************************************************************************************
List of Linux troubleshooting commands/tools, part 1
1) Use tail -f to watch a log file in real time; the advantage is simple: you can spot error or warning messages as they happen.
tail -f /path/to/log/file
Example(s):
# tail -f /var/log/maillog
2) Use the telnet command to see whether you get a response or not. Sometimes you will also see an informative banner message:
telnet ip port
Example(s):
# telnet localhost 53
# telnet localhost 25
3) Make sure you can see the PID of your service.
pidof service-name
cat /var/run/service.pid
Example(s):
# pidof sshd
# cat /var/run/sshd.pid
4) You need to make sure that your DNS server or a third-party DNS server (ISP) is accessible. This is an important step, as many network services depend upon DNS; sendmail/postfix or Squid, for example. Run dig or nslookup. No timeout should occur.
# dig your-domain.com
# nslookup gw.isp.com
# more /etc/resolv.conf
5) For network troubleshooting, make sure your IP address configuration is right: gateway, routing, hostname etc. are all configured. Here is a list of tools on Red Hat Linux to verify or modify this information:
Hostname verification or setup tools
hostname : To get the hostname of the server.
hostname -f : To get the FQDN hostname of the server
more /etc/sysconfig/network : Where the hostname is set and networking can be enabled or disabled.
dnsdomainname : List or set up the domain name.
more /etc/hosts : Make sure at least the localhost entry exists.
Ethernet configuration tools
ifconfig : To see running network card information.
ifconfig eth0 up|down : To enable|disable network interface
service network reload|restart|stop|start : To reload (after changes are made to the IP config file)|restart|stop|start the network interface with all its properties.
route | netstat -rn : To print the routing table
ping ip-address : To see if a host is alive or dead
more /etc/modules.conf : To see whether the configuration alias for your network card (eth0) exists.
lsmod : To list loaded modules (read: drivers); check whether the eth0 driver module is loaded, and if not, use insmod to insert (load) it.
dhclient : Dynamic Host Configuration Protocol client; run this if your Ethernet card is not getting an IP address from the DHCP server on startup. By default this command also shows useful information.
To see whether a service is blocked because of access control
iptables -n -L : To list all iptables rules; useful to see whether the firewall blocks the service.
service iptables stop|start : To stop|start iptables
more /etc/xinetd.conf
OR
more /etc/xinetd.d/SERVICENAME : To list the configuration of the xinetd server. Again useful to see whether xinetd-based access control blocks the service (xinetd includes host-based and time-based access control)
more /etc/hosts.allow : To see the list of hosts allowed to access a service.
more /etc/hosts.deny : To see the list of hosts NOT allowed to access a service. NOTE: the TCP wrappers files (hosts.allow|hosts.deny) are checked first, and xinetd-based access control is checked afterwards.
more /etc/path/to/application.conf : See your application's configuration file for access control. For example smb.conf and many other applications/services have their own access control list inside the application. You need to check that as well.
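The check order in the note above (hosts.allow first, then hosts.deny, then everything else allowed) is easy to get wrong when reading the two files by hand. This added example, not from the original page, evaluates that order for a daemon and a client IP against constructed hosts.allow and hosts.deny contents; it implements only a subset of the TCP wrappers client syntax (ALL, an exact IPv4 address, net/mask, a dotted prefix such as 10.0.0., and EXCEPT) and does not resolve hostnames, which is an assumption to keep it offline.

```python
import ipaddress

# Constructed sample files (not from a real host). hosts.allow is consulted
# first; a match there grants access. hosts.deny is consulted only if nothing
# in hosts.allow matched; no match in either file means access is allowed.
HOSTS_ALLOW = """\
# management network and the 10.0.0.x lab may ssh, except one host
sshd: 192.168.1.0/255.255.255.0, 10.0.0. EXCEPT 10.0.0.99
smtpd: ALL
"""
HOSTS_DENY = """\
ALL: ALL
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list [EXCEPT client_list]' lines into
    (daemons, clients, exceptions) tuples, ignoring comments and blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, _, clients = line.partition(":")
        clients, _, exceptions = clients.partition("EXCEPT")
        rules.append((
            [d.strip() for d in daemons.split(",")],
            [c.strip() for c in clients.split(",") if c.strip()],
            [e.strip() for e in exceptions.split(",") if e.strip()],
        ))
    return rules


def client_matches(pattern, ip):
    """Subset of tcp_wrappers client patterns (assumption: IPv4 only, no
    hostnames): ALL, 'net/mask', a trailing-dot prefix, or an exact address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(ip) in network
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern


def rule_matches(rule, daemon, ip):
    """A rule matches when the daemon is listed (or ALL) and the client
    matches a client pattern without matching any EXCEPT pattern."""
    daemons, clients, exceptions = rule
    if daemon not in daemons and "ALL" not in daemons:
        return False
    if any(client_matches(e, ip) for e in exceptions):
        return False
    return any(client_matches(c, ip) for c in clients)


def wrappers_decision(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return 'allow' or 'deny' following the hosts.allow-then-hosts.deny order."""
    if any(rule_matches(r, daemon, ip) for r in parse_rules(allow_text)):
        return "allow"
    if any(rule_matches(r, daemon, ip) for r in parse_rules(deny_text)):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for daemon, ip in (("sshd", "192.168.1.7"), ("sshd", "10.0.0.99"),
                       ("sshd", "203.0.113.9"), ("smtpd", "203.0.113.9")):
        print(daemon, ip, "->", wrappers_decision(daemon, ip))
```

To test a real host's files, pass the contents of /etc/hosts.allow and /etc/hosts.deny as allow_text and deny_text; remember that xinetd and the application's own access list are still checked after this decision.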
Read man page
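The note above gives the order in which TCP wrappers evaluate hosts.allow and hosts.deny. As an added example (not part of the original page), the bash functions below reproduce that order against a pair of constructed policy files, so you can predict whether a daemon/client pair will be refused before editing the real files or stopping the firewall. Only a subset of the hosts_access(5) syntax is implemented: the ALL wildcard, exact IPv4 addresses and trailing-dot network prefixes; hostnames, netmask forms and EXCEPT are deliberately left out.

```bash
#!/bin/bash
# Added example: predict the TCP wrappers decision for a (daemon, client) pair.
# libwrap order, per hosts_access(5):
#   1. first matching line in hosts.allow  -> allow, stop searching
#   2. first matching line in hosts.deny   -> deny,  stop searching
#   3. no match in either file             -> allow
# Subset handled here: client tokens ALL, an exact IPv4 address, and a
# trailing-dot network prefix such as 192.168.50.  (hostnames, netmask and
# EXCEPT forms are not implemented).

# _wrap_match_list LIST VALUE KIND   (KIND is daemon or client)
_wrap_match_list() {
  local tok
  for tok in $(printf '%s' "$1" | tr ',' ' '); do
    [ "$tok" = ALL ] && return 0
    [ "$tok" = "$2" ] && return 0
    if [ "$3" = client ]; then
      case "$tok" in
        *.) case "$2" in "$tok"*) return 0 ;; esac ;;   # network prefix, e.g. 192.168.50.
      esac
    fi
  done
  return 1
}

# _wrap_file_matches FILE DAEMON CLIENT : 0 if any rule line matches both lists
_wrap_file_matches() {
  local line daemons clients
  [ -r "$1" ] || return 1                       # a missing file simply has no rules
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                            # strip comments
    case "$line" in *:*) ;; *) continue ;; esac # skip blank / malformed lines
    daemons=${line%%:*}
    clients=${line#*:}; clients=${clients%%:*}  # ignore an optional third field (shell_command etc.)
    if _wrap_match_list "$daemons" "$2" daemon && _wrap_match_list "$clients" "$3" client; then
      return 0
    fi
  done < "$1"
  return 1
}

# tcpwrap_check DAEMON CLIENT_IP [ALLOW_FILE] [DENY_FILE]
# Prints allow or deny and returns 0 for allow, 1 for deny.
tcpwrap_check() {
  local daemon=$1 client=$2 allow=${3:-/etc/hosts.allow} deny=${4:-/etc/hosts.deny}
  if _wrap_file_matches "$allow" "$daemon" "$client"; then echo allow; return 0; fi
  if _wrap_file_matches "$deny"  "$daemon" "$client"; then echo deny;  return 1; fi
  echo allow
}

# Constructed policy for the demonstration (not a real host's files). It is left
# in $WRAP_DEMO so the calls can be repeated; remove with: rm -rf "$WRAP_DEMO"
WRAP_DEMO=$(mktemp -d)
cat > "$WRAP_DEMO/hosts.allow" <<'EOF'
# management LAN may reach sshd; a single host may reach vsftpd
sshd   : 192.168.50.
vsftpd : 192.168.50.10
EOF
cat > "$WRAP_DEMO/hosts.deny" <<'EOF'
ALL : ALL
EOF

for probe in "sshd 192.168.50.7" "sshd 10.0.0.5" "vsftpd 192.168.50.11" "vsftpd 192.168.50.10"; do
  set -- $probe
  printf '%-7s from %-15s -> %s\n' "$1" "$2" \
    "$(tcpwrap_check "$1" "$2" "$WRAP_DEMO/hosts.allow" "$WRAP_DEMO/hosts.deny")"
done
```

Run against the live files by omitting the last two arguments (tcpwrap_check sshd 10.0.0.5). The deny-everything default in hosts.deny is the usual hardening pattern; the function shows why a host that is not listed in hosts.allow is refused even though no line names it explicitly.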
Assigning IP Address and Gateway
Assign an IP address to an interface on the fly. Settings made this way are lost on reboot; to keep them, put them in the interface's ifcfg file (/etc/sysconfig/network-scripts/ifcfg-eth0 on Red Hat-style systems).
# ifconfig eth0 192.168.50.5 netmask 255.255.255.0
A
alias
A way to run a command or a series of Unix commands using a shorter name than those that are usually associated with such commands.
How to use the alias command in Linux.
apt-get
Apt-get is the command-line tool for fetching, installing, upgrading and removing Debian packages and their dependencies.
How to manage software on an Ubuntu Server with "aptitude" and "apt-get."
Understanding the Debian archives and apt-get.
Inside the Red Hat and Debian package management differences.
Aspell
GNU Aspell is a free and open source spell checker designed to replace Ispell. It can either be used as a library or as an independent spell checker.
How to use Aspell to check spelling.
AWK, Gawk
A programming language tool used to manipulate text. The language of the AWK utility resembles the shell programming language in many areas, although AWK's syntax is very much its own.
Learn how to use the AWK utility.
Gawk is the GNU Project's version of the AWK programming language.
B
bzip2
A portable, fast, open source program used to compress and decompress files at a high rate.
How to use bzip2 in Linux.
More on how to use the bzip2 compression program.
C
cat
A Unix/Linux command that reads files and writes them to standard output, concatenating several files when more than one is given. Cat is most commonly used for displaying the contents of a file; it does not modify files.
See how to use cat to display the contents of a file in Linux.
An article on what you can do with the cat command.
cd
The cd command changes the current directory in Linux and can toggle between directories conveniently. Cd is similar to the CD and CHDIR commands in MS-DOS.
See more on how to use the cd command to change directories.
chmod
Chmod changes the access mode (permissions) of one or more files. Only the owner of a file or a privileged user may change the access mode.
See examples of changing the permissions of files using chmod.
chown
Chown changes the owner and/or group of files and, with the recursive option, of every object within a directory tree; it can also report each object it processes.
Learn how to change file ownership with chown.
cmp
The cmp utility compares two files of any type and writes the results to the standard output. By default, cmp is silent if the files are the same; if they differ, the byte and line number at which the first difference occurred is reported.
See examples of using cmp.
comm
Comm compares two sorted files line by line. The output is in three columns; from left to right: lines unique to file1, lines unique to file2 and lines common to both files.
More on comparing lines with comm.
Read a brief tutorial on using comm.
cp
The cp command copies files and directories; a single copy can be given a different name, or several files can be copied at once into another directory.
Find out how to copy Linux files and directories with the cp command.
cpio
Cpio copies files into or out of a cpio or tar archive. An archive is a file that contains other files plus information about them, such as their file name, owner, timestamps and access permissions. The archive can be another file on the disk, a magnetic tape or a pipe. Cpio has three operating modes (copy-out, copy-in and pass-through) and takes the list of files to archive from standard input, so it pairs naturally with find; many admins use it as an alternative to tar.
Learn how to use cpio when moving files in a Unix-to-Linux port.
See how to back up files with cpio.
CRON
CRON is a Linux system process that will execute a program at a preset time. To use CRON, a user must prepare a text file that describes the program to be executed and the times at which CRON should execute them. Then the crontab program can be used to load the text file that describes the CRON jobs into CRON.
Using CRON to execute programs at specific times.
D
date
Date displays or sets the system's date and time. It is also a handy way to print a timestamp from a script.
A few more examples of setting date and time with date.
declare
Declare declares variables, gives them attributes or modifies properties of variables.
Examples of declaring variables with declare.
df
Df displays the amount of disk space available on the file system containing each file name argument. With no file name, available space on all currently mounted file systems is shown.
More on using df to display the amount of disk space available.
E
echo
Echo allows a user to repeat, or "echo," a string variable to standard output.
More on using the echo command with shell scripts.
enable
Enable will stop or start printers or classes.
Examples of how to enable LP printers.
env
Env runs a program in a modified environment or displays the current environment and its variables.
Examples of changing the environment variables using env.
eval
Eval concatenates its arguments into a single command line, has the shell parse and execute it, and returns that command's exit status.
More on concatenating arguments with eval.
exec
Exec replaces the current shell process with the command given, without creating a new process; when called without a command it redirects the shell's own file descriptors.
More examples of replacing parent processes with exec.
exit
The exit command terminates a script and can return a value to the parent script.
More on terminating scripts with exit.
expect
Expect talks to other interactive programs according to a script and waits for a response, often from any string that matches a given pattern.
Using expect for responses.
export
Export marks shell variables (and, in bash, functions) so that they are passed in the environment of every command the shell subsequently runs; variables set without export stay local to the current shell.
F
find
Find searches a directory tree for files that meet specified conditions, such as -name, -type, -size, -mtime and -user, and can run a command on each match with -exec.
Efficiently locate files with find.
for, while
For and while are used to execute or loop items repeatedly as long as certain conditions are met.
More on looping items with the for command.
More on looping items with the while command.
free
Free displays the total amount of free and used physical memory and swap space in the system, as well as the buffers and cache used by the kernel.
Learn how to use the free command to optimize a computer's memory.
G
gawk
See "AWK."
grep
Grep searches files (or standard input) for lines matching a given string or regular expression and prints them. It does not modify files (substitutions are the job of sed); it is one way of finding which file contains a given piece of text.
Examples of searching with grep.
gzip
Gzip is the GNU project's open source file compression program, based on DEFLATE. The same format is used to compress web pages on the server for decompression in the browser, and several gzip files can be concatenated into one that decompresses as a single stream.
Examples of using gzip for compressing files.
I
ifconfig
Ifconfig is used to configure the kernel-resident network interfaces. It is used at boot time to set up interfaces. After that, it is usually only needed when debugging or when system tuning is needed.
Examples of using ifconfig to configure a network.
Using ifconfig to detect Linux network configuration problems.
ifup
Ifup configures a network interface/enables a network connection.
More on the ifup command in configuring network interfaces.
ifdown
Ifdown shuts down a network interface/disables a network connection.
More on shutting down networks with ifdown.
L
less, more
The less command lets an admin page through configuration and error log files one screen at a time, moving backward or forward and searching within the file.
View several different file types with less.
Similar to less, more pages through text one screen at a time, but is more limited in moving in files.
See a few examples of displaying files with more.
locate, slocate
Locate reads one or more databases built by updatedb and writes file names matching a pattern to standard output; because it searches a database rather than the disk it is fast, but the results can be stale.
Finding files/directories efficiently with locate.
Like locate, slocate, or secure locate, provides a way to index and quickly search for files, but also securely stores file permissions and ownership so unauthorized users will be unable to view such information.
See an example of using slocate as a quick, secure way to index files.
lft
Lft (Layer Four Traceroute) is similar to traceroute in determining the route to a host, but sends TCP (or UDP) probes, so it can trace through firewalls that filter ordinary ICMP/UDP traceroute, and it can report AS numbers and netblock names for each hop.
More on displaying route packets with lft.
ln
The ln command creates a new name for a file: a hard link by default, or a symbolic link with -s.
Examples of hard linking files with ln.
A few more examples of using ln.
ls
The ls command lists files and directories in the current working directory; with -l it shows permissions, owner and modification time, so admins can see when configuration files were last edited.
The ls command is discussed in this tip.
Examples of listing files and directories with ls.
M
man
Short for "manual," man allows a user to format and display the user manual built into Linux distributions which documents commands and other aspects of the system.
The man command is discussed in this tip.
See how to use the man command.
See examples of formatting man pages.
mc
Midnight Commander (mc) is a visual, text-based file manager for Unix-like systems.
An extensive guide to managing files with mc.
more
See "less."
N
neat
Neat is a GNOME GUI admin tool which allows admins to specify the information needed to set up a network card, among other features.
Setting up an NTL Cable Modem using neat.
Where neat falls when building a network between Unix and Linux systems.
netconfig/netcfg
Netconfig configures a network, enables network products and displays a series of screens that ask for configuration information.
Configuring networks using netcfg.
netstat
Netstat provides information and statistics about protocols in use and current TCP/IP network connections. It is a helpful forensic tool in figuring out which processes and programs are active on a computer and are involved in network communications.
More on checking network statuses with the netstat command.
nslookup
Nslookup allows a user to enter a host name and find the corresponding IP address. A reverse of that process to find the host name is also possible.
More from Microsoft on how to find IP addresses with nslookup.
O
od
Od is used to dump binary files in octal (or hex/binary) format to standard output.
Examples of dumping files with od.
See examples of od.
P
passwd
Passwd updates a user's authentication tokens (changes their current password).
Some examples of changing passwords with passwd.
ping
Ping sends ICMP echo requests to verify that a host at a given IP address is reachable and answering. It is used to test connectivity and measure response time and to confirm that the host you are trying to reach is actually up; note that hosts and firewalls that drop ICMP appear down even when the service you need is working.
Examples of using ping to verify IP addresses.
ps
Ps reports the statuses of current processes in a system.
Some examples of using the ps command.
pwd
The pwd (print working directory) command displays the name of the current working directory. This is a basic Linux command.
Learn the difference between $PATH and pwd.
Using pwd to print the current working directory.
R
read
Read is used to read lines of text from standard input and to assign values of each field in the input line to shell variables for further processing.
Examples of using read.
RPM
Red Hat Package Manager (RPM) is a command-line-driven program capable of installing, uninstalling and managing software packages in Linux.
Managing packages with RPM.
The differences between yum and RPM.
Examples of installing packages with RPM.
rsync
Rsync copies and synchronizes files between directories or hosts, transferring only the differences between source and destination. It is similar to rcp but has many more options.
A tip on backing up data with rsync.
How to use rsync to back up a directory in Linux.
S
screen
The GNU screen utility is a terminal multiplexer: a single terminal window hosts multiple shell sessions, which survive a dropped connection and can be reattached later.
A tutorial on running multiple windows and other uses of screen.
A tip on the uses of screen.
sdiff
Sdiff shows the differences between two files as a side-by-side listing that marks dissimilar lines; with -o it interactively merges the two files into an output file.
An example of contrasting files with sdiff.
sed
Sed is a stream editor that is used to filter text in a pipeline, distinguishing it from other editors. Sed takes text input, performs operations on it and outputs the modified text. Sed is typically used to extract part of a file using pattern matching or to substitute multiple occurrences of a string within a file.
More on extracting and replacing parts of a file with sed.
Several more examples of using sed for filtering.
shutdown
Shutdown brings the system down cleanly and takes options such as -h, to halt after shutdown, or -r, to reboot after shutdown.
Shut down or halt a computer with shutdown.
slocate
See "locate."
Snort
Snort is an open source network intrusion detection system and packet sniffer that monitors network traffic, looking at each packet to detect dangerous payloads or suspicious anomalies. Snort is based on libpcap.
Stopping hackers with Snort.
More on using Snort.
sort
Used to sort lines of text alphabetically or numerically according to fields; multiple sort keys can also be used.
Examples of sorting through lines of text with the sort command.
sudo
Sudo lets a system admin grant particular users the ability to run some (or all) commands as root (or another user), and logs every command and its arguments.
A tutorial on giving permissions to users with the sudo command.
SSH
SSH (Secure Shell) provides encrypted, authenticated command-line access to a remote computer and is used by network admins to control servers remotely; it replaces telnet, rlogin and rsh, which send credentials in the clear.
A comprehensive tutorial on secure access to remote computers with SSH.
T
tar
The tar program provides the ability to create archives from a number of specified files or to extract files from such an archive.
Examples of creating archives with tar.
TOP
TOP displays a continuously updated list of the tasks on the system that use the most CPU and memory, together with load, memory and swap summaries. Tasks can be sorted by CPU usage, memory usage and run time.
Monitoring system processes with TOP.
tr
Tr translates or deletes characters in a text stream. It reads standard input and writes standard output; it does not accept file names as arguments, so feed it through a redirection or a pipe.
Examples of translating characters with tr.
traceroute
Traceroute determines and records the route packets take between two computers and is useful for troubleshooting network/router issues. If a domain name does not resolve, an IP address can be traced directly.
A tutorial on using traceroute to determine network issues.
U
uname
Uname displays the name of the current operating system and can print information about the system.
Examples of viewing information on the current operating system with uname.
uniq
Uniq compares adjacent lines in a file and removes or reports duplicate lines; the input is usually sorted first so that duplicates are adjacent.
Removing duplicate lines with the uniq command.
A tip on removing redundant lines with uniq.
V
vi
Vi is a modal, screen-oriented text editor driven entirely from the keyboard, with no mouse required; it is present on virtually every Unix-like system.
An entire guide to using vi to easily control a system with the keyboard.
vmstat
Vmstat is used to get a snapshot of everything in a system and to report information on such items as processes, memory, paging and CPU activity. This is a good method for admins to use to determine where issues/slowdown in a system may be occurring.
How to keep an eye on Linux performance with vmstat and other commands.
Examples of viewing system memory usage with vmstat.
W
wc
Wc counts the lines, words and bytes (or characters) in text files and prints a total when several files are given.
More examples of displaying word counts with wc.
wget
Wget is a non-interactive network utility that retrieves files over HTTP, HTTPS and FTP. It can keep running in the background after the user logs off and can mirror a site, recreating the directory structure of the original.
Examples of creating mirror images of sites with wget.
while
See "for."
whoami
Whoami prints or writes the user/login name associated with the current user ID to the standard output.
Examples of determining which login name is used with whoami.
X
xargs
Xargs reads, builds and executes arguments from standard input; blank lines in the input are ignored.
Examples of running commands from input with xargs.
Enable or Disable Specific Interface
To enable or disable a specific interface, use ifup and ifdown, which apply the settings in the interface's ifcfg file:
Enable eth0
# ifup eth0
Disable eth0
# ifdown eth0
Setting MTU Size
By default the MTU is 1500 bytes. Set the required MTU with the command below, replacing XXXX with the size in bytes.
# ifconfig eth0 mtu XXXX
Set Interface in Promiscuous mode
Normally a network interface only accepts frames addressed to that particular NIC (plus broadcast and multicast). In promiscuous mode it accepts every frame seen on the segment, which is what packet capture tools rely on when you want to record traffic for later analysis. Superuser access is required, and the PROMISC flag then appears in the interface's ifconfig output, so a sniffing host can be spotted by anyone who checks the flags. Note the syntax: promisc enables the mode and -promisc disables it.
# ifconfig eth0 promisc
2. PING Command
PING (Packet INternet Groper) is the simplest way to test connectivity between two nodes, whether on a Local Area Network (LAN) or across a Wide Area Network (WAN). Ping uses ICMP (Internet Control Message Protocol) echo request and echo reply messages; many hosts and firewalls drop ICMP, so a failed ping does not prove the host is down. You can ping a hostname or an IP address:
# ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.
64 bytes from 4.2.2.2: icmp_seq=1 ttl=44 time=203 ms
64 bytes from 4.2.2.2: icmp_seq=2 ttl=44 time=201 ms
64 bytes from 4.2.2.2: icmp_seq=3 ttl=44 time=201 ms
OR
# ping www.tecmint.com
PING tecmint.com (50.116.66.136) 56(84) bytes of data.
64 bytes from 50.116.66.136: icmp_seq=1 ttl=47 time=284 ms
64 bytes from 50.116.66.136: icmp_seq=2 ttl=47 time=287 ms
64 bytes from 50.116.66.136: icmp_seq=3 ttl=47 time=285 ms
On Linux, ping keeps running until you interrupt it. With the -c option, ping exits after N requests have been sent, whether or not they were answered:
# ping -c 5 www.tecmint.com
PING tecmint.com (50.116.66.136) 56(84) bytes of data.
64 bytes from 50.116.66.136: icmp_seq=1 ttl=47 time=285 ms
64 bytes from 50.116.66.136: icmp_seq=2 ttl=47 time=285 ms
64 bytes from 50.116.66.136: icmp_seq=3 ttl=47 time=285 ms
64 bytes from 50.116.66.136: icmp_seq=4 ttl=47 time=285 ms
64 bytes from 50.116.66.136: icmp_seq=5 ttl=47 time=285 ms
--- tecmint.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4295ms
rtt min/avg/max/mdev = 285.062/285.324/285.406/0.599 ms
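As an added example (not from the original article), the bash functions below wrap ping the way a troubleshooting script should: a bounded count with -c, a per-reply timeout with -W, and -n to skip reverse DNS so that a DNS problem is not mistaken for a reachability problem. The result is then classified from the summary lines shown above. The embedded sample outputs are constructed (the first reuses the numbers from the run above); -W in seconds assumes the Linux iputils ping.

```bash
#!/bin/bash
# Added example: bounded ping with a verdict derived from the summary lines.
# parse_ping_summary works on captured output, so it can be exercised offline;
# ping_check calls the real ping (Linux iputils flags assumed).

# parse_ping_summary  < ping-output
# Prints "STATUS LOSS% AVG_MS" where STATUS is up, degraded or down.
# "down -" is printed when no summary line was found (host name did not
# resolve, ping refused to start, or the output was cut off).
parse_ping_summary() {
  awk '
    /packets transmitted/ {                 # "5 packets transmitted, 5 received, 0% packet loss, time 4295ms"
      for (i = 1; i <= NF; i++) if ($i ~ /%$/) { loss = $i; sub(/%/, "", loss) }
    }
    /^rtt min\/avg\/max/ {                  # "rtt min/avg/max/mdev = 285.062/285.324/285.406/0.599 ms"
      split($4, t, "/"); avg = t[2]
    }
    END {
      if (loss == "") { print "down -"; exit }
      lossn = loss + 0
      status = (lossn >= 100) ? "down" : (lossn > 0 ? "degraded" : "up")
      printf "%s %s%% %s\n", status, loss, (avg == "" ? "-" : avg)
    }'
}

# ping_check HOST [COUNT]
# Sends COUNT (default 5) requests, waits at most 2 s for each reply, and skips
# reverse DNS. Prints the verdict and returns 0 only when the host is up.
ping_check() {
  local host=$1 count=${2:-5} result
  result=$(ping -n -c "$count" -W 2 "$host" 2>/dev/null | parse_ping_summary)
  printf '%-20s %s\n' "$host" "$result"
  case "$result" in up*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample outputs for offline use.
PING_SAMPLE='PING tecmint.com (50.116.66.136) 56(84) bytes of data.
64 bytes from 50.116.66.136: icmp_seq=1 ttl=47 time=285 ms
--- tecmint.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4295ms
rtt min/avg/max/mdev = 285.062/285.324/285.406/0.599 ms'

PING_SAMPLE_LOSSY='--- 192.168.50.99 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4001ms'

printf '%s\n' "$PING_SAMPLE"       | parse_ping_summary    # up 0% 285.324
printf '%s\n' "$PING_SAMPLE_LOSSY" | parse_ping_summary    # down 100% -
```

A sweep is then a loop: for h in 192.168.50.1 4.2.2.2; do ping_check "$h"; done. Because the verdict comes from the summary line and not from ping's exit code, partial loss is reported as degraded instead of being rounded to up or down.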
3. TRACEROUTE Command
traceroute is a network troubleshooting utility that shows the number of hops taken to reach a destination and the path the packets travel. Below we trace the route to a public DNS server (4.2.2.2) and reach it; each line is one hop with three round-trip times.
# traceroute 4.2.2.2
traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 60 byte packets
1 192.168.50.1 (192.168.50.1) 0.217 ms 0.624 ms 0.133 ms
2 227.18.106.27.mysipl.com (27.106.18.227) 2.343 ms 1.910 ms 1.799 ms
3 221-231-119-111.mysipl.com (111.119.231.221) 4.334 ms 4.001 ms 5.619 ms
4 10.0.0.5 (10.0.0.5) 5.386 ms 6.490 ms 6.224 ms
5 gi0-0-0.dgw1.bom2.pacific.net.in (203.123.129.25) 7.798 ms 7.614 ms 7.378 ms
6 115.113.165.49.static-mumbai.vsnl.net.in (115.113.165.49) 10.852 ms 5.389 ms 4.322 ms
7 ix-0-100.tcore1.MLV-Mumbai.as6453.net (180.87.38.5) 5.836 ms 5.590 ms 5.503 ms
8 if-9-5.tcore1.WYN-Marseille.as6453.net (80.231.217.17) 216.909 ms 198.864 ms 201.737 ms
9 if-2-2.tcore2.WYN-Marseille.as6453.net (80.231.217.2) 203.305 ms 203.141 ms 202.888 ms
10 if-5-2.tcore1.WV6-Madrid.as6453.net (80.231.200.6) 200.552 ms 202.463 ms 202.222 ms
11 if-8-2.tcore2.SV8-Highbridge.as6453.net (80.231.91.26) 205.446 ms 215.885 ms 202.867 ms
12 if-2-2.tcore1.SV8-Highbridge.as6453.net (80.231.139.2) 202.675 ms 201.540 ms 203.972 ms
13 if-6-2.tcore1.NJY-Newark.as6453.net (80.231.138.18) 203.732 ms 203.496 ms 202.951 ms
14 if-2-2.tcore2.NJY-Newark.as6453.net (66.198.70.2) 203.858 ms 203.373 ms 203.208 ms
15 66.198.111.26 (66.198.111.26) 201.093 ms 63.243.128.25 (63.243.128.25) 206.597 ms 66.198.111.26 (66.198.111.26) 204.178 ms
16 ae9.edge1.NewYork.Level3.net (4.68.62.185) 205.960 ms 205.740 ms 205.487 ms
17 vlan51.ebr1.NewYork2.Level3.net (4.69.138.222) 203.867 ms vlan52.ebr2.NewYork2.Level3.net (4.69.138.254) 202.850 ms vlan51.ebr1.NewYork2.Level3.net (4.69.138.222) 202.351 ms
18 ae-6-6.ebr2.NewYork1.Level3.net (4.69.141.21) 201.771 ms 201.185 ms 201.120 ms
19 ae-81-81.csw3.NewYork1.Level3.net (4.69.134.74) 202.407 ms 201.479 ms ae-92-92.csw4.NewYork1.Level3.net (4.69.148.46) 208.145 ms
20 ae-2-70.edge2.NewYork1.Level3.net (4.69.155.80) 200.572 ms ae-4-90.edge2.NewYork1.Level3.net (4.69.155.208) 200.402 ms ae-1-60.edge2.NewYork1.Level3.net (4.69.155.16) 203.573 ms
21 b.resolvers.Level3.net (4.2.2.2) 199.725 ms 199.190 ms 202.488 ms
4. NETSTAT Command
Netstat (network statistics) displays connection information, routing tables, interface statistics and more. To display the routing table, use the -r option:
# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.50.0 * 255.255.255.0 U 0 0 0 eth0
link-local * 255.255.0.0 U 0 0 0 eth0
default 192.168.50.1 0.0.0.0 UG 0 0 0 eth0
For more examples of Netstat Command, please read our earlier article on 20 Netstat Command Examples in Linux.
5. DIG Command
Dig (domain information groper) queries DNS for records such as A, CNAME and MX. It is the main tool for troubleshooting DNS problems.
# dig www.tecmint.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> www.tecmint.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<
6. NSLOOKUP Command
nslookup is also used for DNS queries. The following example shows the A record (IP address) of tecmint.com, as answered by the configured resolver 4.2.2.2:
# nslookup www.tecmint.com
Server: 4.2.2.2
Address: 4.2.2.2#53
Non-authoritative answer:
www.tecmint.com canonical name = tecmint.com.
Name: tecmint.com
Address: 50.116.66.136
7. ROUTE Command
The route command also shows and manipulates the IP routing table. To see the routing table on Linux, type the following command.
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.50.0 * 255.255.255.0 U 0 0 0 eth0
link-local * 255.255.0.0 U 1002 0 0 eth0
default 192.168.50.1 0.0.0.0 UG 0 0 0 eth0
Add or delete routes and set the default gateway with the following commands (changes made this way are lost at reboot).
Route Adding
# route add -net 10.10.10.0/24 gw 192.168.0.1
Route Deleting
# route del -net 10.10.10.0/24 gw 192.168.0.1
Adding default Gateway
# route add default gw 192.168.0.1
8. HOST Command
The host command resolves names to IPv4/IPv6 addresses and addresses back to names, and can also query other DNS record types.
# host www.google.com
www.google.com has address 173.194.38.180
www.google.com has address 173.194.38.176
www.google.com has address 173.194.38.177
www.google.com has address 173.194.38.178
www.google.com has address 173.194.38.179
www.google.com has IPv6 address 2404:6800:4003:802::1014
With the -t option we can query specific DNS resource records such as CNAME, NS, MX and SOA.
# host -t CNAME www.redhat.com
www.redhat.com is an alias for wildcard.redhat.com.edgekey.net.
9. ARP Command
ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on the local segment; the arp command views and adds entries in the kernel's ARP table. ARP replies are not authenticated, so an unexpected MAC for the gateway, or one MAC answering for several IP addresses, is a classic sign of ARP spoofing. To see the table in the default Linux format, use:
# arp -e
Address HWtype HWaddress Flags Mask Iface
192.168.50.1 ether 00:50:56:c0:00:08 C eth0
10. ETHTOOL Command
ethtool is the replacement for mii-tool. It shows and sets the speed and duplex of a Network Interface Card (NIC). You can make duplex settings permanent in /etc/sysconfig/network-scripts/ifcfg-eth0 with the ETHTOOL_OPTS variable.
# ethtool eth0
Settings for eth0:
Current message level: 0x00000007 (7)
Link detected: yes
11. IWCONFIG Command
The iwconfig command configures a wireless network interface. You can view and set basic Wi-Fi details such as the SSID, channel and encryption key. See the iwconfig man page for more.
# iwconfig [interface]
12. HOSTNAME Command
The hostname identifies the machine on the network. Run hostname to see the hostname of your box. You can set it permanently in /etc/sysconfig/network (the HOSTNAME= line); the new name takes effect at the next reboot, or immediately if you also run hostname with the new name.
# hostname
tecmint.com
13. GUI tool system-config-network
Type system-config-network at the command prompt to configure network settings through a Graphical User Interface (GUI), which can also set the IP address, gateway, DNS and so on, as shown in the image below.
# system-config-network
Linux GUI Network Configuration Tool
This article covers the day-to-day network tools of a Linux administrator on Linux / Unix-like operating systems. Kindly share through our comment box if we missed anything.
IP/Networking Commands
There are a lot of IP commands with short descriptions listed here, but you should only need the ones listed at the top of the page to diagnose and configure your network.
C:\>ping
C:\>ipconfig
C:\>ipconfig /all
C:\>ipconfig /release
C:\>ipconfig /renew
C:\>nbtstat -a
Remember that at the command prompt you can only type one command per line; press Enter after each one to execute it.
C:\>arp -a: ARP is short for Address Resolution Protocol. This command shows the ARP cache for each of your computer's IP addresses: the IP address and MAC address of every neighbor it has recently talked to, which normally includes your router.
C:\>hostname: This is the simplest of all TCP/IP commands. It simply displays the name of your computer.
C:\>ipconfig: The ipconfig command displays the basic TCP/IP configuration of the host (the computer you are sitting at).
C:\>ipconfig /all: This command displays detailed configuration information about your TCP/IP connection, including router, gateway, DNS, DHCP and the type of Ethernet adapter in your system.
C:\>ipconfig /renew: Renews all the IP addresses you are currently leasing from the DHCP server. This command is a quick problem solver if you are having connection issues, but has no effect if you are configured with a static IP address.
C:\>ipconfig /release: This command drops the IP lease obtained from the DHCP server.
C:\>ipconfig /flushdns: This command is only needed if you're having trouble with your network's DNS configuration. It empties the DNS resolver cache, so the next lookup goes back to the DNS server instead of reusing a cached, possibly stale, answer; the command confirms with "Successfully flushed the DNS Resolver Cache."
C:\>nbtstat -a: This command helps solve problems with NetBIOS name resolution (Nbt stands for NetBIOS over TCP/IP). Given a remote computer name, it lists that machine's NetBIOS name table.
Definitions
C:\>netdiag: Netdiag is a network testing utility that performs a variety of network diagnostic tests, allowing you to pinpoint problems in your network. Netdiag isn't installed by default; it ships in the Support Tools on the Windows XP CD. Navigate to the CD-ROM drive, open the support\tools folder and run setup.exe there.
C:\>netstat: Netstat displays a variety of statistics about a computer's active TCP/IP connections. This tool is most useful when you're having trouble with TCP/IP applications such as HTTP and FTP.
C:\>nslookup: Nslookup is used for diagnosing DNS problems. If you can access a resource by specifying an IP address but not by its DNS name, you have a DNS problem.
C:\>pathping: Pathping is unique to Windows and is basically a combination of the ping and tracert commands. Pathping traces the route to the destination address, then tests each router along the way (by default 25 seconds per hop), gathering statistics on the rate of packet loss at each hop.
C:\>ping: Ping is the most basic TCP/IP command, and it's the same as placing a phone call to your best friend: you pick up your telephone and dial a number, expecting your friend to reply with "Hello" on the other end. Computers make phone calls to each other over a network by using the ping command. Its main purpose is to contact another computer on the network and request an answer. Ping can address the other computer in two ways: by its name or by its IP address.
C:\>route: The route command displays the computer's routing table. A typical computer with a single network interface, connected to a LAN with one router, has a simple table and generally poses no routing problems. But if you're having trouble reaching other computers on your network, you can use the route command to make sure the entries in the routing table are correct.
C:\>tracert: The tracert command displays the list of all the routers a packet has to pass through to get from the computer where tracert is run to any other computer on the internet.
I thought of sharing IPsec debugging and troubleshooting steps with everyone. Being in VPN technology, we explain this to many of our customers, and I thought of discussing it here on our support forum as well.
************************************************************************************************************************************************************************************************************************************************************************
What is IPSEC?
IPSec stands for IP Security and the standard definition of IPSEC is--
“A security protocol in the network layer will be developed to provide cryptographic security services that will flexibly support combinations of authentication, integrity, access control, and confidentiality” (IETF)
It is a standard for privacy, integrity and authenticity.
IPSEC Protocol Architecture
IPSEC is a combination of three primary protocols
- ESP(protocol 50),
- AH(protocol 51)
- IKE(UDP 500)
Authentication: Authentication Header (AH) and Encapsulating Security Payload (ESP)
Integrity: Encapsulating Security Payload (ESP)
Confidentiality: Encapsulating Security Payload (ESP)
Bringing it all together: Internet key Exchange (IKE)
IPSEC is implemented in the following five stages:
Decision to use IPSEC between two end points across internet
Configuration of the two gateways between the end points to support IPSEC
Initiation of an IPSEC tunnel between the two gateways due to ‘interesting traffic’
Negotiation of IPSEC/IKE parameters between the two gateways
Passage of encrypted traffic
IPSec Troubleshooting Steps
· Check for interesting traffic to initiate tunnel, check crypto ACLs for hit counts
– If not, verify Routing (static or RRI)
· Verify if IKE SA is up (QM_Idle) for that peer
– If not, verify for matching Pre-shared keys
– Verify that the IKE policies (encr, auth, DH) are matching
– Verify for matching IKE Identities
· Verify if IPSec SAs are up (Inbound and Outbound SPIs)
– If not, verify for matching IPSec transform sets
– Verify for mirrored crypto ACLs on each side
– Verify that the Crypto Map is applied on the right interface
· Turn on IKE/IPSec debugs
IPSec Show Commands
· To show IKE SA information:
– show crypto isakmp sa [detail]
– show crypto isakmp peer
· To show IPSec SA information:
– show crypto ipsec sa [ address | detail | interface | map | per | vrf ]
· To show IKE and IPSec information together :
– show crypto session [ fvrf | group | ivrf | username ] [ detail ]
– show crypto engine connection active
Cisco IOS IPSec Debugging
· These are the IKE/IPSec debugs currently available; the highlighted ones are typically the most useful
· Make sure to use crypto conditional debugs when troubleshooting production routers
debug crypto isakmp
debug crypto isakmp error
debug crypto isakmp ha
debug crypto ipsec
debug crypto ipsec error
debug crypto routing
debug crypto ha
debug crypto engine error
debug crypto engine packet
Crypto Conditional Debugging
Crypto conditional debugging is useful when troubleshooting live networks, especially where many tunnels terminate on the same device.
· The crypto conditional debug CLIs—debug crypto condition, debug crypto condition unmatched, and show crypto debug-condition—allow you to specify conditions (filter values) so that only the debug messages related to those conditions are generated and displayed
· The router performs conditional debugging only after at least one of the global crypto debug commands—debug crypto isakmp, debug crypto ipsec, or debug crypto engine—has been enabled; this requirement helps ensure that router performance is not affected when conditional debugging is not in use
· To enable crypto conditional debugging:
– debug crypto condition
– debug crypto { isakmp | ipsec | engine }
· To view crypto condition debugs that have been enabled:
– show crypto debug-condition [ all | peer | fvrf | ivrf | isakmp | username | connid | spi ]
· To disable crypto condition debugs:
– debug crypto condition reset
Crypto Conditional Debugging Conditions
Condition | Description |
fvrf | The name string of a virtual private network (VPN) routing and forwarding (VRF) instance; relevant debug messages will be shown if the current IPSec operation uses this VRF instance as its front-door VRF (FVRF) |
ivrf | The name string of a VRF instance; relevant debug messages will be shown if the current IPSec operation uses this VRF instance as its inside VRF (IVRF) |
isakmp profile | The name string of the ISAKMP profile to be matched against for debugging |
local ipv4 | The IP address string of the local IKE endpoint |
peer group | An EzVPN group name string; relevant debug messages will be shown if the peer is using this group name as its identity |
peer ipv4 | A single IP address; relevant debug messages will be shown if the current IPSec operation is related to the IP address of this peer |
peer subnet | A subnet and a subnet mask that specify a range of peer IP addresses; relevant debug messages will be shown if the IP address of the current IPSec peer falls into the specified subnet range |
peer hostname | A fully qualified domain name (FQDN) string; relevant debug messages will be shown if the peer is using this string as its identity |
username | The username string (XAuth username or PKI-AAA username obtained from a certificate) |
Clearing VPN Tunnel
· To clear the IKE phase (Phase 1):
– clear crypto isakmp sa
· To clear the IPSEC phase (Phase 2):
– clear crypto ipsec sa
Crypto Logging
Two crypto logging enhancements were introduced in recent Cisco IOS images:
Hub(config)# crypto logging ?
  ezvpn    ezvpn logging enable/disable
  session  logging up/down session
· crypto logging session, introduced in 12.3(14)T, displays tunnel up/down messages:
– %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 40.10.1.1:500 Id: 40.10.1.1
– %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 40.10.1.1:500 Id: 40.10.1.1
· crypto logging ezvpn, introduced in 12.4(4)T, displays EasyVPN connection messages:
– %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 2.2.2.2:500 f_vrf: FVRF1 Id: cisco
– %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Server) Mode=NEM Client_type=CISCO_IOS User= Group=cisco Client_public_addr=2.2.2.2 Server_public_addr=1.1.1.2 f_vrf=FVRF1
– %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 2.2.2.2:500 f_vrf: FVRF1 Id: cisco
– %CRYPTO-6-EZVPN_CONNECTION_UP: (Server) Mode=NEM Client_type=CISCO_IOS User= Group=cisco Client_public_addr=2.2.2.2 Server_public_addr=1.1.1.2 f_vrf=FVRF1
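A defender-side use of the session and EzVPN log messages above: parse them and count DOWN events per peer so that a flapping tunnel stands out in a syslog feed. This is an added Python example, not code from the original post; the IOS-style timestamps and the repeated flap in the sample log are constructed.

```python
import re

# Line shapes taken from the messages above; "is UP ." really carries a space before the period.
SESSION_RE = re.compile(
    r"%CRYPTO-5-SESSION_STATUS: Crypto tunnel is (?P<state>UP|DOWN)\s*\.\s*"
    r"Peer (?P<peer>[\d.]+):(?P<port>\d+)(?: f_vrf: (?P<fvrf>\S+))? Id: (?P<id>\S+)")
EZVPN_RE = re.compile(
    r"%CRYPTO-6-EZVPN_CONNECTION_(?P<state>UP|DOWN): \((?P<role>\w+)\) (?P<kv>.*)$")


def parse_line(line):
    """Return a dict for a crypto session or EzVPN syslog line, or None for anything else."""
    m = SESSION_RE.search(line)
    if m:
        return {"kind": "session", **m.groupdict()}
    m = EZVPN_RE.search(line)
    if not m:
        return None
    ev = {"kind": "ezvpn", "state": m.group("state"), "role": m.group("role")}
    for token in m.group("kv").split():   # Key=value pairs; "User=" is legitimately empty
        key, _, value = token.partition("=")
        ev[key] = value
    ev["peer"], ev["fvrf"] = ev.get("Client_public_addr"), ev.get("f_vrf")
    return ev


def summarize(lines):
    """Per (peer, fvrf): last seen state, number of DOWN events, identities the peer presented."""
    summary = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["kind"] != "session":
            continue
        s = summary.setdefault((ev["peer"], ev["fvrf"]),
                               {"state": None, "downs": 0, "ids": set()})
        if ev["state"] == "DOWN":
            s["downs"] += 1
        s["state"] = ev["state"]
        s["ids"].add(ev["id"])
    return summary


def flapping(lines, max_downs=1):
    """Peers whose tunnel went DOWN more than max_downs times in this log window."""
    return sorted((k for k, s in summarize(lines).items() if s["downs"] > max_downs),
                  key=lambda k: k[0])


# Constructed sample: the post's message text with made-up timestamps and a repeated flap.
SAMPLE_LOG = """\
Mar  1 10:00:01.123: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 40.10.1.1:500 Id: 40.10.1.1
Mar  1 10:05:07.456: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 40.10.1.1:500 Id: 40.10.1.1
Mar  1 10:05:09.001: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 40.10.1.1:500 Id: 40.10.1.1
Mar  1 10:05:30.777: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 40.10.1.1:500 Id: 40.10.1.1
Mar  1 10:06:00.000: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 2.2.2.2:500 f_vrf: FVRF1 Id: cisco
Mar  1 10:06:00.010: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Server) Mode=NEM Client_type=CISCO_IOS User= Group=cisco Client_public_addr=2.2.2.2 Server_public_addr=1.1.1.2 f_vrf=FVRF1
Mar  1 10:06:20.000: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 2.2.2.2:500 f_vrf: FVRF1 Id: cisco
Mar  1 10:06:20.010: %CRYPTO-6-EZVPN_CONNECTION_UP: (Server) Mode=NEM Client_type=CISCO_IOS User= Group=cisco Client_public_addr=2.2.2.2 Server_public_addr=1.1.1.2 f_vrf=FVRF1
"""

if __name__ == "__main__":
    for peer, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(peer, s["state"], s["downs"], sorted(s["ids"]))
    print("flapping:", flapping(SAMPLE_LOG.splitlines()))
```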
That’s all from my side today.
I am thinking of coming up with a few known issues or scenarios in my next blog, so I am looking forward to your inputs and feedback. Thanks
IP SECURITY (IPSEC) PROTOCOLS
Since IP datagrams must usually be routed between two devices over unknown networks, any information in them is subject to being intercepted and possibly even changed. With the increased use of the Internet for critical applications, security enhancements were needed for IP. To this end, a set of protocols called IP Security or IPsec was developed.
Three topics cover the three main IPsec protocols:
1. IPsec Authentication Header (AH),
2. IPsec Encapsulating Security Payload (ESP),
3. IPsec Internet Key Exchange (IKE).
NOTE IPsec was initially developed with IPv6 in mind, but has been engineered to provide security for both IPv4 and IPv6 networks, and operation in both versions is similar. There are some differences in the datagram formats used for AH and ESP. These differences depend on whether you use IPsec in IPv4 or IPv6, because the two versions have different datagram formats and addressing. I highlight these differences where appropriate.
IPsec Overview, History, and Standards
What was really needed was a solution to allow security at the IP level so all higher-layer protocols in TCP/IP could take advantage of it. When the decision was made to develop a new version of IP (IPv6), this was the golden opportunity to resolve not just the addressing problems in the older IPv4, but the lack of security as well. New security technology was developed with IPv6 in mind, but since IPv6 has taken years to develop and roll out, and the need for security is now, the solution was designed to be usable for both IPv4 and IPv6.
The technology that brings secure communications to the IP is called IP Security, commonly abbreviated IPsec. The capitalization of this abbreviation is variable, so you’ll see IPSec and IPSEC.
Overview of IPsec Services and Functions
IPsec is not a single protocol, but rather a set of services and protocols that provide a complete security solution for an IP network. These services and protocols combine to provide various types of protection. Since IPsec works at the IP layer, it can provide these protections for any higher-layer TCP/IP application or protocol without the need for additional security methods, which is a major strength. Some of the kinds of protection services offered by IPsec include the following:
1. Encryption of user data for privacy
2. Authentication of the integrity of a message to ensure that it is not changed en route
3. Protection against certain types of security attacks, such as replay attacks
4. The ability for devices to negotiate the security algorithms and keys required to meet their security needs
5. Two security modes, tunnel and transport, to meet different network needs
KEY CONCEPT IPsec is a contraction of IP Security, and it consists of a set of services and protocols that provide security to IP networks. It is defined by a sequence of several Internet standards.
IPsec Standards
Since IPsec is actually a collection of techniques and protocols, it is not defined in a single Internet standard. Instead, a collection of RFCs defines the architecture, services, and specific protocols used in IPsec. Some of the most important of these are shown in Table 29-1, all of which were published in November 1998.
Table 29-1: Important IP Security (IPsec) Standards
RFC Number | Name | Description |
2401 | Security Architecture for the Internet Protocol | The main IPsec document, describing the architecture and general operation of the technology, and showing how the different components fit together. |
2402 | IP Authentication Header | Defines the IPsec Authentication Header (AH) protocol, which is used for ensuring data integrity and origin verification. |
2403 | The Use of HMAC-MD5-96 within ESP and AH | Describes a particular encryption algorithm for use by the AH and Encapsulation Security Payload (ESP) protocols called Message Digest 5 (MD5), HMAC variant. |
2404 | The Use of HMAC-SHA-1-96 within ESP and AH | Describes a particular encryption algorithm for use by AH and ESP called Secure Hash Algorithm 1 (SHA-1), HMAC variant. |
2406 | IP Encapsulating Security Payload (ESP) | Describes the IPsec ESP protocol, which provides data encryption for confidentiality. |
2408 | Internet Security Association and Key Management Protocol (ISAKMP) | Defines methods for exchanging keys and negotiating security associations. |
2409 | The Internet Key Exchange (IKE) | Describes the IKE protocol that’s used to negotiate security associations and exchange keys between devices for secure communications. Based on ISAKMP and OAKLEY. |
2412 | The OAKLEY Key Determination Protocol | Describes a generic protocol for key exchange. |
IPsec General Operation, Components, and Protocols
IPsec provides security services at the IP layer for other TCP/IP protocols and applications to use. What this means is that IPsec provides the tools that devices on a TCP/IP network need in order to communicate securely. When two devices (either end-user hosts or intermediate devices such as routers or firewalls) want to engage in secure communications, they set up a secure path between themselves that may traverse many insecure intermediate systems. To accomplish this, they must perform (at least) the following tasks:
1. They must agree on a set of security protocols to use so that each one sends data in a format the other can understand.
2. They must decide on a specific encryption algorithm to use in encoding data.
3. They must exchange keys that are used to “unlock” data that has been cryptographically encoded.
4. Once this background work is completed, each device must use the protocols, methods, and keys previously agreed upon to encode data and send it across the network.
IPsec Core Protocols
To support these activities, a number of different components make up the total package known as IPsec, as shown in Figure 29-1. The two main pieces are a pair of technologies sometimes called the core protocols of IPsec, which actually do the work of encoding information to ensure security:
IPsec Authentication Header (AH) This protocol provides authentication services for IPsec. It allows the recipient of a message to verify that the supposed originator of a message was in fact the one that sent it. It also allows the recipient to verify that intermediate devices en route haven’t changed any of the data in the datagram. It also provides protection against so-called replay attacks, whereby a message is captured by an unauthorized user and resent.
Encapsulating Security Payload (ESP) AH ensures the integrity of the data in a datagram, but not its privacy. When the information in a datagram is “for your eyes only,” it can be further protected using ESP, which encrypts the payload of the IP datagram.
Figure 29-1: Overview of IPsec protocols and components IPsec consists of two core protocols, AH and ESP, and three supporting components.
IPsec Support Components
AH and ESP are commonly called protocols, though they are not really distinct protocols but are implemented as headers that are inserted into IP datagrams, as you will see. They can be used together to provide both authentication and privacy. However, they cannot operate on their own. To function properly, they need the support of several other protocols and services (see Figure 29-1). The most important of these include the following:
Encryption/Hashing Algorithms AH and ESP are generic and do not specify the exact mechanism used for encryption. This gives them the flexibility to work with a variety of such algorithms and to negotiate which one to use as needed. Two common ones used with IPsec are Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1). These are also called hashing algorithms because they work by computing a formula called a hash based on input data and a key.
Security Policies, Security Associations, and Management Methods Since IPsec provides flexibility in letting different devices decide how they want to implement security, they require some means to keep track of the security relationships between themselves. This is done in IPsec using constructs called security policies and security associations, and by providing ways to exchange security association information.
Key Exchange Framework and Mechanism For two devices to exchange encrypted information, they need to be able to share keys for unlocking the encryption. They also need a way to exchange security association information. In IPsec, a protocol called the Internet Key Exchange (IKE) provides these capabilities.
KEY CONCEPT IPsec consists of a number of different components that work together to provide security services. The two main ones are protocols called the Authentication Header (AH) and Encapsulating Security Payload (ESP), which provide authenticity and privacy to IP data in the form of special headers added to IP datagrams.
IPsec Architectures and Implementation Methods
The main reason that IPsec is so powerful is that it provides security to IP, which is the basis for all other TCP/IP protocols. In protecting IP, you are protecting pretty much everything else in TCP/IP as well. An important issue, then, is how exactly do you get IPsec into IP? There are several implementation methods for deploying IPsec. These represent different ways that IPsec may modify the overall layer architecture of TCP/IP.
Three different implementation architectures are defined for IPsec in RFC 2401. The one you use depends on various factors including the version of IP used (IPv4 or IPv6), the requirements of the application, and other factors. These, in turn, rest on a primary implementation decision: Should IPsec be programmed into all hosts on a network, or just into certain routers or other intermediate devices? This is a design decision that must be based on the requirements of the network:
End-Host Implementation Putting IPsec into all host devices provides the most flexibility and security. It enables end-to-end security between any two devices on the network. However, there are many hosts on a typical network, so this means far more work than just implementing IPsec in routers.
Router Implementation This option is much less work because it means you make changes to only a few routers instead of hundreds or thousands of clients. It provides protection only between pairs of routers that implement IPsec, but this may be sufficient for certain applications such as VPNs. The routers can be used to provide protection for just the portion of the route that datagrams take outside the organization, thereby leaving connections between routers and local hosts unsecured (or possibly, secured by other means).
Three different architectures are defined that describe methods for how to get IPsec into the TCP/IP protocol stack: integrated, bump in the stack, and bump in the wire.
Integrated Architecture
IPv6 was designed to support IPsec. Thus, it’s a viable option for hosts or routers. With IPv4, integration would require making changes to the IP implementation on each device, which is often impractical (to say the least!).
Bump in the Stack (BITS) Architecture
In the bump in the stack (BITS) technique, IPsec is made a separate architectural layer between IP and the data link layer. The cute name refers to the fact that IPsec is an extra element in the networking protocol stack, as you can see in Figure 29-2. IPsec intercepts IP datagrams as they are passed down the protocol stack, provides security, and passes them to the data link layer.
Figure 29-2: IPsec bump in the stack (BITS) architecture In this type of IPsec implementation, IPsec becomes a separate layer in the TCP/IP stack. It is implemented as software that sits below IP and adds security protection to datagrams created by the IP layer.
The advantage of this technique is that IPsec can be retrofitted to any IP device, since the IPsec functionality is separate from IP. The disadvantage is that there is a duplication of effort compared to the integrated architecture. BITS is generally used for IPv4 hosts.
Bump in the Wire (BITW) Architecture
In the bump in the wire (BITW) method, we add a hardware device that provides IPsec services. For example, suppose we have a company with two sites. Each has a network that connects to the Internet using a router that is not capable of IPsec functions. We can interpose a special IPsec device between the router and the Internet at both sites, as shown in Figure 29-3. These devices will then intercept outgoing datagrams, add IPsec protection to them, and strip it off incoming datagrams.
Figure 29-3: IPsec bump in the wire (BITW) architecture In this IPsec architecture, IPsec is actually implemented in separate devices that sit between the devices that wish to communicate securely. These repackage insecure IP datagrams for transport over the public Internet.
Just as BITS lets you add IPsec to legacy hosts, BITW can retrofit non-IPsec routers to provide security benefits. The disadvantages are complexity and cost.
KEY CONCEPT Three different architectures or implementation models are defined for IPsec. The best is integrated architecture, in which IPsec is built into the IP layer of devices directly. The other two are bump in the stack (BITS) and bump in the wire (BITW), which are ways of layering IPsec underneath regular IP, using software and hardware solutions, respectively.
As you will see in the next section, the choice of architecture has an important impact on which of the two IPsec modes can be used. Incidentally, even though BITS and BITW seem quite different, they actually do the same thing. In the case of BITS, we have an extra software layer that adds security to existing IP datagrams; in BITW, distinct hardware devices do this same job. In both cases, the result is the same, and the implications for the choice of IPsec mode are likewise the same.
IPsec Modes: Transport and Tunnel
Two specific modes of operation that are related to these architectures are defined for IPsec. They are called transport mode and tunnel mode.
IPsec modes are closely related to the function of the two core protocols, AH and ESP. Both of these protocols provide protection by adding a header (and possibly other fields) containing security information to a datagram. The choice of mode does not affect the method by which each generates its header, but rather, changes what specific parts of the IP datagram are protected and how the headers are arranged to accomplish this. In essence, the mode really describes, not prescribes, how AH or ESP do their thing. It is used as the basis for defining other constructs, such as security associations (SAs).
Transport Mode
As its name suggests, in transport mode, the protocol protects the message passed down to IP from the transport layer. The message is processed by AH and/or ESP, and the appropriate header(s) are added in front of the transport (UDP or TCP) header. The IP header is then added in front of that by IP.
Another way of looking at this is as follows: Normally, the transport layer packages data for transmission and sends it to IP. From IP’s perspective, this transport layer message is the payload of the IP datagram. When IPsec is used in transport mode, the IPsec header is applied only over this IP payload, not the IP header. The AH and ESP headers appear between the original, single IP header and the IP payload. This is illustrated in Figure 29-4.
Tunnel Mode
In tunnel mode, IPsec is used to protect a completely encapsulated IP datagram after the IP header has already been applied to it. The IPsec headers appear in front of the original IP header, and then a new IP header is added in front of the IPsec header. That is to say, the entire original IP datagram is secured and then encapsulated within another IP datagram. This is shown in Figure 29-5.
Comparing Transport and Tunnel Modes
The bottom line in understanding the difference between the two IPsec modes is this: Tunnel mode protects the original IP datagram as a whole, header and all, while transport mode does not. Thus, in general terms, the order of the headers is as follows:
Transport Mode IP header, IPsec headers (AH and/or ESP), IP payload (including transport header)
Tunnel Mode New IP header, IPsec headers (AH and/or ESP), old IP header, IP payload
Figure 29-4: IPsec transport mode operation
IPv6 uses extension headers that must be arranged in a particular way when IPsec is used. The header placement also depends on which IPsec protocol is being used, AH or ESP. Note that it is also possible to apply both AH and ESP to the same datagram; if so, the AH header always appears before the ESP header.
Figure 29-5: IPsec tunnel mode operation IPsec tunnel mode is so named because it represents an encapsulation of a complete IP datagram, thereby forming a virtual tunnel between IPsec-capable devices. The IP datagram is passed to IPsec, where a new IP header is created with the AH and ESP IPsec headers added. Contrast this to transport mode, shown in Figure 29-4.
Tunnel mode represents an encapsulation of IP within the combination of IP plus IPsec. Thus, it corresponds with the BITS and BITW implementations, where IPsec is applied after IP has processed higher-layer messages and has already added its header. Tunnel mode is a common choice for VPN implementations, which are based on the tunneling of IP datagrams through an unsecured network such as the Internet.
KEY CONCEPT IPsec has two basic modes of operation. In transport mode, IPsec AH and ESP headers are added as the original IP datagram is created. Transport mode is associated with integrated IPsec architectures. In tunnel mode, the original IP datagram is created normally, and then the entire datagram is encapsulated into a new IP datagram containing the AH/ESP IPsec headers. Tunnel mode is most commonly used with bump in the stack (BITS) and bump in the wire (BITW) implementations.
IPsec Security Constructs
Important IPsec security constructs include security associations, the security association database, security policies, the security policy database, selectors, and the security parameter index. These items are all closely related and essential to understand before you begin looking at the core IPsec protocols. These constructs are used to guide the operation of IPsec in a general way and particularly to guide exchanges between devices. The constructs control how IPsec works and ensure that each datagram coming into or leaving an IPsec-capable device is treated properly.
Security Policies, Security Associations, and Associated Databases
Let’s begin by considering the problem of how to apply security in a device that may be handling many different exchanges of datagrams with others. There is overhead involved in providing security, so you do not want to do it for every message that comes in or out. Some types of messages may need more security; others may need less. Also, exchanges with certain devices may require different processing than others.
To manage all of this complexity,
IPsec is equipped with a flexible, powerful way of specifying how different types of datagrams should be handled. To understand how this works, you must first define the following two important logical concepts:
Security Policies and the Security Policy Database (SPD) A security policy is a rule that is programmed into the IPsec implementation. It tells the implementation how to process different datagrams received by the device. For example, security policies decide if a particular packet needs to be processed by IPsec or not. AH and ESP entirely bypass those that do not need processing. If security is required, the security policy provides general guidelines for how it should be provided, and if necessary, links to more specific detail. Security policies for a device are stored in the device’s security policy database (SPD).
Security Associations (SAs) and the Security Association Database (SAD) A security association (SA) is a set of security information that describes a particular kind of secure connection between one device and another. You can consider it a contract, if you will, that specifies the particular security mechanisms that are used for secure communications between the two. A device’s security associations are contained in its security association database (SAD).
It’s often hard to distinguish between the SPD and the SAD, because they are similar in concept. The main difference between them is that security policies are general, while security associations are more specific. To determine what to do with a particular datagram, a device first checks the SPD. The security policies in the SPD may reference a particular SA in the SAD. If so, the device will look up that SA and use it for processing the datagram.
Selectors
One issue I haven’t covered yet is how a device determines what security policies or SAs to use for a specific datagram. Again here, IPsec defines a very flexible system that lets each security association define a set of rules for choosing datagrams that the SA applies to. Each of these rule sets is called a selector. For example, you might define a selector that says that a particular range of values in the Source Address of a datagram, combined with another value in the Destination Address, means that a specific SA must be used for the datagram.
Security Association Triples and Security Parameter Index (SPI)
Each secure communication that a device makes to another requires that an SA be established. SAs are unidirectional, so each one only handles either inbound or outbound traffic for a particular device. This allows the level of security for a flow from Device A to Device B to be different than the level for traffic coming from Device B to Device A.
In a bidirectional communication of this sort, both Device A and Device B would have two SAs; Device A would have SAs that you could call SAdeviceBin and SAdeviceBout. Device B would have SAs SAdeviceAin and SAdeviceAout.
SAs don’t actually have names, however. They are instead defined by a set of three parameters, called a triple:
Security Parameter Index (SPI) A 32-bit number that is chosen to uniquely identify a particular SA for any connected device. The SPI is placed in AH or ESP datagrams and thus links each secure datagram to the security association. It is used by the recipient of a transmission so it knows what SA governs the datagram.
IP Destination Address The address of the device for which the SA is established.
Security Protocol Identifier Specifies whether this association is for AH or ESP. If both are in use with this device, they have separate SAs.
As you can see, the two security protocols AH and ESP are dependent on SAs, security policies, and the various databases that control the operation of those SAs and policies. Management of these databases is important, but it’s another complex subject entirely. Generally, SAs can either be set up manually (which is of course extra work) or you can deploy an automated system using a protocol like IKE (discussed near the end of this chapter).
IPsec Authentication Header (AH)
It provides authentication of either all or part of the contents of a datagram through the addition of a header that is calculated based on the values in the datagram. The parts of the datagram that are used for the calculation, and the placement of the header, depend on the mode (tunnel or transport) and the version of IP (IPv4 or IPv6).
The operation of AH is surprisingly simple, especially for any protocol that has anything to do with network security. The simplicity is analogous to the algorithms used to calculate checksums or perform cyclic redundancy (CRC) checks for error detection. In those cases, the sender uses a standard algorithm to compute a checksum or CRC code based on the contents of a message. This computed result is transmitted along with the original data to the destination, which repeats the calculation and discards the message if any discrepancy is found between its calculation and the one done by the source.
This is the same idea behind AH, except that instead of using a simple algorithm known to everyone, it uses a special hashing algorithm and a specific key known only to the source and the destination. An SA between two devices specifies these particulars, so that the source and destination know how to perform the computation but nobody else can. On the source device, AH performs the computation and puts the result (called the integrity check value, or ICV) into a special header with other fields for transmission. The destination device does the same calculation using the key that the two devices share. This enables the device to see immediately if any of the fields in the original datagram were modified (due to either error or malice).
Just as a checksum doesn’t change the original data, neither does the ICV calculation change the original data. The presence of the AH header allows us to verify the integrity of the message, but doesn’t encrypt it. Thus, AH provides authentication but not privacy (that’s what ESP is for).
AH Datagram Placement and Linking
The calculation of AH is similar for both IPv4 and IPv6. One difference is in the exact mechanism used for placing the header into the datagram and for linking the headers together. I’ll describe IPv6 first because it is simpler, and because AH was really designed to fit into its mechanism for this.
IPv6 AH Placement and Linking
In IPv6, the AH is inserted into the IP datagram as an extension header, following the normal IPv6 rules for extension header linking. It is linked by the previous header (extension or main), which puts the assigned value for the AH header (51) into its Next Header field. The AH header then links to the next extension header or the transport layer header using its Next Header field.
In transport mode, the AH is placed into the main IP header and appears before any Destination Options header that contains options intended for the final destination, and before an ESP header if present, but after any other extension headers. In tunnel mode, it appears as an extension header of the new IP datagram that encapsulates the original one being tunneled. This is shown graphically in Figure 29-6.
Figure 29-6: IPv6 datagram format with IPsec Authentication Header (AH) This is an example of an IPv6 datagram with two extension headers that are linked using the standard IPv6 mechanism (see Figure 26-3 in Chapter 26). When AH is applied in transport mode, it is simply added as a new extension header (as shown in dark shading) that goes between the Routing extension header and the Destination Options header. In tunnel mode, the entire original datagram is encapsulated into a new IPv6 datagram that contains the AH header. In both cases, the Next Header fields are used to link each header one to the next. Note the use of Next Header value 41 in tunnel mode, which is the value for the encapsulated IPv6 datagram.
IPv4 AH Placement and Linking
In IPv4, a method that is similar to the IPv6 header-linking technique is employed. In an IPv4 datagram, the Protocol field indicates the identity of the higher-layer protocol (typically TCP or UDP) that’s carried in the datagram. As such, this field points to the next header, which is at the front of the IP payload. AH takes this value and puts it into its Next Header field, and then places the protocol value for AH itself (51 in decimal) into the IP Protocol field. This makes the IP header point to the AH, which then points to whatever the IP datagram pointed to before. Again, in transport mode, the AH header is added after the main IP header of the original datagram; in tunnel mode it is added after the new IP header that encapsulates the original datagram that’s being tunneled. This is shown in Figure 29-
Figure 29-7: IPv4 datagram format with IPsec AH Here is an example of an IPv4 datagram; it may or may not carry IPv4 options (which, unlike IPv6 extension headers, are part of the IPv4 header itself rather than separate headers). In transport mode, the AH header is added between the IP header and the IP data; the Protocol field of the IP header points to it, while its Next Header field contains the IP header's prior protocol value (in this case 6, for TCP). In tunnel mode, the IPv4 datagram is encapsulated into a new IPv4 datagram that includes the AH header. Note that in tunnel mode, the AH header uses the value 4 (which means IPv4) in its Next Header field.
KEY CONCEPT The IPsec Authentication Header (AH) protocol allows the recipient of a datagram to verify that it came from the claimed sender and was not modified in transit. It is implemented as a header added to an IP datagram that contains an integrity check value (ICV), computed over the fields of the datagram using a key shared by the two devices. The recipient recomputes this value to ensure that the data has not been changed in transit. AH does not encrypt data and thus does not ensure the privacy of transmissions.
AH Format
The format of AH is described in Table 29-2 and illustrated in Figure 29-8.
Table 29-2: IPsec Authentication Header (AH) Format
Field Name | Size (Bytes) | Description |
Next Header | 1 | Contains the protocol number of the next header after the AH. Used to link headers together. |
Payload Len | 1 | Despite its name, this field gives the length of the authentication header itself, not of the payload. It is measured in 32-bit words, with 2 subtracted (so a header with a 96-bit ICV, 24 bytes in all, carries a Payload Len of 4). The "minus 2" convention matches how IPv6 extension header lengths are expressed. |
Reserved | 2 | Not used; set to zeros. |
SPI | 4 | A 32-bit value that, when combined with the destination address and security protocol type (which is obviously the one for AH here), identifies the security association (SA) that will be used for this datagram. (SAs are discussed earlier in this chapter.) |
Sequence Number | 4 | A counter field that is set to zero when an SA is established and incremented before each datagram is sent on that SA, so the first datagram carries sequence number 1. This uniquely identifies each datagram on an SA and lets the receiver detect and discard replayed copies of captured datagrams. The counter must never wrap around on an SA that uses anti-replay protection; a new SA must be negotiated before it would. |
Authentication Data | Variable | Contains the result of the hashing algorithm, called the integrity check value (ICV), performed by the AH protocol. |
Figure 29-8: IPsec Authentication Header (AH) format
The size of the Authentication Data field is variable to support different datagram lengths and hashing algorithms. Its total length must be a multiple of 32 bits. Also, the entire header must be a multiple of either 32 bits (for IPv4) or 64 bits (for IPv6), so additional padding may be added to the Authentication Data field if necessary.
You may also notice that no IP addresses appear in the header, which is what allows the same header format to be used for both IPv4 and IPv6.
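To make the alignment and Payload Len rules above concrete, here is an added example (my own code, not from the original text) that builds and parses an AH using the layout of Table 29-2. It assumes the ICV has already been computed by whatever algorithm the SA negotiated; the 12-byte (96-bit) and 16-byte ICV sizes, the SPI values and the trailing "tcp" bytes are constructed inputs chosen to exercise the IPv4 (32-bit) and IPv6 (64-bit) padding cases.

```python
import struct

AH_PROTOCOL_NUMBER = 51   # IP Protocol / Next Header value that points to an AH
AH_FIXED_LEN = 12         # Next Header, Payload Len, Reserved, SPI, Sequence Number


def build_ah(next_header, spi, seq, icv, ipv6=False):
    """Serialize an Authentication Header.

    The Authentication Data field is the ICV plus any padding needed to make the
    whole header a multiple of 32 bits (IPv4) or 64 bits (IPv6). Payload Len is
    the total header length in 32-bit words, minus 2.
    """
    if len(icv) % 4:
        raise ValueError("ICV length must be a multiple of 32 bits")
    align = 8 if ipv6 else 4
    pad = (-(AH_FIXED_LEN + len(icv))) % align
    auth_data = icv + b"\x00" * pad
    payload_len = (AH_FIXED_LEN + len(auth_data)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + auth_data


def parse_ah(data, icv_len):
    """Parse an AH from the front of data, returning (fields, bytes after the AH).

    icv_len comes from the SA (12 for HMAC-SHA1-96, for example); it is needed to
    tell the real ICV apart from alignment padding. Length fields are validated
    before anything is sliced so a malformed header cannot cause mis-parsing.
    """
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH")
    next_header, payload_len, reserved, spi, seq = struct.unpack(
        "!BBHII", data[:AH_FIXED_LEN])
    hdr_len = (payload_len + 2) * 4
    if hdr_len < AH_FIXED_LEN + icv_len or hdr_len > len(data):
        raise ValueError("Payload Len inconsistent with datagram or SA")
    if reserved != 0:
        raise ValueError("Reserved field must be zero")
    fields = {
        "next_header": next_header,
        "payload_len": payload_len,
        "header_len": hdr_len,
        "spi": spi,
        "seq": seq,
        "icv": data[AH_FIXED_LEN:AH_FIXED_LEN + icv_len],
    }
    return fields, data[hdr_len:]


if __name__ == "__main__":
    # Constructed example: AH in front of a TCP segment, 96-bit ICV, IPv4 rules.
    ah4 = build_ah(6, 0x1000, 1, b"\x11" * 12)
    print(len(ah4), parse_ah(ah4 + b"tcp", 12))
    # Same ICV size needs no padding under IPv6 either; a 128-bit ICV does.
    ah6 = build_ah(6, 7, 2, b"\x22" * 16, ipv6=True)
    print(len(ah6), parse_ah(ah6, 16)[0]["payload_len"])
```

With a 96-bit ICV the header is 24 bytes and Payload Len is 4 under both IP versions; a 128-bit ICV gives a 28-byte header, which IPv4 accepts as is but IPv6 pads to 32 bytes (Payload Len 6).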
IPsec Encapsulating Security Payload (ESP)
The IPsec AH provides integrity and authentication services to IPsec-capable devices so that they can verify that messages are received intact from the devices that claim to have sent them. For many applications, however, this is only one piece of the puzzle. We want to protect not only against intermediate devices changing the datagrams, but also against them examining their contents. For this level of private communication, AH is not enough; we need to use the ESP protocol.
The main job of ESP is to provide the privacy we seek for IP datagrams by encrypting them. An encryption algorithm combines the data in the datagram with a key to transform it into an encrypted form. This is then repackaged using a special format that you will see shortly, and transmitted to the destination, which decrypts it using the same algorithm and key. ESP also sports its own optional authentication scheme like the one used in AH, or it can be used in conjunction with AH.
ESP Fields
ESP has several fields that are the same as those used in AH, but it packages its fields in a very different way. Instead of having just a header, it divides its fields into three components:
ESP Header This contains two fields, SPI and Sequence Number, and comes before the encrypted data. Its placement depends on whether ESP is used in transport mode or tunnel mode, as explained earlier in this chapter.
ESP Trailer This section is placed after the encrypted data. It contains padding that is used to align the encrypted data through a Padding and Pad Length field. Interestingly, it also contains the Next Header field for ESP.
ESP Authentication Data This field contains an ICV that’s computed in a manner that’s similar to how the AH protocol works. The field is used when ESP’s optional authentication feature is employed.
There are two reasons why these fields are broken into pieces like this. The first is that some encryption algorithms require the data they encrypt to be a multiple of a fixed block size, so padding must be appended after the data rather than placed before it. That is why the padding appears in the ESP Trailer. The second is that the ESP Authentication Data is computed over the rest of the ESP datagram after encryption, and so it cannot be part of what it authenticates; it must appear separately, after the ESP Header, payload, and ESP Trailer.
ESP Operations and Field Use
This is still a bit hard to picture, so I will explain it procedurally by considering the three basic steps performed by ESP in order: placing the header, then building the trailer and encrypting, and then computing the Authentication Data field.
Header Calculation and Placement
The first thing to consider is how the ESP header is placed. This is similar to how AH works and depends on the IP version, as follows:
IPv6 The ESP Header field is inserted into the IP datagram as an extension header, following the normal IPv6 rules for extension-header linking. In transport mode, it appears before a Destination Options header that contains options intended for the final destination, but after any other extension headers, if present. In tunnel mode, it appears as an extension header of the new IP datagram that encapsulates the original one being tunneled. This is shown in Figure 29-9.
IPv4 As with AH, the ESP Header field is placed after the normal IPv4 header. In transport mode, it appears after the IP header of the original datagram; in tunnel mode, it appears after the IP header of the new IP datagram that’s encapsulating the original one. You can see this in Figure 29-10.
Trailer Calculation and Placement
The ESP Trailer field is appended to the data that will be encrypted, and ESP then performs the encryption. The payload (TCP/UDP message or encapsulated IP datagram) and the ESP Trailer are both encrypted, but the ESP Header is not. Note that any other headers that appear between the ESP Header and the payload are encrypted as well; in IPv6, this can include a Destination Options extension header.
Normally, the Next Header field would appear in the ESP Header and would be used to link the ESP Header to the header that comes after it. However, the Next Header field in ESP appears in the trailer and not the header, which makes the linking seem a bit strange in ESP. The method is basically the same as what’s used in AH and in IPv6 in general, with the Next Header and Protocol fields being used to tie everything together. However, in ESP the Next Header field appears after the encrypted data, and so it points back to one of the following: a Destination Options extension header (if present), a TCP/UDP header (in transport mode), or an IPv4/IPv6 header (in tunnel mode). This is also shown in Figures 29-9 and 29-10.
ESP Authentication Field Calculation and Placement
If the optional ESP authentication feature is being used, it is computed over the entire ESP datagram (except the Authentication Data field itself, of course). This includes the ESP header, payload, and trailer.
KEY CONCEPT The IPsec ESP protocol allows the contents of a datagram to be encrypted, which ensures that only the intended recipient is able to see the data. ESP is implemented using three components: an ESP Header that is added to the front of the protected data, an ESP Trailer that follows the protected data, and an optional ESP Authentication Data field that provides authentication services similar to those provided by AH.
Figure 29-9: IPv6 datagram format with IPsec ESP Here is the same example of an IPv6 datagram with two extension headers that you saw in Figure 29-6. When ESP is applied in transport mode, the ESP Header field is added to the existing datagram as in AH, and the ESP Trailer and ESP Authentication Data fields are placed at the end. In tunnel mode, the ESP Header and Trailer fields bracket the entire encapsulated IPv6 datagram. Note the encryption and authentication coverage in each case, and also how the Next Header field points back into the datagram since it appears in the ESP Trailer.
Figure 29-10: IPv4 datagram format with IPsec ESP Here is the same sample IPv4 datagram that you saw in Figure 29-7. When ESP processes this datagram in transport mode, the ESP Header field is placed between the IPv4 header and data, with the ESP Trailer and ESP Authentication Data fields following. In tunnel mode, the entire original IPv4 datagram is surrounded by these ESP components, rather than just the IPv4 data. Again, as in Figure 29-9, note the encryption and authentication coverage, and how the Next Header field points back to specify the identity of the encrypted data or datagram.
ESP Format
The format of the ESP sections and fields is described in Table 29-3 and illustrated in Figure 29-11. In both the figure and the table, I have shown the encryption and authentication coverage of the fields explicitly, to clarify how it all works.
Table 29-3: IPsec Encapsulating Security Payload (ESP) Format
Section | Field Name | Size (Bytes) | Description | Encryption Coverage | Authentication Coverage |
ESP Header | SPI | 4 | A 32-bit value that is combined with the destination address and security protocol type to identify the SA that will be used for this datagram. (SAs are discussed earlier in this chapter.) | No | Yes |
ESP Header | Sequence Number | 4 | A counter field set to zero when an SA is established and incremented before each datagram is sent on that SA. It lets the receiver detect and discard replayed datagrams. | No | Yes |
Payload | Payload Data | Variable | The encrypted payload data, which consists of a higher-layer message or encapsulated IP datagram. It may also include support information such as an initialization vector that is required by certain encryption methods. | Yes (an initialization vector, if present, is sent in the clear) | Yes |
ESP Trailer | Padding | Variable (0 to 255) | Additional padding bytes included as needed by the encryption algorithm or for alignment. | Yes | Yes |
ESP Trailer | Pad Length | 1 | The number of bytes in the preceding Padding field. | Yes | Yes |
ESP Trailer | Next Header | 1 | Contains the protocol number of the header that follows the ESP Header in the decrypted datagram. Used to chain headers together. | Yes | Yes |
ESP Authentication Data | Authentication Data | Variable | Contains the ICV resulting from the application of the optional ESP authentication algorithm. | No | No (this field is the ICV itself) |
Figure 29-11: IPsec ESP format Note that most of the fields and sections in this format are variable length. The exceptions are the SPI and Sequence Number fields, which are four bytes long, and the Pad Length and Next Header fields, which are one byte each.
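The Sequence Number rows of Tables 29-2 and 29-3 say the field "provides protection against replay attacks" but not how a receiver actually uses it. The following is an added example, written for this page rather than taken from the book or any IPsec implementation, of the sliding anti-replay window that RFC 4302 describes in its Appendix A and that applies equally to AH and ESP. The window size of 64 and the list of sequence numbers are constructed inputs.

```python
WINDOW_SIZE = 64   # RFC 4302/4303 require at least 32; 64 is a common default


class AntiReplayWindow:
    """Sliding anti-replay window over the AH/ESP Sequence Number.

    last_seq is the highest sequence number accepted so far (the right edge of
    the window); bit k of the bitmap records whether last_seq - k was received.
    """

    def __init__(self, size=WINDOW_SIZE):
        if size < 32:
            raise ValueError("window size must be at least 32")
        self.size = size
        self.last_seq = 0
        self.bitmap = 0

    def check(self, seq):
        """Preliminary check done before ICV verification: is seq acceptable?"""
        if seq == 0:
            return False                      # the first datagram on an SA carries 1
        if seq > self.last_seq:
            return True                       # right of the window: new
        diff = self.last_seq - seq
        if diff >= self.size:
            return False                      # left of the window: too old
        return not (self.bitmap >> diff) & 1  # inside the window: replay if marked

    def update(self, seq):
        """Mark seq as received. Call only after the datagram's ICV verified, so
        that forged datagrams cannot advance or poison the window."""
        mask = (1 << self.size) - 1
        if seq > self.last_seq:
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)


def replay_filter(seqs, size=WINDOW_SIZE):
    """Run a stream of (already ICV-verified) sequence numbers through one window.

    Returns one boolean per datagram: True = accepted, False = dropped as a
    replay or as too old to be tracked.
    """
    window = AntiReplayWindow(size)
    decisions = []
    for seq in seqs:
        ok = window.check(seq)
        if ok:
            window.update(seq)
        decisions.append(ok)
    return decisions


# Constructed stream: in-order delivery, a replay (second 2), a late but new
# arrival (5), another replay (3), a jump that slides the window (200), two late
# arrivals inside the new window (150, 137) and one just outside it (136).
SAMPLE_SEQUENCE = [1, 2, 3, 2, 10, 5, 3, 200, 150, 137, 136]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE_SEQUENCE, replay_filter(SAMPLE_SEQUENCE)):
        print(f"seq {seq:>4}: {'accept' if ok else 'DROP'}")
```

The split between check and update matters: a receiver checks the window first (to avoid wasting an ICV computation on an obvious replay) but advances it only after the ICV verifies, otherwise an attacker could inject a datagram with a huge sequence number and cause legitimate traffic to be dropped as "too old".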
The Padding field is used when the encryption algorithm requires its input to be a multiple of a block size. Padding is also used to make sure that the ESP Trailer ends on a 32-bit boundary: the Payload Data, Padding, Pad Length and Next Header fields together must be a multiple of 32 bits, so that the ESP Authentication Data field that follows is 32-bit aligned. The ESP Authentication Data field itself must also be a multiple of 32 bits.
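The following is an added example (my own code, not the book's and not taken from any IPsec stack) that packages a payload in the ESP format of Table 29-3 and unpacks it again, so the three coverage rules can be checked in code: the ESP Header is authenticated but not encrypted, the payload and trailer are both, and the ICV covers everything before itself. Assumptions: the SA uses HMAC-SHA1-96 for the ICV (a 12-byte truncation of HMAC-SHA1), a cipher with a 16-byte block size, and, because the standard library has no block cipher, a keystream XOR stand-in for the encryption step; the keys, SPI and "TCP segment" are constructed inputs.

```python
import hashlib
import hmac
import struct

ESP_PROTOCOL_NUMBER = 50
ICV_LEN = 12          # assumed SA algorithm: HMAC-SHA1-96 (HMAC-SHA1 truncated to 96 bits)
BLOCK_SIZE = 16       # assumed cipher block size; the trailer must make the plaintext a multiple
ENC_KEY = b"constructed 128-bit enc key!"   # constructed keys for the example only
AUTH_KEY = b"constructed auth key for HMAC"


def _keystream_xor(key, data):
    """Stand-in for the SA's cipher so the example runs on the standard library
    alone: XOR with a SHA-256-derived keystream. A real SA uses a negotiated
    cipher such as AES-CBC; this is not a secure cipher construction."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(spi, seq, next_header, payload, enc_key=ENC_KEY, auth_key=AUTH_KEY):
    """Return ESP Header + encrypted(payload + ESP Trailer) + ICV."""
    # Pad so payload + Padding + Pad Length + Next Header fills whole cipher blocks;
    # a multiple of 16 bytes also satisfies the 32-bit alignment rule.
    pad_len = (-(len(payload) + 2)) % BLOCK_SIZE
    padding = bytes(range(1, pad_len + 1))          # RFC 4303 default padding 1, 2, 3, ...
    trailer = padding + struct.pack("!BB", pad_len, next_header)
    header = struct.pack("!II", spi, seq)           # sent in the clear
    ciphertext = _keystream_xor(enc_key, payload + trailer)
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    return header + ciphertext + icv


def esp_decapsulate(packet, enc_key=ENC_KEY, auth_key=AUTH_KEY):
    """Verify the ICV, then decrypt and strip the trailer. Raises ValueError on any failure."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP datagram")
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed")     # never decrypt unauthenticated data
    spi, seq = struct.unpack("!II", header)
    plain = _keystream_xor(enc_key, body)
    pad_len, next_header = struct.unpack("!BB", plain[-2:])   # Next Header lives in the trailer
    if pad_len > len(plain) - 2:
        raise ValueError("Pad Length exceeds decrypted data")
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "payload": plain[:len(plain) - 2 - pad_len]}


def tamper_detected(packet, enc_key=ENC_KEY, auth_key=AUTH_KEY):
    """Flip one bit of the ciphertext and report whether decapsulation rejects it."""
    modified = bytearray(packet)
    modified[10] ^= 0x01                             # byte 10 is inside the encrypted region
    try:
        esp_decapsulate(bytes(modified), enc_key, auth_key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    pkt = esp_encapsulate(0x2000, 1, 6, b"constructed TCP segment")
    print(len(pkt), esp_decapsulate(pkt))
    print("tampering detected:", tamper_detected(pkt))
```

For the 23-byte constructed payload the trailer adds 7 padding bytes plus the two fixed bytes, so the encrypted region is exactly two 16-byte blocks and the whole ESP datagram is 8 + 32 + 12 = 52 bytes.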
IPsec Internet Key Exchange (IKE)
IPsec, like many secure networking protocol sets, is based on the concept of a shared secret. Two devices that want to send information securely encode and decode it using a piece of information that only those devices know. Anyone who isn't in on the secret is able to intercept the information but is prevented either from reading it (if ESP is used to encrypt the payload) or from tampering with it undetected (if AH or ESP authentication is used). Before either AH or ESP can be used, however, the two devices must agree on the secret keys that the security protocols themselves will use. The primary support protocol used for this purpose in IPsec is called Internet Key Exchange (IKE). IKE is defined in RFC 2409; that specification describes what is now called IKE version 1 (IKEv1), which has since been superseded by IKEv2 (RFC 7296), but the outline that follows is of RFC 2409. IKE is one of the more complicated of the IPsec protocols to comprehend. In fact, it is simply impossible to truly understand more than a real simplification of its operation without significant background in cryptography. I don't have a background in cryptography, and I must assume that you, my reader, do not either. So rather than fill this topic with baffling acronyms and unexplained concepts, I will just provide a brief outline of IKE and how it is used.
IKE Overview
The purpose of IKE is to allow devices to exchange information that’s required for secure communication. As the title suggests, this includes cryptographic keys that are used for encoding authentication information and performing payload encryption. IKE works by allowing IPsec-capable devices to exchange SAs, which populate their SADs. These SADs are then used for the actual exchange of secured datagrams with the AH and ESP protocols.
IKE is considered a hybrid protocol because it combines (and supplements) the functions of three other protocols. The first of these is the Internet Security Association and Key Management Protocol (ISAKMP). This protocol provides a framework for exchanging encryption keys and security association information. It operates by allowing security associations to be negotiated through a series of phases.
ISAKMP is a generic protocol that supports many different key exchange methods. In IKE, the ISAKMP framework is used as the basis for a specific key exchange method that combines features from two key exchange protocols:
OAKLEY Describes a specific mechanism for exchanging keys through the definition of various key exchange modes. Most of the IKE key exchange process is based on OAKLEY.
SKEME Describes a different key exchange mechanism than OAKLEY. IKE uses some features from SKEME, including its method of public key encryption and its fast rekeying feature.
IKE Operation
IKE doesn’t strictly implement either OAKLEY or SKEME but takes bits of each to form its own method of using ISAKMP. Clear as mud, I know. Because IKE functions within the framework of ISAKMP, its operation is based on the ISAKMP phased-negotiation process. There are two phases, as follows:
ISAKMP Phase 1 The first phase is a setup stage where two devices agree on how to exchange further information securely. This negotiation between the two units creates an SA for ISAKMP itself: an ISAKMP SA. This security association is then used for securely exchanging more detailed information in Phase 2.
ISAKMP Phase 2 In this phase, the ISAKMP SA established in Phase 1 is used to create SAs for other security protocols. Normally, this is where the parameters for the “real” SAs for the AH and ESP protocols would be negotiated.
An obvious question is why IKE bothers with this two-phased approach. Why not just negotiate the SA for AH or ESP in the first place? Well, even though the extra phase adds overhead, multiple Phase 2 negotiations can be conducted after one Phase 1, which amortizes the extra cost of the two-phase approach. It is also possible to use a simpler exchange method for Phase 2 once the ISAKMP SA has been established in Phase 1.
The ISAKMP SA negotiated during Phase 1 includes the negotiation of the following attributes used for subsequent negotiations:
An encryption algorithm, such as the Data Encryption Standard (DES), which RFC 2409 uses as its mandatory example but which is now considered too weak for use; current deployments negotiate AES
A hash algorithm (MD5 or SHA, as used by AH or ESP)
An authentication method, such as authentication using previously shared keys
A Diffie-Hellman group
NOTE Whitfield Diffie and Martin Hellman were pioneers of public-key cryptography. The Diffie-Hellman method named after them is not an encryption scheme but a key agreement protocol: each device combines its own secret value with a public value received from the other device, and both arrive at the same shared secret, which an eavesdropper who sees only the exchanged public values cannot compute. A Diffie-Hellman group defines the mathematical parameters used for this computation (a large prime modulus and a generator for the modular-exponentiation groups, or an elliptic curve for the others). Four predefined groups derived from OAKLEY are specified in IKE, and provision is allowed for defining new groups as well.
Note that even though SAs in general are unidirectional, the ISAKMP SA is established bidirectionally. Once Phase 1 is complete, either device can set up a subsequent SA for AH or ESP using the ISAKMP SA.
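The following is an added example, written for this page and not part of the book or of any IKE implementation, of the key-agreement step that a Phase 1 negotiation performs once a Diffie-Hellman group has been chosen. It uses the 1024-bit modular-exponentiation group (group 2, generator 2) as listed in RFC 2409 section 6.2, and sanity-checks the prime before use, since an IPsec engineer should never trust a pasted group parameter blindly. The final key derivation is deliberately simplified (an HMAC over the shared secret with a constructed pre-shared key); IKE's real SKEYID derivation also mixes in nonces and cookies using the negotiated PRF.

```python
import hashlib
import hmac
import secrets

# Group 2 of RFC 2409 section 6.2: 1024-bit MODP prime, generator 2.
MODP_1024_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
MODP_1024_G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test, used here only to sanity-check group parameters."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """The MODP groups use safe primes: both p and (p - 1) / 2 are prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def dh_keypair(p=MODP_1024_P, g=MODP_1024_G):
    """One side's private exponent x and the public value g^x mod p it will send."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(their_public, my_private, p=MODP_1024_P):
    """Compute the shared secret g^xy mod p from the peer's public value.

    Public values of 0, 1 or p - 1 are rejected: a peer (or an attacker in the
    middle) who sends one forces the shared secret to a known constant.
    """
    if not 1 < their_public < p - 1:
        raise ValueError("degenerate Diffie-Hellman public value")
    return pow(their_public, my_private, p)


def phase1_exchange(p=MODP_1024_P, g=MODP_1024_G, psk=b"constructed pre-shared key"):
    """Simulate the key-agreement part of ISAKMP Phase 1.

    Returns (initiator's derived key, responder's derived key, what an
    eavesdropper observes). Only the public values cross the wire.
    """
    xi, gxi = dh_keypair(p, g)          # initiator keeps xi, sends g^xi
    xr, gxr = dh_keypair(p, g)          # responder keeps xr, sends g^xr
    zi = dh_shared(gxr, xi, p)          # initiator: (g^xr)^xi
    zr = dh_shared(gxi, xr, p)          # responder: (g^xi)^xr
    size = (p.bit_length() + 7) // 8
    # Simplified derivation for illustration; not IKE's SKEYID computation.
    ki = hmac.new(psk, zi.to_bytes(size, "big"), hashlib.sha256).digest()
    kr = hmac.new(psk, zr.to_bytes(size, "big"), hashlib.sha256).digest()
    observed = {"p": p, "g": g, "g^xi": gxi, "g^xr": gxr}
    return ki, kr, observed


if __name__ == "__main__":
    print("group prime is a safe prime:", is_safe_prime(MODP_1024_P))
    ki, kr, seen = phase1_exchange()
    print("both sides derived the same key:", ki == kr)
    print("eavesdropper saw only:", sorted(seen))
```

Both devices end up with the same key although neither secret exponent was ever transmitted; this is the "ISAKMP SA" secret that protects the Phase 2 negotiations of the AH and ESP SAs.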