Flex VPN Reference

Only IKEv2. Unified config. Scalable. Server/Client. CA Server recommended. Prereq 1 – CA Server/Client: Server: ip domain-name cisco.com; crypto key generate rsa modulus 1024; ip http server; crypto pki server CA; crypto pki trustpoint CA; issuer-name O=CISCO L=SanJose C=US; grant auto; sh crypto pki certificates. Client: ip domain-name cisco.com; crypto key generate rsa modulus Read more…

GetVPN Reference

Does not support IKEv2, only IKEv1. Does not have an overlay routing protocol or tunnel; it encrypts data in the underlay itself. Since there’s no overlay tunnel, you don’t need additional subnets created. Centralized policy management: policies are kept in one place, the Key Server, and pushed to all clients. Components: GM (Group Member), KS Read more…

Bypassing Google Fiber

Google doesn’t allow you to bridge their network box so you would have to double NAT and double port forward. Maybe some people are fine with that, but I hate it. Luckily, it’s really easy to bypass. Default: fiber_line –> fiber_to_ethernet_jack –> Google_Network_Box The Google Fiber network box powers the Read more…

Defeating MITM

There are a number of things needed to stop ARP poisoning properly in a Cisco environment: DHCP snooping, trusted ports, Dynamic ARP Inspection, and a filter for static IPs. DHCP snooping prevents rogue DHCP servers and is the groundwork for all this. It builds a database of bindings and specifies where Read more…

Zscaler

I’ve been comparing SSL decryption services and devices, and Zscaler is much more than that. It’s an all-in-one content filtering, SSL decrypting, DLP, bandwidth controlling (quota), IPS, malware preventing (including sandbox) awesome cloud-based solution. And it works with mobile devices even if they’re roaming! The solution consists of GRE tunnels out Read more…

PfSense RA

The pfSense page here does a good job of explaining what router advertisements are and some of the settings, but I had to play around to make it work. If you have a flat, uncomplicated network at home, the defaults will probably work fine. Clients would pull IPv6 + the default Read more…