23 May

Draytek to Cyberoam IPSec VPN How To

How To Establish a Dial Out IPSec VPN from a Draytek Vigor 2860VN+ {FW 3.8.2.2}
to Cyberoam CR50iNG {FW-10.6.2 MR-1}

Configuration was tested with these devices but should be applicable to many models in the ranges.
We need an on-demand, dial-out, LAN-to-LAN VPN for remote access to the Cyberoam site.
Draytek/Cyberoam  Tech Note

Cyberoam Technote

Draytek Technote

Found this technote and was hopeful it would work.
It doesn’t; it is somewhat dated (8 years old).
The Cyberoam interface is now quite different from that in the article.
Did my best to create the same setup but struggled to get it to work.

The problem is with PFS. The note implies it should be disabled on the Cyberoam.
There is no setting to do this in current models.
It appears that PFS is permanently ENABLED.
PFS MUST be enabled on the Draytek, else the VPN fails.

CYBEROAM CONFIG
VPN > Policy
General Settings
Name = Draytek
Allow Re-Keying = Enable
Key Neg = 3
Authentication Mode = Main Mode
One or both ends with fixed IPs. Tested with one fixed and one variable ADSL,
with DynDNS set up on the ADSL end.
Compression = Enabled

Phase 1
Encryption = AES128    Auth = SHA1
Draytek only supports SHA1 (May2016)
Ideally SHA2 or later should be used
SHA1 is now considered somewhat compromised
MD5 is vulnerable and severely compromised and not recommended

DH Group = 2(DH1024)
Key Life = 3600
Dead Peer Detection (DPD)
Not needed for a dial-in-on-demand VPN
Might be useful for a permanent site-to-site VPN

Phase 2
Encryption AES128    Auth SHA1

PFS(DH) group = Same as Phase1
The Mention of PFS suggests that PFS is Enabled
Confirmed by Test – Must Enable PFS on Draytek Advanced Security Tab
VPN Fails if PFS is NOT enabled

Keylife = 3600

VPN > IPSec Connection

Connection Profile
Name = Dial_In_On_Demand
Connection = Site to Site
Policy = Draytek
Action on VPN Restart = Respond Only
i.e. wait for an incoming connection – dial in from the Draytek router

Authentication = Preshared Key = A Good Secure Phrase

EndPoint Details – Local = Select WAN Port X (Public IP)
Remote = DynDNSName of Draytek Router
* will allow ANY IP to connect (useful for setup and testing).
However, it is probably a good idea to specify the remote gateway to prevent hacking / spoofing.
Use an IP address or DNS name for fixed public IPs.
A DynDNS name works for a variable IP address.

Local Network Details
Local Subnet – Local Lan Network Address EG 192.168.1.0/24
Local ID – Choose Select Local ID – Leave Blank

Remote Network Details
Allow NAT Traversal – not needed if both ends have public IPs
Remote LAN Network = Network Address of LAN behind Remote Draytek Router
EG 172.16.10.0/24
Remote ID – Choose Select Remote ID and leave blank

User Authentication – Default
Quick Mode Selectors – Default
Advanced – Default

DRAYTEK CONFIG

VPN > Remote Access Control > Enable IPSec
Lan to Lan > Profile
1.Common Settings
Name = Cyberoam-DialOut
Enable
Dial Out through Wan1 First (or as per the WAN Setup)
Call Direction – Dial Out
Idle Time out = 300 Sec  (Always On for Setup & Testing)

2. Dial Out Settings
IPSec Tunnel
VPN Server/Gateway/Host = IP or HostName of Cyberoam WAN Port
IKE Authentication
Pre-Shared Key = The SAME Good Secure Phrase
IPSec Security Method = High(ESP) (AES with Authentication)
Click Advanced
IKE Phase 1 = Main Mode
IKE Phase 1 Proposal = AES128_SHA1_G2
Draytek only supports SHA1 (May2016)
Ideally SHA2 or later should be used
SHA1 is now considered somewhat compromised
MD5 is vulnerable and severely compromised and not recommended

IKE Phase 2 Proposal = AES128 SHA1 / MD5
IKE Phase 1 Key Lifetime = 3600
IKE Phase 2 Key Lifetime = 3600
Perfect Forward Secret = Enable
PFS is permanently enabled on the Cyberoam
VPN will fail if not enabled on the Draytek
Local ID – Leave Blank

If these don’t work, try AUTO – it tries a whole range of proposals – see the note on the config page.

3. Dial In Settings
N/A

4. TCP/IP Network Settings
My Wan IP = Default = 0.0.0.0  (Only needed for ISDN, PPTP & L2TP)
Remote Gateway IP = Default = 0.0.0.0  (Only needed for ISDN, PPTP & L2TP)
Remote Network IP = EG 192.168.1.0/24
It appears that either the LAN port IP or the network IP of the LAN behind the Cyberoam is acceptable.

Local Network IP = EG 172.16.10.0/24        Private Network IP of Local Site

RIP  = Optional – set as desired
Subnet = Route  (Most site-to-site VPNs will be routed)

CONNECTION ATTEMPTS & LOGS
On the Draytek, initiate the VPN connection and monitor Diagnostics > SysLog > VPN

Good Log (read down)

Dialing Node28 (Cyberoam-DialOut) : RRR.RRR.RRR.RRR
Initiating IKE Main Mode to RRR.RRR.RRR.RRR
IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
NAT-Traversal: Using RFC 3947, no NAT detected
IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
ISAKMP SA #5736 will be replaced after 2475 seconds
ISAKMP SA established with v. In/Out Index: 0/-28

Phase 1 SA Established

Start IKE Quick Mode to RRR.RRR.RRR.RRR
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
Client L2L remote network setting is 192.168.0.0/24
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
IPsec SA #5737 will be replaced after 2996 seconds
sent QI2, IPsec SA established with RRR.RRR.RRR.RRR. In/Out Index: 0/-28

Phase 2 SA Established

[L2L][UP][IPSec][@28:Cyberoam-DialOut]

Link UP  

IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xdf90e916
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x490a3747
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x819ee015
Receive client L2L remote network setting is LLL.LLL.LLL.LLL
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xc08264d5
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xa61eef62
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x102cbb83
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x8739c98c
NAT GRE session 47501 time out, las time = 341208950 …
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x4ccc0d2e
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x42c9e8d1
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x977463db
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x1563065c
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x9b684603
Receive client L2L remote network setting is LLL.LLL.LLL.LLL
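As an added example (not from the post, and not Draytek's own tooling): a small Python parser for the Diagnostics > SysLog > VPN output above that reports how far a dial-out got. The sample log is constructed from the lines above, with the remote address masked as in the post. Where the attempt stalls tells you which settings to compare on the two boxes; a PFS or Phase 2 proposal mismatch shows up as a Phase 2 (Quick Mode) stall after Phase 1 has completed.

```python
import re

# Constructed sample of Draytek "Diagnostics > SysLog > VPN" output, modelled on
# the good log above; RRR.RRR.RRR.RRR is the masked remote address as in the post.
SAMPLE_LOG = """\
Dialing Node28 (Cyberoam-DialOut) : RRR.RRR.RRR.RRR
Initiating IKE Main Mode to RRR.RRR.RRR.RRR
IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
NAT-Traversal: Using RFC 3947, no NAT detected
ISAKMP SA #5736 will be replaced after 2475 seconds
ISAKMP SA established with v. In/Out Index: 0/-28
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
IPsec SA #5737 will be replaced after 2996 seconds
sent QI2, IPsec SA established with RRR.RRR.RRR.RRR. In/Out Index: 0/-28
[L2L][UP][IPSec][@28:Cyberoam-DialOut]
"""

# ISAKMP exchange types in the log: 0x2 Main Mode, 0x20 Quick Mode, 0x5 Informational
EXCHANGE_NAMES = {"0x2": "main_mode", "0x20": "quick_mode", "0x5": "informational"}

def analyse_vpn_log(text):
    """Summarise one dial-out attempt: phases completed, NAT state, rekey timers, verdict."""
    state = {"phase1": False, "phase2": False, "link_up": False, "nat_detected": None,
             "isakmp_rekey_s": None, "ipsec_rekey_s": None, "exchanges": {}}
    for line in text.splitlines():
        if line.startswith("ISAKMP SA established"):
            state["phase1"] = True
        elif "IPsec SA established" in line:
            state["phase2"] = True
        elif line.startswith("[L2L][UP]"):
            state["link_up"] = True
        elif line.startswith("NAT-Traversal"):
            state["nat_detected"] = "no NAT detected" not in line
        m = re.match(r"(ISAKMP|IPsec) SA #\d+ will be replaced after (\d+) seconds", line)
        if m:
            state["isakmp_rekey_s" if m.group(1) == "ISAKMP" else "ipsec_rekey_s"] = int(m.group(2))
        m = re.search(r"Exchange Type = (0x[0-9a-f]+)", line)
        if m:
            name = EXCHANGE_NAMES.get(m.group(1), m.group(1))
            state["exchanges"][name] = state["exchanges"].get(name, 0) + 1
    # Where the attempt stalled tells you which settings to compare on the two boxes
    if state["link_up"]:
        state["verdict"] = "tunnel up"
    elif state["phase1"]:
        state["verdict"] = "stalled in Phase 2: compare Phase 2 proposal, PFS and the subnets"
    else:
        state["verdict"] = "stalled in Phase 1: compare pre-shared key, Phase 1 proposal and DH group"
    return state
```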

13 Aug

Nesting Selectors with Retrospect Backup

Retrospect selectors offer a surprisingly powerful method to precisely control what does, or does not, get backed up. However, creating complex selectors can be a bit mind bending.

This article discusses nesting selectors within each other to create a flexible backup management toolset.

Ground Rules

  • Retrospect Selectors have sections to INCLUDE and EXCLUDE specified items
  • EXCLUDES always take priority over INCLUDES
  • You can use another selector in a selector item definition.

However, doing this presents some subtleties.

How it works

Some experimentation suggests that it works like this:-

Selectors intended for inclusion in other selectors should only specify INCLUDES OR EXCLUDES but not both {it gets too mind bending otherwise}

THUS:-

Selectors specified in the EXCLUDE section of the parent MUST specify the files to be INCLUDED {in the exclude}.
Similarly
Selectors specified in the INCLUDE section of the parent MUST specify the files to be INCLUDED {in the include}

This behaviour CAN be reversed by using the IS NOT operator when specifying the Child Selector but this starts to get too mind bending

Put another way if you include a selector which says EXCLUDE something, in an EXCLUDE section then those items will be EXCLUDED from the EXCLUDE, and will be INCLUDED in the backup.

THUS it appears one can apply traditional mathematical sign rules to nesting selectors:
INCLUDE + INCLUDE = INCLUDE
EXCLUDE + INCLUDE = EXCLUDE
INCLUDE + EXCLUDE = EXCLUDE
EXCLUDE + EXCLUDE = INCLUDE !!!!

It pays to use the TEST facility. While EDITING a selector hit the BLUE TICK button and select a suitable volume or subvolume to try out your rule.

An approach to using Nested Selectors

So in sites with more complex Selector Requirements I use the following approach.

Create Selectors Named for the types of files, and ONLY specify items in the INCLUDE section
EG:-  5-Xco-Temp;    include tmp, Temp, etc.
EG:-  5-Xco-Music;    include *.mp3, m:\Artists, etc.

Then create a selector named for the Script or Function it refers to, EG: 1-Xco-Servers. This selector will only ever reference other selectors.
EG: add 5-Xco-Server Temp to the EXCLUDE section, and 5-Xco-Music to the INCLUDE section.

You can then create many selectors for various files, types etc, and simply add them to your Script Selectors.
Using a good naming convention results in a very readable list of Selectors which indicates quite intuitively what they are doing.
Preceding ALL your custom selectors with a standard character or two ensures they are grouped together in the list and not confused with the standard Retro selectors. (I use “Digit-Company or Site abbreviation-Description”, which allows me to order & group logically.)
I have found it best to NOT change the default selectors, rather Duplicate and Rename them, thus you always have the originals to refer to as examples and use as templates.
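Modelling the sign rules and the naming approach above in code, as an added example (it is not from the article and not Retrospect's own implementation): a selector backs up a file when its INCLUDE section matches and its EXCLUDE section does not, a nested selector contributes whatever it matches, and the IS NOT operator is a negate flag. It assumes an empty INCLUDE section means everything (that is what makes EXCLUDE + EXCLUDE come out as INCLUDE); the file list and selector names are constructed.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed file list for the demonstration (not from the article)
FILES = ["c:/work/report.docx", "c:/work/tmp/scratch.txt", "m:/Artists/song.mp3",
         "c:/temp/cache.bin", "c:/work/notes.txt"]

@dataclass
class Selector:
    """Retrospect-style selector: a file is backed up if INCLUDE matches it and EXCLUDE does not.
    Items are glob patterns or (Selector, negate) pairs; negate models the IS NOT operator.
    Assumption: an empty INCLUDE section means 'everything', which is what makes the
    sign rules above come out the way they do."""
    name: str
    include: list = field(default_factory=list)
    exclude: list = field(default_factory=list)

    def _item_matches(self, item, path):
        if isinstance(item, tuple):          # nested child selector, possibly negated
            child, negate = item
            return child.matches(path) != negate
        return fnmatch.fnmatch(path.lower(), item.lower())

    def matches(self, path):
        included = not self.include or any(self._item_matches(i, path) for i in self.include)
        excluded = any(self._item_matches(e, path) for e in self.exclude)
        return included and not excluded     # EXCLUDE always takes priority

def backed_up(selector, files):
    """Files the given selector would back up, in the original order."""
    return [f for f in files if selector.matches(f)]

# Leaf selectors named for file types, INCLUDE-only as the article recommends
temp = Selector("5-Xco-Temp", include=["*/tmp/*", "*/temp/*"])
music = Selector("5-Xco-Music", include=["*.mp3", "m:/Artists/*"])

# Script selector that only references other selectors: INCLUDE + INCLUDE = INCLUDE,
# EXCLUDE + INCLUDE = EXCLUDE
servers = Selector("1-Xco-Servers", include=[(music, False), "*/work/*"], exclude=[(temp, False)])

# EXCLUDE-only leaf placed in the parent's EXCLUDE: EXCLUDE + EXCLUDE = INCLUDE
no_temp = Selector("5-Xco-NoTemp", exclude=["*/tmp/*", "*/temp/*"])
double_negative = Selector("demo", include=["*"], exclude=[(no_temp, False)])
```

Run backed_up(servers, FILES) and backed_up(double_negative, FILES) to see the two cases; wrapping no_temp as (no_temp, True) in the exclude list reverses the double negative again, as the IS NOT operator does.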

21 Jul

Never under-estimate the bandwidth of a car load of tape

The original saying was “Never under-estimate the bandwidth of a station-wagon full of tapes hurtling down the highway” and is attributed to legendary professor of computer science Andrew Tanenbaum (Computer Networks, 4th ed., p. 91).

https://en.wikipedia.org/wiki/Andrew_Tanenbaum

Back then tape capacities were measured in MegaBytes.  With the latest LTO technologies, never was this more true than in today’s world of big data.

You need to shift a load of data offsite to your Disaster Recovery site.

A box of 50 LTO 6 Tapes in your car for a 30 mile trip which takes 1 Hour

(includes loading time and travel in that city congestion!)

50 x 3TB = 150 TeraBytes per hour

That’s 150,000 GigaBytes in 3600 seconds = 40GBytes/S = ~330Gbits/S

You’ll have to go a long way, and with deep pockets to find that kind of WAN bandwidth!


20 Jul

EV – Recreate Archive Points with FSAUtility

Symantec Enterprise Vault

File System Archiving

EV Tip: Recreate Archive Points with FSAUtility

I recently had a run-in with FSAUtility trying to recreate an Archive Point which got duplicated.
I got confused over what was required for the UNC path part of the command line.
Tech 64969 states:-   “run the fsautility -a -s “UNCpathname” . . . .”  OK, so what is required for “UNCpathname”?
I assumed “the path to the Archive Point” and checked in the manual for the syntax.
The Utility manual states:-

FSAUtility -a -s UNC_path [-l log_level] [-r]
Where:
■ -s UNC_path    specifies the path to the required folder, volume, or
file server.

Sounds reasonable, they want the path to the Archive point folder.
I then spent hours running this command line and getting “invalid UNC path” errors, researching UNC path specs and syntax, etc.
By chance I accidentally ran FSAUtility without any options and got the command help.
Studying this carefully I noticed that for the -a option it says :-

Parameters for -a (Recreate archive points only)
-s <UNC path>         UNC path name of target volume

Whereas for all the other options it says:-

-s <UNC path>         UNC path name of source folder, volume or file server
This agrees with the manual.

SO FINALLY:-

What is required for the UNC path for the -a option to recreate Archive Points is
the UNC Path to the VOLUME,   NOT the Archive Point Folder.
Running the command with the path to the volume worked fine, and duly re-created my Archive Point, and allowed archiving to run once more.
I later discovered that EV FSA really operates at the VOLUME level.

When the FSA task runs it always scans the entire volume, and acts upon each archive point as it discovers them in the folder tree. In light of this it now seems reasonable that you would specify the Volume to FSA Utility when recreating Archive Points.
What was confusing, was the documentation which implied you can specify File Server, Volume, or Folder, which is true for all options EXCEPT for the -a option to recreate Archive Points.

We live and learn!

References:-

Symantec EV Technote Tech64969
EV Utility guide (9x & 10x) CH18-FSAUtility > FSAUtility Options > Recreating Archive Points
FSAUtility command Help (just run fsautility.exe with no options)

Published by JoTrago on Symantec Connect Community

Symantec Connect Community forum


20 Jul

Backup & Archiving – the difference

So what is the difference between Backup & Archiving? Don’t they both store your data for safe-keeping?

Well, yes, but there are key differences in how the data is collected and, these days more importantly, a clear distinction in the purpose for which the data is collected.

The How

Two words – Copy & Move

Backup takes a COPY of your data for safe-keeping.
Archiving MOVES your data to safe-keeping.

From this simple difference flows the purposes for which each is used.

The Why

Backup for Disaster Recovery

Back in the day you could backup your entire data environment within your regular backup plan, and backup tended to serve both as disaster recovery and long term retention.

Today you run into all sorts of problems with this approach :-

  • You don’t have enough secondary or backup storage
  • It takes too long
  • It is difficult to search and retrieve
  • It is too expensive
  • It is too difficult to manage

The only real approach to addressing these issues is to reduce the amount of data you backup. Since you still have to protect all your data to some extent or another you must, therefore, classify the data in some way.

A small percentage of the data is the hot, dynamic, growing data which is actively being created, modified, and worked with.

This is the data that needs to be backed up.

Archiving for Retention

A large percentage of data is historical,  more static, and less frequently accessed. Reference material, completed projects, knowledge repositories, old data and the like.

This is data that can (should) be archived.

20 Jul

Welcome to JoTraGo Data Protection

Welcome to the JoTraGo content pages

We plan to use this section for articles, howtos, and information relating to data protection and the products JoTrago supports. Since the content will be more subject-related than a timeline, we have included tools to access this information more readily.

Make use of the Categories and Tags on the right to find content relevant to your needs.

You are welcome to comment on our posts, please provide a valid email address.