Thursday, June 30, 2011

DSAdd, my new best friend

When faced with the need to create 50 new users in a brand-spanking-new Windows 2008 R2 Active Directory domain, our heroine did what most hero(ines) would do ... search for a command line tool to help her out.

So I searched, and first found "ldifde", which was, essentially, a giant pain in the petunia, to quote a Disney fairy.

Then I found DSADD! Oh how I love you, DSADD! For those script-minded folks, you can do cool things with VB scripts and Excel imports using dsadd, but I was happy to copy and paste.

Here's a string that worked, btw, with identifying names and domains changed to protect the innocent and private.

dsadd user "cn=Julie Smith,ou=ABUsers,dc=mydomain,dc=local" -fn Julie -ln Smith -display "Julie Smith" -disabled no -pwd Something123 -mustchpwd yes -tel 212.555.1111 -samid ud -email julie@mydomain.com -upn julie@mydomain.local

One gotcha that got me good: I had the users in an Excel table, to which I added columns and text to create the format above, then copied/pasted into Word to search out extra tabs, spaces and the like. Word got all smarty-pants on me and switched out the plain-text double quote (") for curly smarty-pants quotes. DSAdd complained and whined about these and refused to play nice:

dsadd failed: ... :A referral was returned from the server.
This also happens if you're trying to add a user to an OU or DC that doesn't exist, btw.
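The copy-and-paste workflow above, as an added example that is not part of the original post: a small Python generator that builds one dsadd line per spreadsheet row, escapes the DN value per RFC 4514, quotes arguments for cmd.exe, and detects or repairs the curly quotes that Word substitutes for the plain double quote. The CSV rows, the OU and the domain names are constructed; the column names (first, last, samid, password) are an assumption about the spreadsheet layout.

```python
import csv
import io

# Typographic quotes that Word substitutes for the ASCII double quote (").
# dsadd does not treat them as delimiters, so the DN argument is split at
# its first space and the command fails.
SMART_QUOTES = {"\u201c", "\u201d", "\u201e", "\u201f"}

# Constructed sample export; the spreadsheet behind the post is not shown.
SAMPLE_CSV = """first,last,samid,password
Julie,Smith,jsmith,Welcome-123
Mary Ann,O'Brien,mobrien,Welcome-456
"""


def find_smart_quotes(command):
    """Offsets of every typographic quote in one pasted command line."""
    return [i for i, ch in enumerate(command) if ch in SMART_QUOTES]


def fix_smart_quotes(command):
    """Replace typographic quotes with the plain quote dsadd expects."""
    return "".join('"' if ch in SMART_QUOTES else ch for ch in command)


def escape_dn_value(value):
    """Escape the characters RFC 4514 reserves inside a DN attribute value."""
    out = "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def quote_arg(value):
    """Wrap an argument in double quotes for cmd.exe when it has whitespace."""
    if '"' in value:
        raise ValueError(f"cannot safely pass a double quote to cmd.exe: {value!r}")
    return f'"{value}"' if any(ch.isspace() for ch in value) else value


def build_dsadd(row, ou_dn, mail_domain, upn_suffix):
    """Assemble one dsadd line in the same shape as the post's example."""
    full_name = f"{row['first']} {row['last']}"
    user_dn = f"cn={escape_dn_value(full_name)},{ou_dn}"
    parts = [
        "dsadd user", quote_arg(user_dn),
        "-fn", quote_arg(row["first"]),
        "-ln", quote_arg(row["last"]),
        "-display", quote_arg(full_name),
        "-disabled no",
        "-pwd", quote_arg(row["password"]),  # "-pwd *" would prompt instead
        "-mustchpwd yes",
        "-samid", quote_arg(row["samid"]),
        "-email", f"{row['samid']}@{mail_domain}",
        "-upn", f"{row['samid']}@{upn_suffix}",
    ]
    return " ".join(parts)


def generate_commands(csv_text, ou_dn, mail_domain, upn_suffix):
    """One dsadd command per CSV row, ready to paste into cmd.exe."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [build_dsadd(r, ou_dn, mail_domain, upn_suffix) for r in rows]


def check_pasted(text):
    """(line number, offsets) for every line that came back with curly quotes."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        offsets = find_smart_quotes(line)
        if offsets:
            hits.append((n, offsets))
    return hits


if __name__ == "__main__":
    for cmd in generate_commands(SAMPLE_CSV, "ou=ABUsers,dc=mydomain,dc=local",
                                 "mydomain.com", "mydomain.local"):
        print(cmd)
```

Run check_pasted over the text after its round trip through Word and fix the reported lines (or pass them through fix_smart_quotes) before pasting into cmd.exe. Passing the initial password on the command line, as the post does, leaves it in the console history; dsadd's "-pwd *" prompts for it instead, at the cost of one prompt per user.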

p.s. with love from Microsoft

Saturday, June 18, 2011

Cisco ASA IOS 8.4 and the art of a native Windows 7 L2TP/IPSec VPN

It was a day full of IP wrangling, the day I got this to work. A sine curve kind of day full of frustrations and eventually joy. Perhaps this will save someone else a bit of agony ...

Here's a config that works on ASA software version 8.4(1) with the mind-twisting new NAT syntax. The config is for IPSec clients on Linux (using vpnc - tip of the keyboard to AI for that info), Mac OSX, and the Cisco VPN Client, and also for L2TP/IPSec. Confirmed working on Windows 7, Vista, and XP Pro.

Identifying info like IP addresses, valid domain names, and the like have been scrubbed to create anonymity.

Caveat emptor: when using ASDM rather than the command line, it has a way of mucking with VPN tunnel configurations. Consider yourself warned!

Configuration required for IPSec VPN, used by the Cisco VPN Client and by Mac OSX, iPad, and iPhone, is colored orange.
Configuration required for L2TP/IPSec VPN, used by the Windows XP, Vista, and 7 native clients, is colored aqua.
Configuration required by both IPSec and L2TP/IPSec is in white.

interface Ethernet0/2
nameif Outside-ISP1
security-level 0
ip address X.X.15.2 255.255.255.248
!
interface Ethernet0/3
nameif Outside-ISP2
security-level 0
ip address Y.Y.18.86 255.255.255.248

object network NAT_VPN
subnet 10.1.1.0 255.255.255.0

access-list VPN_ROUTES standard permit 10.1.0.0 255.255.0.0
access-list VPN_ROUTES standard permit 10.2.0.0 255.255.0.0
access-list VPN_ROUTES standard permit 10.4.0.0 255.255.0.0


! separate pools are not needed, but they make it easier to identify which client type a connection came from; you can definitely create only one
ip local pool VPN_POOL 10.1.1.11-10.1.1.40 mask 255.255.255.0
ip local pool L2TP_POOL 10.1.1.41-10.1.1.150 mask 255.255.255.0

! this next line is needed because the Windows client doesn't obey split tunneling nicely if you have multiple inside subnets, but it does mean that while the VPN is connected, all traffic goes through the ASA and back out.

nat (Outside-ISP1,Outside-ISP1) source dynamic NAT_VPN interface

nat (Inside,Outside-ISP1) source static CORP_SUBNETS CORP_SUBNETS destination static NAT_VPN NAT_VPN
nat (Inside-Eng,Outside-ISP1) source static ENG_SUBNETS ENG_SUBNETS destination static NAT_VPN NAT_VPN

nat (Inside,Outside-ISP2) source static CORP_SUBNETS CORP_SUBNETS destination static NAT_VPN NAT_VPN
nat (Inside-Eng,Outside-ISP2) source static ENG_SUBNETS ENG_SUBNETS destination static NAT_VPN NAT_VPN

crypto ipsec ikev1 transform-set ESP-3DES-SHA_trans esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA_trans mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! For IPsec only, do NOT specify "mode transport"
crypto dynamic-map DynMap 1 set ikev1 transform-set ESP-3DES-SHA_trans ESP-3DES-SHA
crypto map MapVPN 100 ipsec-isakmp dynamic DynMap
crypto map MapVPN interface Outside-ISP1
crypto map MapVPN interface Outside-ISP2
crypto isakmp nat-traversal 60
crypto ikev1 enable Outside-ISP1
crypto ikev1 enable Outside-ISP2

! can probably delete policy 10 or 65535, test and report back

crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 43200
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 1
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy VPNPolicy internal
group-policy VPNPolicy attributes
dns-server value 10.2.1.32
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_ROUTES
default-domain value nonamedomain.com
group-policy VPNPolicyIpsec internal
group-policy VPNPolicyIpsec attributes
dns-server value 10.2.1.32 Public_DNS_Server_IP
vpn-idle-timeout 120
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_ROUTES
default-domain value nonamedomain.com

! when creating new users, specify the encryption type as mschap, not as nt-encrypted, so that when the account is created the password is converted to Unicode and hashed with MD4.

username user1 password **** nt-encrypted
username user2 password **** nt-encrypted


! L2TP for Windows uses the DefaultRAGroup; it won't use a specific tunnel group

tunnel-group DefaultRAGroup general-attributes
address-pool L2TP_POOL
authorization-server-group LOCAL
default-group-policy VPNPolicy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key ****
isakmp keepalive threshold 40 retry 5
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group VPNGroupIpsec type remote-access
tunnel-group VPNGroupIpsec general-attributes
address-pool VPN_POOL
default-group-policy VPNPolicyIpsec
tunnel-group VPNGroupIpsec ipsec-attributes
ikev1 pre-shared-key ****
isakmp keepalive threshold 40 retry 5
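The config above holds several cross-references that break the VPN quietly if they drift: a pool address outside the NAT_VPN object misses the hairpin and NAT-exemption rules, overlapping pools hand out duplicate addresses, a transform set named in the dynamic map but never defined (or the L2TP set without "mode transport") stops the Windows client from negotiating, and a crypto map on an interface without "crypto ikev1 enable" never answers. As an added example (not the post's own tooling), here is a Python linter that parses an excerpt of the post's config and checks those relationships; it also flags the 3DES/MD5/DH group 2 policies, which current guidance treats as weak (the 2011 post predates that). The excerpt reuses the post's values; policies 10 and 65535 and the group-policy/tunnel-group sections are left out.

```python
import ipaddress
import re

# Excerpt of the post's ASA 8.4 config (policies 10 and 65535 and the
# group-policy/tunnel-group sections omitted); the values are the post's own.
CONFIG = """\
object network NAT_VPN
 subnet 10.1.1.0 255.255.255.0
ip local pool VPN_POOL 10.1.1.11-10.1.1.40 mask 255.255.255.0
ip local pool L2TP_POOL 10.1.1.41-10.1.1.150 mask 255.255.255.0
crypto ipsec ikev1 transform-set ESP-3DES-SHA_trans esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA_trans mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DynMap 1 set ikev1 transform-set ESP-3DES-SHA_trans ESP-3DES-SHA
crypto map MapVPN 100 ipsec-isakmp dynamic DynMap
crypto map MapVPN interface Outside-ISP1
crypto map MapVPN interface Outside-ISP2
crypto ikev1 enable Outside-ISP1
crypto ikev1 enable Outside-ISP2
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
"""


def parse_pools(cfg):
    """name -> (first, last) address of every 'ip local pool'."""
    pat = re.compile(r"^\s*ip local pool (\S+) (\S+)-(\S+) mask \S+", re.M)
    return {n: (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
            for n, lo, hi in pat.findall(cfg)}


def parse_network_object(cfg, name):
    """Subnet of an 'object network' block, or None if it is absent."""
    m = re.search(r"^\s*object network %s\s*\n\s*subnet (\S+) (\S+)" % re.escape(name), cfg, re.M)
    return ipaddress.IPv4Network("%s/%s" % m.groups()) if m else None


def pools_outside_subnet(cfg, object_name="NAT_VPN"):
    """Pools not fully covered by the NAT object that the NAT rules reference."""
    net = parse_network_object(cfg, object_name)
    return sorted(n for n, (lo, hi) in parse_pools(cfg).items()
                  if net is None or lo not in net or hi not in net)


def overlapping_pools(cfg):
    """Adjacent (by start address) pool pairs whose ranges intersect."""
    pools = sorted(parse_pools(cfg).items(), key=lambda kv: kv[1][0])
    return [(a, b) for (a, (_, a_hi)), (b, (b_lo, _)) in zip(pools, pools[1:])
            if b_lo <= a_hi]


def transform_set_findings(cfg):
    """Sets named by the dynamic map must exist; one must be 'mode transport'."""
    defined = set(re.findall(r"^\s*crypto ipsec ikev1 transform-set (\S+) esp-", cfg, re.M))
    transport = set(re.findall(r"^\s*crypto ipsec ikev1 transform-set (\S+) mode transport", cfg, re.M))
    referenced = set()
    for names in re.findall(r"^\s*crypto dynamic-map \S+ \d+ set ikev1 transform-set (.+)$", cfg, re.M):
        referenced.update(names.split())
    return {"undefined": sorted(referenced - defined), "transport_ok": bool(referenced & transport)}


def map_interfaces_missing_ikev1(cfg):
    """Interfaces carrying the crypto map but lacking 'crypto ikev1 enable'."""
    mapped = set(re.findall(r"^\s*crypto map \S+ interface (\S+)", cfg, re.M))
    enabled = set(re.findall(r"^\s*crypto ikev1 enable (\S+)", cfg, re.M))
    return sorted(mapped - enabled)


def parse_policies(cfg):
    """policy number -> {encryption, hash, group, lifetime} from each policy block."""
    policies, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"\s*crypto ikev1 policy (\d+)", line)
        if m:
            cur = policies.setdefault(int(m.group(1)), {})
            continue
        parts = line.split()
        if cur is not None and len(parts) == 2 and parts[0] in ("encryption", "hash", "group", "lifetime"):
            cur[parts[0]] = parts[1]
        elif not parts:  # a blank line ends the policy section
            cur = None
    return policies


def weak_policies(cfg):
    """Policies using DES/3DES, MD5 or DH group 1/2/5 (deprecated by current guidance)."""
    return sorted(n for n, p in parse_policies(cfg).items()
                  if p.get("encryption") in {"des", "3des"} or p.get("hash") == "md5"
                  or p.get("group") in {"1", "2", "5"})


if __name__ == "__main__":
    for check in (pools_outside_subnet, overlapping_pools, transform_set_findings,
                  map_interfaces_missing_ikev1, weak_policies):
        print(check.__name__, check(CONFIG))
```

Paste the output of show running-config into CONFIG to lint a live box; the parser only reads the lines it needs and ignores the rest. On the excerpt as written every structural check comes back clean and only the cipher-strength check reports findings.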

If you want specifics on the client side setup, let me know.