Extract private key from Cisco private-config

This blog post discusses extracting a private key from Cisco IOS’s private-config file. I recently generated a keypair on an IOS router and had forgotten to flag it as “exportable”, making it difficult to back up. As the key-pair was used for IPSec authentication it was an important key to back up.

The first step is to recover private-config from the device, which I’m not going to cover in this post. Open the file in a text editor, locate the section that begins “crypto RSA-key-pair” and save the hexadecimal values to a text file. The section will look like this:

crypto RSA-key-pair MyKey 0 1440004978
308204BC 02010030 0D06092A 864886F7 0D010101 05000482 04A63082 04A20201
00028201 0100DE8D 63241465 57356A77 57FC2C3D BBDD8454 F25B6B1A DB487C6D
AA0C1157 F665AF18 08EFC785 C23D3185 06F3D51A 42C94F06 5A97756A C83693C6
...

When saving to a text file, omit the header line beginning “crypto RSA-key-pair”; only the hexadecimal values are required.
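The hex words from that section are just a whitespace-separated DER dump. The added example below (not code from the original post) turns such a dump into a PEM file and, before doing so, checks that the dump is complete by comparing the outer DER SEQUENCE length against the number of bytes recovered; the PKCS#8 “PRIVATE KEY” label is inferred from the header bytes visible in the dump (version INTEGER followed by the rsaEncryption AlgorithmIdentifier), which is an assumption. The embedded sample is the three truncated lines shown above, so it is reported as incomplete.

```python
import base64
import re
import textwrap

# Constructed sample: the three hex lines shown in the post, header line
# omitted as instructed. A real private-config section is much longer.
SAMPLE_HEX = """
308204BC 02010030 0D06092A 864886F7 0D010101 05000482 04A63082 04A20201
00028201 0100DE8D 63241465 57356A77 57FC2C3D BBDD8454 F25B6B1A DB487C6D
AA0C1157 F665AF18 08EFC785 C23D3185 06F3D51A 42C94F06 5A97756A C83693C6
"""

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption), tag and length included.
RSA_ENCRYPTION_OID = bytes.fromhex("06092A864886F70D010101")


def hex_dump_to_der(text: str) -> bytes:
    """Strip all whitespace from the IOS hex dump and return the raw DER bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", text))


def der_sequence_length(der: bytes) -> int:
    """Total encoded size (tag + length field + body) of the outer DER SEQUENCE."""
    if not der or der[0] != 0x30:
        raise ValueError("dump does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_dump(der: bytes) -> dict:
    """Report whether the recovered bytes form a complete PKCS#8 RSA structure."""
    expected = der_sequence_length(der)
    return {
        "expected_len": expected,
        "actual_len": len(der),
        "complete": len(der) == expected,  # False for a truncated or over-long copy
        "pkcs8_rsa": RSA_ENCRYPTION_OID in der[:32],
    }


def der_to_pem(der: bytes) -> str:
    """Wrap DER in a PKCS#8 PEM envelope (64-character base64 lines)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN PRIVATE KEY-----\n{body}\n-----END PRIVATE KEY-----\n"


if __name__ == "__main__":
    der = hex_dump_to_der(SAMPLE_HEX)
    print(check_dump(der))                 # the sample is incomplete: 96 of 1216 bytes
    if check_dump(der)["complete"]:
        print(der_to_pem(der))             # then verify with: openssl pkey -in key.pem -check
```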

Getting started with DN42

A week or two ago I became aware of DN42, a private network run to teach people how to use BGP. DN42 users connect to each other using site-to-site VPNs and then use BGP to exchange routing information. As someone who learns best from hands-on activity I simply couldn’t resist.

This blog post will discuss getting connected to the DN42 network using a Cisco router, be it physical or in a virtualisation solution such as GNS3/VIRL. At a high level there are three main steps:

  1. Create a number of “objects” in order to allocate a network address that you advertise in BGP;
  2. Configure your router so it can access the internet;
  3. Locate a suitable network to establish a VPN with and then form a BGP adjacency.

I’ll try and cover off the various DN42 specifics, but do not plan on covering basic router configuration tasks.

Configure Cisco IOS DHCP to use vendor class IDs

The IOS DHCP server can be configured to provide different address information to clients based on information they provide via DHCP option 60.

DHCP Option 60 is the “vendor class identifier option” that allows the DHCP client to identify its type so that custom configuration can be applied.

Configuring the DHCP Client

For custom address configuration to be applied the client must specify option 60. This is configured with the “ip dhcp client class-id XXX” command, where XXX is an ASCII label to use. For example:

interface Vlan10
  description ** Corporate LAN - Management Address **
  ip dhcp client class-id CUSTOM_CLASS
  ip address dhcp
  end

Configuring the DHCP Server

To configure the IOS DHCP server you must specify a default class and then a class that will match against DHCP option 60. When matching against option 60 you must convert the ASCII string the client sends (e.g. “CUSTOM_CLASS”) to hexadecimal.

ip dhcp class DEFAULT
  remark IP addresses for devices not providing a class-id
!
ip dhcp class CUSTOM_CLASS
  remark IP addresses for devices providing "CUSTOM_CLASS"
  option 60 hex 435553544f4d5f434c415353

With the matching set up, the DHCP pool configuration can be split between the custom class and the default:

ip dhcp pool LAN
  network 192.168.0.0 255.255.255.0
  default-router 192.168.0.254
  class CUSTOM_CLASS
    address range 192.168.0.210 192.168.0.220
  class DEFAULT
    address range 192.168.0.0 192.168.0.200

If this doesn’t work, the following debug commands may help identify the cause of the problem:

debug ip dhcp server class
debug ip dhcp server packet detail