A CCIE Security engineer walks into a bar, things get weird

This might get a bit weird, and you can blame me for watching too much of The Mighty Boosh, but bear with it.

Picture the scene.

You walk into a bar, with a friend who you refer to as “silly knickers”.

At the first table, you point to your friend, and can see a pissed-up architect, trying to draw whilst wearing cashmere mittens. What an idiot.

You look at the second table, and point to your friend again, as there are two pissed-up architects, both trying to draw whilst wearing cashmere mittens. Idiots,

Getting a drink is Easy. You politely point at the bar and grab an alcoholic apple juice. Then you head to the bathroom and pee in private. You fancy a vanilla tequila.

Back at the bar, the barman is also a fitness instructor. He’s flexing happily. Two authors walk in, they politely propose a policy of only drinking alcoholic apple juice, in order to keep bar profits set high. You prefer a vanilla tequila.

One of the authors is actually a client of the barman, so he does not point and laugh. Instead, he says he’d like the same, but instead of vanilla tequila, he’d like a cup of tea in two cups.

The authors get served.

The next to get served is a policeman with a key. He’s carrying Optimus Prime under one arm, and Bumblebee under the other. He has another key, which is huge, it’s a really strong key. He orders a cucumber and a lemonade and nods to the group.

As is a bar policy, anyone with a key gets to make the rules. Before you know it, everyone is wearing cashmere mittens. Idiots!

Ok, story time over. All good stories have meanings, so what’s this one all about (if you haven’t worked it out from the clues)? I am sure lots of readers are thinking.. WTF?

wtf
Well, this is to try and remember VPN setups.

I made the VPNs cheatsheet a week or two ago, and this is good for showing where things fit in with each other, but I was still forgetting the steps.

I tried mnemonics, but they just came out as unrelated words, so decided to turn it into a story, with enough information to remember all the steps.

Let’s break it down.

The first table is IKEv1.

I = ISAMKP
Point = Policy
To = Transform
Silly = Set
Knickers = Keyring
If = ISAMKP
Pissed = Profile
Architect = ACL
Cashmere = Crypto
Mittens = MAP
Idiot = Interface

Table 2 is IKEv2

I = ISAMKP
Point = Policy
To = Transform
Silly = Set
Knickers = Keyring
If = ISAMKP
2
Pissed = Profile
Architect = ACL
Cashmere = Crypto
Mittens = MAP
Idiots = Interface

A little harder, but the 2 signifies IKEv2 commands, and we need four of them (proposal, policy, keyring and profile). Each starts with “crypto ikev2”, so we can use the context-sensitive help.

Easy VPN is next (its EASY to get served…)

I = ISAKMP
Politely = Policy
Point = Pool
Grab = Group
An Alcoholic Apple (juice) = AAA 
I = ISAKMP
Pee = Profile
In = IPSec 
Private = Profile
Vanilla = Virtual
Tequila = Template

I have left the client-side out, as that’s pretty easy (create the “crypto ipsec client ez group”, and assign the outside and inside interfaces)

Then comes FlexVPN Server (our flexing barman)

Point = Pool
And = Access
Laugh = List
2 Authors = IKEv2 Authorization
Politely = Policy
Propose = Proposal
Policy = Policy
Alcoholic Apple = AAA
2 Keep = Ikev2 Keyring
Profiles = IKEv2 Profile
Set = Transform Set
I = IPSec 
Prefer = Profile
Vanilla = Virtual
Tequila = Template

A server is no good without a client And this is much the same. Here the author wants the same as the server, without the pointing and laughing, but he does not want the vanilla tequila (virtual template), and orders:

Tea = Tunnel
In = Interface
2 = IKEv2
Cups = Client

The policeman is getting served next, which brings us onto GETVPN.

Is A = ISAMKP
Policeman = Policy
Key = ISAKMP key
Transformers = Transform Set
Really Strong Key = RSA key
A Cucumber and Lemonade = ACL
(nods to the) Group = GDOI Group

I have left out the IPSec profile from the server. I could not think of anything to fit, and the IOS will actually complain (I think) if this is missing, so it should be easy to figure out the missing bit(s).

Finally, we have the GETVPN client:

(As) Is A = ISAKMP
(bar) policy = Policy
Key = ISAKMP Key
Group = GDOI group
Cashmere = Crypto
Mittens = Map
Idiots = Interface

Trying to keep things like crypto map (cashmere mittens), interface (idiot/s) and virtual template (vanilla tequila) the same across the story, as it makes it (slightly) easier to remember. It’s a weird story, but with enough repetition, and picturing yourself in the bar, it should aid memory.

2 Comments

  1. Anonymous August 17, 2016
  2. Jane Ngigi August 17, 2016