Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20350112
(S) For the case of VPN Link, the VPN tunnel is used to provide a path from the Sponsor
Network to the Target behind the Flytrap (i.e., on the Flytrap’s LAN/WLAN side).
Typically this would not be possible because the Flytrap’s WAN would likely have a
non-routable IP address. A VPN Link can be established in a number of ways:
• The Flytrap executes a Mission with a VPN Link Global Action
• The Flytrap executes a Mission with a VPN Proxy All Global Action
• The Flytrap detects a Target with a VPN Link Action
• The Flytrap detects a Target with a VPN Proxy Action
On the CherryWeb “View->Flytraps” page, the “VPN Link” column shows the status of
the VPN Link for each Flytrap (see 9.8 for status codes).
(S) If a Flytrap has a VPN Link with status “Up”, then an Icon Terminal (connected to
the proper Cisco VPN “profile”) can be used to gain access to the Flytrap and any clients
on the Flytrap’s LAN/WLAN. The blue arrows in Figure 3 show the path from the Icon
Terminal to the CB-VPN, which can then reach the Flytrap and LAN/WLAN clients
through the VPN tunnel. To gain access to the VPN Link tunnel, establish a “VPN Link
Terminal” as follows:
(S) Note: the “CB VPN ASA” Cisco VPN profile has been removed due to sponsor
concerns related to linking two sponsor networks via a VPN tunnel. As such, in order to
establish a “VPN Link Terminal”, a server on the CB VPN Server’s subnet must be used
to route to the CB VPN Server and access the tunnel. The following technique uses the
CB CC slave server as the server that routes to the CB VPN Server and from which the
VPN Link tunnel can be established:
• Establish a CB Server “root” Console/Terminal to the master CB CC slave
server (i.e., the slave Cherry Tree server) – see the CB Installation Guide for
instructions and server IP addresses (at time of writing [30 December 2010] the
CB CC slave server IP address was 172.24.5.18). This step requires an Icon
terminal.
• Add a route to the CB VPN Server – from the “root” console, execute:
route add -net 10.128.0.0/9 gateway <CB_VPN_SERVER_IP>
where <CB_VPN_SERVER_IP> is the IP address of the CB VPN Server (see the
CB Installation Guide – at time of writing [30 December 2010] the CB VPN
server IP address was 172.24.5.21).
(S) To reach the Flytrap over the VPN Link tunnel (from the “VPN Link Terminal”), the
Flytrap’s “VPN IP Address” must be used. CherryWeb displays the VPN IP Address on
the “Flytrap Details” page (i.e., clicking any CherryWeb link with the name of the
Flytrap will take the user to the “Flytrap Details” page). For example, say the Flytrap’s
VPN IP Address is 10.129.12.34. Issuing “ping 10.129.12.34” from the “VPN Link
Terminal” will ping the Flytrap over the VPN Link tunnel.