Posts from ‘Networking’

Jan 25

This is going to be a quick guide on how to set up VPN access on your Cisco router (in my case a Cisco 887 router with VDSL) so that remote clients can connect into your network and reach the local resources. There are a few different ways of doing this, however we’re going to use IPsec, mainly because it’s more secure than the alternatives and most of the time doesn’t require any third-party clients to get it working.

The guide assumes you’ve already got your LAN (VLAN1) and WAN (PPPoE/A on Dialer1) set up and working, and that you have enough Cisco knowledge to apply the commands in the right places, as I won’t be covering the basics.

So the first part is to enable authentication on the router so that we can create users and have the VPN authenticate against them. You could also use an external RADIUS server, however if you’ve only got a few users this is going to be simpler to manage.

aaa new-model
aaa session-id common

aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local 

username vpn_username password 0 vpn_password

Next we need to create an IP pool that we’ll use to give the VPN clients unique IP addresses that appear to be on the LAN (VLAN1); the second step is to ensure that we don’t hand out these same IPs as part of the normal DHCP process.

ip local pool vpn_client_pool 192.168.0.100 192.168.0.109
ip dhcp excluded-address 192.168.0.100 192.168.0.109

Now normally when a client connects to our VPN we only want it to send traffic for the LAN to us; there’s usually no point in sending internet or DNS traffic to us if they already have an internet connection. We do that with an access list.

Basically the below is saying that ‘any’ of the clients have access to ‘192.168.0.0/24’; you should be able to modify it to your specific requirements.

ip access-list extended vpn_resources
 permit ip 192.168.0.0 0.0.0.255 any
!

IPsec uses two different phases, one for user authentication and one for traffic encryption, therefore we need to create two different policies. There are more secure settings than what I’m using in the policies below, however you’re realistically going to have more compatibility problems as you tighten these, and the below are still very secure for most installs.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!

Now we need to define the group. The group name and group key that you pick here will also need to be entered on all of the clients that use the VPN (laptops/iPhones etc…), so you want to pick something secure but something that you also don’t mind disclosing to people with VPN access.

In the below configuration my group is ‘oracle’ and we’re using a shared password of ‘qwerty’. You should also notice this is where we reference the IP address pool that these clients will be given, and the access list ‘vpn_resources’ that defines where they’re allowed to go within our network.

(If you want to redirect the clients’ DNS queries you could also do that here with the ‘dns’ setting, however there’s usually not much point in that unless you have some kind of intranet.)

crypto isakmp client configuration group oracle
 key qwerty
 pool vpn_client_pool
 acl vpn_resources
 max-users 10
!

OSX Cisco VPN Client

So the above configuration was mostly for Phase 1 (ISAKMP) of the tunnel; really this is concerned with securely authenticating the users and defining how we’re going to configure them on the network once they’re connected.

Naturally that brings us onto Phase 2 (IPsec), which is how the already authenticated users are going to securely encrypt their traffic between the router and the client. First we’ll set up a transform set and bind that to an IPsec profile.

crypto ipsec transform-set vpn_transform esp-3des esp-sha-hmac 
!
crypto ipsec profile vpn_profile
 set transform-set vpn_transform
!

Now we need somewhere on the router that clients can actually bind their internal IP to, so that, for example, the IP routing and ARP tables on the router know where to send that traffic; this is a ‘virtual-template’. The configuration is simply saying our Virtual-Template2 is part of the IPsec profile we just created and is on the VLAN1 internal network.

interface Virtual-Template2 type tunnel
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn_profile
!

Now the last part is to glue our VPN group, the way we want to authenticate users and the virtual template configuration together using the ISAKMP profile.

crypto isakmp profile vpn_ike_profile
   match identity group oracle
   client authentication list vpn_xauth_ml_1
   isakmp authorization list vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
iPhone Example Config

The final step is to go over to one of your clients and actually try the VPN connection; below are the five bits of information that these clients will require at a minimum, most will dynamically pick up the rest of the required information.

Clients like an iPhone (shown at the right) have a built-in client; however, if yours doesn’t, go over to the Cisco website and download the ‘Cisco VPN Client’, which is currently available for most operating systems like Windows, Linux, OSX and Solaris.

  • Public IP or DNS Name – vDSL Dialer1 Public IP
  • Group Name – oracle
  • Group Pass – qwerty
  • User – vpn_username
  • Pass – vpn_password
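
Before handing out the details above it is worth checking that every name in the configuration actually resolves: the ISAKMP profile points at a group, authentication and authorization lists and a virtual template, the virtual template points at an IPsec profile, the group points at a pool and an ACL, and the pool must sit inside a DHCP excluded range. The Python below is an added example (not Cisco code and not from the original post) that runs those cross-reference checks over a config fragment assembled from the page’s own snippets; which checks are worth running is my assumption.

```python
"""Cross-reference checker for IOS remote-access IPsec VPN config.
Added example, not Cisco code; SAMPLE_CONFIG is assembled from the
page's snippets, the set of checks is an assumption."""
import ipaddress

# Constructed input: the page's VPN snippets joined into one config fragment.
SAMPLE_CONFIG = """
aaa authentication login vpn_xauth_ml_1 local
aaa authorization network vpn_group_ml_1 local
ip local pool vpn_client_pool 192.168.0.100 192.168.0.109
ip dhcp excluded-address 192.168.0.100 192.168.0.109
ip access-list extended vpn_resources
 permit ip 192.168.0.0 0.0.0.255 any
crypto isakmp client configuration group oracle
 key qwerty
 pool vpn_client_pool
 acl vpn_resources
crypto ipsec transform-set vpn_transform esp-3des esp-sha-hmac
crypto ipsec profile vpn_profile
 set transform-set vpn_transform
interface Virtual-Template2 type tunnel
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn_profile
crypto isakmp profile vpn_ike_profile
   match identity group oracle
   client authentication list vpn_xauth_ml_1
   isakmp authorization list vpn_group_ml_1
   virtual-template 2
"""


def parse_blocks(config):
    """Map each top-level IOS line to the list of indented lines beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def child(blocks, header_prefix, child_prefix):
    """Value after child_prefix in the first block whose header starts with
    header_prefix, or None if either is missing."""
    for header, lines in blocks.items():
        if header.startswith(header_prefix):
            for line in lines:
                if line.startswith(child_prefix + " "):
                    return line[len(child_prefix):].strip()
    return None


def has_line(blocks, prefix):
    return any(h.startswith(prefix) for h in blocks)


def check_vpn_config(config):
    """Return a list of findings; an empty list means every reference resolves."""
    b, findings = parse_blocks(config), []
    prof = "crypto isakmp profile"
    group = child(b, prof, "match identity group")
    group_hdr = f"crypto isakmp client configuration group {group}"
    if group_hdr not in b:
        findings.append(f"ISAKMP profile matches undefined group '{group}'")
    auth = child(b, prof, "client authentication list")
    if not has_line(b, f"aaa authentication login {auth} "):
        findings.append(f"XAUTH list '{auth}' has no aaa authentication login entry")
    authz = child(b, prof, "isakmp authorization list")
    if not has_line(b, f"aaa authorization network {authz} "):
        findings.append(f"authorization list '{authz}' has no aaa authorization network entry")
    vt_hdr = f"interface Virtual-Template{child(b, prof, 'virtual-template')} type tunnel"
    if vt_hdr not in b:
        findings.append(f"ISAKMP profile points at missing '{vt_hdr}'")
    ipsec_prof = child(b, vt_hdr, "tunnel protection ipsec profile")
    if ipsec_prof is None or f"crypto ipsec profile {ipsec_prof}" not in b:
        findings.append("virtual-template does not bind an existing IPsec profile")
    ts = child(b, f"crypto ipsec profile {ipsec_prof}", "set transform-set")
    if ts is None or not has_line(b, f"crypto ipsec transform-set {ts} "):
        findings.append("IPsec profile does not reference a defined transform-set")
    acl = child(b, group_hdr, "acl")
    if acl is None or f"ip access-list extended {acl}" not in b:
        findings.append(f"group references undefined split-tunnel ACL '{acl}'")
    pool = child(b, group_hdr, "pool")
    pool_line = next((h for h in b if h.startswith(f"ip local pool {pool} ")), None)
    if pool_line is None:
        findings.append(f"group references undefined address pool '{pool}'")
    else:
        first, last = (ipaddress.ip_address(x) for x in pool_line.split()[-2:])
        covered = False  # 'ip dhcp excluded-address' takes one address or a low/high pair
        for h in b:
            if h.startswith("ip dhcp excluded-address "):
                ends = h.split()[3:]
                lo, hi = ipaddress.ip_address(ends[0]), ipaddress.ip_address(ends[-1])
                covered = covered or (lo <= first and last <= hi)
        if not covered:
            findings.append(f"pool {first}-{last} is not fully excluded from DHCP")
    return findings


if __name__ == "__main__":
    for finding in check_vpn_config(SAMPLE_CONFIG) or ["config references are consistent"]:
        print(finding)
```

Run it against a `show running-config` capture; an empty result means the profile chain is intact and the client pool cannot collide with DHCP leases, which are the two mistakes that most often leave a client stuck after XAUTH succeeds.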

Sep 27

I’ve recently been setting up a new customer network and they had some fairly strange requirements: whereas most of our customers are fairly averse to any kind of downtime, this customer required a weekly reboot of their equipment out of hours, even on the core networking equipment.

For the Cisco routers this was fairly easy to set up. First you need to create a kron job (basically like a Linux cron job); this just defines what you want to do, the when is configured later on.

So we’re going to create a policy called ‘reloadrouter’ and it’s going to run the ‘cli’ based command ‘reload’, nice and simple:

Auto Reload/Reboot

kron policy-list reloadrouter
 cli reload
!

Now that we have a policy we need to set it to run; basically we define an occurrence for the policy, then a time and how often we want this to recur in the future.

kron occurrence reloadrouter at 4:00 recurring
 policy-list reloadrouter
!

You can do a load of other cool things with kron; for example, here are some other policies.

Auto Save Config

Forgetting to save the configuration? Save yourself an embarrassing reload!

kron policy-list daily-save-config
 cli write
!
kron occurrence daily-save-config at 4:00 recurring
 policy-list daily-save-config
!

Remove debug

People keep leaving debug running on the routers, auto turn it off!

kron policy-list daily-un-debug
 cli undeb all
!
kron occurrence daily-un-debug at 1:00 recurring
 policy-list daily-un-debug
!

TFTP Backup

Want to do a quick backup of the startup configuration to a TFTP server?

kron policy-list config-backup
 cli show startup-config | redirect tftp://10.1.1.1/bkup.cfg
!
kron occurrence config-backup at 1:00 recurring
 policy-list config-backup
!

One thing; please don’t forget the command is only as good as your time keeping, so NTP is always wise with this kind of automation 🙂

Sep 27

After spending quite a bit of time getting my Cisco VDSL router working with PPPoE I thought others might benefit from an example configuration; please read through and tune the configuration to match your requirements.

Basically this will set up the vDSL connection and obtain an IP address from your ISP using PPPoE CHAP authentication. The 192.168.0.0/24 range will be used on the inside network and DHCP will hand out IPs within the range 192.168.0.6-99/24; the router will take the address 192.168.0.1 and perform PAT-based NAT on any outbound traffic.

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname HOME-GW-1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 4096
enable secret {PASSWORD-GOES-HERE}
enable password {PASSWORD-GOES-HERE}
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone gmt 0 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
crypto pki token default removal timeout 0
!
!
no ip source-route
!
!
!
ip dhcp excluded-address 192.168.0.0 192.168.0.5
ip dhcp excluded-address 192.168.0.100 192.168.0.255
!
ip dhcp pool 10
 import all
 network 192.168.0.0 255.255.255.0
 ! Change to your ISP DNS
 dns-server 8.8.8.8 4.2.2.2 
 default-router 192.168.0.1 
!
!
ip cef
! Change to your ISP DNS
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip inspect WAAS flush-timeout 10
ipv6 cef
!
!
!
archive
 log config
  logging enable
  logging size 500
  hidekeys
username {username} secret {password}
!
!
!
!
controller VDSL 0
 operating mode vdsl2
 modem customUKAnnexM
 modem customUKAnnexA
 modem UKfeature
!
ip ssh version 2
! 
!
!
!
!
!
bba-group pppoe global
!
!
interface Ethernet0
 no ip address
 pppoe-client dial-pool-number 1
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 description Link-to-Dist-Switch
 no ip address
 duplex full
 speed 100
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer1
 description vDSL
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname {ISP-USERNAME-HERE}
 ppp chap password 0 {ISP-PASSWORD-HERE}
 ppp pap sent-username {ISP-USERNAME-HERE} password 0 {ISP-PASSWORD-HERE}
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 10 interface Dialer1 overload
!
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 10 remark nat-pool
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 23 remark vty
access-list 23 deny   any log
dialer-list 1 protocol ip permit
!
!
!
!
!
!
!
ipv6 access-list ipv6_deny
 deny ipv6 any any
!
ipv6 access-list V6-FILTER
 permit icmp any any
 deny ipv6 any any log
banner login ^CC
THIS IS A PRIVATE SYSTEM. UNAUTHORISED ACCESS IS NOT
PERMITTED AND OFFENDERS ARE LIABLE TO PROSECUTION.

YOUR IP HAS BEEN LOGGED AND AN ALERT GENERATED
^C
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 access-class 23 in
 ipv6 access-class ipv6_deny in
 transport input telnet
 escape-character 3
!
scheduler max-task-time 5000
ntp server {YOUR-NTP-Server}
end
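
The standard access lists in this config (10 for NAT, 23 for the vty access-class) use wildcard masks, which are the inverse of subnet masks, and like every IOS ACL they end with an implicit deny. The Python below is an added example (not Cisco code and not from the original post) that evaluates the page’s access-lists 10 and 23 with first-match semantics against candidate source addresses; access-list 24 is a constructed entry written with a subnet mask by mistake, included to show how that slip locks everyone out of the vty lines.

```python
"""IOS standard-ACL evaluator. Added example, not Cisco code; access-lists
10 and 23 are copied from the page, access-list 24 is constructed."""
import ipaddress

ACL_CONFIG = """
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 10 remark nat-pool
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 23 remark vty
access-list 23 deny   any log
access-list 24 permit 192.168.0.0 255.255.255.0
"""


def parse_standard_acls(text):
    """Return {acl number: [(action, network as int, wildcard as int, log)]}."""
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        number, action, target = parts[1], parts[2], parts[3]
        rest = [p for p in parts[4:] if p != "log"]
        if target == "any":
            net, wild = "0.0.0.0", "255.255.255.255"
        elif target == "host":
            net, wild = rest[0], "0.0.0.0"
        else:  # 'network wildcard', or a bare address meaning a single host
            net, wild = target, (rest[0] if rest else "0.0.0.0")
        acls.setdefault(number, []).append(
            (action, int(ipaddress.ip_address(net)), int(ipaddress.ip_address(wild)), "log" in parts))
    return acls


def wildcard_match(address, net, wild):
    """A 1 bit in the wildcard means 'don't care', so compare only the 0-bit positions."""
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.ip_address(address)) & care) == (net & care)


def evaluate(acls, number, source):
    """(action, logged) for the first matching entry; implicit deny otherwise."""
    for action, net, wild, log in acls.get(number, []):
        if wildcard_match(source, net, wild):
            return action, log
    return "deny", False


if __name__ == "__main__":
    acls = parse_standard_acls(ACL_CONFIG)
    for acl, src in [("23", "192.168.0.50"), ("23", "10.9.8.7"), ("24", "192.168.0.50")]:
        print(acl, src, evaluate(acls, acl, src))
```

With the page’s access-list 23, a LAN host is permitted and anything else hits the explicit, logged deny; with the mistaken access-list 24 the wildcard 255.255.255.0 only cares about the last octet, so 192.168.0.50 falls through to the implicit deny while an unrelated 10.20.30.0 would be permitted.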

Aug 27

Introduction.

TL,DR; – Go to Installing Squid

Yum is a great package manager for CentOS that is the secret envy of every Windows system administrator on the planet; however, there will come a time when you attempt a “yum update” or “yum install tcpdump” only to find out there is a problem with internet access from your server.

90% of the time you’ll probably find a network issue or someone has messed up the DNS resolver configuration, however in some instances the server will legitimately have no internet access and setting up this access is either not allowed or highly inconvenient.

Recently I worked on a server with two network connections, one to the management network and another to a VoIP signalling/media network. In this setup the default gateway was configured via the VoIP network as that carries the mission-critical services, and all the management elements had static routes via the management interface gateway. The problem was the VoIP network was internal and had no internet access available, whereas the management network did. Placing a static route for every possible Yum repository and mirror obviously isn’t an option and neither was switching around the network configuration, so here comes the proxy.

The concept of a proxy is fairly simple: we’re going to tell Yum that all of its traffic should be sent to a specific IP address on a specific port. This IP address will be on a server with internet access that has the Squid proxy installed and listening on that port for inbound connections. Assuming the access lists on the proxy are configured correctly it will then route that traffic to the internet and back on behalf of the originating server, therefore giving the illusion of internet access for Yum. Simple!

Installing Squid

So you need to find a server on your network that has IP connectivity to the internet and to your other server that doesn’t have internet access, this is where the proxy (Squid) will reside.

The first step is to use Yum to install the Squid application on this server, and then ensure that it’s going to start at boot.

yum -y install squid
chkconfig squid on

Now you need to define which client IP addresses are permitted to use your proxy; in our case this range should include the IP of the client that doesn’t have internet access. So edit the Squid configuration as below, replacing the IP range as per your network.

nano /etc/squid/squid.conf
acl allowed_clients_acl src 192.168.0.0/24
http_access allow allowed_clients_acl

Now restart the Squid service to apply the configuration changes:

service squid restart

It’s always worth checking that Squid is actually running and listening on the correct network port using netstat:

netstat -lnutp | grep 3128
tcp        0      0 0.0.0.0:3128                0.0.0.0:*                   LISTEN      20653/(squid)
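
One thing the two lines above depend on is where they land in squid.conf: Squid evaluates http_access rules top to bottom and stops at the first one whose ACLs all match, and the stock file ends with http_access deny all, so an allow pasted below that line never fires and the client is still refused. The Python below is an added example (not Squid code and not from the original post) that models that first-match evaluation over two constructed squid.conf fragments, one ordered correctly and one with the allow after the deny; only src and port ACL types are handled, which is an assumption made to keep it short.

```python
"""First-match evaluator for Squid http_access rules. Added example, not
Squid code; GOOD_CONF and BAD_CONF are constructed fragments."""
import ipaddress

GOOD_CONF = """
acl allowed_clients_acl src 192.168.0.0/24
http_access allow allowed_clients_acl
http_access deny all
"""

# Same lines, but the allow was pasted at the end of the file, after 'deny all'.
BAD_CONF = """
http_access deny all
acl allowed_clients_acl src 192.168.0.0/24
http_access allow allowed_clients_acl
"""


def parse_squid(conf):
    """Return (acl table, ordered http_access rules). Squid predefines 'all'."""
    acls = {"all": [("src", "0.0.0.0/0")]}
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl" and len(parts) >= 4:
            acls.setdefault(parts[1], []).extend((parts[2], v) for v in parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, client_ip, dest_port):
    """Evaluate one (possibly '!'-negated) ACL reference; only src (CIDR or
    single address) and port ACL types are modelled here."""
    negate = name.startswith("!")
    entries = acls.get(name.lstrip("!"))
    if entries is None:
        raise ValueError(f"unknown acl {name!r}")  # Squid refuses to start on this
    hit = False
    for kind, value in entries:
        if kind == "src" and ipaddress.ip_address(client_ip) in ipaddress.ip_network(value, strict=False):
            hit = True
        elif kind == "port" and str(dest_port) == value:
            hit = True
    return hit != negate


def decide(conf, client_ip, dest_port=80):
    """'allow' or 'deny' for a request under Squid's first-match semantics;
    with no matching rule the result is the opposite of the last rule's action."""
    acls, rules = parse_squid(conf)
    for action, names in rules:
        if all(acl_matches(acls, n, client_ip, dest_port) for n in names):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, decide(conf, "192.168.0.50"), decide(conf, "10.1.1.9"))
```

If yum on the client gets a 403 from the proxy after the restart, the misordered case is the first thing to rule out: the same two lines produce allow when they sit above deny all and deny when they sit below it.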

Client/Yum configuration

So our Squid proxy server should be working now; the next step is to actually configure the clients to use this server. Simply, in the user’s (in this case root’s) bash profile we’re going to specify an environment variable that yum will pick up on, so edit that profile text file:

nano /root/.bash_profile

Then just paste in this line, replacing the IP address with your Squid server (you can also use a hostname).

export http_proxy=http://192.168.204.251:3128

Bingo – Try some yum commands on the server and you should be in business!

Any problems leave a question in the comments 🙂

Mar 23

The home and small business routers these days that we geeks would be interested in buying are shipping with SNMP server functionality built in as standard, and when they’re not, there’s normally some way of breaking into the BusyBox Linux distro (that most of them use) and installing some kind of SNMP daemon.

However there are always cases where that option’s not available for some reason or another; in these cases you can use a setup like Kurt’s, where he decided to build a passive bandwidth monitor (even though the router in his pictures does support SNMP?!).

See a basic video of it in operation here:

The basic setup consists of a passive network tap. This is basically just a fancy way of saying that you’ve cut into the pairs of a Cat5e network cable and added an extension of the pairs to your own device. The device that you add in should be doing nothing other than monitoring, so that it’s not transmitting any data onto the cable that would confuse the other two hosts, which assume they are directly connected to each other with no other hosts on the network segment. The limitation of this setup is you need physical access to the cable, and due to the nature of high-speed Ethernet it would only work on 100Mbps connections or less.

The electronic brains behind the setup is an ENC624J600 chip to interface with the Ethernet layer, chosen because of its raw Ethernet functionality; this was connected up to an ATmega128 using the SPI interface, which runs the core code to count packets and plot them on the LED display.

To have a look at Kurt’s full write up on the project, head over to here.
