Thursday, April 17, 2014

Gentoo Linux and 802.11ac

I have an Intel 7260ac PCI card that never seem to go all that fast under Linux.

The NetworkManager widget said it was on channel 149 and doing about 130Mb but in Windows it gets 650 to 780 Mb in ac mode.

Turns out the NM widget was lying it was on 2.4 (so not channel 149) and was capped about 130Mb. I tried forcing it to 5GHz but it just roamed back to 2.4.

Hmm.. found a simple solution block the MAC on the 2.4GHz radio. Now it connects at the same speed as Windows on 5GHz.  Simple really and not an issue if you have separate SSIDs.


Saturday, January 25, 2014

30 second guide to setting up an interface mode VPN on Cisco IOS

This is like one of those recipe book type 1 page cheat sheets. This relies on you knowing IOS well enough to just need a jog.

So to set up an interface mode (Virtual tunnel interface in Cisco speak) vpn you need these commands:

crypto isakmp policy
crypto isakmp key
crypto ipsec transform set
crypto ipsec profile

policy-map maybe
class class-default
shape average 128000

int tun
ip address maybe or ip unnumbered vlan1 to tie to vlan1
tun source outsideIP
tun destin otherend
tunnel mode ipsec ipv4
tunnel protection ipsec profile
service-policy maybe?

ip route tun0 perm?
or use Ip and dynamic routing rip v2?


If you're switching from proxy style VPN then remove the crypto map unless you still have dynamic client vpns and remove the IPSec policy for the connection.

The tunnel ones are just so much nicer.  No NAT hassles, easy policy QoS etc. 

Also help diag commands:

sh crypto session detail 

Thursday, January 16, 2014

Certificates on Windows, AD CA etc

This relates mainly to older servers since CAs now require 2048 bit keys and I kept running into a default of 1024 I couldn't change.

This is ripped from another blog (thanks rrustean.blogspot.com)

snip

cretate a file called c:\cert.inf with the following content:

[NewRequest]
Subject = "CN=www.mydoain.net, O=MyCompany, OU=IT, L=London, S=SE1, C=GB"
KeyLength = 2048


Now run the following:

certreq -new cert.inf outfile.req

Now just cut and paste the contents of outfile.req into the geotrust QuickSSL Premium Enrollment page and away you go.

snip

But that only goes half way.

To complete things for me loading a certificate into IIS I had to change the cert.inf file..

[NewRequest]
Subject = "CN=www.mydoain.net, O=MyCompany, OU=IT, L=London, S=SE1, C=GB"
KeyLength = 2048

Exportable = TRUE

The certificate is created under the current user and you need to export it and import to the machine account to access it in IIS.

Import the cert from the provider into your current user. Now you should be able to export it with it's private key and import it into the local machine account where IIS etc can see it.

Sunday, November 17, 2013

Windows 8.1 update notes

Just some notes from my experience of Windows 8.1 upgrade.

1. It's slow to install.  Like I'm sure it took longer than the initial install of Windows 8!

2. Start button is a have.  Just goes to Metro.  It's Metro I'm not a fan of, which is odd given I spend most of my time in Gnome 3 and I use metro in the same way.  Press windows key and start typing. Metro is just to busy.

3. App problems.  I was going to say none but VMWare player had to be repaired as the networking bridging sopped worked. I showed the interface as down and the bridge interface list was empty.  After being repaired it was fine..

Tuesday, September 10, 2013

Cisco IOS certificate handling

This is primarily for sslvpn type stuff first off.

I use startssl.com for certs etc. They great, they're free for the common stuff and browsers recognise them.  All in all they rock.  Thanks startssl.com

Importing the cert so I can use it on the router.  Seems simple but there are some gotchas.

StartSSL give you a private key..

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,32C45D65DFE1A50C983B5F75F341764D

yeahrightlikeimgoingtogiveyoumykey

-----END RSA PRIVATE KEY-----

and a public key

-----BEGIN CERTIFICATE-----
MIIGXjCCBUagAwIBAgIDC+X4MA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
...
bZB1pUEw1HLbbuN66szP7jyua2YWbKm+Q2kdi9lOGFado4n1ka3Evc7N6e9gvKrk
ADc=
-----END CERTIFICATE-----


First gotcha all they guides i've seen are old and say

crypto ca import

Most new IOS use instead

crypto pki

Second big gotcha is the IOS doesn't do AES.  So see in the private key, 3rd line it has AES we need to convert that.

It's easy if you have a Mac or a Linux box.  With windows you need to install openssl.

Save your private key on your Desktop as oldkey.pem, open the terminal and type

openssl rsa -in Desktop\oldkey.pem -out Desktop\newkey.pem -des3

Open the newkey.pem file and your public key and download the  CA certificate for your provider. They'll have a link in FAQs etc.

Log into the router, enable etc and go to config t.

To be continued


Friday, June 21, 2013

unix utils translation

I've been jumping back and forth between a few OSes lately and I keep typing the wrong thing at the prompts for day to day admin.  So I'm putting it here so I don't forget :-)

This is the commands for general update current packages, install new packages etc type stuff

Gentoo Linux:

update: emerge --sync && emerge -DuN --keep-going world
install:  emerge --sync && emerge packagename
search:  emerge --sync && emerge -s name
or emerge --sync && emerge --searchdesc

FreeBSD (9.1 if it makes a difference)

packages (pre-compiled)

update: freebsd-update --

and for ports (from source)

update: portsnap fetch update && portupgrade -a
install: cd /usr/ports/catagory/package && make WITH_LDAP="YES" install clean


Centos 6.3

update: yum check-update && yum update
install: yum install packagename
search: yum search 

More to come..

Control break on an RDP session from a Mac keyboard

Found this by accident.  I was trying to do a control break to show ping statistics.

If you do control F13 F14 quickly it does a control break.  Control F13 by self didn't but if you keep control down and do F14 as well it shows me the ping stats and carries on as you'd expect. I did get it to work once with just a few control F13s but couldn't confirm that one.

Hope that save some time for someone..