We had to set one of these up today and it was a bit odd.
The easiest way is to say what settings worked :-)
Stick with SHA and 3DES. Group2 for DH, supposedly 14 will work but it didn't for us.
Use proxies, this was our final stumbling block. ISA wanted proxies in phase 2 or came up with INVALID-ID-INFORMATION in the Fortigate debugs.
Otherwise it's defaults for times, DPD etc.
Edit later:
ISA summarises multiple networks rather than creating a second phase 2. dumb..
ie we had 10.0.1.0/24 at the remote site and 10.0.2.0/24 at the head office end. They want to add 10.0.3.0/24 so debugging (you can't set this or see it in ISA by the looks of it) the HO end proxy goes from 10.0.2.0/24 to 10.0.0.0/16. So what happens when you add a second network to the remote office end?
Wednesday, 12 November 2014
Sunday, 24 August 2014
My first raspberry Pi and dabble into crypto currency ASICs
This will be a combination of a few things.
I bought my first Pi to play with. It now does mail for our home domain, DNS and a nice gui for the dabble into crypto currency.
I bought a nice combo that had a B+ board, power supply, case, heatsinks and on top of that a wireless dongle as I want it to run in the garage which has no cabling.
Unpacked it and put it in it's case and put the heatsinks on. Easy. Plugged into the TV and booted NOOBs. Told it to install raspian and it was away. All nice and easy.
Raspian boots up with LXDE but you can, in theory, install just about anything. Set up the wifi network and a few test reboots all looked good. I played with overclocking but it just made it less stable. We'll revisit that one.
Things to do on a new RPi I now know: firmware update (sudo rpi-update) and full dist upgrade(sudo apt-get dist-upgrade) of raspian. Both seemed to help stability as I had some USB issues to start with. Go through the raspi-config settings carefully and go to advanced update rapi-config before anything else. I've dropped the GPU memory to 16MB as it'll barely ever use the display. I had to turn off overscan as well to see the whole desktop. Seems odd that's on by default.
I have a mail server running postfix, dovecot and roundcube. All these just installed on the RPi and worked. Copied the config files from the old server and merged them. Copy certs from the old server to RPi.
The next step was to test a Gridseed (scrypt hasher) and it picked it up fine. Install a system named minera (http://getminera.com) which can be a full SD image or install on a running system.
The surprising thing is the RPi just keeps taking this. It seems to have more than enough grunt to handle all this. It didn't do so well when I tried a minecraft server as well. Might need another one for that :-)
So it sits in the garage with 6 gridseeds hashing away (it'll never make money but it's fun) and doing DNS for the home network and our mail server all over a wireless link. Seems plenty stable. I like it a lot! The idea was to stop leaving a full computer on 24/7 when something tiny and way less power hungry will do the job. So that's my bit to saving the environment :-)
My list of gripes are small and not really RPi related. The Gridseeds won't do SHA256d on the Pi, I have to go to a special windows build to do that but looking at it the gridseeds should be restricted to scrypt. They use 6 to 8 watts (4 apparently if you chop the fan) each and hash about as much as a reasonable graphics card (360 to 390 kH/s currently similar to R9 270). If you so SHA256d they use 5 or 10 times as much power.
I bought my first Pi to play with. It now does mail for our home domain, DNS and a nice gui for the dabble into crypto currency.
I bought a nice combo that had a B+ board, power supply, case, heatsinks and on top of that a wireless dongle as I want it to run in the garage which has no cabling.
Unpacked it and put it in it's case and put the heatsinks on. Easy. Plugged into the TV and booted NOOBs. Told it to install raspian and it was away. All nice and easy.
Raspian boots up with LXDE but you can, in theory, install just about anything. Set up the wifi network and a few test reboots all looked good. I played with overclocking but it just made it less stable. We'll revisit that one.
Things to do on a new RPi I now know: firmware update (sudo rpi-update) and full dist upgrade(sudo apt-get dist-upgrade) of raspian. Both seemed to help stability as I had some USB issues to start with. Go through the raspi-config settings carefully and go to advanced update rapi-config before anything else. I've dropped the GPU memory to 16MB as it'll barely ever use the display. I had to turn off overscan as well to see the whole desktop. Seems odd that's on by default.
I have a mail server running postfix, dovecot and roundcube. All these just installed on the RPi and worked. Copied the config files from the old server and merged them. Copy certs from the old server to RPi.
The next step was to test a Gridseed (scrypt hasher) and it picked it up fine. Install a system named minera (http://getminera.com) which can be a full SD image or install on a running system.
The surprising thing is the RPi just keeps taking this. It seems to have more than enough grunt to handle all this. It didn't do so well when I tried a minecraft server as well. Might need another one for that :-)
So it sits in the garage with 6 gridseeds hashing away (it'll never make money but it's fun) and doing DNS for the home network and our mail server all over a wireless link. Seems plenty stable. I like it a lot! The idea was to stop leaving a full computer on 24/7 when something tiny and way less power hungry will do the job. So that's my bit to saving the environment :-)
My list of gripes are small and not really RPi related. The Gridseeds won't do SHA256d on the Pi, I have to go to a special windows build to do that but looking at it the gridseeds should be restricted to scrypt. They use 6 to 8 watts (4 apparently if you chop the fan) each and hash about as much as a reasonable graphics card (360 to 390 kH/s currently similar to R9 270). If you so SHA256d they use 5 or 10 times as much power.
Thursday, 17 April 2014
Gentoo Linux and 802.11ac
I have an Intel 7260ac PCI card that never seem to go all that fast under Linux.
The NetworkManager widget said it was on channel 149 and doing about 130Mb but in Windows it gets 650 to 780 Mb in ac mode.
Turns out the NM widget was lying it was on 2.4 (so not channel 149) and was capped about 130Mb. I tried forcing it to 5GHz but it just roamed back to 2.4.
Hmm.. found a simple solution block the MAC on the 2.4GHz radio. Now it connects at the same speed as Windows on 5GHz. Simple really and not an issue if you have separate SSIDs.
The NetworkManager widget said it was on channel 149 and doing about 130Mb but in Windows it gets 650 to 780 Mb in ac mode.
Turns out the NM widget was lying it was on 2.4 (so not channel 149) and was capped about 130Mb. I tried forcing it to 5GHz but it just roamed back to 2.4.
Hmm.. found a simple solution block the MAC on the 2.4GHz radio. Now it connects at the same speed as Windows on 5GHz. Simple really and not an issue if you have separate SSIDs.
Saturday, 25 January 2014
30 second guide to setting up an interface mode VPN on Cisco IOS
This is like one of those recipe book type 1 page cheat sheets. This relies on you knowing IOS well enough to just need a jog.
So to set up an interface mode (Virtual tunnel interface in Cisco speak) vpn you need these commands:
crypto isakmp policy
crypto isakmp key
crypto ipsec transform set
crypto ipsec profile
policy-map maybe
class class-default
shape average 128000
int tun
ip address maybe or ip unnumbered vlan1 to tie to vlan1
tun source outsideIP
tun destin otherend
tunnel mode ipsec ipv4
tunnel protection ipsec profile
service-policy maybe?
ip route tun0 perm?
or use Ip and dynamic routing rip v2?
If you're switching from proxy style VPN then remove the crypto map unless you still have dynamic client vpns and remove the IPSec policy for the connection.
The tunnel ones are just so much nicer. No NAT hassles, easy policy QoS etc.
Also help diag commands:
sh crypto session detail
So to set up an interface mode (Virtual tunnel interface in Cisco speak) vpn you need these commands:
crypto isakmp policy
crypto isakmp key
crypto ipsec transform set
crypto ipsec profile
policy-map maybe
class class-default
shape average 128000
int tun
ip address maybe or ip unnumbered vlan1 to tie to vlan1
tun source outsideIP
tun destin otherend
tunnel mode ipsec ipv4
tunnel protection ipsec profile
service-policy maybe?
ip route tun0 perm?
or use Ip and dynamic routing rip v2?
If you're switching from proxy style VPN then remove the crypto map unless you still have dynamic client vpns and remove the IPSec policy for the connection.
The tunnel ones are just so much nicer. No NAT hassles, easy policy QoS etc.
Also help diag commands:
sh crypto session detail
Thursday, 16 January 2014
Certificates on Windows, AD CA etc
This relates mainly to older servers since CAs now require 2048 bit keys and I kept running into a default of 1024 I couldn't change.
This is ripped from another blog (thanks rrustean.blogspot.com)
snip
cretate a file called c:\cert.inf with the following content:
[NewRequest]
Subject = "CN=www.mydoain.net, O=MyCompany, OU=IT, L=London, S=SE1, C=GB"
KeyLength = 2048
Now run the following:
certreq -new cert.inf outfile.req
Now just cut and paste the contents of outfile.req into the geotrust QuickSSL Premium Enrollment page and away you go.
snip
But that only goes half way.
To complete things for me loading a certificate into IIS I had to change the cert.inf file..
[NewRequest]
Subject = "CN=www.mydoain.net, O=MyCompany, OU=IT, L=London, S=SE1, C=GB"
KeyLength = 2048
Exportable = TRUE
The certificate is created under the current user and you need to export it and import to the machine account to access it in IIS.
Import the cert from the provider into your current user. Now you should be able to export it with it's private key and import it into the local machine account where IIS etc can see it.
This is ripped from another blog (thanks rrustean.blogspot.com)
snip
cretate a file called c:\cert.inf with the following content:
[NewRequest]
Subject = "CN=www.mydoain.net, O=MyCompany, OU=IT, L=London, S=SE1, C=GB"
KeyLength = 2048
Now run the following:
certreq -new cert.inf outfile.req
Now just cut and paste the contents of outfile.req into the geotrust QuickSSL Premium Enrollment page and away you go.
snip
But that only goes half way.
To complete things for me loading a certificate into IIS I had to change the cert.inf file..
[NewRequest]
Subject = "CN=www.mydoain.net, O=MyCompany, OU=IT, L=London, S=SE1, C=GB"
KeyLength = 2048
Exportable = TRUE
The certificate is created under the current user and you need to export it and import to the machine account to access it in IIS.
Import the cert from the provider into your current user. Now you should be able to export it with it's private key and import it into the local machine account where IIS etc can see it.
Sunday, 17 November 2013
Windows 8.1 update notes
Just some notes from my experience of Windows 8.1 upgrade.
1. It's slow to install. Like I'm sure it took longer than the initial install of Windows 8!
2. Start button is a have. Just goes to Metro. It's Metro I'm not a fan of, which is odd given I spend most of my time in Gnome 3 and I use metro in the same way. Press windows key and start typing. Metro is just to busy.
3. App problems. I was going to say none but VMWare player had to be repaired as the networking bridging sopped worked. I showed the interface as down and the bridge interface list was empty. After being repaired it was fine..
1. It's slow to install. Like I'm sure it took longer than the initial install of Windows 8!
2. Start button is a have. Just goes to Metro. It's Metro I'm not a fan of, which is odd given I spend most of my time in Gnome 3 and I use metro in the same way. Press windows key and start typing. Metro is just to busy.
3. App problems. I was going to say none but VMWare player had to be repaired as the networking bridging sopped worked. I showed the interface as down and the bridge interface list was empty. After being repaired it was fine..
Tuesday, 10 September 2013
Cisco IOS certificate handling
This is primarily for sslvpn type stuff first off.
I use startssl.com for certs etc. They great, they're free for the common stuff and browsers recognise them. All in all they rock. Thanks startssl.com
Importing the cert so I can use it on the router. Seems simple but there are some gotchas.
StartSSL give you a private key..
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,32C45D65DFE1A50C983B5F75F341764D
yeahrightlikeimgoingtogiveyoumykey
-----END RSA PRIVATE KEY-----
and a public key
-----BEGIN CERTIFICATE-----
MIIGXjCCBUagAwIBAgIDC+X4MA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
...
bZB1pUEw1HLbbuN66szP7jyua2YWbKm+Q2kdi9lOGFado4n1ka3Evc7N6e9gvKrk
ADc=
-----END CERTIFICATE-----
First gotcha all they guides i've seen are old and say
crypto ca import
Most new IOS use instead
crypto pki
Second big gotcha is the IOS doesn't do AES. So see in the private key, 3rd line it has AES we need to convert that.
It's easy if you have a Mac or a Linux box. With windows you need to install openssl.
Save your private key on your Desktop as oldkey.pem, open the terminal and type
openssl rsa -in Desktop\oldkey.pem -out Desktop\newkey.pem -des3
Open the newkey.pem file and your public key and download the CA certificate for your provider. They'll have a link in FAQs etc.
Log into the router, enable etc and go to config t.
To be continued
I use startssl.com for certs etc. They great, they're free for the common stuff and browsers recognise them. All in all they rock. Thanks startssl.com
Importing the cert so I can use it on the router. Seems simple but there are some gotchas.
StartSSL give you a private key..
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,32C45D65DFE1A50C983B5F75F341764D
yeahrightlikeimgoingtogiveyoumykey
-----END RSA PRIVATE KEY-----
and a public key
-----BEGIN CERTIFICATE-----
MIIGXjCCBUagAwIBAgIDC+X4MA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
...
bZB1pUEw1HLbbuN66szP7jyua2YWbKm+Q2kdi9lOGFado4n1ka3Evc7N6e9gvKrk
ADc=
-----END CERTIFICATE-----
First gotcha all they guides i've seen are old and say
crypto ca import
Most new IOS use instead
crypto pki
Second big gotcha is the IOS doesn't do AES. So see in the private key, 3rd line it has AES we need to convert that.
It's easy if you have a Mac or a Linux box. With windows you need to install openssl.
Save your private key on your Desktop as oldkey.pem, open the terminal and type
openssl rsa -in Desktop\oldkey.pem -out Desktop\newkey.pem -des3
Open the newkey.pem file and your public key and download the CA certificate for your provider. They'll have a link in FAQs etc.
Log into the router, enable etc and go to config t.
To be continued
Subscribe to:
Posts (Atom)