Networking
Mike Lynn was right.
by Brian on Dec.06, 2005, under Networking
According to this article, Mike Lynn has found 15 new, more dangerous flaws in Cisco IOS software.
“Essentially there are more bugs, and they’ve gagged me from telling anyone the details of what they are,” Lynn said.
Clearing the EXEC password from a Cisco 675/678 DSL Router
by Brian on Jul.27, 2005, under Networking
To clear the EXEC password if it isn't remembered… (Don't ask…)
[Warning: This will erase your current configuration!]
At the password prompt, unplug the power cord for 3 seconds, then plug it in again.
Just after the alarm light comes on, press CTRL + C and the router should go to a special prompt.
Type es 6 and press enter. The router will indicate that it is erasing sector 00000006.
When done simply unplug the power and start from beginning.
(Your config is now gone!)
Hope you have a backup…
How to setup a Cisco 7960G with SIP
by Brian on Jul.04, 2005, under Networking
I went to the Cisco 7960G Software Download Site and downloaded the P0S3-7-4-00.zip file, which contained the 7.4 SIP flash image for 7940/7960 IP phones.
Power on your phone and connect it to your network. You will need to change the IP address of your phone to a free one on your network or set it up to use DHCP, which is the way mine was configured by default.
There are apparently a couple of ways to unlock your phone, depending on which version of firmware you have installed. On older firmware you press **#; on newer firmware you select Unlock Config from the config menu and then type in the password (the default is ‘cisco’).
My phone was using older firmware (3.1 MF.G2), so I hit the settings hard key on the phone and moved the “cursor” to option 3, but don’t select it just yet. Press **#, then press the select soft key on the 7960’s screen. You should see the padlock icon with an unlocked appearance. Press 32 and see if you have a YES option (alternate TFTP). If so, press yes, then go to option 8 and edit the IP address.
From the CLI of your Asterisk box type: setup-cisco. This command will setup a basic SIPDefault.cnf in the /tftpboot directory of your Asterisk box.
Upload the P0S3-7-4-00.zip file to your server’s TFTP root directory, which in my case was /tftpboot on the A@H server. Don’t unzip it on your workstation and upload it. For some reason it doesn’t work.
From within your /tftpboot directory on your Asterisk box type unzip P0S3-7-4-00.zip.
From the command line type cp /tftpboot/cisco_util/* /tftpboot.
From the command line type chmod 777 /tftpboot/*.
Reboot your 7960 by disconnecting the power cable. Your phone should be able to acquire its IP from the DHCP server (if that is how you have it configured), connect to the TFTP server and start upgrading to the 7.4 release of the SIP firmware.
Once your phone has completed the upgrade, you will need to type rm /tftpboot/xmlDefault.CNF.XML and rm /tftpboot/XMLDefault.cnf.xml from the command line on your Asterisk box.
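An added example, not code from the post or from Cisco or Asterisk: a Python helper that performs the staging steps above (unzip into /tftpboot, copy cisco_util/* into the root, remove the XMLDefault files after the upgrade) but refuses archive members that would land outside the TFTP root and sets 0644 instead of chmod 777, since the phone only reads these files over TFTP. File and directory names other than cisco_util and the XMLDefault files are constructed.

```python
import os
import zipfile
from pathlib import Path

# Files the post removes from the TFTP root once the phone has upgraded.
LEFTOVER_XML = ("xmlDefault.CNF.XML", "XMLDefault.cnf.xml")


def stage_firmware(zip_path, tftproot):
    """Unpack the firmware zip into tftproot (the post's 'unzip' step) and
    flatten cisco_util/* into it (the post's 'cp' step). Archive members that
    resolve outside tftproot are refused, and files get 0644, not 0777:
    the phone only reads them over TFTP. Returns the staged relative paths."""
    root = Path(tftproot).resolve()
    staged = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            # A member such as ../escape.txt must never be written outside the root.
            if target != root and root not in target.parents:
                raise ValueError(f"refusing to write outside tftproot: {info.filename}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            os.chmod(target, 0o644)
            staged.append(str(target.relative_to(root)))
    util = root / "cisco_util"
    if util.is_dir():
        for src in util.iterdir():
            if src.is_file():
                dest = root / src.name
                dest.write_bytes(src.read_bytes())
                os.chmod(dest, 0o644)
                staged.append(dest.name)
    return sorted(staged)


def remove_leftovers(tftproot):
    """Delete the XMLDefault files the post removes after the upgrade;
    returns the names actually removed."""
    removed = []
    for name in LEFTOVER_XML:
        path = Path(tftproot) / name
        if path.is_file():
            path.unlink()
            removed.append(name)
    return removed
```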
InformationWeek > Yahoo Messenger 7.0 > Yahoo Stresses PC Phoning In IM Beta > May 18, 2005
by Brian on May.18, 2005, under Networking
VoIP for the common folk… Will PC phoning prevail?
Yahoo has released a beta that includes PC-to-PC phoning. Read about it here.
Windows XP to OpenBSD VPN Configuration
by Brian on May.13, 2005, under Networking, OpenBSD, Windows Info
Re: OpenBSD VPN
From: Peter Grießl (griesslihs.ac.at)
Date: Thu Feb 17 2005 – 02:29:22 CST
Mark Maxey wrote:
>
> My incoming hosts will be a mixture of Windows XP/2000 and Linux
> clients, but knowledgeable users. Preferably this solution would be
> able to use a free client or use the ipsec/vpn capabilities built into
> MS windows.
>
Hi Mark,
Use IPsec – Windows 2000/XP has built-in support for IPsec, no need for any
extra client software.
The only magic is the configuration; in theory one can configure IPsec
using clicksy graphical interfaces (Management Console …), practically
you cannot. But tunnel setup is perfectly possible using a simple
batch file and the MS tools ipsecpol.exe (W2k) or ipseccmd.exe (XP).
For certificates, we use http://www.klake.org/~jt/mkca
The clients only need to install the *.p12 certificate file (double-click
installation does not work, you have to go through MMC – Certificate SnapIn
– right-click Personal – All Tasks – Import – Wizard – browse to the *.p12
file – password – change the certificate store to “Automatically select
the certificate store based on the type of certificate” – next – complete –
finish
XPSP2: start testing with firewall disabled (note: tunnel works ok with
firewall enabled, only problems using icmp – XPSP2-bug)
Personal Firewalls (Norton, McAfee): some work together with IPsec, some
don’t (some have to be completely deinstalled to make IPsec work, disabling
does not help)
Users must have administrative rights to set up the IPsec-tunnel on 2000/XP.
So, here are the batchfiles we use:
START_VPN.BAT (call with Samba-username and Samba-password as arguments)
————-
echo off
set VPNPATH=c:\ihsvpn\
title please wait ...
rem we have two ipsec gateways, one batchfile
set WLANGW=143.130.40.1
set DMZGW=143.130.36.2
set USER=%1
set PASS=%2
rem 2000 or XP ?
ver | findstr 2000
if not errorlevel 1 goto 2000
ver | findstr XP
if not errorlevel 1 goto XP
goto OUT
:2000
set TOOL=ipsecpol
goto OSOK
:XP
set TOOL=ipseccmd
:OSOK
rem disable and delete old ipsec policy (sometimes required,
rem user did not call stop_vpn.bat last time)
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2LAN -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r LAN2NB -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2DHCP -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r DHCP2NB -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -o
rem Which gateway is accessible?
ping -n 3 %WLANGW% | find "TTL" > NUL
if not errorlevel 1 goto WLAN
ping -n 3 %DMZGW% | find "TTL" > NUL
if not errorlevel 1 goto DMZ
goto EXIT
:WLAN
set IPSECGW=%WLANGW%
goto DOIT
:DMZ
set IPSECGW=%DMZGW%
:DOIT
REM all traffic to our net should go through the ipsec tunnel
set ROUTE=143.130.32.0/255.255.240.0
REM find client's ip address
set ipaddr=
for /F "tokens=2 delims=:" %%f in ('ipconfig ^| findstr dress') do set ipaddr=%%f
if "%ipaddr%"=="" goto EXIT
REM trim space
set ipaddr=%ipaddr:~1%
REM DHCP-server?
set dhcp=
for /F "tokens=2 delims=:" %%f in ('ipconfig /all ^| findstr /C:"DHCP Server"') do set dhcp=%%f
REM trim space
set dhcp=%dhcp:~1%
REM create IPSEC policy and activate tunnel
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2LAN -t %ipsecgw% -f 0=%ROUTE% -n ESP[SHA,3DES]P -a CERT:"C=AT, S=Austria, L=Vienna, O=Institute for Advanced Studies, OU=IHS, CN=Institute for Advanced Studies"
%VPNPATH%%TOOL% -w REG -p IHSVPN -r LAN2NB -t %ipaddr% -f %ROUTE%=0 -n ESP[SHA,3DES]P -a CERT:"C=AT, S=Austria, L=Vienna, O=Institute for Advanced Studies, OU=IHS, CN=Institute for Advanced Studies"
rem no DHCP server found: the substring of an unset variable leaves "~1" behind
if %dhcp%==~1 goto activate
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2DHCP -t %ipsecgw% -f 0:68=%dhcp%:67:UDP -n PASS
%VPNPATH%%TOOL% -w REG -p IHSVPN -r DHCP2NB -t %ipaddr% -f %dhcp%:67=0:68:UDP -n PASS
:activate
%VPNPATH%%TOOL% -w REG -p IHSVPN -x
REM negotiate and check IPSEC
rem ping the samba server to setup and check the ipsec tunnel
rem (the two pings below do not work with the XPSP2 firewall enabled)
ping -n 4 143.130.45.10
nbtstat -A 143.130.45.10
ping -n 2 143.130.45.10 | find "TTL"
if not errorlevel 1 goto MOUNT
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2LAN -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r LAN2NB -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2DHCP -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r DHCP2NB -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -o
goto EXIT
REM mount network drives (if you need this)
:MOUNT
rem mount your samba shares (net use .... %USER% %PASS%)
goto OUT
:EXIT
echo Something went wrong, sorry!
:OUT
exit
STOP_VPN.BAT
------------
echo off
set VPNPATH=c:\ihsvpn\
title please wait ...
rem unmount samba shares
rem net use .... /d
rem 2000 or XP ?
ver | findstr 2000
if not errorlevel 1 goto 2000
ver | findstr XP
if not errorlevel 1 goto XP
goto EXIT
:2000
set TOOL=ipsecpol
goto OSOK
:XP
set TOOL=ipseccmd
:OSOK
rem disable and delete ipsec policy
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2LAN -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r LAN2NB -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2DHCP -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r DHCP2NB -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -o
:EXIT
exit
Here are the OpenBSD (3.6) config files:
/etc/isakmpd/isakmpd.conf
# --- Global options
[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= 143.130.40.1
Shared-SADB= Defined
Renegotiate-on-HUP= Defined
# --- X.509 certificate locations
[X509-certificates]
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
Private-key= /etc/isakmpd/private/local.key
# --- IKE Phase 1 & 2
[Phase 1]
Default= Client-phase1
[Phase 2]
Passive-Connections= Client-phase2
[Client-phase1]
Phase= 1
Transport= udp
Local-address= 143.130.40.1
Configuration= Default-main-mode
ID= My-ID
[My-ID]
ID-type= FQDN
Name= ipsecgw.ihs.ac.at
[Client-phase2]
Phase= 2
ISAKMP-peer= Client-phase1
Local-ID= All-networks
Remote-ID= Unknown-address
# --- Network details
[All-networks]
ID-Type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0
[Unknown-address]
ID-Type= IPV4_ADDR
Address= 0.0.0.0
# --- Main and quick mode transforms
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-RSA_SIG
[3DES-SHA-RSA_SIG]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= RSA_SIG
AUTHENTICATION_ALGORITHM= HMAC_SHA
Life= Phase1-Lifetime
[Phase1-Lifetime]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,60:86400
/etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "DN:/C=AT/ST=Austria/L=Vienna/O=Institute for Advanced Studies/OU=IHS/CN=Institute for Advanced Studies"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            remote_id_type == "ASN1 DN" &&
            esp_enc_alg != "null" -> "true";
Hope that helps!
Greetings from cold Vienna,
Peter Griessl, griesslihs.ac.at
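An added example, not part of Peter's mail and not isakmpd code: Python that normalises the Windows-style certificate subject the batch file hands to ipseccmd (Windows writes the state as S=) into the DN:/…/ST=… form that the Licensees line in isakmpd.policy uses, then applies that policy's conditions to one proposal. A DN spelling mismatch or a null-encryption ESP proposal is the kind of thing this catches before anyone starts debugging the tunnel. Attribute names are those in the policy; modelling the licensee check as a remote_id attribute, and all attribute values, are assumptions of this example.

```python
# Windows writes a certificate subject as "C=AT, S=Austria, ..." while the
# KeyNote policy names the same subject as "DN:/C=AT/ST=Austria/...".
# Added illustration only; the RDN alias table covers the one difference
# that matters for the DN in the post.
RDN_ALIASES = {"S": "ST"}  # Windows spells stateOrProvinceName as S


def parse_dn(text):
    """Parse either DN notation into an ordered list of (type, value) pairs.
    Assumes no RDN value contains the separator itself (true for the post's DN)."""
    text = text.strip()
    if text.startswith("DN:"):
        text = text[3:]
    if not text:
        return []
    parts = text[1:].split("/") if text.startswith("/") else text.split(",")
    rdns = []
    for part in parts:
        typ, sep, val = part.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((RDN_ALIASES.get(typ.upper(), typ.upper()), val.strip()))
    return rdns


def to_keynote(text):
    """Render a DN in the form the Licensees line of isakmpd.policy expects."""
    return "DN:/" + "/".join(f"{t}={v}" for t, v in parse_dn(text))


def policy_grants(attrs, licensee):
    """Apply the conditions from the post's isakmpd.policy to one proposal.
    attrs maps the policy's attribute names to the values the peer offered;
    remote_id (the peer's certificate subject) is an assumed attribute here."""
    return (
        parse_dn(attrs.get("remote_id", "")) == parse_dn(licensee)
        and attrs.get("app_domain") == "IPsec policy"
        and attrs.get("esp_present") == "yes"
        and attrs.get("remote_id_type") == "ASN1 DN"
        and attrs.get("esp_enc_alg") != "null"
    )
```

Real X.509 name matching has more rules (case folding, encoding) than this string comparison; the point is the S/ST mismatch between the two notations on the page.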
The Cisco Van is coming!!
by Brian on Apr.30, 2005, under Networking
Check it out. It will be in St. Cloud, MN on May 10th.
Here’s the invitation.
Stop by if you can, it’s always a good time.