Tag: Networking
Find External NAT Address using powershell
by Brian on Dec.21, 2021, under Computer Stuff, Networking, Windows Info
Sometimes, you need to know the external NAT address, but you can’t take over the console of the computer.
So, fire up powershell in the background, and run this command:
(Invoke-WebRequest -UseBasicParsing ifconfig.me/ip).Content.Trim()
Review time!! Boolean ANDing
by Brian on Oct.08, 2012, under General Info, Networking
A new, wild Nancy beat her husband hard. (The mnemonic for the row labels below: Address, Netmask, Wildcard, Network, Broadcast, Hostmin, Hostmax, Hosts.)
ADDRESS – Get IP address 172.32.45.36 = 10101100.00100000.00101101.00100100
NETMASK – Get subnet mask 255.255.248.0 = 11111111.11111111.11111000.00000000 = /21
WILDCARD – Find wildcard mask/bits = 00000000.00000000.00000111.11111111 = 0.0.7.255 (11 bits)
NETWORK – Drop wildcard mask from IP address = 10101100.00100000.00101000.00000000 = 172.32.40.0
BROADCAST – Add wildcard to the IP address = 10101100.00100000.00101111.11111111 = 172.32.47.255
HOSTMIN – Drop the wildcard mask, and add 1 = 10101100.00100000.00101000.00000001 = 172.32.40.1
HOSTMAX – Add the wildcard mask, minus 1 = 10101100.00100000.00101111.11111110 = 172.32.47.254
HOSTS/NET – 2^(WILDCARD_BITS)-2 = 2^11-2 = (2x2x2x2x2x2x2x2x2x2x2)-2 = 2048-2 = 2046
Find hosts per net using the formula 2 to the power of the bits in the wildcard mask, minus 2.
32-bit IPv4 Network Address
Octet1 Octet2 Octet3 Octet4
128|64|32|16|8|4|2|1.128|64|32|16|8|4|2|1.128|64|32|16|8|4|2|1.128|64|32|16|8|4|2|1
11111111 . 11111111 . 11111000 . 00000000 = 255.255.248.0
10101100 . 00100000 . 00101101 . 00100100 = 172.32.45.36
And I’m sorry, but no. I can’t make it ANY simpler than that. ;)
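The walk-through above as an added Python example (not code from the original post); it generalizes the same AND/OR steps to any IPv4 address and contiguous netmask, and treats /31 and /32 as the edge case where no addresses are reserved:

```python
# Added example, not code from the original post: the ADDRESS / NETMASK / WILDCARD /
# NETWORK / BROADCAST / HOSTMIN / HOSTMAX / HOSTS walk-through as actual bit
# operations, generalized to any IPv4 address and any contiguous netmask.

def ip_to_int(dotted):
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    n = 0
    for o in octets:
        n = (n << 8) | o
    return n

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def int_to_bits(n):
    # 10101100.00100000.00101101.00100100 layout, as in the post
    return ".".join(format((n >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def mask_to_prefix(mask):
    # a valid netmask is a run of ones followed by a run of zeros
    prefix = bin(mask).count("1")
    if prefix_to_mask(prefix) != mask:
        raise ValueError(f"non-contiguous netmask: {int_to_ip(mask)}")
    return prefix

def subnet_facts(address, netmask):
    addr = ip_to_int(address)
    mask = ip_to_int(netmask)
    prefix = mask_to_prefix(mask)
    wildcard = mask ^ 0xFFFFFFFF      # the bits the netmask does not cover
    wildcard_bits = 32 - prefix
    network = addr & mask             # "drop the wildcard": AND with the netmask
    broadcast = addr | wildcard       # "add the wildcard": OR with the wildcard
    if wildcard_bits >= 2:
        hostmin, hostmax = network + 1, broadcast - 1
        hosts = 2 ** wildcard_bits - 2    # network and broadcast are reserved
    else:
        # /31 (RFC 3021 point-to-point) and /32 reserve nothing
        hostmin, hostmax = network, broadcast
        hosts = 2 ** wildcard_bits
    return {
        "address": int_to_ip(addr), "netmask": int_to_ip(mask), "prefix": prefix,
        "wildcard": int_to_ip(wildcard), "wildcard_bits": wildcard_bits,
        "network": int_to_ip(network), "broadcast": int_to_ip(broadcast),
        "hostmin": int_to_ip(hostmin), "hostmax": int_to_ip(hostmax), "hosts": hosts,
    }

def show(address, netmask):
    """Print the same ADDRESS..HOSTS table the post builds by hand."""
    f = subnet_facts(address, netmask)
    for key in ("address", "netmask", "wildcard", "network", "broadcast", "hostmin", "hostmax"):
        print(f"{key.upper():9} {int_to_bits(ip_to_int(f[key]))} = {f[key]}")
    print(f"HOSTS/NET {f['hosts']} (wildcard bits: {f['wildcard_bits']})")

if __name__ == "__main__":
    show("172.32.45.36", "255.255.248.0")
```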
Check/Set Windows Server NTP configuration
by Brian on Jan.26, 2011, under General Info, Windows Info
net time /setsntp:"0.us.pool.ntp.org,1.us.pool.ntp.org,3.us.pool.ntp.org"
net stop w32time
net start w32time
w32tm /resync
The Russian Federation CIDR blocks are now allowed access to CryptedNets.org
by Brian on Feb.22, 2009, under General Info, Networking
Sorry for the drastic measure, but I’ve only got about 1mb up and 1mb down, and I hate to be used by anyone as a DDoS reflector. My DNS server no longer allows queries for the root nameservers, (thx again, Kiter) and the block list has been cleared. The entire world may now freely access this site, though I’m not sure what for, save for some comic relief, and sparsely located golden nuggets of networking knowledge.
If you *do* happen to be reading this, just drop a comment to say “hey”.
You don’t even need to register…
It won’t hurt a bit…
Just in case you ever run across an Emulex NetQue NQ03…
by Brian on May.04, 2008, under Networking
Thanks to Robert, this post is now new and improved! We’ve got Emulex NetQue03 manuals!
1. The NetQue Command Reference
2. The NetQue User Manual
3. The NetQue Windows NT Installation Guide
ALSO- It appears that we happen to have a perfectly functional Emulex NetQue03 Print Server for sale. If you need one, let me know, and I’ll put you in touch with the owner.
I had to change the default gateway on an Emulex NetQue NQ03 print server last Friday. Thankfully, the default root password was still in place. After logging in via telnet, I realised that I had no idea how to change it. I threw a few *NIX commands at it, and it responded either: Invalid command or Ambiguous command. (or something to that effect..) I’m not sure what OS this thing runs, but it didn’t like *anything* I threw at it. As I am not one to leave a piece of equipment malfunctioning, I *had* to figure this one out.
In any case, here’s what I now know. There is not a manual for this device to be found anywhere online. Emulex doesn’t even *mention* this device on their site in the “legacy products” section. So, log in via telnet. If you’re lucky, the default user account is username ‘admin’ with a blank password. You’ll get to a single shell prompt. (looks like this: > ) Then, to enter privileged mode, type ‘su’, and hit enter. The default root password for the NQ03 is ‘system’. If you are successful, you’ll see a double shell prompt. (looks like this: >> )
The commands you need to change the default gateway are here:
Enter Username: admin
Enter Password: <enter>
> su
Enter Password: system <enter>
>> change node IP 111.222.333.444 gateway default <enter>
>> sync <enter>
>> sync <enter>
>> init delay 0 <enter>
This will drop your connection and reboot the device immediately. When it comes back, you can log in and issue the ‘show config’ command to verify that the gateway was successfully changed.
NOTE: Emulex has END-OF-LIFED all printer servers (NETJet, NETQue, NETQue Mate, NETQue Pocket, NETQue Pro2, NETQue Token), terminal/communications servers (P2500 series, P3000, P4000, P6000, P8000), remote access servers (ConnectPlus LT and Pro), and WAN adapters (XP, MPC, and DCP series) in the year 2000. No further software nor hardware updates will be provided. Manufacturing has ceased on these products. No new models will replace these products. Support and repair will remain available as a best effort. Emulex is focusing exclusively on Fibre Channel and Network Attached Storage (NAS) connectivity.
Configuring a Cisco PIX 501
by Brian on Jun.28, 2007, under Networking
If you’re using Windows 2000 (service pack 4 and higher), HyperTerminal is included. To access it, go to Start > Programs > Accessories > Communications, and click the HyperTerminal icon. When the program starts, type in “PIX.” At the bottom of the box, select COM 1. In Properties, select 9600 bits per second; data bits: 8; parity: none; stop bits: 1; and flow control: none.
If you’re using the console to configure your PIX for the first time, you should see a message that says:
Pre-configure PIX Firewall now
through interactive prompts? [yes]?
Hit the Control-Z keys, and you’ll see the prompt. The “>” sign tells you that you’re in unprivileged mode, and that you can only view your current configuration. In order to change settings, you’ll have to switch to privileged mode. To do this, type “en” at the prompt. (You’ll see the hash symbol “#” when you’re in privileged mode.) It should look like this:
pixfirewall#
Wait a second: We haven’t entered a password yet. To do this, hit Return again to get to the prompt and enter a password.
Configuration Time
Because your router is “out of the box,” it has no default configuration. It doesn’t know its place in the universe, nor does it know what type of traffic you’d like it to forward or restrict. To tell it these things, we’ll go into “configure terminal” mode (or “conf t” for short). At the prompt, enter:
pixFirewall#config t
Now the prompt should look like this:
pixFirewall (config)#
The router, on the other hand, has no configuration (because we cancelled out of the setup). Any time you’d like to see the configuration, type the following at the command prompt:
pixFirewall(config)# wr t
You should see it spit out something like the following:
PIX Version 6.3(3)
interface ethernet0 auto shutdown
interface ethernet1 100full shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
<--- More --->
Hit the space bar to continue, and you should see:
pager lines 24
mtu outside 1500
mtu inside 1500
no ip address outside
no ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
[OK]
pixfirewall(config)#
Assigning a Password
Fresh out of the box, a PIX firewall doesn’t have a password, so let’s assign one now. Type “enable password” and then enter a password. In our example, we’ll use the word “techst0ck.”
pixFirewall(config)# enable password techst0ck
Now we’ll bring up those two interfaces, as out of the box, they’re down.
pixFirewall(config)# interface ethernet0 auto
pixFirewall(config)# interface ethernet1 100full
You can see the status of these interfaces by typing:
pixFirewall(config)# show interfaces
That command will give you this:
interface ethernet0 “outside” is up, line protocol is up
Hardware is i82559 ethernet, address is 0011.92c5.6b92
MTU 1500 bytes, BW 100000 Kbit full duplex
28354 packets input, 2040341 bytes, 0 no buffer
Received 28383 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/0) software (0/0)
interface ethernet1 “inside” is up, line protocol is up
Hardware is i82559 ethernet, address is 0011.92c5.6b94
MTU 1500 bytes, BW 100000 Kbit full duplex
246 packets input, 29521 bytes, 0 no buffer
Received 246 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/0) software (0/0)
Now that the interfaces are up, it’s time to assign both an inside and an outside IP address. It is between these two addresses that your PIX will permit or deny traffic, so if this step isn’t done correctly, traffic cannot come in or leave your network correctly.
Let’s assume you assign your outside address dynamically (for instance, your ISP automatically assigns you an IP address). To let your ISP autoassign one, type:
pixfirewall(config)# ip address outside dhcp
If there is a DHCP server upstream from you that is properly configured to lease you an IP address, you’ll get a message similar to this one:
Allocated IP address =12.110.110.91, netmask =255.255.252.0, gateway = 12.110.110.1
If this doesn’t work, then you’ll need to manually assign your IP address on ethernet0. If your ISP told you your IP address is, say, 12.110.110.91/24, then you’d type in this:
pixFirewall(config)# ip address outside 12.110.110.91 255.255.255.0
Once you’ve finished, you’ll need to set the IP addresses of the inside (ethernet1) interface as well.
pixFirewall(config)# ip address inside 10.1.1.1 255.255.255.0
The 10.x.y.z address we chose is a private IP address (also called a non-routable IP). We could have chosen from a wide range of private addresses (10.0.0.0 through 10.255.255.255; 172.16.0.0 through 172.31.255.255; or 192.168.0.0 through 192.168.255.255), but we arbitrarily chose 10.1.1.0/24.
If everything goes according to plan, type:
pixFirewall(config)# show ip address
You’ll get something like this:
System IP Addresses:
ip address outside 12.110.110.91 255.255.252.0
ip address inside 10.1.1.1 255.255.255.0
Current IP Addresses:
ip address outside 12.110.110.91 255.255.252.0
ip address inside 10.1.1.1 255.255.255.0
Ethernet Considerations
In order for our inside (Ethernet1) and outside (Ethernet0) interfaces to work, they need to be configured properly with global addresses, NAT (network address translation), and routing. Without these, your PIX is just a box with two IP addresses and no way to translate inbound traffic to your public IP or public traffic to your internal addresses.
The PIX 501 is the smallest model from Cisco, so we’ll assume that your network isn’t too large. In this example, we’re only going to NAT your one public IP. Theoretically, you can NAT 254, although you’re limited to 10 devices unless you buy an upgrade license.
If you use DHCP, then you’ll need to configure the PIX to route outgoing traffic. Since it’s DHCP, we don’t really know where that is, as our ISP may very well decide to change our IP address without telling us. In this case, we’ll need to type in the following line:
pixfirewall(config)# ip address outside dhcp setroute
If all went well, you should see something like this:
Allocated IP address = 12.110.110.91, netmask = 255.255.252.0, gateway = 12.110.110.1
If all didn’t go as planned, you’ll have to manually add your route:
pixFirewall(config)# route outside 0.0.0.0 0.0.0.0 12.110.110.1
To double-check that route, type:
pixFirewall(config)# sh route
And, in the case of our first DHCP example, you should get something similar to the following:
pixfirewall(config)# sh route
outside 0.0.0.0 0.0.0.0 12.110.110.1 1 DHCP static
outside 12.110.110.0 255.255.252.0 66.215.246.91 1 CONNECT static
inside 10.1.1.0 255.255.255.0 10.1.1.1 1 CONNECT static
Now that the PIX knows what to do with outgoing traffic (send it upstream to another router), we now need to give it specific instructions on how to translate traffic between the two interfaces. Use these commands to make that happen:
pixfirewall(config)# nat (inside) 1 10.1.1.0 255.255.255.0
pixfirewall(config)# global (outside) 1 interface
If you did this correctly, the second line will give the message:
outside interface address added to PAT pool
Now your PIX has been configured to translate traffic between your public (12.110.110.91) address and your private 10.1.1.0/24 network. The only thing left now is to configure the DHCP server on the internal interface. Doing so will allow the PIX to automatically assign IP addresses to those on your network; similar to the way an ISP automatically assigns IPs to its users. To do this, follow these instructions:
pixfirewall(config)# dhcpd address 10.1.1.32-10.1.1.63 inside
pixfirewall(config)# dhcpd dns 4.2.2.1 4.2.2.2
pixfirewall(config)# dhcpd lease 3600
pixfirewall(config)# dhcpd ping_timeout 750
pixfirewall(config)# dhcpd enable inside
One note on the DHCP server configuration above: you may have to obtain DNS server addresses from your provider. If you don’t have those addresses readily available or aren’t sure what to do, you can use 4.2.2.1 and 4.2.2.2. The only problem is that these servers might not resolve names as quickly as your own ISP’s, so you should consider using the addresses your ISP provides.
If all has gone well up to this point, computers that are plugged into the back of your PIX (in slots 1 through 4) should have no problem getting on the Internet. In fact, if you go to any of these computers and (assuming you’re running Windows 2000 or Windows XP) go to Start>Run and type “cmd,” you can test the connection. At the prompt, type:
C:\> ipconfig
Your IP address, which should lie somewhere between 10.1.1.32 and 10.1.1.63, should be displayed if your network settings were configured to obtain an IP automatically. If an IP address showed up, type:
C:\> ping 10.1.1.1
And you should get a response similar to this:
Pinging 10.1.1.1 with 32 bytes of data:
Reply from 10.1.1.1: bytes=32 time<10ms TTL=255
Reply from 10.1.1.1: bytes=32 time<10ms TTL=255
Reply from 10.1.1.1: bytes=32 time<10ms TTL=255
Reply from 10.1.1.1: bytes=32 time<10ms TTL=255
Ping statistics for 10.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Saving Your Configuration to Memory
If all went well, and your DNS is properly working, you should be able to open your browser and surf the Internet as usual. If that’s the case, let’s proceed to saving the running configuration to memory.
pixFirewall(config)# wr m
Building configuration…
Cryptochecksum: 2083012d dc56002e ebb9e5d3 f405a373
[OK]
Security Considerations
At this point, the question often arises, “How secure am I?” The answer: Not nearly as secure as you’ll ultimately want to be. Thanks to Cisco’s Adaptive Security Algorithm (ASA), the firewall settings are similar to the default settings of a home Linksys or Netgear router: All outbound traffic is permitted (unless expressly prohibited), and all inbound traffic is denied (unless expressly permitted). Your network will no doubt need much more security than this, so you will need to either read through Cisco’s documentation or hire a networking consultant.
If you’re curious about Cisco’s ASA settings, type in “wr t” from the command line and you’ll see something like this:
Building configuration…
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
In the end, the “security0” and “security100” both specify the security level of each interface. Cisco’s ASA allows traffic to pass from trusted (100) to untrusted (0), but not the reverse. With our configuration, internal traffic can pass freely to the outside because its security level is higher. If you host a Web server, and most, if not all, of your traffic is coming from the outside, how do you let that traffic in? The answer lies with Cisco’s use of Access Control Lists (ACLs). An in-depth look at how ACLs work is beyond the scope of this article, but Cisco’s Using PIX Firewall Commands can help you configure the firewall. And if you’re really stuck, consider hiring a professional network administrator.
At best, poorly configured ACLs can mean sporadic connectivity; at worst, they can mean huge security breaches in your network. What’s especially dangerous for new network administrators is the temptation to do things a certain way because “it works.” In a desperate effort to make things work, they often create ACLs that are too permissive, leaving open big holes for malicious hackers or crackers to exploit.
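As an added example (not code from the original article), a small Python checker over the PIX 6.3 “wr t” text that flags the out-of-box state the steps above fix (interfaces shut down, no addresses, no NAT/global pair, no default route) and two defaults the article leaves untouched; both sample configs are constructed from the article’s own command output:

```python
# Added example, not code from the original article: a sanity checker for the
# PIX 6.3 text configuration ("wr t" output). It flags the out-of-box state the
# article walks through and two defaults the article never changes. Both sample
# configs below are constructed from the article's own command output.
import re

OUT_OF_BOX = """\
PIX Version 6.3(3)
interface ethernet0 auto shutdown
interface ethernet1 100full shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
no ip address outside
no ip address inside
snmp-server community public
console timeout 0
"""

AFTER_ARTICLE = """\
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp setroute
ip address inside 10.1.1.1 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
dhcpd address 10.1.1.32-10.1.1.63 inside
dhcpd enable inside
snmp-server community public
console timeout 0
"""

def parse_lines(text):
    """Strip blank lines and the ': Saved' / ': end' marker lines."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith(":")]

def check_pix_config(text):
    lines = parse_lines(text)
    findings = []
    # nameif maps the physical interface to its logical name (outside/inside)
    names = {}
    for ln in lines:
        m = re.match(r"nameif (\S+) (\S+) security\d+$", ln)
        if m:
            names[m.group(1)] = m.group(2)
    for ln in lines:
        m = re.match(r"interface (\S+) \S+ shutdown$", ln)
        if m:
            findings.append(f"{m.group(1)} ({names.get(m.group(1), '?')}): administratively shut down")
        m = re.match(r"no ip address (\S+)$", ln)
        if m:
            findings.append(f"{m.group(1)}: no IP address assigned")
    # nat (inside) N needs a matching global (outside) N, or nothing is translated
    nat_ids = {m.group(1) for ln in lines for m in [re.match(r"nat \(inside\) (\d+) ", ln)] if m}
    global_ids = {m.group(1) for ln in lines for m in [re.match(r"global \(outside\) (\d+) ", ln)] if m}
    if not nat_ids:
        findings.append("no nat (inside) statement: inside hosts will not be translated")
    for nid in sorted(nat_ids - global_ids):
        findings.append(f"nat (inside) {nid} has no matching global (outside) {nid}")
    has_default_route = (any(ln.startswith("route outside 0.0.0.0 0.0.0.0 ") for ln in lines)
                         or "ip address outside dhcp setroute" in lines)
    if not has_default_route:
        findings.append("no default route: add 'route outside 0.0.0.0 0.0.0.0 <gw>' "
                        "or use 'ip address outside dhcp setroute'")
    # defaults the article's walk-through never touches
    if "snmp-server community public" in lines:
        findings.append("snmp-server community public: well-known default SNMP community string")
    if "console timeout 0" in lines:
        findings.append("console timeout 0: console sessions never time out")
    return findings

if __name__ == "__main__":
    for label, cfg in (("out of the box", OUT_OF_BOX), ("after the article", AFTER_ARTICLE)):
        print(f"--- {label}")
        for finding in check_pix_config(cfg):
            print("  -", finding)
```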
Clearing the EXEC password from a Cisco 675/678 DSL Router
by Brian on Jul.27, 2005, under Networking
To clear the Exec password if it isn’t remembered… (Don’t ask…)
[Warning: This will erase your current configuration!]
At the password prompt, unplug the power cord for 3 seconds, then plug it in again.
Just after the alarm light comes on press (CTRL + C) and the router
should go to a special prompt.
Type (es 6) and press enter. The router will indicate that it is erasing
sector 00000006.
When done simply unplug the power and start from beginning.
(Your config is now gone!)
Hope you have a backup…
How to setup a Cisco 7960G with SIP
by Brian on Jul.04, 2005, under Networking
I went to the Cisco 7960G Software Download Site and downloaded the P0S3-7-4-00.zip file, which contained the 7.4 SIP Flash Image for 7940/7960 IP Phones.
Power on your phone and connect it to your network. You will need to change the IP address of your phone to a free one on your network or set it up to use DHCP, which is the way mine was configured by default.
There are apparently a couple of ways to unlock your phone depending on which version of firmware you have installed. For older phones you will need to press **#; on newer firmware, select unlock config from the config menu and then type in the password (default is ‘cisco’).
My phone was using older firmware (3.1 MF.G2), so I hit the settings hard key on the phone and moved the cursor to option 3, but don’t select it just yet. Press **#, then press the select soft key on the 7960’s screen. You should see the padlock icon with an unlocked appearance. Press 32 and see if you have a YES option (alternate TFTP). If so, press yes, then go to option 8 and edit the IP address.
From the CLI of your Asterisk box type: setup-cisco. This command will setup a basic SIPDefault.cnf in the /tftpboot directory of your Asterisk box.
Upload the P0S3-7-4-00.zip file to your server’s TFTP root directory, which in my case was /tftpboot on the A@H server. Don’t unzip it on your workstation and upload it. For some reason it doesn’t work.
From within your /tftpboot directory on your Asterisk box type unzip P0S3-7-4-00.zip.
From the command line type cp /tftpboot/cisco_util/* /tftpboot.
From the command line type chmod 777 /tftpboot/*.
Reboot your 7960 by disconnecting the power cable. Your phone should be able to acquire its IP from the DHCP server (if that is how you have it configured), connect to the TFTP server and start upgrading your phone to the 7.4 release of the SIP firmware.
Once your phone has completed the upgrade, you will need to type rm /tftpboot/xmlDefault.CNF.XML and rm /tftpboot/XMLDefault.cnf.xml from the command line on your Asterisk box.
Windows XP to OpenBSD VPN Configuration
by Brian on May.13, 2005, under Networking, OpenBSD, Windows Info
Re: OpenBSD VPN
From: Peter Grießl (griesslihs.ac.at)
Date: Thu Feb 17 2005 – 02:29:22 CST
Mark Maxey wrote:
>
> My incoming hosts will be a mixture of Windows XP/2000 and Linux
> clients, but knowledgeable users. Preferably this solution would be
> able to use a free client or use the ipsec/vpn capabilities built into
> MS windows.
>
Hi Mark,
use IPsec – Windows 2000/XP has built-in support for IPsec, no need for any
extra client software.
The only magic is the configuration; in theory one can configure IPsec
using clicksy graphical interfaces (Management Console …), practically
you cannot. But tunnel setup is perfectly possible using a simple
batch file and the MS tools ipsecpol.exe (W2k) or ipseccmd.exe (XP).
For certificates, we use http://www.klake.org/~jt/mkca
The clients only need to install the *.p12 certificate file (double-click
installation does not work, you have to go through MMC – Certificate SnapIn
– right-click Personal – All Tasks – Import – Wizard – browse to the *.p12
file – password – change the certificate store to “Automatically select
the certificate store based on the type of certificate” – next – complete –
finish
XPSP2: start testing with firewall disabled (note: tunnel works ok with
firewall enabled, only problems using icmp – XPSP2-bug)
Personal Firewalls (Norton, McAfee): some work together with IPsec, some
don’t (some have to be completely deinstalled to make IPsec work, disabling
does not help)
Users must have administrative rights to set up the IPsec-tunnel on 2000/XP.
So, here are the batchfiles we use:
START_VPN.BAT (call with Samba-username and Samba-password as arguments)
————-
echo off
set VPNPATH=c:\ihsvpn\
title please wait …
rem we have two ipsec gateways, one batchfile
set WLANGW=143.130.40.1
set DMZGW=143.130.36.2
set USER=%1
set PASS=%2
rem 2000 or XP ?
ver | findstr 2000
if not errorlevel 1 goto 2000
ver | findstr XP
if not errorlevel 1 goto XP
goto OUT
:2000
set TOOL=ipsecpol
goto OSOK
:XP
set TOOL=ipseccmd
:OSOK
rem disable and delete old ipsec policy (sometimes required,
rem user did not call stop_vpn.bat last time)
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2LAN -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r LAN2NB -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2DHCP -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r DHCP2NB -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -o
rem Which gateway is accessible?
ping -n 3 %WLANGW% | find "TTL" > NUL
if not errorlevel 1 goto WLAN
ping -n 3 %DMZGW% | find "TTL" > NUL
if not errorlevel 1 goto DMZ
goto EXIT
:WLAN
set IPSECGW=%WLANGW%
goto DOIT
:DMZ
set IPSECGW=%DMZGW%
:DOIT
REM all traffic to our net should go through the ipsec tunnel
set ROUTE=143.130.32.0/255.255.240.0
REM find client’s ip address
set ipaddr=
for /F "tokens=2 delims=:" %%f in ('ipconfig ^| findstr dress') do set ipaddr=%%f
if "%ipaddr%"=="" goto EXIT
REM trim space
set ipaddr=%ipaddr:~1%
REM DHCP-server?
set dhcp=
for /F "tokens=2 delims=:" %%f in ('ipconfig /all ^| findstr /C:"DHCP Server"') do set dhcp=%%f
REM trim space
set dhcp=%dhcp:~1%
REM create IPSEC policy and activate tunnel
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2LAN -t %ipsecgw% -f 0=%ROUTE% -n ESP[SHA,3DES]P -a CERT:"C=AT, S=Austria, L=Vienna, O=Institute for Advanced Studies, OU=IHS, CN=Institute for Advanced Studies"
%VPNPATH%%TOOL% -w REG -p IHSVPN -r LAN2NB -t %ipaddr% -f %ROUTE%=0 -n ESP[SHA,3DES]P -a CERT:"C=AT, S=Austria, L=Vienna, O=Institute for Advanced Studies, OU=IHS, CN=Institute for Advanced Studies"
if %dhcp%==~1 goto activate
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2DHCP -t %ipsecgw% -f 0:68=%dhcp%:67:UDP -n PASS
%VPNPATH%%TOOL% -w REG -p IHSVPN -r DHCP2NB -t %ipaddr% -f %dhcp%:67=0:68:UDP -n PASS
:activate
%VPNPATH%%TOOL% -w REG -p IHSVPN -x
REM negotiate and check IPSEC
rem ping the samba server to setup and check the ipsec tunnel
rem (this ping does not work with the XPSP2 firewall enabled)
ping -n 4 143.130.45.10
nbtstat -A 143.130.45.10
rem (same XPSP2 firewall caveat applies to this check)
ping -n 2 143.130.45.10 | find "TTL"
if not errorlevel 1 goto MOUNT
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2LAN -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r LAN2NB -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2DHCP -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r DHCP2NB -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -o
goto EXIT
REM mount network drives (if you need this)
:MOUNT
rem mount your samba shares (net use .... %USER% %PASS%)
goto OUT
:EXIT
echo Something went wrong, sorry!
:OUT
exit
STOP_VPN.BAT
------------
echo off
set VPNPATH=c:\ihsvpn\
title please wait ...
rem unmount samba shares
rem net use .... /d
rem 2000 or XP ?
ver | findstr 2000
if not errorlevel 1 goto 2000
ver | findstr XP
if not errorlevel 1 goto XP
goto EXIT
:2000
set TOOL=ipsecpol
goto OSOK
:XP
set TOOL=ipseccmd
:OSOK
rem disable and delete ipsec policy
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2LAN -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r LAN2NB -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2DHCP -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r DHCP2NB -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -o
:EXIT
exit
Here are the OpenBSD (3.6) config files:
/etc/isakmpd/isakmpd.conf
# --- Global options
[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= 143.130.40.1
Shared-SADB= Defined
Renegotiate-on-HUP= Defined
# --- X.509 certificate locations
[X509-certificates]
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
Private-key= /etc/isakmpd/private/local.key
# --- IKE Phase 1 & 2
[Phase 1]
Default= Client-phase1
[Phase 2]
Passive-Connections= Client-phase2
[Client-phase1]
Phase= 1
Transport= udp
Local-address= 143.130.40.1
Configuration= Default-main-mode
ID= My-ID
[My-ID]
ID-type= FQDN
Name= ipsecgw.ihs.ac.at
[Client-phase2]
Phase= 2
ISAKMP-peer= Client-phase1
Local-ID= All-networks
Remote-ID= Unknown-address
# --- Network details
[All-networks]
ID-Type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0
[Unknown-address]
ID-Type= IPV4_ADDR
Address= 0.0.0.0
# --- Main and quick mode transforms
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-RSA_SIG
[3DES-SHA-RSA_SIG]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= RSA_SIG
AUTHENTICATION_ALGORITHM= HMAC_SHA
Life= Phase1-Lifetime
[Phase1-Lifetime]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,60:86400
/etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "DN:/C=AT/ST=Austria/L=Vienna/O=Institute for Advanced Studies/OU=IHS/CN=Institute for Advanced Studies"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
remote_id_type == "ASN1 DN" &&
esp_enc_alg != "null" -> "true";
Hope that helps!
Greetings from cold Vienna,
Peter Griessl, griesslihs.ac.at
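As an added example (not part of Peter’s message or of OpenBSD’s own tools), a Python walk of the isakmpd.conf section graph shown above ([Phase 1] -> Client-phase1 -> Configuration -> Transforms) that reports what phase 1 will actually offer and flags the 3DES/SHA-1 choices a current deployment would replace; the sample is constructed from the config above:

```python
# Added example, not code from the message above or from OpenBSD: follow the
# isakmpd.conf section references to find the phase 1 transform(s) the gateway
# offers, then audit them. The sample config is constructed from the one posted.
import configparser

SAMPLE_CONF = """\
# --- Global options
[General]
Listen-on= 143.130.40.1
[Phase 1]
Default= Client-phase1
[Client-phase1]
Phase= 1
Transport= udp
Local-address= 143.130.40.1
Configuration= Default-main-mode
ID= My-ID
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-RSA_SIG
[3DES-SHA-RSA_SIG]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= RSA_SIG
AUTHENTICATION_ALGORITHM= HMAC_SHA
Life= Phase1-Lifetime
[Phase1-Lifetime]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,60:86400
"""

def load_isakmpd(text):
    # isakmpd.conf is INI-shaped; keep key case (LIFE_DURATION etc.) and
    # disable %-interpolation so values are taken literally
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def phase1_transforms(cp, peer=None):
    """Transforms offered for a phase 1 peer section (default from [Phase 1])."""
    peer = peer or cp["Phase 1"]["Default"]
    mode = cp[peer]["Configuration"]
    out = []
    for name in cp[mode]["Transforms"].split(","):
        name = name.strip()
        t = dict(cp[name])
        t["name"] = name
        life = t.get("Life")
        if life:
            # LIFE_DURATION is "offer,min:max" in the unit given by LIFE_TYPE
            t["life_seconds"] = int(cp[life]["LIFE_DURATION"].split(",")[0])
        out.append(t)
    return out

def audit_phase1(cp):
    findings = []
    for t in phase1_transforms(cp):
        if t.get("AUTHENTICATION_METHOD") != "RSA_SIG":
            findings.append(f"{t['name']}: not certificate (RSA_SIG) authenticated")
        if t.get("ENCRYPTION_ALGORITHM", "").startswith("3DES"):
            findings.append(f"{t['name']}: 3DES is a legacy cipher; prefer AES")
        if t.get("HASH_ALGORITHM") == "SHA":
            findings.append(f"{t['name']}: SHA-1 hash; prefer SHA-2")
    return findings

if __name__ == "__main__":
    conf = load_isakmpd(SAMPLE_CONF)
    for t in phase1_transforms(conf):
        print(t["name"], t["ENCRYPTION_ALGORITHM"], t["HASH_ALGORITHM"],
              t["AUTHENTICATION_METHOD"], t.get("life_seconds"))
    for f in audit_phase1(conf):
        print("-", f)
```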