Category Archives: Debian

Linux Serial Console – Grub

# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.

GRUB_DEFAULT=0
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,9600n8"

# Uncomment to disable graphical terminal (grub-pc only)
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --speed=9600 --unit=0 --word=8 --parity=no --stop=1"

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480

# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true

/etc/inittab

T0:2345:respawn:/sbin/getty -L ttyS0 9600 vt100

Subversion Homedir

Preparing the software:

apt-get install subversion libapache2-svn
sudo mkdir /mnt/var/svn
chown www-data:www-data -R /mnt/var/svn

Apache Config:

<Location /svn>
   DAV svn
   SVNParentPath /mnt/var/svn
   <LimitExcept GET PROPFIND OPTIONS REPORT>
      AuthType Basic
      AuthName "Authorization Realm"
      AuthUserFile /mnt/var/svn/svnauthusers.txt
      Require valid-user
   </LimitExcept>
</Location>
sudo htpasswd -c /mnt/var/svn/svnauthusers.txt patrick.preuss
sudo chown www-data:www-data /mnt/var/svn/svnauthusers.txt
sudo svnadmin create /mnt/var/svn/patrick.preuss
sudo chown www-data:www-data -R /mnt/var/svn/patrick.preuss
svn co http://10.0.12.10/svn/patrick.preuss

DMVPN with Linux

I have known since I discovered DMVPN in 2004/5 that it is a very intelligent combination of IPsec, GRE and NHRP. Many thanks to the guys at Cisco, Christoph, Frederick and all the others.

This week I discovered "opennhrp" on SourceForge.

It took me a minute or two to have a VM with Debian up and the needed tools installed.

I used VMware with a bridged Ethernet interface for testing, installed the Debian 4.0 netinstall ISO and upgraded to sid/testing, so I got kernel version 2.6.26-1-686.

Then I downloaded ipsec-tools-0.8-alpha20090126.tar.bz2 from the site. You have to install some libs and tools to build ipsec-tools, like kernel headers and so on :-) and do the usual configure and make.

Then I went on to build opennhrp; all done without a problem up to here.

Next I configured racoon, ipsec-tools and opennhrp like this:

   /etc/ipsec-tools.conf 
   #!/usr/sbin/setkey -f
   spdflush;
   spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
   spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;

   /etc/racoon/racoon.conf 
   path pre_shared_key "/etc/racoon/psk.txt";
   remote anonymous {
      exchange_mode main,aggressive;
      lifetime time 24 hour;
      # nat_traversal on;
      script "/etc/opennhrp/racoon-ph1down.sh" phase1_down;
      proposal {
         encryption_algorithm 3des;
         hash_algorithm sha1;
         authentication_method pre_shared_key;
         dh_group 5;
      }
   }
   sainfo anonymous {
      lifetime time 12 hour;
      encryption_algorithm 3des, blowfish 448, rijndael;
      authentication_algorithm hmac_sha1, hmac_md5;
      compression_algorithm deflate;
   }

   /etc/racoon/psk.txt
   10.2.0.90 1234

   /etc/opennhrp/opennhrp.conf
   interface gre1
      map 172.255.255.1/24 10.2.0.90 register cisco
      cisco-authentication 1234
      shortcut

Now get the tunnel up:

   ip tunnel add gre1 mode gre key 1234 ttl 64
   ip addr add 172.255.255.2/24 dev gre1
   ip tunnel change gre1 local 10.0.81.115
   ip link set gre1 up

Now it's time to get to the other side.

We are using a Cisco 1812 running c181x-advsecurityk9-mz.124-15.T7.bin.

   crypto isakmp policy 10
      encr 3des
      authentication pre-share
      group 5
   !
   crypto isakmp key 1234 address 0.0.0.0 0.0.0.0
   !
   crypto ipsec transform-set TRANSFORMSET_3 esp-3des esp-sha-hmac
      mode transport
   !
   crypto ipsec profile Profile3
      set transform-set TRANSFORMSET_3
   !
   interface Tunnel888
      ip address 172.255.255.1 255.255.255.0
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip mtu 1400
      ip flow ingress
      ip nhrp authentication 1234
      ip nhrp map multicast dynamic
      ip nhrp network-id 10064
      ip nhrp holdtime 360
      ip nhrp max-send 200 every 10
      ip route-cache same-interface
      ip tcp adjust-mss 1350
      load-interval 30
      tunnel source 10.2.0.90
      tunnel mode gre multipoint
      tunnel key 1234
      tunnel protection ipsec profile Profile3

and voilà

   Router# sh dmvpn interface tunnel 888
   Load for five secs: 8%/3%; one minute: 9%; five minutes: 10%
   Time source is NTP, 22:14:22.148 CET Sat Feb 14 2009
   Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
           N - NATed, L - Local, X - No Socket
           # Ent --> Number of NHRP entries with same NBMA peer
   Tunnel888, Type:Hub, NHRP Peers:1,
    # Ent  Peer NBMA Addr     Peer Tunnel Add State  UpDn Tm Attrb
    ----- --------------- --------------- ----- -------- -----
        1 10.0.81.115        172.255.255.2    UP    never D
   Router# ping 172.255.255.2
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 172.255.255.2, timeout is 2 seconds:
   !!!!!
   Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

This looks great :-)
Many thanks Timo for doing such impressive work. I like Cisco for their impressive boxes and I also like open source software.

— edit February 15, 2009 at 12:09 am —

I found after a while that no packets were traveling; the NHRP registration had gone on the Cisco side, maybe because the holdtimers differ, so I added "holding-time 360" to opennhrp.conf, and an opennhrpctl purge fixed the problem.
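As an added consistency check (not part of the original post and not from the opennhrp or Cisco projects): the values that must agree between the Linux spoke (opennhrp.conf, psk.txt, the ip tunnel key) and the IOS hub are pulled from both configs and compared, so a mismatch like the holdtime one above is caught before looking at packet captures. The sample configs are constructed copies of the snippets above; the opennhrp.conf is the first version, before holding-time was added.

```python
import re

# Constructed samples copied from the spoke and hub configs shown in this post.
# OPENNHRP_CONF is the first version, without the "holding-time 360" line.
OPENNHRP_CONF = """interface gre1
   map 172.255.255.1/24 10.2.0.90 register cisco
   cisco-authentication 1234
   shortcut
"""
PSK_TXT = "10.2.0.90 1234\n"
GRE_KEY = "1234"  # from: ip tunnel add gre1 mode gre key 1234 ttl 64
IOS_CONF = """crypto isakmp key 1234 address 0.0.0.0 0.0.0.0
interface Tunnel888
   ip nhrp authentication 1234
   ip nhrp holdtime 360
   tunnel source 10.2.0.90
   tunnel key 1234
"""


def first(pattern, text):
    """Return the first capture group of pattern in text, or None if absent."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def check_dmvpn(opennhrp, psk, gre_key, ios):
    """Compare spoke and hub settings; return [(name, spoke_value, hub_value)]
    for every parameter that differs or is missing on one side."""
    hub_nbma = first(r"^\s*map \S+ (\S+) register", opennhrp)
    # psk.txt maps the peer's NBMA address to the IKE pre-shared key
    psk_map = dict(l.split(None, 1) for l in psk.splitlines() if l.strip())
    checks = {
        "hub NBMA address": (hub_nbma, first(r"^\s*tunnel source (\S+)", ios)),
        "IKE pre-shared key": (psk_map.get(hub_nbma),
                               first(r"^crypto isakmp key (\S+)", ios)),
        "NHRP authentication": (first(r"^\s*cisco-authentication (\S+)", opennhrp),
                                first(r"^\s*ip nhrp authentication (\S+)", ios)),
        "GRE tunnel key": (gre_key, first(r"^\s*tunnel key (\S+)", ios)),
        "NHRP holdtime": (first(r"^\s*holding-time (\S+)", opennhrp),
                          first(r"^\s*ip nhrp holdtime (\S+)", ios)),
    }
    return [(n, s, h) for n, (s, h) in checks.items() if s != h]


if __name__ == "__main__":
    for name, spoke, hub in check_dmvpn(OPENNHRP_CONF, PSK_TXT, GRE_KEY, IOS_CONF):
        print(f"MISMATCH {name}: spoke={spoke!r} hub={hub!r}")
```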

Serial Console under Debian

http://www.howtoforge.com/setting_up_a_serial_console

Edit: /boot/grub/menu.lst

--- snip ---
# password topsecret
serial --unit=0 --speed=9600 --word=8 --parity=no --stop=1
terminal --timeout=10 serial console
--- snip ---
--- snip ---
title           Ubuntu 8.10, kernel 2.6.27-7-server
uuid            b25570ad-6302-4637-a897-d7a4cebf4a7f
kernel          /boot/vmlinuz-2.6.27-7-server root=UUID=b25570ad-6302-4637-a897-d7a4cebf4a7f ro quiet splash console=tty0 console=ttyS0,38400n8
initrd          /boot/initrd.img-2.6.27-7-server
--- snip ---

Edit: /etc/event.d/ttyS0

--- snip ---
# ttyS0 - getty
#
# This service maintains a getty on tty1 from the point the system is
# started until it is shut down again.

start on stopped rc2
start on stopped rc3
start on stopped rc4
start on stopped rc5

stop on runlevel 0
stop on runlevel 1
stop on runlevel 6

respawn
exec /sbin/getty -L ttyS0 38400 vt100
--- snip ---
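The serial speed is configured three times in both posts above (GRUB's own serial terminal, the kernel console= argument, and the getty), and a terminal fixed at one rate goes blind as soon as one stage differs. This added check (not part of either post) extracts the three rates and reports the stages that disagree with the kernel console; the samples are constructed copies of the /etc/default/grub + /etc/inittab pair and the menu.lst + event.d pair shown above.

```python
import re

# Constructed samples copied from the two posts: Debian /etc/default/grub with
# /etc/inittab, and the Ubuntu 8.10 menu.lst with /etc/event.d/ttyS0.
DEBIAN_GRUB = ('GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,9600n8"\n'
               'GRUB_SERIAL_COMMAND="serial --speed=9600 --unit=0 --word=8 --parity=no --stop=1"\n')
DEBIAN_GETTY = "T0:2345:respawn:/sbin/getty -L ttyS0 9600 vt100\n"
UBUNTU_MENU_LST = ("serial --unit=0 --speed=9600 --word=8 --parity=no --stop=1\n"
                   "terminal --timeout=10 serial console\n"
                   "kernel /boot/vmlinuz-2.6.27-7-server ro quiet splash "
                   "console=tty0 console=ttyS0,38400n8\n")
UBUNTU_GETTY = "exec /sbin/getty -L ttyS0 38400 vt100\n"


def serial_speeds(grub_text, getty_text, port="ttyS0"):
    """Return the baud rate each boot stage uses for `port`: GRUB's serial
    command, the kernel console= parameter, and the getty line. A stage that
    does not mention the port yields None."""
    grub = re.search(r"serial\b[^\n]*--speed=(\d+)", grub_text)
    kernel = re.search(rf"console={port},(\d+)", grub_text)
    getty = re.search(rf"getty\s+(?:-\S+\s+)*{port}\s+(\d+)", getty_text)
    return {
        "grub": grub and grub.group(1),
        "kernel": kernel and kernel.group(1),
        "getty": getty and getty.group(1),
    }


def mismatches(speeds):
    """Names of the stages whose rate differs from (or is missing relative to)
    the kernel console rate, sorted for stable output."""
    ref = speeds["kernel"]
    return sorted(k for k, v in speeds.items() if v != ref)


if __name__ == "__main__":
    for label, grub, getty in (("debian", DEBIAN_GRUB, DEBIAN_GETTY),
                               ("ubuntu", UBUNTU_MENU_LST, UBUNTU_GETTY)):
        speeds = serial_speeds(grub, getty)
        print(label, speeds, "mismatch:", mismatches(speeds) or "none")
```

On the Ubuntu pair the check reports the GRUB stage, since its serial terminal runs at 9600 while kernel and getty use 38400.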

With that we have a serial console on the WAVE :-)

WAVE-274#virtual-blade 1 session
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Boot from (hd0,0) ext3   b25570ad-6302-4637-a897-d7a4cebf4a7f
Starting up ...
Loading, please wait...
Couldnt get a file descriptor referring to the console
19+0 records in
19+0 records out
kinit: name_to_dev_t(/dev/sda5) = dev(8,5)
kinit: trying to resume from /dev/sda5

--- output omitted ---

Ubuntu 8.10 ubuntu ttyS0

ubuntu login: admin
Password:
Last login: Mon Dec  8 13:34:36 CET 2008 on ttyS0
Linux ubuntu 2.6.27-7-server #1 SMP Fri Oct 24 07:37:55 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/

System information as of Mon Dec  8 13:40:01 CET 2008

System load: 0.02             Memory usage: 5%   Processes:       46
Usage of /:  5.8% of 9.38GB   Swap usage:   0%   Users logged in: 0

Graph this data and manage this system at https://landscape.canonical.com/

admin@ubuntu:~$

So now just a backup, and then go baby go.

admin@ubuntu:~$ sudo su -
root@ubuntu:~# halt

Broadcast message from admin@ubuntu
      (/dev/ttyS0) at 13:43 ...

The system is going  * Saving the system clock
* Stopping firewall: ufw...                                             [ OK ]
* Asking all remaining processes to terminate...                        [ OK ]
* All processes ended within 2 seconds....                              [ OK ]
* Deconfiguring network interfaces...                                   [ OK ]
* Deactivating swap...                                                  [ OK ]
* Unmounting local filesystems...                                       [ OK ]
* Will now halt
halt: Unable to iterate IDE devices: No such file or directory
[  522.482593] Power down.
Connection closed by foreign host.
WAVE-274#copy virtual-blade 1 disk 1 ftp 192.168.200.5 / WAVE-274-LX.vb
Enter username for remote ftp server: ftp
Enter password for remote ftp server:

2460112690 bytes total
WAVE-274#

Kerberos and IOS

Cisco IOS 12.2 Configuring Kerberos
Cisco IOS 12.4 Configuring Kerberos
Cisco IOS 12.4T Configuring Kerberos

moria# kadmin.local -q 'addprinc -randkey host/ws-c2940-8tt-s.patrick-preuss.de'
moria# kadmin.local -q 'ktadd -e DES-CBC-CRC:NORMAL -k /var/www/ios.keytab host/ws-c2940-8tt-s.patrick-preuss.de@PATRICK-PREUSS.DE'

Cisco IOS 121-22.EA11
aaa authentication login default krb5-telnet local krb5
aaa authentication login console-override local
aaa authorization exec default local krb5-instance
kerberos local-realm PATRICK-PREUSS.DE
kerberos srvtab entry host/ws-c2940-8tt-s.patrick-preuss.de@PATRICK-PREUSS.DE 1 1224540392 3 1 8 0<=?;79;5:>>:
kerberos realm patrick-preuss.de PATRICK-PREUSS.DE
kerberos realm .patrick-preuss.de PATRICK-PREUSS.DE
kerberos server PATRICK-PREUSS.DE 10.0.12.32
kerberos instance map admin 15
kerberos credentials forward
— cisco —

Cisco IOS 124-15.T5
aaa authentication login default krb5-telnet krb5 local
aaa authentication login console-override local
! It seems 12.4(15)T5 has some bugs in the Kerberos code;
! we should do some research on this point
! aaa authorization exec default local krb5-instance
kerberos local-realm PATRICK-PREUSS.DE
kerberos srvtab entry host/cisco1721.patrick-preuss.de@PATRICK-PREUSS.DE 1 1224539305 3 1 8 05>9898=?83
kerberos realm patrick-preuss.de PATRICK-PREUSS.DE
kerberos realm .patrick-preuss.de PATRICK-PREUSS.DE
kerberos server PATRICK-PREUSS.DE 10.0.12.32
kerberos instance map admin 15
kerberos credentials forward
— cisco —