Friday, 1 July 2016

IPsec (GRE tunnel) Cisco + Debian 8 racoon

2.2.2.0/24 ####Cisco#### 10.66.66.1/30 <--------> 10.66.66.2/30####Debian8#####3.3.3.0/24
                                       10.0.0.1<---------GRE--------->10.0.0.2

#########################################################
### Cisco ###
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key test address 10.66.66.2
!
!
crypto ipsec transform-set tunnel esp-3des esp-sha-hmac
!
crypto ipsec profile VPN
 set transform-set tunnel
 set pfs group2
!
!
!
interface Loopback1
 ip address 2.2.2.1 255.255.255.0
!
interface Tunnel1
 ip address 10.0.0.1 255.255.255.0
 tunnel source 10.66.66.1
 tunnel destination 10.66.66.2
 tunnel protection ipsec profile VPN
!
interface FastEthernet0/0
 ip address 10.66.66.1 255.255.255.0
 ip access-group 100 in
 ip access-group 101 out
 duplex auto
 speed auto
!
ip route 3.3.3.0 255.255.255.0 10.0.0.2
!
!
!
access-list 100 permit gre host 10.66.66.2 host 10.66.66.1
access-list 100 permit esp host 10.66.66.2 host 10.66.66.1
access-list 100 permit ahp host 10.66.66.2 host 10.66.66.1
access-list 100 permit udp host 10.66.66.2 host 10.66.66.1 eq isakmp
access-list 100 deny   ip any any
access-list 101 permit gre host 10.66.66.1 host 10.66.66.2
access-list 101 permit esp host 10.66.66.1 host 10.66.66.2
access-list 101 permit ahp host 10.66.66.1 host 10.66.66.2
access-list 101 permit udp host 10.66.66.1 host 10.66.66.2 eq isakmp
access-list 101 deny   ip any any
!




##############################################
### Debian8 ###

modprobe gre
ip tunnel add tun1 mode gre remote 10.66.66.1 local 10.66.66.2
ifconfig tun1 10.0.0.2 pointopoint 10.0.0.1 up
# the Cisco side routes 3.3.3.0/24 into the tunnel; the mirror route is needed here
# (not shown in the original post):
# ip route add 2.2.2.0/24 via 10.0.0.1

or

auto tun1
iface tun1 inet tunnel
        address 10.0.0.2
        netmask 255.255.255.252
        dstaddr 10.0.0.1
        local 10.66.66.2
        endpoint 10.66.66.1
        mode gre
        # route to the far LAN, the mirror of the Cisco static route (not in the original post)
        up ip route add 2.2.2.0/24 via 10.0.0.1


root@debian:/home/tuhvatov# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:a6:d5:e4 brd ff:ff:ff:ff:ff:ff
    inet 10.66.66.2/24 brd 10.66.66.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fea6:d5e4/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:6c:0e:82 brd ff:ff:ff:ff:ff:ff
    inet 192.168.205.230/23 brd 192.168.205.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet 3.3.3.1/24 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe6c:e82/64 scope link
       valid_lft forever preferred_lft forever
4: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default
    link/gre 0.0.0.0 brd 0.0.0.0
5: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
6: tun1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default
    link/gre 10.66.66.2 peer 10.66.66.1
    inet 10.0.0.2 peer 10.0.0.1/32 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::5efe:a42:4202/64 scope link
       valid_lft forever preferred_lft forever


/etc/racoon/racoon.conf
remote 10.66.66.1 {
        exchange_mode main,aggressive;
        lifetime time 28800 sec;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo address 10.66.66.2/32 47 address 10.66.66.1/32 47 {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}

Two caveats before copying this. "exchange_mode main,aggressive" also accepts aggressive mode, in which the pre-shared-key authentication hash travels in the clear and can be brute-forced offline; the Cisco side keys the PSK by address and initiates in main mode, so "main" alone is enough. And 3DES, SHA-1 and DH group 2 are simply the legacy parameters these two implementations have in common, while the key "test" is a placeholder: use a long random secret in both "crypto isakmp key" and psk.txt.

/etc/ipsec-tools.conf

flush;
spdflush;
spdadd 10.66.66.2/32 10.66.66.1/32 47 -P out ipsec
           esp/tunnel/10.66.66.2-10.66.66.1/require;
spdadd 10.66.66.1/32 10.66.66.2/32 47 -P in ipsec
           esp/tunnel/10.66.66.1-10.66.66.2/require;

iptables -P INPUT     DROP
iptables -P FORWARD   DROP
iptables -P OUTPUT    ACCEPT
iptables -t filter -A INPUT -i tun1 -j ACCEPT
iptables -t filter -A INPUT -s 10.66.66.1/32 -d 10.66.66.2/32 -i eth0 -p gre -j ACCEPT
iptables -t filter -A INPUT -s 10.66.66.1/32 -d 10.66.66.2/32 -i eth0 -p esp -j ACCEPT
iptables -t filter -A INPUT -s 10.66.66.1/32 -d 10.66.66.2/32 -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
# FORWARD is DROP, so traffic between 3.3.3.0/24 (eth1) and the tunnel must be allowed
# explicitly, and forwarding has to be switched on (sysctl -w net.ipv4.ip_forward=1):
iptables -t filter -A FORWARD -i eth1 -o tun1 -j ACCEPT
iptables -t filter -A FORWARD -i tun1 -o eth1 -j ACCEPT
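The Debian side of the setup above collected into one script, as an added example that is not from the original post. Addresses default to the post's topology. Things the post does not show and that are assumptions here: the route to 2.2.2.0/24 over the tunnel, net.ipv4.ip_forward=1, FORWARD rules between eth1 and tun1, and an ESTABLISHED,RELATED rule so the host's own outbound connections get their replies back through an INPUT DROP policy. spd_policy() and firewall_cmds() only generate text, so they can be inspected (or unit-tested) without root; DRY_RUN=1 makes up() print every privileged command instead of running it.

```shell
#!/bin/sh
# Debian side of GRE over IPsec (racoon + setkey), added example.
# Usage (root):  ./gre-ipsec.sh up | down | check
# DRY_RUN=1 prints every privileged command instead of running it.

LOCAL_WAN=${LOCAL_WAN:-10.66.66.2}
REMOTE_WAN=${REMOTE_WAN:-10.66.66.1}
LOCAL_TUN=${LOCAL_TUN:-10.0.0.2}
REMOTE_TUN=${REMOTE_TUN:-10.0.0.1}
REMOTE_LAN=${REMOTE_LAN:-2.2.2.0/24}     # assumption: far LAN routed over the tunnel
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
TUN_IF=${TUN_IF:-tun1}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# setkey policy: only GRE (IP protocol 47) between the two WAN addresses,
# ESP in tunnel mode, 'require' so plaintext GRE is never sent or accepted.
spd_policy() {   # spd_policy LOCAL_WAN REMOTE_WAN
    printf 'flush;\nspdflush;\n'
    printf 'spdadd %s/32 %s/32 47 -P out ipsec esp/tunnel/%s-%s/require;\n' "$1" "$2" "$1" "$2"
    printf 'spdadd %s/32 %s/32 47 -P in ipsec esp/tunnel/%s-%s/require;\n' "$2" "$1" "$2" "$1"
}

# iptables rules, one per line. INPUT admits only IKE, ESP and GRE from the
# peer on the WAN side plus whatever arrives through the tunnel; FORWARD is
# opened only between the LAN and the tunnel (assumption, not in the post).
firewall_cmds() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $TUN_IF -j ACCEPT
iptables -A INPUT -i $WAN_IF -s $REMOTE_WAN -d $LOCAL_WAN -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A INPUT -i $WAN_IF -s $REMOTE_WAN -d $LOCAL_WAN -p esp -j ACCEPT
iptables -A INPUT -i $WAN_IF -s $REMOTE_WAN -d $LOCAL_WAN -p gre -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $TUN_IF -j ACCEPT
iptables -A FORWARD -i $TUN_IF -o $LAN_IF -j ACCEPT
EOF
}

up() {
    run modprobe gre
    run ip tunnel add "$TUN_IF" mode gre local "$LOCAL_WAN" remote "$REMOTE_WAN" ttl 64
    run ip addr add "$LOCAL_TUN" peer "$REMOTE_TUN/32" dev "$TUN_IF"
    run ip link set "$TUN_IF" up
    run ip route add "$REMOTE_LAN" via "$REMOTE_TUN" dev "$TUN_IF"
    run sysctl -q -w net.ipv4.ip_forward=1
    spd_policy "$LOCAL_WAN" "$REMOTE_WAN" | run setkey -c      # load the SPD from stdin
    firewall_cmds | while read -r cmd; do run $cmd; done
    run service racoon restart
}

down() {
    printf 'flush;\nspdflush;\n' | run setkey -c
    run ip tunnel del "$TUN_IF"
}

# Health check: phase 1 up, SAs present, GRE counters moving, peer reachable.
check() {
    racoonctl -ll ss isakmp
    setkey -D | grep -E '^[0-9.]+ [0-9.]+$|state='
    ip -s link show "$TUN_IF"
    ping -c 3 -I "$LOCAL_TUN" "$REMOTE_TUN"
}

case "${1:-}" in
    up)    up ;;
    down)  down ;;
    check) check ;;
esac
```

Run "DRY_RUN=1 ./gre-ipsec.sh up" first and read the plan; the racoon.conf and psk.txt from the post are still needed, the script only replaces the setkey and iptables parts.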

https://www.altlinux.org/VPN_c_%D0%B4%D0%B8%D0%BD%D0%B0%D0%BC%D0%B8%D1%87%D0%B5%D1%81%D0%BA%D0%BE%D0%B9_%D0%BC%D0%B0%D1%80%D1%88%D1%80%D1%83%D1%82%D0%B8%D0%B7%D0%B0%D1%86%D0%B8%D0%B5%D0%B9_(GRE_Racoon_OSPF)

http://www.rhd.ru/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-ipsec-host2host.html

DNAT on Cisco

12.12.12.0/24 ===| R1 |====23.23.23.0/24=====| R2 | ===== 5.5.5.0/24
                                             | ===== 3.3.3.0/24

==== on R1 ====
interface FastEthernet0/0
 ip address 12.12.12.2 255.255.255.0
 ip nat inside
!
interface FastEthernet1/0
 ip address 23.23.23.2 255.255.255.0
 ip nat outside
!
ip nat outside source static tcp 5.5.5.5 23 3.3.3.3 23 extendable

Result: when an inside host connects to 3.3.3.3:23, the destination is rewritten to 5.5.5.5:23 (outside global 5.5.5.5 is presented to the inside as outside local 3.3.3.3). One check before relying on it: for inside-to-outside traffic IOS routes first and translates afterwards, so R1 also needs a route for 3.3.3.3 pointing towards R2 (a static route, or the add-route keyword on the ip nat outside source static line).

Thursday, 30 June 2016

IPsec (tunnel mode) Cisco + Debian 8 racoon

2.2.2.0/24 ####Cisco#### 10.66.66.1/30 <--------> 10.66.66.2/30####Debian8#####3.3.3.0/24

##########################################################
### Cisco ###

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key test address 10.66.66.2
!
!
crypto ipsec transform-set tunnel esp-3des esp-sha-hmac
!
crypto map TEST 1 ipsec-isakmp
 set peer 10.66.66.2
 set transform-set tunnel
 set pfs group2
 match address MY-ACL
!
!
!
!
!
interface Loopback1
 ip address 2.2.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.66.66.1 255.255.255.0
 duplex auto
 speed auto
 crypto map TEST
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip route 3.3.3.0 255.255.255.0 10.66.66.2
no ip http server
no ip http secure-server
!
!
!
ip access-list extended MY-ACL
 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
 deny   ip any any
!

##############################################
### Debian8 ###

root@debian:/etc/init.d# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:a6:d5:e4 brd ff:ff:ff:ff:ff:ff
    inet 10.66.66.2/24 brd 10.66.66.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fea6:d5e4/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:6c:0e:82 brd ff:ff:ff:ff:ff:ff
    inet 192.168.205.230/23 brd 192.168.205.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet 3.3.3.1/24 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe6c:e82/64 scope link
       valid_lft forever preferred_lft forever


root@debian:/etc/racoon# cat /etc/racoon/psk.txt
# IPv4/v6 addresses
10.66.66.1      test


root@debian:/etc/racoon# cat /etc/racoon/racoon.conf
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";


remote 10.66.66.1 {
        exchange_mode main,aggressive;
        lifetime time 28800 sec;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 3.3.3.0/24 any address 2.2.2.0/24 any {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}

root@debian:/etc# cat /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 3.3.3.0/24 2.2.2.0/24 any -P out ipsec
           esp/tunnel/10.66.66.2-10.66.66.1/require;
spdadd 2.2.2.0/24 3.3.3.0/24 any -P in ipsec
           esp/tunnel/10.66.66.1-10.66.66.2/require;

######################################
######## Monitoring
root@debian:/etc# racoonctl -ll ss isakmp
Source                                        Destination                                   Cookies                           ST S  V E Created             Phase2
10.66.66.2.500                                10.66.66.1.500                                2f884599e608cee3:69f1cc4a2e88d065  9 I 10 M 2016-07-01 09:12:30      1

ST 9 is PHASE1ST_ESTABLISHED in ipsec-tools' isakmp.h, so phase 1 is up; S = I means this side was the initiator, E = M confirms main mode was used, and Phase2 = 1 is the number of phase-2 SAs negotiated under this phase-1 SA.

root@debian:/etc# tail -f /var/log/syslog | grep racoon
Jul  1 09:06:56 debian racoon: [10.66.66.1] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
Jul  1 09:12:29 debian racoon: WARNING: attribute has been modified.
Jul  1 09:12:29 debian racoon: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
Jul  1 09:12:29 debian racoon: INFO: @(#)This product linked OpenSSL 1.0.1k 8 Jan 2015 (http://www.openssl.org/)
Jul  1 09:12:29 debian racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Jul  1 09:12:31 debian racoon: WARNING: attribute has been modified.

The 09:06:56 "failed to pre-process ph2 packet" line is what a phase-2 rejection looks like in racoon's log, typically because the selectors in sainfo/spdadd do not mirror the Cisco crypto ACL or because the phase-2 proposal does not match the transform-set; the lines from 09:12:29 are a restart of racoon, after which the session shown above came up at 09:12:30.
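The two monitoring commands above turned into pass/fail checks, as an added example that is not from the post. It relies on two facts about the output formats: in "racoonctl -ll ss isakmp" the ST column is the phase-1 state and 9 is PHASE1ST_ESTABLISHED (ipsec-tools isakmp.h), and "setkey -D" prints a "src dst" line per SA followed by a line containing state=mature once the SA is usable. The two samples embedded for the self-test are constructed: the ISAKMP line is the post's own, the SAD dump is made up (SPIs and key bytes are placeholders).

```shell
#!/bin/sh
# Pass/fail checks for racoon + setkey state (added example).
# Usage (root):  ./ipsec-check.sh live [LOCAL] [REMOTE]

# phase1_established PEER: reads 'racoonctl -ll ss isakmp' on stdin; exit 0
# when a phase-1 SA whose Destination is PEER (any port, so NAT-T's 4500
# matches too) is in state 9.
phase1_established() {
    awk -v peer="$1" '
        $1 == "Source" { next }                                    # column header
        (substr($2, 1, length(peer) + 1) == (peer ".")) && $4 == 9 { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# sa_mature SRC DST: reads 'setkey -D' on stdin; exit 0 when the SRC->DST
# SA exists and has reached state=mature (larval/dying/dead do not count).
sa_mature() {
    awk -v want="$1 $2" '
        /^[0-9.]+ [0-9.]+$/ { cur = $0; next }                    # "src dst" opens an SA
        cur == want && /state=mature/ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# ipsec_ok LOCAL REMOTE: live check on this host; returns the failure count.
ipsec_ok() {
    fails=0
    racoonctl -ll ss isakmp | phase1_established "$2" \
        || { echo "phase 1 to $2 not established"; fails=$((fails + 1)); }
    setkey -D | sa_mature "$1" "$2" \
        || { echo "no mature SA $1 -> $2"; fails=$((fails + 1)); }
    setkey -D | sa_mature "$2" "$1" \
        || { echo "no mature SA $2 -> $1"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed samples for the self-test (ISAKMP line from the post, SAD made up).
SAMPLE_ISAKMP='Source   Destination   Cookies   ST S  V E Created   Phase2
10.66.66.2.500  10.66.66.1.500  2f884599e608cee3:69f1cc4a2e88d065  9 I 10 M 2016-07-01 09:12:30  1'

SAMPLE_SAD='10.66.66.2 10.66.66.1
    esp mode=tunnel spi=205512733(0x0c3fd81d) reqid=0(0x00000000)
    E: 3des-cbc  00000000 00000000 00000000 00000000 00000000 00000000
    A: hmac-sha1 00000000 00000000 00000000 00000000 00000000
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jul  1 09:12:31 2016   current: Jul  1 09:20:02 2016
10.66.66.1 10.66.66.2
    esp mode=tunnel spi=3281029(0x00321085) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=larval'

if [ "${1:-}" = live ]; then ipsec_ok "${2:-10.66.66.2}" "${3:-10.66.66.1}"; fi
```

Both SAs of a pair must be mature; the sample deliberately has the inbound one still larval, which is what you see when only one direction of the SPD was loaded.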


Wednesday, 15 June 2016

IPsec Cisco + Mikrotik

Cisco 2811

!
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp key SeCrEtKeY address 99.251.150.181
!
crypto ipsec transform-set PEER1 esp-aes 256 esp-md5-hmac
!
crypto map OUT 11 ipsec-isakmp
 set peer 99.251.150.181
 set security-association lifetime seconds 28800
 set transform-set PEER1
 set pfs group2
 match address 112
!
access-list 112 permit ip host 192.168.45.254 192.168.66.0 0.0.0.255

Cisco2811#sh crypto isakmp policy

Global IKE policy
Protection suite of priority 3
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               28800 seconds, no volume limit



Mikrotik RB450G v6.27

/ip address
add address=192.168.66.1/24 interface=ether2-master-local network=\
    192.168.66.0
add address=99.251.150.181/24 interface=ether1 network=\
    99.251.150.0

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=aes-256-cbc  lifetime=8h

/ip ipsec peer
add address=212.66.129.54/32 enc-algorithm=des exchange-mode=aggressive \
    hash-algorithm=md5 lifetime=8h nat-traversal=no secret=SeCrEtKeY
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.45.0/24 sa-dst-address=212.66.129.54 sa-src-address=\
    99.251.150.181 src-address=192.168.66.0/24 tunnel=yes

Check the two sides against each other before debugging anything else. Phase 1 as posted does not line up: Cisco policy 3 is AES-256/SHA-1/DH group 2, while the Mikrotik peer proposes des/md5 in aggressive mode, and IKE only completes when encryption, hash, DH group and authentication method all agree, so unless the Cisco side has a matching policy beyond the one shown, phase 1 fails. Align the Mikrotik peer to the Cisco policy (enc-algorithm=aes-256 hash-algorithm=sha1 exchange-mode=main) rather than weakening the Cisco side; DES and MD5 with an aggressive-mode PSK is the weakest combination either box offers. The phase-2 selectors also differ: access-list 112 covers host 192.168.45.254 <-> 192.168.66.0/24, while the RouterOS policy covers 192.168.45.0/24 <-> 192.168.66.0/24, and IOS with a static crypto map rejects a proxy ID that is not the exact mirror of its crypto ACL ("proxy identities not supported" in debug crypto ipsec). Either widen the ACL to 192.168.45.0 0.0.0.255 or narrow the policy's dst-address to 192.168.45.254/32.
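A small selector-consistency check, as an added example that is not from the post. It converts Cisco "permit ip ..." lines (host, any, or address plus wildcard mask) into CIDR pairs, mirrors them (each side writes the selector from its own point of view), and compares them with the peer's policy given as "src dst" lines in CIDR form, which is what a RouterOS /ip ipsec policy or a racoon sainfo/setkey spdadd pair amounts to. Wildcard masks are assumed to be contiguous. Run with "demo" to see the mismatch in the Cisco/Mikrotik configuration above.

```shell
#!/bin/sh
# Compare a Cisco crypto ACL with the peer's IPsec policy selectors (added example).
# Usage:  ./selectors.sh demo

# Print "src dst" in CIDR for every 'permit ip ...' line on stdin.
# Handles 'host A', 'any' and 'A WILDCARD' (wildcard assumed contiguous).
cisco_acl_selectors() {
    awk '
        function pfx(w,   n, i, o, bits) {            # 0.0.0.255 -> 24
            n = split(w, o, "."); bits = 0
            for (i = 1; i <= n; i++)
                for (; o[i] > 0; o[i] = int(o[i] / 2)) bits += o[i] % 2
            return 32 - bits
        }
        function spec(i) {                             # one address spec at field i
            if ($i == "host") { addr = $(i + 1) "/32"; return i + 2 }
            if ($i == "any")  { addr = "0.0.0.0/0";    return i + 1 }
            addr = $i "/" pfx($(i + 1)); return i + 2
        }
        {
            for (i = 1; i < NF; i++)                   # named or numbered ACL syntax
                if ($i == "permit" && $(i + 1) == "ip") {
                    j = spec(i + 2); src = addr
                    spec(j);         dst = addr
                    print src, dst
                    break
                }
        }'
}

# Swap the columns: our "src dst" is the peer's "dst src".
mirror() { awk '{ print $2, $1 }'; }

# compare_selectors CISCO_ACL_TEXT PEER_POLICY_TEXT
# exit 0 when both describe the same pairs, else list the odd ones out.
compare_selectors() {
    ours=$(printf '%s\n' "$1" | cisco_acl_selectors | mirror | sort)
    theirs=$(printf '%s\n' "$2" | sort)
    odd=$( { printf '%s\n' "$ours"; printf '%s\n' "$theirs"; } | sort | uniq -u )
    if [ -z "$odd" ]; then return 0; fi
    printf 'selector mismatch (present on one side only):\n%s\n' "$odd"
    return 1
}

# The post's Cisco/Mikrotik pair, for a quick demo.
if [ "${1:-}" = demo ]; then
    compare_selectors 'access-list 112 permit ip host 192.168.45.254 192.168.66.0 0.0.0.255' \
                      '192.168.66.0/24 192.168.45.0/24'
fi
```

The same function run on the Debian post's pair (permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255 against sainfo 3.3.3.0/24 <-> 2.2.2.0/24) reports no mismatch, which is why that tunnel came up.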

Sunday, 13 March 2016

Systemd custom script start/stop

You need two files: the script and the .service file (unit configuration file).
Make sure your script is executable and the first line (the shebang) is #!/bin/sh. Then create the .service file in /etc/systemd/system (a plain text file, let's call it vgaoff.service).
For example:
  1. the script: /usr/bin/vgaoff
  2. the unit file: /etc/systemd/system/vgaoff.service
Now, edit the unit file. Its content depends on how your script works:
If vgaoff just powers off the gpu, e.g.:
exec blah-blah pwrOFF etc 
then the content of vgaoff.service should be:
[Unit]
Description=Power-off gpu

[Service]
Type=oneshot
ExecStart=/usr/bin/vgaoff

[Install]
WantedBy=multi-user.target
If vgaoff is used to power off the GPU and also to power it back on, e.g.:
start() {
  exec blah-blah pwrOFF etc
}

stop() {
  exec blah-blah pwrON etc
}

case $1 in
  start|stop) "$1" ;;
esac
then the content of vgaoff.service should be:
[Unit]
Description=Power-off gpu

[Service]
Type=oneshot
ExecStart=/usr/bin/vgaoff start
ExecStop=/usr/bin/vgaoff stop
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Once you're done with the files, enable the service:


systemctl enable vgaoff.service
It should start automatically after rebooting the machine.
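The second unit above written out by a script, with the pre-checks the text asks for (executable, shebang) automated and a few sandboxing directives added. This is an added example, not from the post: vgaoff and its start/stop arguments are the post's, while ProtectSystem, ProtectHome, PrivateTmp and NoNewPrivileges are my additions and assume the script only needs to write under /sys, which ProtectSystem=strict leaves writable.

```shell
#!/bin/sh
# Install a hardened oneshot start/stop unit for a script (added example).
# Usage (root):  ./install-unit.sh install
set -eu

# render_unit SCRIPT DESCRIPTION: print the unit text to stdout.
render_unit() {
    cat <<EOF
[Unit]
Description=$2

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=$1 start
ExecStop=$1 stop
# sandbox: read-only OS (except /dev, /proc, /sys), no home dirs, private /tmp,
# and no setuid/capability gain for anything the script spawns
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
EOF
}

# install_unit SCRIPT NAME DESCRIPTION: check the script, write the unit,
# let systemd validate it, then enable it.
install_unit() {
    script=$1; unit=/etc/systemd/system/$2.service
    [ -x "$script" ] || { echo "$script is not executable" >&2; return 1; }
    head -n 1 "$script" | grep -q '^#!' || { echo "$script has no shebang line" >&2; return 1; }
    render_unit "$script" "$3" > "$unit"
    systemd-analyze verify "$unit"
    systemctl daemon-reload
    systemctl enable "$2.service"
}

if [ "${1:-}" = install ]; then install_unit /usr/bin/vgaoff vgaoff "Power-off gpu"; fi
```

"systemctl enable" only wires the unit into multi-user.target for the next boot; "systemctl start vgaoff.service" runs ExecStart now, and because of RemainAfterExit the unit then stays active so that "systemctl stop" runs ExecStop.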

http://unix.stackexchange.com/questions/47695/how-to-write-startup-script-for-systemd
http://www.freedesktop.org/software/systemd/man/systemd.service.html

Monday, 27 July 2015

Backup and restore of OpenWRT

Backup

  1. Back up the configuration in LuCI "System → Backup".
  2. Get the list of installed packages:
    opkg list_installed | cut -f 1 -d ' '
    (save the output off the router, for example as pkgs; /tmp is RAM and does not survive a reboot)

Restore

  1. Configure the router for Internet access.
  2. Install the packages:
    opkg update && for i in $(cat /tmp/pkgs); do opkg install $i; done
    
  3. Restore the configuration in LuCI "System → Backup".
  4. Re-check that services (for example OpenVPN) are enabled in LuCI "System → Startup", since this setting is not stored in the configuration backup.
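The same procedure from the command line, as an added example that is not from the post. The assumption it rests on: a squashfs+overlay image, where /rom holds the pristine flash contents and /rom/usr/lib/opkg/status therefore lists the packages that shipped with it; subtracting that from the live status file leaves only packages you installed, which is much shorter than the full list and avoids re-installing the base system on restore. "sysupgrade -b" and "sysupgrade -r" are the command-line counterparts of LuCI System → Backup.

```shell
#!/bin/sh
# OpenWrt backup/restore helper (added example).
# Usage (on the router):  ./owrt-backup.sh backup [DIR] | restore DIR

# user_installed LIVE_STATUS ROM_STATUS: package names in LIVE_STATUS that are
# not in ROM_STATUS (opkg status files are stanzas starting "Package: NAME").
user_installed() {
    awk 'FILENAME == ARGV[1] { if ($1 == "Package:") rom[$2] = 1; next }
         $1 == "Package:" && !($2 in rom) { print $2 }' "$2" "$1" | sort -u
}

backup() {   # backup DIR   (then copy DIR off the router; /tmp is RAM)
    mkdir -p "$1"
    user_installed /usr/lib/opkg/status /rom/usr/lib/opkg/status > "$1/packages.txt"
    sysupgrade -b "$1/config.tar.gz"
    ( cd "$1" && sha256sum packages.txt config.tar.gz > SHA256SUMS )
}

restore() {   # restore DIR   (router already online)
    ( cd "$1" && sha256sum -c SHA256SUMS ) || return 1
    opkg update || return 1
    while read -r pkg; do
        opkg install "$pkg" || echo "failed: $pkg" >&2
    done < "$1/packages.txt"
    sysupgrade -r "$1/config.tar.gz"
    # enabled/disabled state lives in /etc/rc.d symlinks, which the config
    # archive does not carry: print what is enabled now so the rest can be
    # re-enabled with '/etc/init.d/NAME enable' before rebooting
    for s in /etc/init.d/*; do
        if "$s" enabled 2>/dev/null; then echo "enabled: ${s##*/}"; fi
    done
}

case "${1:-}" in
    backup)  backup "${2:-/tmp/owrt-backup}" ;;
    restore) restore "${2:?directory required}" ;;
esac
```

The checksum file catches a truncated copy of config.tar.gz before sysupgrade -r unpacks it over /etc; verify it again after copying the directory back onto the router.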

Friday, 13 March 2015

Fast and Slow ACLs


Some ACL types require information which may not be already available to Squid. Checking them requires suspending work on the current request, querying some external source, and resuming work when the needed information becomes available. This is for example the case for DNS, authenticators or external authorization scripts. ACLs can thus be divided in FAST ACLs, which do not require going to external sources to be fulfilled, and SLOW ACLs, which do.
Fast ACLs include (as of squid 3.1.0.7):
  • all (built-in)
  • src
  • dstdomain
  • dstdom_regex
  • myip
  • arp
  • src_as
  • peername
  • time
  • url_regex
  • urlpath_regex
  • port
  • myport
  • myportname
  • proto
  • method
  • http_status {R}
  • browser
  • referer_regex
  • snmp_community
  • maxconn
  • max_user_ip
  • req_mime_type
  • req_header
  • rep_mime_type {R}
  • user_cert
  • ca_cert
Slow ACLs include:
  • dst
  • dst_as
  • srcdomain
  • srcdom_regex
  • ident
  • ident_regex
  • proxy_auth
  • proxy_auth_regex
  • external
  • ext_user
  • ext_user_regex
This list may be incomplete or out-of-date. See your squid.conf.documented file for details. ACL types marked with {R} are reply ACLs, see the dedicated FAQ chapter.
Squid caches the results of ACL lookups whenever possible, thus slow ACLs will not always need to go to the external data-source.
Knowing the behaviour of an ACL type is relevant because not all ACL matching directives support all kinds of ACLs. Some check-points will not suspend the request: they allow (or deny) immediately. If a SLOW acl has to be checked, and the results of the check are not cached, the corresponding ACL result will be as if it didn't match. In other words, such ACL types are in general not reliable in all access check clauses.
The following are SLOW access clauses:
These are instead FAST access clauses:

Thus the safest course of action is to only use fast ACLs in fast access clauses, and any kind of ACL in slow access clauses.
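A configuration check that applies the rule above, as an added example that is not from the Squid FAQ: it reads squid.conf, records the type of every acl, and reports any slow ACL type used in a clause that only evaluates fast ACLs (where, as the text explains, it silently behaves as a non-match). SLOW_TYPES is the slow list from the text; FAST_ONLY_CLAUSES is an assumption to be verified against the "This clause only supports fast acl types" notes in your squid.conf.documented, shown here with three directives as a starting point. The sample squid.conf is constructed for the self-test.

```shell
#!/bin/sh
# Flag slow ACL types used in fast-only access clauses of squid.conf (added example).
# Usage:  ./squid-acl-check.sh /etc/squid/squid.conf

SLOW_TYPES="dst dst_as srcdomain srcdom_regex ident ident_regex proxy_auth proxy_auth_regex external ext_user ext_user_regex"
# assumption: confirm this list against squid.conf.documented for your version
FAST_ONLY_CLAUSES=${FAST_ONLY_CLAUSES:-"icp_access htcp_access delay_access"}

# check_squid_conf FILE: print "LINE: CLAUSE uses slow acl NAME (TYPE)" per
# finding; exit 1 if there is at least one, 0 otherwise.
check_squid_conf() {
    awk -v slow="$SLOW_TYPES" -v fast="$FAST_ONLY_CLAUSES" '
        BEGIN {
            n = split(slow, a, " "); for (i = 1; i <= n; i++) isslow[a[i]] = 1
            n = split(fast, b, " "); for (i = 1; i <= n; i++) fastonly[b[i]] = 1
        }
        /^[ \t]*#/ || NF == 0 { next }                 # comments and blank lines
        $1 == "acl" { type[$2] = $3; next }            # acl NAME TYPE args...
        ($1 in fastonly) {
            for (i = 2; i <= NF; i++) {
                # skip allow/deny and numeric arguments (delay_access POOL allow ...)
                if ($i == "allow" || $i == "deny" || $i ~ /^[0-9]+$/) continue
                name = $i; sub(/^!/, "", name)         # "!name" negates an acl
                if ((name in type) && (type[name] in isslow)) {
                    printf "%d: %s uses slow acl %s (%s)\n", FNR, $1, name, type[name]
                    bad = 1
                }
            }
        }
        END { if (bad) exit 1; exit 0 }' "$1"
}

if [ $# -gt 0 ]; then check_squid_conf "$1"; fi
```

http_access is a slow clause, so proxy_auth there is fine and is not reported; the same acl referenced from icp_access or delay_access is what the checker flags.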