This is how we spoof the MAC address of a NIC in Linux: take the interface down, set the new hardware address, bring it back up. Pick an address with an even first octet (I/G bit clear, otherwise the kernel refuses it as a station address), and preferably one with the U/L bit set (first octet 02, for example) so it is marked locally administered and cannot collide with a vendor-assigned address.
ifconfig eth0 down
ifconfig eth0 hw ether 00:00:AA:BB:CC:DD
ifconfig eth0 up
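As an added example (not part of the original post), here is a small Python helper that checks the two flag bits in the first octet before the address is written to the card, generates a random locally administered address the way macchanger does, and produces the same three steps as above for either ifconfig or the iproute2 `ip link` equivalent. It only returns command strings; running them as root is left to you. The interface name and the addresses in the usage are assumptions.

```python
"""Added example (not from the original post): sanity-check a MAC address
before writing it to a NIC, using the two flag bits of the first octet
(bit 0 = I/G, must be 0 for a station address; bit 1 = U/L, 1 means
locally administered), and build the ifconfig or iproute2 command lines.
Only strings are returned; nothing here touches an interface."""
import random
import re

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")


def parse_mac(text: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; ValueError otherwise."""
    if not MAC_RE.fullmatch(text):
        raise ValueError("not a MAC address: %r" % text)
    return bytes.fromhex(re.sub(r"[:-]", "", text))


def format_mac(mac: bytes) -> str:
    return ":".join("%02x" % b for b in mac)


def is_unicast(mac: bytes) -> bool:
    return not mac[0] & 0x01            # I/G bit clear


def is_locally_administered(mac: bytes) -> bool:
    return bool(mac[0] & 0x02)          # U/L bit set


def check_mac(text: str) -> list:
    """Problems a practitioner wants flagged before 'hw ether'; empty list = fine."""
    mac = parse_mac(text)
    problems = []
    if not is_unicast(mac):
        problems.append("multicast bit set; Linux rejects it as a station address")
    if not is_locally_administered(mac):
        problems.append("globally administered; may collide with a real vendor OUI")
    if mac in (b"\x00" * 6, b"\xff" * 6):
        problems.append("all-zero or broadcast address")
    return problems


def random_local_mac(seed=None) -> str:
    """Random locally administered unicast address; seed only for reproducible tests."""
    rng = random.Random(seed)
    octets = bytearray(rng.getrandbits(8) for _ in range(6))
    octets[0] = (octets[0] | 0x02) & 0xFE   # set U/L, clear I/G
    return format_mac(bytes(octets))


def spoof_commands(iface: str, mac: str, tool: str = "ip") -> list:
    """The three steps from the post; the link has to be down while the address changes."""
    mac = format_mac(parse_mac(mac))
    if tool == "ip":
        return ["ip link set dev %s down" % iface,
                "ip link set dev %s address %s" % (iface, mac),
                "ip link set dev %s up" % iface]
    return ["ifconfig %s down" % iface,
            "ifconfig %s hw ether %s" % (iface, mac),
            "ifconfig %s up" % iface]


if __name__ == "__main__":
    for cmd in spoof_commands("eth0", random_local_mac()):   # eth0 is assumed
        print(cmd)
```

Note that the address used in the post, 00:00:AA:BB:CC:DD, passes the unicast check but has the U/L bit clear, so check_mac() will warn that it looks like a vendor-assigned address.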
Wednesday, December 16, 2009
Sunday, December 13, 2009
TCP Replay
tcpreplay is a really nice tool, especially when a malformed packet is doing something it should not in your network.
On the ASR1000 we can capture the last packet that caused a crash, a traceback or any other stupid thing the box is not supposed to do, so getting that packet from the customer network is easy (it comes from GPM memory).
Now you can replay that packet with tcpreplay and you are all set to reproduce the same attack in your lab, without the code or tool the person used to crash the box >:)
Lnx-------------Router------------Otherside
1st, rewrite the packet's source and destination addresses to match your lab network (a must, and you know why). The destination MAC also has to be the router's interface address or the router drops the frame on ingress (tcprewrite's --enet-dmac sets it), and make sure the checksums are recalculated after the IP rewrite (tcprewrite's -C/--fixcsum) or the router drops it anyway.
-changing the IP addresses (pseudo-NAT: the /16 network part is swapped, the host part of each address is kept)
[root@mrbu-devtest dujoshi]# tcprewrite -i gpm-packet.pcap --pnat 87.244.12.179/16:192.168.100.1/16 -o abc.pcap
-Changing the MAC address (the input here is abc.pcap, the output of the previous step; feeding gpm-packet.pcap in again would throw the IP rewrite away)
[root@mrbu-devtest dujoshi]# tcprewrite -i abc.pcap --enet-smac=00:21:d8:59:7f:0c,00:22:64:c3:64:94 -o abcd.pcap
and then you can run tcpreplay
[root@mrbu-devtest dujoshi]# tcprewrite -i abcd.pcap -C -o abcd-fixed.pcap
[root@mrbu-devtest dujoshi]# tcpreplay -i eth1 abcd.pcap
sending out eth1
processing file: abcd.pcap
Actual: 1 packets (180 bytes) sent in 0.01 seconds
Rated: 18000.0 bps, 0.14 Mbps, 100.00 pps
Statistics for network device: eth1
Attempted packets: 1
Successful packets: 1
Failed packets: 0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN): 0
[root@mrbu-devtest dujoshi]#
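To show what the two tcprewrite steps actually do to the bytes, here is an added example (not from the original post and not tcprewrite's code): a stdlib-only rewriter that walks a classic pcap file, applies the same pseudo-NAT rule (network part swapped, host part kept), replaces the source and destination MACs, and recalculates the IPv4 and TCP/UDP checksums, which is the part people forget and the reason the router silently drops a hand-edited packet. The sample packet is constructed inline; the MACs from the post are reused, with the second one taken as the destination (router side), which is an assumption.

```python
"""Added example (not from the original post): a stdlib-only pcap rewriter
doing what the tcprewrite steps above do: pseudo-NAT of IPv4 addresses
with the host part kept (--pnat), MAC rewrite (--enet-smac/--enet-dmac) and
IPv4 + TCP/UDP checksum recalculation (--fixcsum). The packet built in
build_sample_pcap() is constructed, not a real GPM capture."""
import ipaddress
import struct

ETH_IPV4 = 0x0800
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"  # classic microsecond pcap, little-endian

def csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def l4_csum(src, dst, proto, segment):
    """TCP/UDP checksum covers the IPv4 pseudo-header, so it changes with the IPs."""
    return csum(src + dst + struct.pack("!BBH", 0, proto, len(segment)) + segment)

def parse_pnat(spec: str):
    """tcprewrite-style 'match/len:rewrite/len' rule; host bits in the spec are fine."""
    match, rewrite = spec.split(":")
    return (ipaddress.IPv4Network(match, strict=False),
            ipaddress.IPv4Network(rewrite, strict=False))

def pnat(addr: bytes, rules) -> bytes:
    """Move addr into the rewrite network if it lies in the match network."""
    ip = int.from_bytes(addr, "big")
    for match, rewrite in rules:
        mask = int(match.netmask)
        if ip & mask == int(match.network_address):
            return (int(rewrite.network_address) | ((ip & ~mask) & 0xFFFFFFFF)).to_bytes(4, "big")
    return addr

def rewrite_frame(frame: bytes, rules, smac=None, dmac=None) -> bytes:
    """Rewrite one Ethernet frame; non-IPv4 frames only get new MACs."""
    out = bytearray(frame)
    if dmac:
        out[0:6] = dmac
    if smac:
        out[6:12] = smac
    if struct.unpack("!H", out[12:14])[0] != ETH_IPV4:
        return bytes(out)
    ihl = (out[14] & 0x0F) * 4
    total_len = struct.unpack("!H", out[16:18])[0]
    proto = out[23]
    src, dst = pnat(bytes(out[26:30]), rules), pnat(bytes(out[30:34]), rules)
    out[26:30], out[30:34] = src, dst
    out[24:26] = b"\x00\x00"  # zero, then recompute the IPv4 header checksum
    out[24:26] = struct.pack("!H", csum(bytes(out[14:14 + ihl])))
    off = {6: 16, 17: 6}.get(proto)  # checksum offset inside TCP / UDP
    seg = bytearray(out[14 + ihl:14 + total_len])
    if off is not None and len(seg) >= off + 2:
        seg[off:off + 2] = b"\x00\x00"
        c = l4_csum(src, dst, proto, bytes(seg)) or (0xFFFF if proto == 17 else 0)
        seg[off:off + 2] = struct.pack("!H", c)  # UDP: 0 would mean "no checksum"
        out[14 + ihl:14 + total_len] = seg
    return bytes(out)

def rewrite_pcap(data: bytes, rules, smac=None, dmac=None) -> bytes:
    """Walk a classic pcap file and rewrite every record."""
    e = "<" if data[:4] == PCAP_MAGIC_LE else ">"
    out, pos = bytearray(data[:24]), 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl, _ = struct.unpack(e + "IIII", data[pos:pos + 16])
        frame = rewrite_frame(data[pos + 16:pos + 16 + incl], rules, smac, dmac)
        out += struct.pack(e + "IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
        pos += 16 + incl
    return bytes(out)

def build_sample_pcap() -> bytes:
    """Constructed input: one UDP frame 87.244.12.179 -> 87.244.99.7."""
    src = ipaddress.IPv4Address("87.244.12.179").packed
    dst = ipaddress.IPv4Address("87.244.99.7").packed
    udp = bytearray(struct.pack("!HHHH", 40000, 53, 24, 0) + b"\xde\xad\xbe\xef" * 4)
    udp[6:8] = struct.pack("!H", l4_csum(src, dst, 17, bytes(udp)) or 0xFFFF)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0, src, dst))
    ip[10:12] = struct.pack("!H", csum(bytes(ip)))
    frame = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
             + struct.pack("!H", ETH_IPV4) + bytes(ip) + bytes(udp))
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return header + struct.pack("<IIII", 1260000000, 0, len(frame), len(frame)) + frame

def inspect_first_frame(data: bytes) -> dict:
    """Decode the first record: MACs, IPs and whether both checksums verify."""
    frame = data[40:]
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src, dst, proto = frame[26:30], frame[30:34], frame[23]
    return {"dmac": frame[0:6].hex(":"), "smac": frame[6:12].hex(":"),
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ip_csum_ok": csum(frame[14:14 + ihl]) == 0,
            "l4_csum_ok": l4_csum(src, dst, proto, frame[14 + ihl:14 + total_len]) == 0}
```

Usage: `rewrite_pcap(open("gpm-packet.pcap", "rb").read(), [parse_pnat("87.244.12.179/16:192.168.100.1/16")], smac=bytes.fromhex("0021d8597f0c"), dmac=bytes.fromhex("002264c36494"))` returns the bytes to write to abcd.pcap; inspect_first_frame() on the result confirms both addresses moved to 192.168.x.y with the host part intact and that both checksums still verify. Check the "Failed packets" counter in the tcpreplay statistics afterwards; a frame longer than the interface MTU shows up there.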
Sunday, November 1, 2009
OSPF
OSPF:
=======
R1--------------------------R2
1.1.1.1 1.1.1.2
R1 loopback is 21.1.1.1
R2 loopback is 31.1.1.1
Show commands output
R1 configs:
============
router ospf 1
log-adjacency-changes
network 1.1.1.0 0.0.0.255 area 0
network 21.1.1.0 0.0.0.255 area 0
R2 Configs:
=============
router ospf 1
log-adjacency-changes
network 1.1.1.0 0.0.0.255 area 0
network 31.1.1.0 0.0.0.255 area 0
Now let's walk through the output of the OSPF show commands, followed by the adjacency debug.
R1#sh ip ospf 1
Routing Process "ospf 1" with ID 21.1.1.1
Start time: 3w1d, Time elapsed: 00:18:33.104
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
Router is not originating router-LSAs with maximum metric
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Incremental-SPF disabled
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 0. Checksum Sum 0x000000
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
IETF NSF helper support enabled
Cisco NSF helper support enabled
Area BACKBONE(0)
Number of interfaces in this area is 2 (1 loopback)
Area has no authentication
SPF algorithm last executed 00:07:33.784 ago
SPF algorithm executed 1 times
Area ranges are
Number of LSA 3. Checksum Sum 0x0218C4
Number of opaque link LSA 0. Checksum Sum 0x000000
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
R1#
R1#sh ip ospf interface f6/0
FastEthernet6/0 is up, line protocol is up
Internet Address 1.1.1.1/24, Area 0
Process ID 1, Router ID 21.1.1.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 31.1.1.1, Interface address 1.1.1.2
Backup Designated router (ID) 21.1.1.1, Interface address 1.1.1.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:04
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 31.1.1.1 (Designated Router)
Suppress hello for 0 neighbor(s)
R1#
R1#sh ip ospf database
OSPF Router with ID (21.1.1.1) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
21.1.1.1 21.1.1.1 483 0x80000004 0x00DAF2 2
31.1.1.1 31.1.1.1 761 0x80000003 0x00604F 2
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
1.1.1.2 31.1.1.1 761 0x80000001 0x003E9A
R1#
OSPF Neighbour
================
R1#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
31.1.1.1 1 FULL/DR 00:00:37 1.1.1.2 FastEthernet6/0
R1#
*Nov 1 13:14:12.932 IST: OSPF: Interface FastEthernet6/0 going Up
*Nov 1 13:14:12.932 IST: OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet6/0 from 1.1.1.1
*Nov 1 13:14:13.276 IST: OSPF: Rcv hello from 31.1.1.1 area 0 from FastEthernet6/0 1.1.1.2
*Nov 1 13:14:13.276 IST: OSPF: Send immediate hello to nbr 31.1.1.1, src address 1.1.1.2, on FastEthernet6/0
*Nov 1 13:14:13.276 IST: OSPF: Send hello to 1.1.1.2 area 0 on FastEthernet6/0 from 1.1.1.1
*Nov 1 13:14:13.276 IST: OSPF: End of hello processing
*Nov 1 13:14:13.432 IST: OSPF: Build router LSA for area 0, router ID 21.1.1.1, seq 0x80000002, process 1
*Nov 1 13:14:22.328 IST: OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet6/0 from 1.1.1.1
*Nov 1 13:14:22.328 IST: OSPF: Rcv hello from 31.1.1.1 area 0 from FastEthernet6/0 1.1.1.2
*Nov 1 13:14:22.328 IST: OSPF: 2 Way Communication to 31.1.1.1 on FastEthernet6/0, state 2WAY
*Nov 1 13:14:22.328 IST: OSPF: End of hello processing
*Nov 1 13:14:22.808 IST: OSPF: Rcv hello from 31.1.1.1 area 0 from FastEthernet6/0 1.1.1.2
*Nov 1 13:14:22.808 IST: OSPF: End of hello processing
*Nov 1 13:14:31.428 IST: OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet6/0 from 1.1.1.1
*Nov 1 13:14:32.548 IST: OSPF: Rcv hello from 31.1.1.1 area 0 from FastEthernet6/0 1.1.1.2
*Nov 1 13:14:32.548 IST: OSPF: End of hello processing
*Nov 1 13:14:40.484 IST: OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet6/0 from 1.1.1.1
*Nov 1 13:14:41.728 IST: OSPF: Rcv hello from 31.1.1.1 area 0 from FastEthernet6/0 1.1.1.2
*Nov 1 13:14:41.728 IST: OSPF: End of hello processing
*Nov 1 13:14:50.204 IST: OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet6/0 from 1.1.1.1
*Nov 1 13:14:51.648 IST: OSPF: Rcv hello from 31.1.1.1 area 0 from FastEthernet6/0 1.1.1.2
*Nov 1 13:14:51.648 IST: OSPF: End of hello processing
*Nov 1 13:14:52.932 IST: OSPF: end of Wait on interface FastEthernet6/0 =========> the Wait timer (equal to the Dead interval: 40 s after the interface came up at 13:14:12.932) has expired; the DR/BDR election starts now.
*Nov 1 13:14:52.932 IST: OSPF: DR/BDR election on FastEthernet6/0
*Nov 1 13:14:52.932 IST: OSPF: Elect BDR 31.1.1.1
*Nov 1 13:14:52.932 IST: OSPF: Elect DR 31.1.1.1
*Nov 1 13:14:52.932 IST: DR: 31.1.1.1 (Id) BDR: 31.1.1.1 (Id)
*Nov 1 13:14:52.932 IST: OSPF: FastEthernet6/0 Nbr 31.1.1.1: Prepare dbase exchange
*Nov 1 13:14:52.932 IST: OSPF: Send DBD to 31.1.1.1 on FastEthernet6/0 seq 0x246C opt 0x52 flag 0x7 len 32
*Nov 1 13:14:53.276 IST: OSPF: Rcv DBD from 31.1.1.1 on FastEthernet6/0 seq 0x23DF opt 0x52 flag 0x7 len 32 mtu 1500 state EXSTART
*Nov 1 13:14:53.276 IST: OSPF: NBR Negotiation Done. We are the SLAVE
*Nov 1 13:14:53.276 IST: OSPF: FastEthernet6/0 Nbr 31.1.1.1: Summary list built, size 1
*Nov 1 13:14:53.276 IST: OSPF: Send DBD to 31.1.1.1 on FastEthernet6/0 seq 0x23DF opt 0x52 flag 0x2 len 52
*Nov 1 13:14:53.280 IST: OSPF: Rcv DBD from 31.1.1.1 on FastEthernet6/0 seq 0x23E0 opt 0x52 flag 0x1 len 52 mtu 1500 state EXCHANGE
*Nov 1 13:14:53.280 IST: OSPF: Exchange Done with 31.1.1.1 on FastEthernet6/0
*Nov 1 13:14:53.280 IST: OSPF: Send LS REQ to 31.1.1.1 length 12 LSA count 1
*Nov 1 13:14:53.280 IST: OSPF: Send DBD to 31.1.1.1 on FastEthernet6/0 seq 0x23E0 opt 0x52 flag 0x0 len 32
*Nov 1 13:14:53.280 IST: OSPF: Rcv LS UPD from 31.1.1.1 on FastEthernet6/0 length 76 LSA count 1
*Nov 1 13:14:53.280 IST: OSPF: Synchronized with 31.1.1.1 on FastEthernet6/0, state FULL
*Nov 1 13:14:53.280 IST: %OSPF-5-ADJCHG: Process 1, Nbr 31.1.1.1 on FastEthernet6/0 from LOADING to FULL, Loading Done
*Nov 1 13:14:53.280 IST: OSPF: Rcv LS REQ from 31.1.1.1 on FastEthernet6/0 length 36 LSA count 1
*Nov 1 13:14:53.432 IST: OSPF: Build router LSA for area 0, router ID 21.1.1.1, seq 0x80000003, process 1
*Nov 1 13:15:00.020 IST: OSPF: Send hello to 224.0.0.5 area 0 on FastEthernet6/0 from 1.1.1.1
*Nov 1 13:15:00.836 IST: OSPF: Rcv hello from 31.1.1.1 area 0 from FastEthernet6/0 1.1.1.2
*Nov 1 13:15:00.836 IST: OSPF: Neighbor change Event on interface FastEthernet6/0
*Nov 1 13:15:00.836 IST: OSPF: DR/BDR election on FastEthernet6/0
*Nov 1 13:15:00.836 IST: OSPF: Elect BDR 21.1.1.1
*Nov 1 13:15:00.836 IST: OSPF: Elect DR 31.1.1.1
*Nov 1 13:15:00.836 IST: OSPF: Elect BDR 21.1.1.1
*Nov 1 13:15:00.836 IST: OSPF: Elect DR 31.1.1.1
*Nov 1 13:15:00.836 IST: DR: 31.1.1.1 (Id) BDR: 21.1.1.1 (Id)
*Nov 1 13:15:00.836 IST: OSPF: Neighbor change Event on interface FastEthernet6/0
*Nov 1 13:15:00.836 IST: OSPF: DR/BDR election on FastEthernet6/0
*Nov 1 13:15:00.836 IST: OSPF: Elect BDR 21.1.1.1
*Nov 1 13:15:00.836 IST: OSPF: Elect DR 31.1.1.1
*Nov 1 13:15:00.836 IST: DR: 31.1.1.1 (Id) BDR: 21.1.1.1 (Id)
*Nov 1 13:15:00.836 IST: OSPF: End of hello processing
R1#
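As an added example (not part of the original post), here is a small parser that turns the debug above into a neighbour state timeline: first hello (INIT), 2WAY, the Wait timer expiring and the election, then EXSTART, EXCHANGE, LOADING and FULL, with the master/slave role from the DBD negotiation and the final DR/BDR result. It also checks that the Wait period really equals the configured Dead interval (40 s in the show ip ospf interface output). SAMPLE_LOG is a constructed excerpt of the lines above, not a fresh capture; the check itself is this example's own.

```python
"""Added example (not from the original post): rebuild the adjacency timeline
from 'debug ip ospf adj' output. SAMPLE_LOG is a constructed excerpt of the
log above; the Wait-timer check is this example's own."""
import re
from datetime import datetime

SAMPLE_LOG = """\
*Nov 1 13:14:12.932 IST: OSPF: Interface FastEthernet6/0 going Up
*Nov 1 13:14:13.276 IST: OSPF: Rcv hello from 31.1.1.1 area 0 from FastEthernet6/0 1.1.1.2
*Nov 1 13:14:22.328 IST: OSPF: 2 Way Communication to 31.1.1.1 on FastEthernet6/0, state 2WAY
*Nov 1 13:14:52.932 IST: OSPF: end of Wait on interface FastEthernet6/0
*Nov 1 13:14:52.932 IST: DR: 31.1.1.1 (Id) BDR: 31.1.1.1 (Id)
*Nov 1 13:14:53.276 IST: OSPF: Rcv DBD from 31.1.1.1 on FastEthernet6/0 seq 0x23DF opt 0x52 flag 0x7 len 32 mtu 1500 state EXSTART
*Nov 1 13:14:53.276 IST: OSPF: NBR Negotiation Done. We are the SLAVE
*Nov 1 13:14:53.280 IST: OSPF: Rcv DBD from 31.1.1.1 on FastEthernet6/0 seq 0x23E0 opt 0x52 flag 0x1 len 52 mtu 1500 state EXCHANGE
*Nov 1 13:14:53.280 IST: OSPF: Exchange Done with 31.1.1.1 on FastEthernet6/0
*Nov 1 13:14:53.280 IST: OSPF: Synchronized with 31.1.1.1 on FastEthernet6/0, state FULL
*Nov 1 13:15:00.836 IST: DR: 31.1.1.1 (Id) BDR: 21.1.1.1 (Id)
"""

LINE_RE = re.compile(r"^\*(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d\.\d{3}) \w+: (.*)$")
STATE_RE = re.compile(r"state (2WAY|EXSTART|EXCHANGE|FULL)\b")
ELECT_RE = re.compile(r"DR: (\S+) \(Id\) BDR: (\S+) \(Id\)")
NBR_RE = re.compile(r"(?:from|to|with) (\d+\.\d+\.\d+\.\d+)")


def parse_adj_log(log: str, dead_interval: int = 40) -> dict:
    """Return per-neighbour state sequences, timings and the last DR/BDR result."""
    events, elections, seen = [], [], set()
    t_up = t_wait_end = role = None
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")
        msg = m.group(2)
        nbr = NBR_RE.search(msg)
        if "going Up" in msg:
            t_up = t                                   # interface enters WAITING
        elif "end of Wait" in msg:
            t_wait_end = t                             # Wait timer fired, election runs
        elif "Negotiation Done" in msg:
            role = msg.rsplit(" ", 1)[1]               # MASTER or SLAVE for the DBD exchange
        elif msg.startswith("OSPF: Rcv hello") and nbr and nbr.group(1) not in seen:
            seen.add(nbr.group(1))
            events.append((nbr.group(1), "INIT", t))   # first hello seen from the peer
        elif "Exchange Done" in msg and nbr:
            events.append((nbr.group(1), "LOADING", t))
        else:
            s, e = STATE_RE.search(msg), ELECT_RE.search(msg)
            if s and nbr:
                events.append((nbr.group(1), s.group(1), t))
            if e:
                elections.append((e.group(1), e.group(2)))
    wait = (t_wait_end - t_up).total_seconds() if t_up and t_wait_end else None
    summary = {
        "wait_seconds": wait,
        "wait_matches_dead": wait == float(dead_interval),  # RFC 2328: Wait = RouterDeadInterval
        "role": role,
        "elections": len(elections),
        "final_dr_bdr": elections[-1] if elections else None,
        "neighbours": {},
    }
    for nbr_id, state, t in events:
        info = summary["neighbours"].setdefault(nbr_id, {"states": [], "first": t, "full": None})
        info["states"].append(state)
        if state == "FULL":
            info["full"] = t
    for info in summary["neighbours"].values():
        full, first = info.pop("full"), info.pop("first")
        info["seconds_to_full"] = (full - first).total_seconds() if full else None
    return summary


if __name__ == "__main__":
    print(parse_adj_log(SAMPLE_LOG))
```

On the sample the adjacency sits in 2WAY for 30 s doing nothing; that is the Wait timer, and it is why a freshly enabled broadcast interface takes a full Dead interval to reach FULL. Also worth noticing in the show output above: "Area has no authentication", so anything on that segment can speak OSPF to R1.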
Monday, October 5, 2009
Xterm best options.
Here is what I really love in my xterm:
xterm -bg black -fg green -title "best setting so far" -sb -sl 10000 &
A 10000-line scrollback buffer (-sl 10000) is good enough. :)
Wednesday, July 29, 2009
How to set up an IPsec tunnel (IKEv1 main mode with a pre-shared key, site-to-site crypto map between two 7200s).
7200MCP --------------------- CALLGEN1
1.1.1.1 3.3.3.3
show run from both routers. Note this is a bare lab setup: the pre-shared key is "abc", the ISAKMP policy is 3DES with the IOS defaults of SHA-1 hash and DH group 1, the transform set uses HMAC-MD5, and crypto ACL 101 is permit ip any any, so do not copy it into production.
CALLGEN1#sh run
CALLGEN1#sh running-config
Building configuration...
Current configuration : 1773 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CALLGEN1
!
boot-start-marker
boot system disk0:c7200-adventerprisek9-mz.124-22.4.T
boot-end-marker
!
logging message-counter syslog
logging buffered emergencies
!
no aaa new-model
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip host CALLGEN-SECURITY-V2 81.15.16.49 78.10.0.0
ip vrf GREEN
rd 213:112
!
ip vrf RED
rd 1:1
!
ip vrf abc
!
ip vrf xyz
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
memory-size iomem 0
archive
log config
hidekeys
!
no crypto xauth FastEthernet6/0
!
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key abc address 1.1.1.1
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set myset
match address 101
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
!
interface Loopback2
no ip address
!
interface FastEthernet0/0
no ip address
duplex half
!
interface GigabitEthernet1/0
no ip address
negotiation auto
!
interface FastEthernet6/0
ip address 3.3.3.3 255.255.255.0
duplex half
speed auto
crypto map vpn
!
interface FastEthernet6/1
ip address 2.2.2.1 255.255.255.0
duplex auto
speed auto
!
router rip
network 209.168.0.0
!
ip forward-protocol nd
ip route 1.1.1.0 255.255.255.0 FastEthernet6/0
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit ip any any
access-list 105 permit ip any any
!
!
!
!
!
!
!
control-plane
!
!
!
mgcp fax t38 ecm
!
!
dial-peer cor custom
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end
CALLGEN1#
7200 MCP configs
=======================
72MCP#sh running-config
Building configuration...
Current configuration : 1999 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname 72MCP
!
boot-start-marker
boot system disk1:c7200-adventerprisek9-mz.124-22.4.T
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
clock timezone IST 5
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip vrf GREEN
!
ip vrf RED
rd 1:1
!
ip vrf VPN1
rd 1:12
!
ip vrf vpn1-out
rd 100:1
!
ip multicast-routing
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
memory-size iomem 0
archive
log config
hidekeys
!
no crypto xauth FastEthernet6/0
!
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key abc address 3.3.3.3
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 3.3.3.3
set transform-set myset
match address 101
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback12
ip address 2.2.2.4 255.255.255.0
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex full
speed 1000
media-type gbic
negotiation auto
!
interface FastEthernet3/0
no ip address
duplex auto
speed auto
!
interface FastEthernet3/1
no ip address
duplex auto
speed auto
!
interface FastEthernet6/0
ip address 1.1.1.1 255.255.255.0
duplex half
crypto map vpn
!
router rip
network 209.165.0.0
!
ip forward-protocol nd
ip route 3.3.3.0 255.255.255.0 FastEthernet6/0
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit ip any any
access-list 105 permit ip any any
!
!
!
!
!
!
tftp-server disk1:c7200-adventerprisek9-mz.124-22.4.T
!
control-plane
!
!
!
mgcp fax t38 ecm
!
!
dial-peer cor custom
!
!
!
gateway
timer receive-rtp 1200
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end
72MCP#
LOGS:
72MCP#
*Jul 29 05:14:16.419 IST: ISAKMP (0): received packet from 3.3.3.3 dport 500 sport 500 Global (N) NEW SA
*Jul 29 05:14:16.419 IST: ISAKMP: Created a peer struct for 3.3.3.3, peer port 500
*Jul 29 05:14:16.419 IST: ISAKMP: New peer created peer = 0x67F3103C peer_handle = 0x80000027
*Jul 29 05:14:16.419 IST: ISAKMP: Locking peer struct 0x67F3103C, refcount 1 for crypto_isakmp_process_block
*Jul 29 05:14:16.419 IST: ISAKMP: local port 500, remote port 500
*Jul 29 05:14:16.419 IST: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 67F2E6D8
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing SA payload. message ID = 0
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP (0): vendor ID is NAT-T v7
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID is NAT-T v3
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID is NAT-T v2
*Jul 29 05:14:16.423 IST: ISAKMP:(0):found peer pre-shared key matching 3.3.3.3
*Jul 29 05:14:16.423 IST: ISAKMP:(0): local preshared key found
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy -----> the peer's Phase 1 proposal (transform 1) being compared with our policy 10; the attributes below are what the peer offered.
*Jul 29 05:14:16.423 IST: ISAKMP: encryption 3DES-CBC
*Jul 29 05:14:16.423 IST: ISAKMP: hash SHA
*Jul 29 05:14:16.423 IST: ISAKMP: default group 1
*Jul 29 05:14:16.423 IST: ISAKMP: auth pre-share
*Jul 29 05:14:16.423 IST: ISAKMP: life type in seconds
*Jul 29 05:14:16.423 IST: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jul 29 05:14:16.423 IST: ISAKMP:(0):atts are acceptable. Next payload is 0 ------------> it matches policy 10: 3DES, SHA-1, DH group 1, pre-shared key, 86400 s lifetime (0x15180).
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Acceptable atts:actual life: 0
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Acceptable atts:life: 0
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Returning Actual lifetime: 86400
*Jul 29 05:14:16.423 IST: ISAKMP:(0)::Started lifetime timer: 86400.
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP (0): vendor ID is NAT-T v7
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID is NAT-T v3
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID is NAT-T v2
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Jul 29 05:14:16.423 IST: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jul 29 05:14:16.423 IST: ISAKMP:(0): sending packet to 3.3.3.3 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Jul 29 05:14:16.427 IST: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jul 29 05:14:16.427 IST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 29 05:14:16.427 IST: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Jul 29 05:14:16.431 IST: ISAKMP (0): received packet from 3.3.3.3 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jul 29 05:14:16.431 IST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 29 05:14:16.431 IST: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jul 29 05:14:16.431 IST: ISAKMP:(0): processing KE payload. message ID = 0 ------------> 1: the peer's Diffie-Hellman public value (third main mode message)
*Jul 29 05:14:16.447 IST: ISAKMP:(0): processing NONCE payload. message ID = 0 ------------> 2: the peer's nonce
*Jul 29 05:14:16.447 IST: ISAKMP:(0):found peer pre-shared key matching 3.3.3.3 ------------> 3: the PSK is selected by peer IP address, because in main mode the ID payload only arrives later (MM5) and already encrypted
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): processing vendor id payload
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): vendor ID is DPD
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): processing vendor id payload
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): speaking to another IOS box!
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): processing vendor id payload
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): vendor ID seems Unity/DPD but major 202 mismatch
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): vendor ID is XAUTH
*Jul 29 05:14:16.451 IST: ISAKMP:received payload type 20
*Jul 29 05:14:16.451 IST: ISAKMP (1014): His hash no match - this node outside NAT
*Jul 29 05:14:16.451 IST: ISAKMP:received payload type 20
*Jul 29 05:14:16.451 IST: ISAKMP (1014): No NAT Found for self or peer
*Jul 29 05:14:16.451 IST: ISAKMP:(1014):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 29 05:14:16.451 IST: ISAKMP:(1014):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): sending packet to 3.3.3.3 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 29 05:14:16.451 IST: ISAKMP:(1014):Sending an IKE IPv4 Packet.
*Jul 29 05:14:16.451 IST: ISAKMP:(1014):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 29 05:14:16.451 IST: ISAKMP:(1014):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Jul 29 05:14:16.475 IST: ISAKMP (1014): received packet from 3.3.3.3 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Jul 29 05:14:16.475 IST: ISAKMP:(1014): processing ID payload. message ID = 0
*Jul 29 05:14:16.475 IST: ISAKMP (1014): ID payload
next-payload : 8
type : 1
address : 3.3.3.3
protocol : 17
port : 500
length : 12
*Jul 29 05:14:16.475 IST: ISAKMP:(0):: peer matches *none* of the profiles
*Jul 29 05:14:16.475 IST: ISAKMP:(1014): processing HASH payload. message ID = 0
*Jul 29 05:14:16.475 IST: ISAKMP:(1014): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 67F2E6D8
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):SA authentication status:
authenticated
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):SA has been authenticated with 3.3.3.3
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):SA authentication status:
authenticated
*Jul 29 05:14:16.475 IST: ISAKMP:(1014): Process initial contact,
bring down existing phase 1 and 2 SA's with local 1.1.1.1 remote 3.3.3.3 remote port 500
*Jul 29 05:14:16.475 IST: ISAKMP: Trying to insert a peer 1.1.1.1/3.3.3.3/500/, and inserted successfully 67F3103C.
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jul 29 05:14:16.475 IST: ISAKMP (1014): ID payload
next-payload : 8
type : 1
address : 1.1.1.1
protocol : 17
port : 500
length : 12
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):Total payload length: 12
*Jul 29 05:14:16.475 IST: ISAKMP:(1014): sending packet to 3.3.3.3 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):Sending an IKE IPv4 Packet.
*Jul 29 05:14:16.479 IST: ISAKMP:(1014):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 29 05:14:16.479 IST: ISAKMP:(1014):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jul 29 05:14:16.479 IST: ISAKMP:(1014):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 29 05:14:16.479 IST: ISAKMP:(1014):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 29 05:14:16.483 IST: ISAKMP (1014): received packet from 3.3.3.3 dport 500 sport 500 Global (R) QM_IDLE
*Jul 29 05:14:16.483 IST: ISAKMP: set new node 1209569574 to QM_IDLE
*Jul 29 05:14:16.483 IST: ISAKMP:(1014): processing HASH payload. message ID = 1209569574
*Jul 29 05:14:16.483 IST: ISAKMP:(1014): processing SA payload. message ID = 1209569574
*Jul 29 05:14:16.483 IST: ISAKMP:(1014):Checking IPSec proposal 1
*Jul 29 05:14:16.483 IST: ISAKMP: transform 1, ESP_3DES
*Jul 29 05:14:16.483 IST: ISAKMP: attributes in transform:
*Jul 29 05:14:16.483 IST: ISAKMP: encaps is 1 (Tunnel)
*Jul 29 05:14:16.483 IST: ISAKMP: SA life type in seconds
*Jul 29 05:14:16.483 IST: ISAKMP: SA life duration (basic) of 3600
*Jul 29 05:14:16.483 IST: ISAKMP: SA life type in kilobytes
*Jul 29 05:14:16.483 IST: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jul 29 05:14:16.483 IST: ISAKMP: authenticator is HMAC-MD5
*Jul 29 05:14:16.483 IST: ISAKMP:(1014):atts are acceptable.
*Jul 29 05:14:16.483 IST: ISAKMP:(1014): processing NONCE payload. message ID = 1209569574
*Jul 29 05:14:16.483 IST: ISAKMP:(1014): processing ID payload. message ID = 1209569574
*Jul 29 05:14:16.483 IST: ISAKMP:(1014): processing ID payload. message ID = 1209569574
*Jul 29 05:14:16.483 IST: ISAKMP:(1014):QM Responder gets spi
*Jul 29 05:14:16.483 IST: ISAKMP:(1014):Node 1209569574, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 29 05:14:16.483 IST: ISAKMP:(1014):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Jul 29 05:14:16.483 IST: ISAKMP:(1014): Creating IPSec SAs --------------------------------------------->1
*Jul 29 05:14:16.483 IST: inbound SA from 3.3.3.3 to 1.1.1.1 (f/i) 0/ 0
(proxy 0.0.0.0 to 0.0.0.0)
*Jul 29 05:14:16.483 IST: has spi 0x755AF835 and conn_id 0
*Jul 29 05:14:16.483 IST: lifetime of 3600 seconds
*Jul 29 05:14:16.483 IST: lifetime of 4608000 kilobytes
*Jul 29 05:14:16.483 IST: outbound SA from 1.1.1.1 to 3.3.3.3 (f/i) 0/0---------------------->2
(proxy 0.0.0.0 to 0.0.0.0)
*Jul 29 05:14:16.487 IST: has spi 0x259DA62E and conn_id 0
*Jul 29 05:14:16.487 IST: lifetime of 3600 seconds
*Jul 29 05:14:16.487 IST: lifetime of 4608000 kilobytes
*Jul 29 05:14:16.487 IST: ISAKMP:(1014): sending packet to 3.3.3.3 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 29 05:14:16.487 IST: ISAKMP:(1014):Sending an IKE IPv4 Packet.
*Jul 29 05:14:16.487 IST: ISAKMP:(1014):Node 1209569574, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Jul 29 05:14:16.487 IST: ISAKMP:(1014):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Jul 29 05:14:16.491 IST: ISAKMP (1014): received packet from 3.3.3.3 dport 500 sport 500 Global (R) QM_IDLE
*Jul 29 05:14:16.491 IST: ISAKMP:(1014):deleting node 1209569574 error FALSE reason "QM done (await)"
*Jul 29 05:14:16.491 IST: ISAKMP:(1014):Node 1209569574, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 29 05:14:16.491 IST: ISAKMP:(1014):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
72MCP#
72MCP#
72MCP#show crypto map
Crypto Map "vpn" 10 ipsec-isakmp
Peer = 3.3.3.3
Extended IP access list 101
access-list 101 permit ip any any
Current peer: 3.3.3.3
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
myset: { esp-3des esp-md5-hmac } ,
}
Interfaces using crypto map vpn:
FastEthernet6/0
Interfaces using crypto map vpnmap:
72MCP#
72MCP#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1014 1.1.1.1 3.3.3.3 ACTIVE 3des sha psk 1 23:46:12
Engine-id:Conn-id = SW:14
IPv6 Crypto ISAKMP SA
72MCP#
72MCP#show crypto isakmp peer
Peer: 3.3.3.3 Port: 500 Local: 1.1.1.1
Phase1 id: 3.3.3.3
72MCP#
72MCP#show crypto ipsec sa detail
PFS (Y/N): N, DH group: none
interface: FastEthernet6/0
Crypto map tag: vpn, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 3.3.3.3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 3.3.3.3
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet6/0
current outbound spi: 0x259DA62E(631088686)
inbound esp sas:
spi: 0x755AF835(1968896053)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 427, flow_id: SW:427, sibling_flags 80000046, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4557478/2717)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x259DA62E(631088686)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 428, flow_id: SW:428, sibling_flags 80000046, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4557478/2717)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
72MCP#
72MCP#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: FastEthernet6/0
Uptime: 00:15:10
Session status: UP-ACTIVE
Peer: 3.3.3.3 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 3.3.3.3
Desc: (none)
IKE SA: local 1.1.1.1/500 remote 3.3.3.3/500 Active
Capabilities:(none) connid:1014 lifetime:23:44:49
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 8 drop 0 life (KB/Sec) 4557478/2689
Outbound: #pkts enc'ed 8 drop 0 life (KB/Sec) 4557478/2689
72MCP#
72MCP#show crypto engine connection active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt IP-Address
427 IPsec 3DES+MD5 0 8 1.1.1.1
428 IPsec 3DES+MD5 8 0 1.1.1.1
1014 IKE SHA+3DES 0 0 1.1.1.1
72MCP#
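The debug trace and show output above are the raw material; what a reviewer usually wants from them is a short summary: did Phase 1 and Phase 2 complete, with which peer, which algorithms were accepted, which SPIs and lifetimes were installed, and which of those settings are weak. The parser below is an added example written for this page (not code from the post or from Cisco). Its regexes match the IOS 12.4 `debug crypto isakmp` message formats visible above; treat them as assumptions for other releases. The sample lines are a constructed subset of the 72MCP trace with the author's trailing arrows removed.

```python
"""Summarise a Cisco IOS 'debug crypto isakmp' trace: state transitions, accepted Phase 1/2
attributes, child-SA SPIs and lifetimes, and weak-algorithm flags."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a subset of the 72MCP debug lines shown on this page.
SAMPLE_DEBUG = """\
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jul 29 05:14:16.423 IST: ISAKMP: encryption 3DES-CBC
*Jul 29 05:14:16.423 IST: ISAKMP: hash SHA
*Jul 29 05:14:16.423 IST: ISAKMP: default group 1
*Jul 29 05:14:16.423 IST: ISAKMP: auth pre-share
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):SA has been authenticated with 3.3.3.3
*Jul 29 05:14:16.479 IST: ISAKMP:(1014):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Jul 29 05:14:16.483 IST: ISAKMP:(1014):Checking IPSec proposal 1
*Jul 29 05:14:16.483 IST: ISAKMP: transform 1, ESP_3DES
*Jul 29 05:14:16.483 IST: ISAKMP: authenticator is HMAC-MD5
*Jul 29 05:14:16.483 IST: inbound SA from 3.3.3.3 to 1.1.1.1 (f/i) 0/ 0
*Jul 29 05:14:16.483 IST: has spi 0x755AF835 and conn_id 0
*Jul 29 05:14:16.483 IST: lifetime of 3600 seconds
*Jul 29 05:14:16.483 IST: lifetime of 4608000 kilobytes
*Jul 29 05:14:16.483 IST: outbound SA from 1.1.1.1 to 3.3.3.3 (f/i) 0/0
*Jul 29 05:14:16.487 IST: has spi 0x259DA62E and conn_id 0
*Jul 29 05:14:16.491 IST: ISAKMP:(1014):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
"""

STATE_RE = re.compile(r"ISAKMP:\((\d+)\):Old State = (\S+) New State = (\S+)")
PEER_RE = re.compile(r"SA has been authenticated with (\S+)")
SA_RE = re.compile(r"(inbound|outbound) SA from (\S+) to (\S+)")
SPI_RE = re.compile(r"has spi (0x[0-9A-Fa-f]+)")
LIFE_RE = re.compile(r"lifetime of (\d+) (seconds|kilobytes)")
# Attribute lines IOS prints while checking a proposal (assumed 12.4 wording): (key, regex).
ATTR_PATTERNS = [
    ("encryption", re.compile(r"ISAKMP: encryption (\S+)")),
    ("hash", re.compile(r"ISAKMP: hash (\S+)")),
    ("dh_group", re.compile(r"ISAKMP: default group (\d+)")),
    ("auth", re.compile(r"ISAKMP: auth (\S+)")),
    ("esp_transform", re.compile(r"ISAKMP: transform \d+, (\S+)")),
    ("esp_auth", re.compile(r"ISAKMP: authenticator is (\S+)")),
]
# Values as IOS prints them -> why a reviewer would flag them.
WEAK = {"3DES-CBC": "3DES, 64-bit block cipher", "ESP_3DES": "3DES, 64-bit block cipher",
        "HMAC-MD5": "MD5-based integrity",
        "pre-share": "pre-shared key; only as strong as the configured key"}

@dataclass
class IkeSummary:
    conn_id: Optional[str] = None
    peer: Optional[str] = None
    transitions: List[tuple] = field(default_factory=list)   # (conn, old_state, new_state)
    phase1: Dict[str, str] = field(default_factory=dict)
    phase2: Dict[str, str] = field(default_factory=dict)
    child_sas: List[dict] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    def reached(self, state: str) -> bool:
        return any(new == state for _, _, new in self.transitions)

def weak_settings(s: IkeSummary) -> List[str]:
    out = []
    for phase, attrs in (("phase1", s.phase1), ("phase2", s.phase2)):
        for key, val in attrs.items():
            if key == "dh_group" and int(val) < 14:
                out.append(f"{phase}: DH group {val} (below 2048-bit MODP)")
            elif val in WEAK:
                out.append(f"{phase}: {val} ({WEAK[val]})")
    return out

def parse_isakmp_debug(text: str) -> IkeSummary:
    s, section = IkeSummary(), "phase1"   # flips to "phase2" at the IPsec proposal check
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            conn, old, new = m.groups()
            if conn != "0":                      # conn 0 is the placeholder before the SA exists
                s.conn_id = conn
            s.transitions.append((conn, old, new))
            continue
        if "Checking IPSec proposal" in line:
            section = "phase2"
            continue
        m = PEER_RE.search(line)
        if m:
            s.peer = m.group(1)
            continue
        for key, rx in ATTR_PATTERNS:
            m = rx.search(line)
            if m:
                (s.phase1 if section == "phase1" else s.phase2)[key] = m.group(1)
                break
        else:                                    # not an attribute line: child-SA bookkeeping
            m = SA_RE.search(line)
            if m:
                s.child_sas.append(dict(zip(("dir", "src", "dst"), m.groups())))
            elif s.child_sas:                    # spi/lifetime lines refer to the last SA printed
                m = SPI_RE.search(line)
                if m:
                    s.child_sas[-1]["spi"] = m.group(1)
                m = LIFE_RE.search(line)
                if m:
                    s.child_sas[-1]["life_" + m.group(2)] = int(m.group(1))
    s.warnings = weak_settings(s)
    return s
```

Run `parse_isakmp_debug` over a saved trace and print `warnings`; on the trace above it reports 3DES for both phases, DH group 1 and HMAC-MD5, which matches the `show crypto isakmp sa detail` and `show crypto ipsec sa` output (3des/sha/psk/DH 1, esp-3des esp-md5-hmac).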
72MCP (1.1.1.1) --------- CALLGEN1 (3.3.3.3)
Running configuration (show run) of both routers:
CALLGEN1#sh run
CALLGEN1#sh running-config
Building configuration...
Current configuration : 1773 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CALLGEN1
!
boot-start-marker
boot system disk0:c7200-adventerprisek9-mz.124-22.4.T
boot-end-marker
!
logging message-counter syslog
logging buffered emergencies
!
no aaa new-model
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip host CALLGEN-SECURITY-V2 81.15.16.49 78.10.0.0
ip vrf GREEN
rd 213:112
!
ip vrf RED
rd 1:1
!
ip vrf abc
!
ip vrf xyz
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
memory-size iomem 0
archive
log config
hidekeys
!
no crypto xauth FastEthernet6/0
!
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key abc address 1.1.1.1
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set myset
match address 101
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
!
interface Loopback2
no ip address
!
interface FastEthernet0/0
no ip address
duplex half
!
interface GigabitEthernet1/0
no ip address
negotiation auto
!
interface FastEthernet6/0
ip address 3.3.3.3 255.255.255.0
duplex half
speed auto
crypto map vpn
!
interface FastEthernet6/1
ip address 2.2.2.1 255.255.255.0
duplex auto
speed auto
!
router rip
network 209.168.0.0
!
ip forward-protocol nd
ip route 1.1.1.0 255.255.255.0 FastEthernet6/0
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit ip any any
access-list 105 permit ip any any
!
!
!
!
!
!
!
control-plane
!
!
!
mgcp fax t38 ecm
!
!
dial-peer cor custom
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end
CALLGEN1#
7200 MCP configs
=======================
72MCP#sh running-config
Building configuration...
Current configuration : 1999 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname 72MCP
!
boot-start-marker
boot system disk1:c7200-adventerprisek9-mz.124-22.4.T
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
clock timezone IST 5
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip vrf GREEN
!
ip vrf RED
rd 1:1
!
ip vrf VPN1
rd 1:12
!
ip vrf vpn1-out
rd 100:1
!
ip multicast-routing
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
memory-size iomem 0
archive
log config
hidekeys
!
no crypto xauth FastEthernet6/0
!
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key abc address 3.3.3.3
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 3.3.3.3
set transform-set myset
match address 101
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback12
ip address 2.2.2.4 255.255.255.0
!
interface Ethernet0/0
no ip address
shutdown
duplex auto
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex full
speed 1000
media-type gbic
negotiation auto
!
interface FastEthernet3/0
no ip address
duplex auto
speed auto
!
interface FastEthernet3/1
no ip address
duplex auto
speed auto
!
interface FastEthernet6/0
ip address 1.1.1.1 255.255.255.0
duplex half
crypto map vpn
!
router rip
network 209.165.0.0
!
ip forward-protocol nd
ip route 3.3.3.0 255.255.255.0 FastEthernet6/0
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit ip any any
access-list 105 permit ip any any
!
!
!
!
!
!
tftp-server disk1:c7200-adventerprisek9-mz.124-22.4.T
!
control-plane
!
!
!
mgcp fax t38 ecm
!
!
dial-peer cor custom
!
!
!
gateway
timer receive-rtp 1200
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end
72MCP#
LOGS:
72MCP#
*Jul 29 05:14:16.419 IST: ISAKMP (0): received packet from 3.3.3.3 dport 500 sport 500 Global (N) NEW SA
*Jul 29 05:14:16.419 IST: ISAKMP: Created a peer struct for 3.3.3.3, peer port 500
*Jul 29 05:14:16.419 IST: ISAKMP: New peer created peer = 0x67F3103C peer_handle = 0x80000027
*Jul 29 05:14:16.419 IST: ISAKMP: Locking peer struct 0x67F3103C, refcount 1 for crypto_isakmp_process_block
*Jul 29 05:14:16.419 IST: ISAKMP: local port 500, remote port 500
*Jul 29 05:14:16.419 IST: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 67F2E6D8
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing SA payload. message ID = 0
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP (0): vendor ID is NAT-T v7
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID is NAT-T v3
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID is NAT-T v2
*Jul 29 05:14:16.423 IST: ISAKMP:(0):found peer pre-shared key matching 3.3.3.3
*Jul 29 05:14:16.423 IST: ISAKMP:(0): local preshared key found
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy -----> Here is the exchanged info.
*Jul 29 05:14:16.423 IST: ISAKMP: encryption 3DES-CBC
*Jul 29 05:14:16.423 IST: ISAKMP: hash SHA
*Jul 29 05:14:16.423 IST: ISAKMP: default group 1
*Jul 29 05:14:16.423 IST: ISAKMP: auth pre-share
*Jul 29 05:14:16.423 IST: ISAKMP: life type in seconds
*Jul 29 05:14:16.423 IST: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jul 29 05:14:16.423 IST: ISAKMP:(0):atts are acceptable. Next payload is 0 ------------> here it's saying it's acceptable.
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Acceptable atts:actual life: 0
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Acceptable atts:life: 0
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Returning Actual lifetime: 86400
*Jul 29 05:14:16.423 IST: ISAKMP:(0)::Started lifetime timer: 86400.
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP (0): vendor ID is NAT-T v7
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID is NAT-T v3
*Jul 29 05:14:16.423 IST: ISAKMP:(0): processing vendor id payload
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jul 29 05:14:16.423 IST: ISAKMP:(0): vendor ID is NAT-T v2
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 29 05:14:16.423 IST: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Jul 29 05:14:16.423 IST: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jul 29 05:14:16.423 IST: ISAKMP:(0): sending packet to 3.3.3.3 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Jul 29 05:14:16.427 IST: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jul 29 05:14:16.427 IST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 29 05:14:16.427 IST: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Jul 29 05:14:16.431 IST: ISAKMP (0): received packet from 3.3.3.3 dport 500 sport 500 Global (R) MM_SA_SETUP
*Jul 29 05:14:16.431 IST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 29 05:14:16.431 IST: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Jul 29 05:14:16.431 IST: ISAKMP:(0): processing KE payload. message ID = 0 -------1
*Jul 29 05:14:16.447 IST: ISAKMP:(0): processing NONCE payload. message ID = 0-------------->2
*Jul 29 05:14:16.447 IST: ISAKMP:(0):found peer pre-shared key matching 3.3.3.3------------->3
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): processing vendor id payload
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): vendor ID is DPD
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): processing vendor id payload
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): speaking to another IOS box!
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): processing vendor id payload
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): vendor ID seems Unity/DPD but major 202 mismatch
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): vendor ID is XAUTH
*Jul 29 05:14:16.451 IST: ISAKMP:received payload type 20
*Jul 29 05:14:16.451 IST: ISAKMP (1014): His hash no match - this node outside NAT
*Jul 29 05:14:16.451 IST: ISAKMP:received payload type 20
*Jul 29 05:14:16.451 IST: ISAKMP (1014): No NAT Found for self or peer
*Jul 29 05:14:16.451 IST: ISAKMP:(1014):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul 29 05:14:16.451 IST: ISAKMP:(1014):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Jul 29 05:14:16.451 IST: ISAKMP:(1014): sending packet to 3.3.3.3 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Jul 29 05:14:16.451 IST: ISAKMP:(1014):Sending an IKE IPv4 Packet.
*Jul 29 05:14:16.451 IST: ISAKMP:(1014):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul 29 05:14:16.451 IST: ISAKMP:(1014):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Jul 29 05:14:16.475 IST: ISAKMP (1014): received packet from 3.3.3.3 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Jul 29 05:14:16.475 IST: ISAKMP:(1014): processing ID payload. message ID = 0
*Jul 29 05:14:16.475 IST: ISAKMP (1014): ID payload
next-payload : 8
type : 1
address : 3.3.3.3
protocol : 17
port : 500
length : 12
*Jul 29 05:14:16.475 IST: ISAKMP:(0):: peer matches *none* of the profiles
*Jul 29 05:14:16.475 IST: ISAKMP:(1014): processing HASH payload. message ID = 0
*Jul 29 05:14:16.475 IST: ISAKMP:(1014): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 67F2E6D8
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):SA authentication status:
authenticated
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):SA has been authenticated with 3.3.3.3
*Jul 29 05:14:16.475 IST: ISAKMP:(1014):SA authentication status:
authenticated
*Jul 29 05:14:16.475 IST: ISAKMP:(1014): Process initial contact,
bring down existing phase 1 and 2 SA's with local 1.1.1.1 remote 3.3.3.3 remote port 500
Wednesday, May 27, 2009
Setting up your own VPN Client and Server
Here are the configs and the steps to set up your own VPN server and client.
Download the Cisco VPN Client from the Cisco web site and build a setup similar to the one below:
Laptop/PC--------Cisco Router
X Y
Suppose the PC has IP address X and the router's interface has IP address Y.
!--- AAA: local authentication is used here; an external AAA server works as well.
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username dujoshi password 0 lab
!--- dujoshi / lab is the username / password the remote user logs in with.
!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!--- Group policy pushed to the clients: group pre-shared key, DNS, domain and address pool.
crypto isakmp client configuration group 3000client
key cisco123
!--- x.x.x.x is the DNS server handed to the clients; here it is the router's connected interface address (Y).
dns x.x.x.x
domain cisco.com
pool ippool
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!--- Create a dynamic map and
!--- apply the transform set that was created above.
crypto dynamic-map dynmap 10
set transform-set myset
!
!--- Create the actual crypto map,
!--- and apply the aaa lists that were created earlier.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!--- Create a pool of addresses to be assigned to the VPN Clients.
ip local pool ippool 14.1.1.100 14.1.1.200
!--- Apply the crypto map to the interface facing the clients (the one with address Y).
int
crypto map clientmap
!
Now, in the VPN Client, enter the following:
Host (gateway): the IP address of your router interface (Y in our case)
Group authentication:
NAME: 3000client (must match the crypto isakmp client configuration group name above)
PASSWORD: cisco123
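The configuration above brings the tunnel up, but several of its settings are ones a reviewer would flag: 3DES, DH group 2, an 8-character group pre-shared key shared by every client, and a type-0 cleartext user password. The script below is an added example written for this page (not the post's or Cisco's code). It walks an IOS running-config line by line, tracks `crypto isakmp policy` blocks, and reports those settings; the ISAKMP policy defaults it fills in for values that are not set explicitly (des, sha, group 1, rsa-sig) are the classic IOS 12.x defaults, which is why the 72MCP policy above ends up negotiating group 1. The sample config is a constructed copy of the VPN-server snippet with ASCII hyphens plus the site-to-site `crypto isakmp key` line from the 72MCP config.

```python
"""Audit a Cisco IOS running-config for the weak crypto settings a reviewer would flag."""
from typing import Dict, List, Tuple

# Constructed sample: the VPN-server snippet from this post plus the 72MCP site-to-site PSK line.
SAMPLE_CONFIG = """\
username dujoshi password 0 lab
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group 3000client
key cisco123
pool ippool
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto isakmp key abc address 3.3.3.3
ip local pool ippool 14.1.1.100 14.1.1.200
"""

WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}            # MODP groups below 2048 bits
MIN_PSK_LEN = 16                            # assumption: local policy minimum for a PSK
POLICY_SUBCMDS = {"encr", "encryption", "hash", "group", "authentication", "lifetime"}
# Assumed classic IOS 12.x defaults for an ISAKMP policy that sets nothing explicitly.
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}

Finding = Tuple[str, str]                   # (kind, message)

def _check_policy(num: str, p: Dict[str, str], explicit: set, out: List[Finding]) -> None:
    def why(k: str) -> str:
        return "" if k in explicit else " (IOS default, not set explicitly)"
    if p["encr"] in WEAK_CIPHERS:
        out.append(("weak-cipher", f"isakmp policy {num}: encr {p['encr']}{why('encr')}"))
    if p["hash"] in WEAK_HASHES:
        out.append(("weak-hash", f"isakmp policy {num}: hash {p['hash']}{why('hash')}"))
    if p["group"] in WEAK_DH_GROUPS:
        out.append(("weak-dh", f"isakmp policy {num}: DH group {p['group']}{why('group')}"))
    if p["authentication"] == "pre-share":
        out.append(("psk-auth", f"isakmp policy {num}: pre-shared key authentication"))

def audit_ios_crypto(config: str) -> List[Finding]:
    findings: List[Finding] = []
    policy_num, policy, explicit = None, None, set()
    client_group = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok[:3] == ["crypto", "isakmp", "policy"]:          # start of a policy block
            if policy:
                _check_policy(policy_num, policy, explicit, findings)
            policy_num, policy, explicit = tok[3], dict(POLICY_DEFAULTS), set()
            continue
        if policy and tok[0] in POLICY_SUBCMDS and len(tok) > 1:
            key = "encr" if tok[0] == "encryption" else tok[0]
            policy[key] = tok[1]
            explicit.add(key)
            continue
        if policy:                                             # block ended: evaluate it
            _check_policy(policy_num, policy, explicit, findings)
            policy = None
        if tok[:5] == ["crypto", "isakmp", "client", "configuration", "group"]:
            client_group = tok[5]
        elif client_group and tok[0] == "key":                 # group PSK shared by every client
            if len(tok[1]) < MIN_PSK_LEN:
                findings.append(("short-psk", f"client group {client_group}: {len(tok[1])}-char group key"))
        elif tok[:3] == ["crypto", "isakmp", "key"]:
            if len(tok[3]) < MIN_PSK_LEN:
                findings.append(("short-psk", f"peer {' '.join(tok[4:])}: {len(tok[3])}-char pre-shared key"))
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            for t in tok[4:]:
                if "des" in t:
                    findings.append(("weak-cipher", f"transform-set {tok[3]}: {t}"))
                if "md5" in t:
                    findings.append(("weak-hash", f"transform-set {tok[3]}: {t}"))
        elif tok[0] == "username" and "password" in tok:
            ptype = tok[tok.index("password") + 1]
            if ptype == "0" or not ptype.isdigit():
                findings.append(("cleartext-password", f"username {tok[1]}: type-0 password; use 'secret'"))
            elif ptype == "7":
                findings.append(("reversible-password", f"username {tok[1]}: type-7 password is reversible"))
        elif line == "no service password-encryption":
            findings.append(("cleartext-password", "no service password-encryption"))
    if policy:                                                 # config ended inside a policy block
        _check_policy(policy_num, policy, explicit, findings)
    return findings

if __name__ == "__main__":
    for kind, msg in audit_ios_crypto(SAMPLE_CONFIG):
        print(f"{kind:20} {msg}")
```

Feed it `show running-config` output saved to a file; the "IOS default" tag in a finding means the weakness comes from a value the policy never set, which is easy to miss when reading the config by eye.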
How it works in a deployment:
==================================
Initially you are connected to your service provider's router with a static or dynamic IP address the provider assigned to you, say:
(PC)-------(SP-ROUTER)----Internet-----(CiscoVPNServer)
In this state you use the Internet directly through the service provider (SP router).
When you want to reach the CiscoVPNServer, you start the VPN Client on your PC and connect to the VPN.
At the password prompt you enter your username and password.
Once authentication succeeds there is an IPsec tunnel from the PC to the CiscoVPNServer and every packet goes through it; your PC now has two IP addresses, the second being the VPN IP that the CiscoVPNServer assigned to you.
Everything from your PC now goes to the Cisco router in encrypted form, and even Internet browsing is done via the Cisco network.
More about IPsec and VPN in other posts.
This is the simplest way to try a VPN client and server.
Monday, May 11, 2009
hands with RTP streaming.
1- The simplest way is to put the video/audio file in a player object and play it from our HTML page.
[root@mrbu-devtest html]# ls
a.html index.html synchronizeddance.wmv
[root@mrbu-devtest html]#
[root@mrbu-devtest html]#
[root@mrbu-devtest html]# cat a.html
This is our new web server . Happy Innovation Day !!!
<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B">
<embed src="synchronizeddance.wmv" autoplay="true" controller="true">
</object>
[root@mrbu-devtest html]#
Wednesday, May 6, 2009
Installing a web server on Linux.
1- Check whether httpd is already running on the box:
[root@mrbu-devtest html]# netstat -tunlp | grep 80
tcp 0 0 0.0.0.0:5801 0.0.0.0:* LISTEN 7042/Xvnc
tcp 0 0 0.0.0.0:5802 0.0.0.0:* LISTEN 28998/Xvnc
tcp 0 0 0.0.0.0:5803 0.0.0.0:* LISTEN 29895/Xvnc
tcp 0 0 0.0.0.0:5804 0.0.0.0:* LISTEN 1446/Xvnc
tcp 0 0 0.0.0.0:5805 0.0.0.0:* LISTEN 1572/Xvnc
tcp 0 0 0.0.0.0:5807 0.0.0.0:* LISTEN 28971/Xvnc
tcp 0 0 0.0.0.0:5808 0.0.0.0:* LISTEN 29093/Xvnc
tcp 0 0 0.0.0.0:5809 0.0.0.0:* LISTEN 6434/Xvnc
tcp 0 0 127.0.0.1:6012 0.0.0.0:* LISTEN 28075/31
tcp 0 0 :::80 :::* LISTEN 20792/httpd
tcp 0 0 ::1:6012 :::* LISTEN 28075/31
[root@mrbu-devtest html]#
No httpd line appears if the server is not running. Note that "grep 80" is a substring match: it also pulls in the Xvnc listeners on ports 58xx and any line whose PID contains 80; only the ":::80 ... httpd" line is the web server.
2- If httpd does not show up, check whether the service is installed and can be started:
[root@mrbu-devtest ~]# /sbin/service httpd start
httpd: unrecognized service
[root@mrbu-devtest ~]#
"unrecognized service" means httpd is not installed;
otherwise the output looks like this:
[root@mrbu-devtest ~]# /sbin/service httpd start
Starting httpd: [ OK ]
[root@mrbu-devtest ~]#
3- Install the server. If the box has Internet connectivity, just run:
[root@mrbu-devtest ~]# uname -a
Linux mrbu-devtest 2.6.9-42.7.ELsmp #1 SMP Tue Sep 5 18:29:39 EDT 2006 i686 i686 i386 GNU/Linux
[root@mrbu-devtest ~]#
[root@mrbu-devtest ~]# yum install httpd
Setting up Install Process
Setting up repositories
emergency-install 100% |=========================| 1.1 kB 00:00
psec-tools 100% |=========================| 951 B 00:00
engineering-install 100% |=========================| 1.1 kB 00:00
engineering-update 100% |=========================| 1.1 kB 00:00
desktop-install 100% |=========================| 1.1 kB 00:00
base 100% |=========================| 1.1 kB 00:00
desktop-update 100% |=========================| 1.1 kB 00:00
cisco-linux-common 100% |=========================| 1.1 kB 00:00
emergency-update 100% |=========================| 1.1 kB 00:00
cisco-linux-desktop 100% |=========================| 1.1 kB 00:00
Reading repository metadata in from local files
...
Once the install finishes, start the web service:
[root@mrbu-devtest ~]# /sbin/service httpd start
Starting httpd: [ OK ]
[root@mrbu-devtest ~]#
4- Add or edit a web page.
[root@mrbu-devtest httpd]# cd /var/www/html/
[root@mrbu-devtest html]# ls
[root@mrbu-devtest html]# vi index.html
[root@mrbu-devtest html]#
[root@mrbu-devtest html]# cat index.html
!!!Woo it's working !!!
[root@mrbu-devtest html]#
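The netstat check in step 1 greps for the digits 80, so it also reports the Xvnc listeners on 58xx and anything owned by PID 28075. The helper below is an added example (not from the original post) that matches only LISTEN sockets whose local port is exactly the one asked for; the sample input is constructed from the netstat lines shown above plus one made-up sshd line, and the PID/program names in it are taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post. "netstat -tunlp | grep 80" matches
# the digits 80 anywhere on the line (5801, 5802, 28075, ...). This helper looks
# only at the local port of LISTEN sockets, so it answers "is anything bound to
# port 80?" correctly, including IPv6 forms such as :::80.

# Constructed sample input: the netstat -tunlp lines shown in the post, plus one
# made-up sshd line for contrast.
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1234/sshd
tcp 0 0 0.0.0.0:5801 0.0.0.0:* LISTEN 7042/Xvnc
tcp 0 0 0.0.0.0:5802 0.0.0.0:* LISTEN 28998/Xvnc
tcp 0 0 127.0.0.1:6012 0.0.0.0:* LISTEN 28075/31
tcp 0 0 :::80 :::* LISTEN 20792/httpd
tcp 0 0 ::1:6012 :::* LISTEN 28075/31'

# listeners_on PORT: read netstat -tunlp output on stdin and print the
# PID/Program of every LISTEN socket whose local port is exactly PORT.
listeners_on() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            # Field 4 is the local address; the port follows the last colon,
            # which also handles IPv6 forms like :::80 and ::1:6012.
            n = split($4, a, ":")
            if (a[n] == port) print $7
        }'
}

# naive_match_count PORT: what the post does; counts every line that merely
# contains the digits, regardless of where they appear.
naive_match_count() {
    printf '%s\n' "$SAMPLE_NETSTAT" | grep -c "$1"
}

# sample_listeners_on PORT: run the exact-port check over the constructed sample.
sample_listeners_on() {
    printf '%s\n' "$SAMPLE_NETSTAT" | listeners_on "$1"
}

# Live use on a real box (not exercised here):
#   netstat -tunlp 2>/dev/null | listeners_on 80
```

On the sample, the naive grep reports five lines for port 80 while the exact check reports only 20792/httpd.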