Vyatta 6.3 HVM to PV conversion

Posted: 21st February 2012 by raph in Uncategorized

Since Vyatta doesn't offer a download link to a PV image anymore, the machine has to be converted from HVM to PV manually. Here are the steps to achieve that:

1. Install Vyatta from the vyatta-livecd-virt_VC6.3-2011.07.21_i386.iso image (either an image-based or a system-based install works), and make sure to prepare the system for PV conversion at the end of the installation.

2. Reboot and mount the XenServer Tools ISO from the CLI, then run its Linux installer:

sudo mount /dev/disk/by-label/XenServer\\x20Tools /mnt

sudo /mnt/Linux/install.sh

3. Reboot and, from the XenServer host console, switch the VM to PV boot:

xe vm-list power-state=halted (note the UUID of the Vyatta VM)
xe vm-param-set uuid=<Vyatta UUID> HVM-boot-policy=
xe vm-param-set uuid=<Vyatta UUID> PV-bootloader=pygrub
xe vm-disk-list uuid=<Vyatta UUID> (copy the VBD UUID of the disk)
xe vbd-param-set uuid=<VBD UUID> bootable=true

Enjoy!

I have been looking on the internet for a sample configuration of a redundant site-to-site IPsec tunnel with multiple links but haven't been able to find anything straightforward. The commands here are for a Cisco ASA 5510 running IOS 8.3 and a Cisco ASA 5505 running the same version. Here is a short description of the networks I will be using before we get started:

192.168.1.0: internal network of the ASA 5510

192.168.2.0: internal network of the ASA 5505

10.0.1.0: network assigned by your first internet provider (connected to the ASA 5510 outside-1 interface)

10.0.2.0: network assigned by your second internet provider (connected to the ASA 5510 outside-2 interface)

172.16.1.0: network assigned by your third internet provider (connected to the ASA 5505 outside interface)

Now let’s get to it!

First, configure the interfaces on the 5510 (the inside address must sit in 192.168.1.0/24, the network the NAT objects and the crypto ACL below refer to):

interface Ethernet0/0
nameif inside
ip address 192.168.1.1 255.255.255.0

interface Ethernet0/1
nameif outside-1
ip address 10.0.1.2 255.255.255.0

interface Ethernet0/2
nameif outside-2
ip address 10.0.2.2 255.255.255.0

Create the objects and the identity NAT rules that exempt the VPN traffic from being NATed on either outside interface:

object network obj-192.168.1.0

subnet 192.168.1.0 255.255.255.0

object network obj-192.168.2.0

subnet 192.168.2.0 255.255.255.0

nat (inside,outside-1) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0

nat (inside,outside-2) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0

 

Now create the access list that selects the interesting VPN traffic:

access-list outside_cryptomap0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Create the security policies (IPsec transform sets, SA lifetimes and ISAKMP policies):

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto isakmp identity address

crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400

crypto isakmp nat-traversal 30
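The transform-set list and the two ISAKMP policies above negotiate DES, 3DES, MD5 and DH group 2 alongside AES and SHA, so whichever side offers the weakest proposal first can end up setting the tunnel's strength. The script below is an added example, not part of the original post: it parses the same transform sets and ISAKMP policies (copied inline as a constructed sample) and reports every setting below an assumed baseline of AES, SHA and DH group 14 or higher, so a reviewer can see at a glance which transform sets are safe to keep in the crypto map. The baseline sets and the function names are assumptions of this example.

```python
"""Lint ASA IKEv1/IPsec crypto settings for weak algorithm choices.

Added example, not from the original post. It walks the transform sets and
ISAKMP policies of the 5510 configuration and reports every cipher, hash or
Diffie-Hellman group below an assumed baseline of AES, SHA and DH group 14
or higher.
"""
import re

# Assumed baseline: anything listed here gets reported.
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_IKE = {
    "encryption": {"des", "3des"},
    "hash": {"md5"},
    "group": {"1", "2", "5"},
}

# Constructed sample: the transform sets and ISAKMP policies of the post.
SAMPLE_CONFIG = """
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp identity address
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
"""

TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")


def lint_asa_crypto(config_text):
    """Return (kind, name, weak_setting) tuples for every weak choice found."""
    findings = []
    policy = None  # ISAKMP policy stanza currently being parsed, if any
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TRANSFORM_RE.match(line)
        if m:
            policy = None
            name, algorithms = m.group(1), m.group(2).split()
            findings.extend(("transform-set", name, alg)
                            for alg in algorithms if alg in WEAK_ESP)
            continue
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)
            continue
        parts = line.split()
        if policy is not None and len(parts) == 2 and parts[0] in WEAK_IKE:
            key, value = parts
            if value in WEAK_IKE[key]:
                findings.append(("isakmp-policy", policy, f"{key} {value}"))
        elif policy is not None and line.startswith("crypto "):
            policy = None  # any other top-level crypto command ends the stanza
    return findings


def clean_transform_sets(config_text):
    """Names of transform sets that use none of the weak algorithms."""
    weak = {name for kind, name, _ in lint_asa_crypto(config_text)
            if kind == "transform-set"}
    names = [m.group(1) for line in config_text.splitlines()
             if (m := TRANSFORM_RE.match(line.strip()))]
    return sorted(n for n in names if n not in weak)


if __name__ == "__main__":
    for kind, name, setting in lint_asa_crypto(SAMPLE_CONFIG):
        print(f"{kind} {name}: weak {setting}")
    print("acceptable transform sets:",
          ", ".join(clean_transform_sets(SAMPLE_CONFIG)))
```

Run against the sample it reports 13 weak settings and leaves ESP-AES-128-SHA, ESP-AES-192-SHA and ESP-AES-256-SHA as the transform sets worth keeping in the "set transform-set" lists further down; the same function can be fed the output of "show running-config crypto" from a live firewall.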

 

Create the tunnel group (Phase 1 association):

tunnel-group 172.16.1.2 ipsec-attributes

pre-shared-key abc123

peer-id-validate nocheck

 

Create the cryptomaps (one per interface):

crypto map outside-1_map0 1 match address outside_cryptomap0
crypto map outside-1_map0 1 set peer 172.16.1.2
crypto map outside-1_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside-2_map0 2 match address outside_cryptomap0
crypto map outside-2_map0 2 set peer 172.16.1.2
crypto map outside-2_map0 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

 

Map the cryptomaps to the interfaces and enable ISAKMP on them:

crypto map outside-1_map0 interface outside-1
crypto map outside-2_map0 interface outside-2
crypto isakmp enable outside-1
crypto isakmp enable outside-2

Before we go ahead and configure the routing table, let's configure the SLA monitor and the tracking object that the routes below reference as track 1:

sla monitor 1
type echo protocol ipIcmpEcho 10.0.1.1 interface outside-1
num-packets 2
frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

Now let's configure the routes. The routes with distance 1 are withdrawn while track 1 is down, so the distance 2 routes via outside-2 take over. The outside-2 routes point at the second provider's gateway, assumed here to be 10.0.2.1 (by analogy with 10.0.1.1 on outside-1; substitute the address your provider gives you):

route outside-1 0 0 10.0.1.1 1 track 1
route outside-1 172.16.1.0 255.255.255.0 10.0.1.1 1 track 1
route outside-1 192.168.2.0 255.255.255.0 172.16.1.2 1
route outside-2 0 0 10.0.2.1 2
route outside-2 172.16.1.0 255.255.255.0 10.0.2.1 2

Now let's configure the ASA 5505. First, the interfaces:

interface vlan 1

nameif inside

ip address 192.168.2.1 255.255.255.0

interface vlan 2

nameif outside

ip address 172.16.1.2 255.255.255.0

interface Ethernet0

switchport mode access

switchport access vlan 1

interface Ethernet1

switchport mode access

switchport access vlan 2

 

Create the objects and the identity NAT rule that exempt the VPN traffic from being NATed (the 5505 has a single outside interface, named outside):

object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0

object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0

nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.1.0 obj-192.168.1.0

Create the access list:

access-list outside_cryptomap0 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Create the security policies (the same transform sets, lifetimes and ISAKMP policies as on the 5510):

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto isakmp identity address

crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400

crypto isakmp nat-traversal 30

Create the tunnel groups (one for each of the remote internet connections, since the 5510 can initiate from either outside address):

tunnel-group 10.0.1.2 ipsec-attributes

pre-shared-key abc123

peer-id-validate nocheck

tunnel-group 10.0.2.2 ipsec-attributes

pre-shared-key abc123

peer-id-validate nocheck

 

Create the dynamic cryptomap:

crypto dynamic-map outside_map0 1 match address outside_cryptomap0
crypto dynamic-map outside_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

Map the dynamic cryptomap to a cryptomap:

crypto map outside_map 1 ipsec-isakmp dynamic outside_map0

Map the cryptomap to the interface and enable ISAKMP on it:

crypto map outside_map interface outside
crypto isakmp enable outside

Configure the SLA monitor and the tracking object:

sla monitor 1
type echo protocol ipIcmpEcho 172.16.1.1 interface outside
num-packets 2
frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

Configure the routes (the route to 192.168.1.0 is tracked towards the 5510's outside-1 address and falls back to its outside-2 address, 10.0.2.2, while track 1 is down):

route outside 192.168.1.0 255.255.255.0 10.0.1.2 1 track 1
route outside 192.168.1.0 255.255.255.0 10.0.2.2 2
route outside 0 0 172.16.1.1 1
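The failover in this design rests entirely on how the ASA picks between the tracked and untracked routes on both firewalls (the 5510 table earlier in the post and the 5505 table just above). The script below is an added example, not part of the original post: it parses the route commands as written and applies the ASA's selection rules (longest prefix first, then the lowest administrative distance, with a tracked route withdrawn while its tracking object is down), so you can check which next hop each destination takes with track 1 up or down before touching a live box. The 5510 table uses 10.0.2.1 as the second provider's gateway, an assumption of this example that the post does not state; the function names are likewise assumptions.

```python
"""Model ASA static-route selection with tracked routes.

Added example, not from the original post. It parses the route commands of
both firewalls and shows which next hop the ASA uses for a destination
depending on whether track 1 is up: longest prefix wins, then the lowest
administrative distance (the number after the gateway), and a route with a
"track" clause is withdrawn while its tracking object is down.
"""
import ipaddress

# Constructed sample: the 5510 routing table; 10.0.2.1 is an assumed
# second-provider gateway, it is not stated in the post.
ROUTES_5510 = [
    "route outside-1 0 0 10.0.1.1 1 track 1",
    "route outside-1 172.16.1.0 255.255.255.0 10.0.1.1 1 track 1",
    "route outside-1 192.168.2.0 255.255.255.0 172.16.1.2 1",
    "route outside-2 0 0 10.0.2.1 2",
    "route outside-2 172.16.1.0 255.255.255.0 10.0.2.1 2",
]

# Constructed sample: the 5505 routing table from the post.
ROUTES_5505 = [
    "route outside 192.168.1.0 255.255.255.0 10.0.1.2 1 track 1",
    "route outside 192.168.1.0 255.255.255.0 10.0.2.2 2",
    "route outside 0 0 172.16.1.1 1",
]


def parse_route(line):
    """Turn 'route IFACE NET MASK GW [DISTANCE] [track ID]' into a dict."""
    parts = line.split()
    if parts[0] != "route" or len(parts) < 5:
        raise ValueError(f"not a route command: {line!r}")
    iface, net, mask, gateway = parts[1:5]
    # "0 0" is the ASA shorthand for the default route 0.0.0.0/0
    network = ipaddress.ip_network("0.0.0.0/0" if net == mask == "0"
                                   else f"{net}/{mask}")
    distance = int(parts[5]) if len(parts) > 5 and parts[5] != "track" else 1
    track = int(parts[parts.index("track") + 1]) if "track" in parts else None
    return {"iface": iface, "network": network, "gateway": gateway,
            "distance": distance, "track": track}


def next_hop(route_lines, destination, track_up):
    """Return (iface, gateway) for destination, or None if nothing matches.

    track_up maps tracking-object id -> True/False; a tracked route whose
    object is down (or unknown) is not a candidate.
    """
    dst = ipaddress.ip_address(destination)
    candidates = []
    for r in map(parse_route, route_lines):
        if r["track"] is not None and not track_up.get(r["track"], False):
            continue  # route withdrawn while the SLA probe fails
        if dst in r["network"]:
            candidates.append(r)
    if not candidates:
        return None
    # longest prefix wins, then the lowest administrative distance
    best = min(candidates, key=lambda r: (-r["network"].prefixlen, r["distance"]))
    return best["iface"], best["gateway"]


if __name__ == "__main__":
    for state in (True, False):
        up = {1: state}
        print(f"track 1 {'up' if state else 'down'}:")
        for table, dst in ((ROUTES_5510, "8.8.8.8"), (ROUTES_5510, "192.168.2.10"),
                           (ROUTES_5510, "172.16.1.2"), (ROUTES_5505, "192.168.1.10")):
            print(f"  {dst:>14} -> {next_hop(table, dst, up)}")
```

Note what the model makes visible: on the 5510 the route to 192.168.2.0 via 172.16.1.2 is untracked, so it keeps pointing at outside-1 whatever track 1 says; it is the tracked route to 172.16.1.0/24 (the peer's network) that actually moves the tunnel traffic to outside-2 when provider 1 fails.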

Don't forget to source your test pings from a device connected to an inside port, or use the command ping inside X.X.X.X from the ASA after enabling management access with the command management-access inside (the crypto ACL only matches traffic between the two inside networks, so pings sourced from the outside interfaces won't bring the tunnel up).

Have fun


Must have Mac OS X Apps

Posted: 2nd March 2011 by raph in Mac OS X

Here is a list of useful Mac OS X applications, i will try to keep this list updated:

Perian: Videos codecs for Quicktime

Dropbox: Sync and share files on the internet

Flip4mac: Play WMV video inside Quicktime

Adium: Multi-protocol instant messenger

GPGTools: Encryption tools for Mac OS X

Wunderlist: Manage and share todo lists

Freemind: Create and edit mindmaps

Transmission: Download bittorrent files

AppCleaner: Remove files left behind after deleting applications

AppFresh: Keep your applications up to date

OnyX: Maintenance and optimization tool

Skype: Voice and video conferencing over the internet

Teamviewer: Easily share your desktop for remote access over the internet

Virtualbox: Run Windows and other operating system inside your Mac without rebooting

VLC: Read almost any media file

Handbrake: Convert DVDs to media files

OpenOffice: Text, spreadsheet and presentation editor

Evom: Convert media files to iTunes format

The Unarchiver: Extract files from any archive format

SousChef: Manage recipes and grocery lists

Skim: Easily annotate PDFs

Xbench: Benchmark utility for your Mac

jDownloader: Easily queue file transfer from popular download services

Winebottler: Create Wine bottles to emulate Windows apps inside Mac OS X

 

The paid apps:

Pixelmator: Powerful image editor ($59.99)

1Password: Store all your passwords in one location ($39.95)

Rivet: Share media with your Xbox 360 and PS3 ($19.95)

Data Rescue: Recover data from failed hard drives ($99)

Dropbox on Mac OS X Lion

Posted: 2nd March 2011 by raph in Mac OS X

While the good folks at Dropbox prepare a Lion-compatible release for us, you can run the current version of Dropbox by issuing these terminal commands before running Dropbox for the first time after installing it:

sudo rm -rf /Library/DropboxHelperTools
rm /Applications/Dropbox.app/Contents/Resources/DropboxHelperInstaller.tgz
defaults write /Applications/Dropbox.app/Contents/Info CFBundleVersion 2.0