Posted: February 24th, 2011 | Author: micha | Filed under: debian, it, juniper, linux, networking | Tags: debian, juniper, linux, network, security
Finally got it working: a bidirectional IPsec tunnel between a Juniper SSG5 and Openswan on Debian; both sites have static IP addresses.
Openswan config (ipsec.conf; with authby=secret the PSK itself goes into /etc/ipsec.secrets, keyed on the two public addresses, not into this file):
conn juniper_ssg5_01
        type=tunnel
        authby=secret
        auth=esp
        pfs=yes
        rekey=yes
        auto=start
        keyingtries=0
        keyexchange=ike
        # SA lifetimes: the SSG p1-proposal below uses 28800s and the p2-proposal 3600s,
        # while openswan's ikelifetime defaults to 1h and keylife is 8h here. It negotiates
        # (the side with the shorter lifetime rekeys first), but ikelifetime=8h / keylife=1h
        # would make both sides say the same thing.
        keylife=8h
        # phase 1: aes256 / sha-1 / group14 on the SSG
        ike=aes256-sha1-modp2048
        # phase 2: aes256 / sha-1; with pfs=yes openswan reuses the phase 1 group (modp2048),
        # which is why the SSG p2-proposal is group14 as well
        esp=aes256-sha1
        # Linux openswan
        leftid=1.1.1.1
        # external ip
        left=1.1.1.1
        leftsubnet=10.1.10.0/24
        leftsourceip=10.1.10.1
        # SSG 5
        rightid=2.2.2.2
        # untrust interface
        right=2.2.2.2
        rightsubnet=192.168.10.0/24
Juniper ScreenOS config (route-based VPN, tunnel.2 in the Untrust zone):
set interface "tunnel.2" zone "Untrust"
set ike p1-proposal "g14-esp-aes256-sha" preshare group14 esp aes256 sha-1 second 28800
set ike p2-proposal "g14-esp-aes256-sha" group14 esp aes256 sha-1 second 3600
set ike gateway "Gateway for 10.1.10.0/24" address 1.1.1.1 Main local-id "2.2.2.2" outgoing-interface "ethernet0/0" preshare "mysecretpsk" proposal "g14-esp-aes256-sha"
set ike gateway "Gateway for 10.1.10.0/24" nat-traversal
set ike gateway "Gateway for 10.1.10.0/24" nat-traversal udp-checksum
set ike gateway "Gateway for 10.1.10.0/24" nat-traversal keepalive-frequency 0
set ike accept-all-proposal
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "VPN for 10.1.10.0/24" gateway "Gateway for 10.1.10.0/24" replay tunnel idletime 0 proposal "g14-esp-aes256-sha"
set vpn "VPN for 10.1.10.0/24" id 0x3 bind interface tunnel.2
set vpn "VPN for 10.1.10.0/24" proxy-id local-ip 192.168.10.0/24 remote-ip 10.1.10.0/24 "ANY"
set policy id 34 from "Trust" to "Untrust" "Any" "10.1.10.0/24" "ANY" permit log count
A few things about the ScreenOS half that are easy to miss when copying it:
Only the two proposals, the gateway line (address, local-id, preshare, proposal), the three vpn lines and the policy are specific to this tunnel. The nat-traversal, respond-bad-spi, ikev2 soft-lifetime and access-session lines are what `get config` prints for every gateway; the ikev2 one plays no role in a Main-mode IKEv1 tunnel.
`set ike accept-all-proposal` and `unset ike dos-protection` are global settings that loosen the box: the first lets the SSG accept whatever proposal a peer offers instead of only "g14-esp-aes256-sha", the second switches off the IKE DoS protection. Neither is needed here, because both proposals match the openswan ike=/esp= lines exactly, so they are better left at their defaults.
The proxy-id is written from the SSG's point of view: local-ip is openswan's rightsubnet and remote-ip its leftsubnet. If they do not mirror each other, phase 1 comes up and phase 2 never does.
Not in the paste but needed for traffic in both directions: an address-book entry "10.1.10.0/24" in the Untrust zone, a route for 10.1.10.0/24 pointing at tunnel.2, and a policy from Untrust to Trust for the return direction; policy 34 only covers Trust to Untrust.
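Before bringing the tunnel up it pays to check that the two halves actually describe the same SAs, because identities, algorithm names and proxy-IDs are spelled differently on each side and a single wrong subnet gives you a phase 1 that comes up and a phase 2 that never does. The script below is an added example (not from the post): it parses the conn block and the ScreenOS set lines, maps openswan's aes256-sha1-modp2048 onto the SSG's aes256 sha-1 group14, and cross-checks peers, identities, proposals, PFS group, proxy-IDs and lifetimes. The embedded configs are the post's with the PSK replaced by a placeholder; the ALG_MAP table and the default lifetimes (ikelifetime 1h, keylife 8h) follow ipsec.conf(5), and only the single-proposal ike=/esp= form used on this page is handled.

```python
"""Cross-check an Openswan conn block against the ScreenOS proposal/gateway/vpn lines of
the same tunnel.  Added example, not from the post; the sample configs are the post's."""
import re
import shlex

# Openswan ike=/esp= tokens -> ScreenOS proposal keywords; lifetime defaults per ipsec.conf(5).
ALG_MAP = {"aes256": "aes256", "aes128": "aes128", "3des": "3des", "sha1": "sha-1",
           "md5": "md5", "modp1024": "group2", "modp1536": "group5", "modp2048": "group14"}
OPENSWAN_DEFAULTS = {"ikelifetime": "1h", "keylife": "8h", "pfs": "yes"}

# Constructed sample input: the post's conn block, indented as Openswan requires.
OPENSWAN_CONF = """\
conn juniper_ssg5_01
        keylife=8h
        ike=aes256-sha1-modp2048
        esp=aes256-sha1
        # Linux openswan
        leftid=1.1.1.1
        left=1.1.1.1
        leftsubnet=10.1.10.0/24
        rightid=2.2.2.2
        right=2.2.2.2
        rightsubnet=192.168.10.0/24
"""
# Constructed sample input: the ScreenOS lines that define the same tunnel (PSK replaced).
SCREENOS_CONF = """\
set ike p1-proposal "g14-esp-aes256-sha" preshare group14 esp aes256 sha-1 second 28800
set ike p2-proposal "g14-esp-aes256-sha" group14 esp aes256 sha-1 second 3600
set ike gateway "Gateway for 10.1.10.0/24" address 1.1.1.1 Main local-id "2.2.2.2" outgoing-interface "ethernet0/0" preshare "PSK-PLACEHOLDER" proposal "g14-esp-aes256-sha"
set vpn "VPN for 10.1.10.0/24" gateway "Gateway for 10.1.10.0/24" replay tunnel idletime 0 proposal "g14-esp-aes256-sha"
set vpn "VPN for 10.1.10.0/24" proxy-id local-ip 192.168.10.0/24 remote-ip 10.1.10.0/24 "ANY"
"""

def to_seconds(value):
    """Openswan duration ('8h', '60m', '3600s' or bare seconds) -> int seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]

def parse_openswan(text):
    """One conn section -> {param: value}, with the defaults that matter filled in."""
    conn = dict(OPENSWAN_DEFAULTS)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and indentation
        if line and not line.startswith("conn "):
            key, _, val = line.partition("=")
            conn[key.strip()] = val.strip()
    return conn

def _after(tok, key):
    return tok[tok.index(key) + 1] if key in tok else None  # token after a ScreenOS keyword

def parse_screenos(text):
    """Pick the p1/p2 proposal, gateway and vpn proxy-id out of ScreenOS 'set' lines."""
    cfg = {"p1": {}, "p2": {}, "gw": {}, "vpn": {}}
    for tok in (shlex.split(line) for line in text.splitlines()):
        if len(tok) < 4 or tok[0] != "set" or tok[1] not in ("ike", "vpn"):
            continue
        if tok[2] == "p1-proposal":    # NAME preshare groupN esp ENC HASH second LIFE
            cfg["p1"] = dict(name=tok[3], group=tok[5], enc=tok[7], hash=tok[8], life=int(tok[10]))
        elif tok[2] == "p2-proposal":  # NAME (groupN|no-pfs) esp ENC HASH second LIFE
            cfg["p2"] = dict(name=tok[3], group=tok[4] if tok[4].startswith("group") else None,
                             enc=tok[6], hash=tok[7], life=int(tok[9]))
        elif tok[2] == "gateway" and "address" in tok:
            cfg["gw"] = dict(address=_after(tok, "address"), local_id=_after(tok, "local-id"),
                             proposal=_after(tok, "proposal"))
        elif tok[1] == "vpn" and "proxy-id" in tok:
            cfg["vpn"].update(local=_after(tok, "local-ip"), remote=_after(tok, "remote-ip"))
    return cfg

def cross_check(openswan_text, screenos_text):
    """(errors, warnings): errors keep the tunnel down, warnings IKE negotiates around."""
    sw, ss = parse_openswan(openswan_text), parse_screenos(screenos_text)
    p1, p2, gw, vpn = ss["p1"], ss["p2"], ss["gw"], ss["vpn"]
    errors, warnings = [], []
    # The SSG peers with left/leftid and announces local-id (its own untrust address when
    # none is configured), which is what openswan's rightid has to expect.
    if gw["address"] != sw["left"] or sw.get("leftid", sw["left"]) != gw["address"]:
        errors.append("peer: SSG gateway address %s vs left=%s" % (gw["address"], sw["left"]))
    if sw.get("rightid", sw["right"]) != (gw["local_id"] or sw["right"]):
        errors.append("identity: rightid=%s vs SSG local-id %s" % (sw.get("rightid"), gw["local_id"]))
    # Phase 1 is ike=ENC-HASH-GROUP, phase 2 is esp=ENC-HASH; with pfs=yes Openswan reuses
    # the phase 1 DH group, so the p2-proposal has to carry the same group.
    enc1, hash1, grp1 = sw["ike"].split("-")
    if (ALG_MAP[enc1], ALG_MAP[hash1], ALG_MAP[grp1]) != (p1["enc"], p1["hash"], p1["group"]):
        errors.append("phase 1: ike=%s vs p1 %s %s %s" % (sw["ike"], p1["enc"], p1["hash"], p1["group"]))
    enc2, hash2 = sw["esp"].split("-")
    if (ALG_MAP[enc2], ALG_MAP[hash2]) != (p2["enc"], p2["hash"]):
        errors.append("phase 2: esp=%s vs p2 %s %s" % (sw["esp"], p2["enc"], p2["hash"]))
    if p2["group"] != (ALG_MAP[grp1] if sw["pfs"] == "yes" else None):
        errors.append("PFS: pfs=%s vs p2 group %s" % (sw["pfs"], p2["group"]))
    # Proxy-IDs mirror the subnets; a mismatch here is the classic Juniper/*swan failure
    # (phase 1 up, phase 2 rejected).
    if (vpn["local"], vpn["remote"]) != (sw["rightsubnet"], sw["leftsubnet"]):
        errors.append("proxy-id %s<->%s vs rightsubnet=%s leftsubnet=%s"
                      % (vpn["local"], vpn["remote"], sw["rightsubnet"], sw["leftsubnet"]))
    for label, key, ssg in (("IKE SA", "ikelifetime", p1["life"]), ("IPsec SA", "keylife", p2["life"])):
        if to_seconds(sw[key]) != ssg:
            warnings.append("%s lifetime: openswan %ss, SSG %ss" % (label, to_seconds(sw[key]), ssg))
    return errors, warnings
```

Run against the post's two configs, `cross_check(OPENSWAN_CONF, SCREENOS_CONF)` returns no errors and two warnings: the IKE SA lifetime (openswan's default 1h against 28800 seconds in the p1-proposal) and the IPsec SA lifetime (keylife=8h against 3600 seconds in the p2-proposal). Change the proxy-id remote-ip to any other subnet and the same call returns a proxy-id error, which is exactly the situation where the SSG log shows phase 1 up and phase 2 failing.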
Posted: February 6th, 2011 | Author: micha | Filed under: debian, it, linux | Tags: debian, linux
Say hello to squeeze – time to go wheezy!
Posted: January 29th, 2011 | Author: micha | Filed under: database, debian, it, linux, other, windows | Tags: database, debian, windows
Working on a system to sync user data from MySQL to OpenLDAP *and* Active Directory. The goal is to have synchronised systems (OpenLDAP/AD) and a web-based management – YEAH! Right now I'm playing with http://lsc-project.org/ – thanks to the LSC IRC channel!
Posted: January 29th, 2011 | Author: micha | Filed under: debian, it, linux, other | Tags: debian, linux
Had to do this to migrate mailboxes from Exchange 2003 to Exchange 2010 (route single addresses to the new server while the rest of the domain still goes to the old one).
I prefer Postfix for MTA duties, but here we have Exim4 …
The transport already exists (remote_smtp, defined in 30_exim4-config_remote_smtp), so only a router is needed. It has to sit before the dnslookup router (in Debian's split config: a file in /etc/exim4/conf.d/router/ numbered below 200_exim4-config_primary) so that it sees non-local domains first.
router:

special_routes:
  driver = manualroute
  domains = ! +local_domains
  transport = remote_smtp
  host_find_failed = defer
  # route every address on its own; with "yes" the first address of a domain
  # would decide the host for all other addresses in that domain in the same message
  same_domain_copy_routing = false
  # look up the full address first, then fall back to the bare domain; no hit
  # gives an empty route_data, the router declines and dnslookup takes over
  route_data = ${lookup{$local_part@$domain}lsearch{/etc/exim4/routes}\
               {$value}\
               {${lookup{$domain}lsearch{/etc/exim4/routes}}}}
/etc/exim4/routes (lsearch keys are either a full address or a bare domain, the value is the host to route to; the address key wins over the domain key):
email@dumb.com: newmailserver.com
dumb.com: oldmailserver.com
Posted: January 24th, 2011 | Author: micha | Filed under: debian, it, linux, networking | Tags: debian, linux, security
Installed snort-mysql / acidbase on Debian testing and did a base configuration in 5 minutes; after installing the necessary SQL files, I only had to uncomment one line in the Snort config file, set the subnet to scan, define the NIC – done. Always really impressive what you can do/see with this piece of free software after 10 minutes. Also installed an OpenVAS server – it seems there is no Windows client out there. Nice to see that the Cain & Abel toolkit is still under development. I need these systems for a demo / lecture on Wednesday …
Edit: the OpenVAS client from MacPorts on OS X works pretty well.
Posted: January 12th, 2011 | Author: micha | Filed under: debian, it, linux | Tags: debian, hp, linux, uptime
workstation @ work:
14:47:36 up 113 days, 2:50, 12 users, load average: 0.29, 0.10, 0.03
Intel(R) Core(TM)2 Quad CPU Q9400 @ 2.66GHz
nVidia Corporation G86 [Quadro NVS 290] (rev a1)
Intel Corporation 4 Series Chipset PCI Express
Intel Corporation 82567LM-3 Gigabit Network Connection (rev 02)
MemTotal: 8128484 kB
HDD WDC WD3000HLFS-01G6U1
Linux metrox 2.6.32-5-amd64 #1 SMP Fri Sep 17 21:50:19 UTC 2010 x86_64 GNU/Linux Debian testing
Posted: January 12th, 2011 | Author: micha | Filed under: debian, ibm, it, linux, virtualization | Tags: debian, ibm, linux, vmware
I'm planning a new virtualization infrastructure for a customer, this time based on three IBM x3650 M3 machines: one as iSCSI target, the other two with VMware ESXi 4.1. For sure it will be real fun to configure an x3650 M3 as an iSCSI target; hoping Debian stable installs cleanly without patching the kernel for RAID modules or something …. 🙂
Posted: December 12th, 2010 | Author: micha | Filed under: centos, debian, it, linux | Tags: centos, debian, linux
centos go home ….