Sunday, 7 December 2008

A huge collection of cisco IOS

http://rapidshare.com/files/161462239/QoS_642-642_Pass4sure.rar

http://rapidshare.com/files/163377890/c1811-advipservicesk9-mz.124-11.T3.bin

http://rapidshare.com/files/163379681/c1841-advsecurityk9-mz.124-12c.bin

http://rapidshare.com/files/163381550/c2600-ipvoice-mz.124-12c.bin

tp://rapidshare.com/files/163381718/c2900XL-c3h2s-mz-120.5-XU.bin

http://rapidshare.com/files/163381985/c2900xl-c3h2s-tar.120-5.WC7_1_.zip

http://rapidshare.com/files/163382259/c2900xl-c3h2s-tar.120-5.WC7.zip

http://rapidshare.com/files/163382412/c2950-c3h2s-mz.120-5.3.WC.1.bin

http://rapidshare.com/files/163382757/c2950-i6k2l2q4-mz.121-22.EA8a.bin

http://rapidshare.com/files/163382956/c2950-i6q4l2-mz.121-6.EA2b.bin

http://rapidshare.com/files/163383152/c2950-i6q4l2-mz.121-6.EA2c.bin

http://rapidshare.com/files/163383362/c2950-i6q4l2-mz.121-9.EA1.bin

http://rapidshare.com/files/163383581/c2950-i6q4l2-mz.121-9.EA1d.bin

http://rapidshare.com/files/163383841/c2950-i6q4l2-mz.121-22.EA1.bin

http://rapidshare.com/files/163384178/c2950-i6q4l2-mz.121-22.EA10.bin

http://rapidshare.com/files/163384503/c2950-i6q4l2-tar.121-9.EA1.zip

http://rapidshare.com/files/163384960/c1200-k9w7-tar.123-8.JEB.tar

http://rapidshare.com/files/163386202/c1700-advsecurityk9-mz.124-12c.bin

http://rapidshare.com/files/163387577/c1700-k9o3sy7-mz.124-12c.bin

http://rapidshare.com/files/163397377/c3500xl-c3h2s-tar.120-5.WC15.tar

http://rapidshare.com/files/163398347/c3550_ipservices_mz.122_25.sec.bin

http://rapidshare.com/files/163399038/c3550-i5k2l2q3-mz.121-19.ea1a.bin

http://rapidshare.com/files/163399807/c3550-i5k2l2q3-mz.121-22.ea1.bin

http://rapidshare.com/files/163400634/c3550-i5k2l2q3-tar.121-11.EA1.zip

http://rapidshare.com/files/163401269/c3550-i5q3l2-mz.121-13.ea1.bin

http://rapidshare.com/files/163401945/c3550-i5q3l2-mz.121-14.ea1a.bin

http://rapidshare.com/files/163402647/c3550-i5q3l2-mz.121-20.ea1.bin

http://rapidshare.com/files/163733891/c3550-ipservicesk9-mz.122-25.sed.bin

http://rapidshare.com/files/163734664/c3550-i9q3l2-mz.122-25.se.bin

http://rapidshare.com/files/163735741/c3550-ipservicesk9-mz.122-25.seb1.bin

http://rapidshare.com/files/163736805/c3550-ipservicesk9-mz.122-25.seb4.bin

http://rapidshare.com/files/163737955/c3550-ipservicesk9-mz.122-25.sec2.bin

http://rapidshare.com/files/163739263/c3550-ipservicesk9-mz.122-25.SEE4.bin

http://rapidshare.com/files/163740895/c3550-ipservicesk9-mz.122-44.SE.bin

http://rapidshare.com/files/163749876/c3560-advipservicesk9-mz.122-37.SE.bin

http://rapidshare.com/files/163751521/c3560-advipservicesk9-mz.122-40.SE.bin

http://rapidshare.com/files/163753188/c3560-advipservicesk9-mz.122-44.SE.bin

http://rapidshare.com/files/163754306/c3550-ipservicesk9-mz_122-25_sed.bin

http://rapidshare.com/files/163755297/c3550-ipservices-mz.122-25.seb4.bin

http://rapidshare.com/files/163756587/c3560-advipservicesk9-mz.122-25.SEE4.bin

http://rapidshare.com/files/163767500/c3620-ik9s-mz.122-7b.bin

http://rapidshare.com/files/163771366/c3620-ik9s-mz.122-40a.bin

http://rapidshare.com/files/163773229/c3620-i-mz.121-5.T10.bin

http://rapidshare.com/files/163774867/c3620-do3s-mz.122-2.T.bin

http://rapidshare.com/files/163777635/c3620-ik2s-mz.121-27b.bin

http://rapidshare.com/files/163782755/c3660-is56i-mz.120-7.XK.bin

http://rapidshare.com/files/163784993/c3660-is-mz.121-6.bin

http://rapidshare.com/files/163787171/c3660-is-mz.121-27b.bin

http://rapidshare.com/files/163790774/c3660-is-mz.122-46a.bin

http://rapidshare.com/files/163791077/c3660-is-mz.123-5a.bin

http://rapidshare.com/files/163798106/c3660-is-mz.123-11.T2.bin

http://rapidshare.com/files/163804254/c3660-is-mz.123-23.bin

http://rapidshare.com/files/163810870/C3660-Jk9S-Mz_123-3.bin

http://rapidshare.com/files/163814044/c3660-jo3s56i-mz.120-7.XK1.bin

http://rapidshare.com/files/164136286/c7200-is-mz.123-14.T1.bin
http://rapidshare.com/files/164139043/c7200-is-mz.123-22.bin
http://rapidshare.com/files/164142437/c7200-is-mz.124-1c.bin
http://rapidshare.com/files/164146304/c7200-is-mz.124-13b.bin
http://rapidshare.com/files/164149892/c7200-is-mz.19991126
http://rapidshare.com/files/164152475/c7200-ik2s-mz.121-27b.bin
http://rapidshare.com/files/164157302/c7200-ik8s-mz.122-15.T17.bin
http://rapidshare.com/files/164160711/c7200-ik9o3s-mz.122-40a.bin
http://rapidshare.com/files/164165626/c7200-ik9o3s-mz.123-1a.bin
http://rapidshare.com/files/164170367/c7200-ik9o3s-mz.123-20.bin
http://rapidshare.com/files/164174828/c7200-ik9o3s-mz.123-22.bin
http://rapidshare.com/files/164180158/c7200-ik9o3s-mz.124-3.bin
http://rapidshare.com/files/166057805/c7200-advipservicesk9-mz.124-2.T.bin
http://rapidshare.com/files/166058498/c7200-boot-mz.120-10.S
http://rapidshare.com/files/166059211/c7200-boot-mz.120-16.S
http://rapidshare.com/files/166064238/c7200-h1is-mz.123-14.YX.bin
http://rapidshare.com/files/166066522/c7200-ik2s-mz.121-27b.bin
http://rapidshare.com/files/166070439/c7200-ik8s-mz.122-15.T17.bin
http://rapidshare.com/files/166083627/c7200-ik9s-mz.124-13b.bin
http://rapidshare.com/files/166087902/c7200-ik91s-mz.122-31.SB3.bin
http://rapidshare.com/files/166091484/c7200-io3s-mz.122-15.T13.bin
http://rapidshare.com/files/166093316/c7200-is-mz.121-27b.bin
http://rapidshare.com/files/166096172/c7200-is-mz.122-11.T6.bin
http://rapidshare.com/files/166099304/c7200-is-mz.122-13.T.bin
http://rapidshare.com/files/166101754/c7200-ik9o3s-mz.122-40a.bin
http://rapidshare.com/files/166105496/c7200-ik9o3s-mz.123-1a.bin
http://rapidshare.com/files/166109075/c7200-ik9o3s-mz.123-20.bin
http://rapidshare.com/files/166112746/c7200-ik9o3s-mz.123-22.bin
http://rapidshare.com/files/166117018/c7200-ik9o3s-mz.124-3.bin
http://rapidshare.com/files/166121979/c7200-ik9o3s-mz.124-18.bin
http://rapidshare.com/files/166124035/c7200-ik9s-mz.122-40a.bin
http://rapidshare.com/files/166127132/c7200-ik9s-mz.123-10.bin
http://rapidshare.com/files/166136822/c7200-is-mz.122-40a.bin
http://rapidshare.com/files/166139321/c7200-is-mz.123-1a.bin
http://rapidshare.com/files/166141878/c7200-is-mz.123-3.bin
http://rapidshare.com/files/166144390/c7200-is-mz.123-3g.bin
http://rapidshare.com/files/166146690/c7200-is-mz.123-6a.bin
http://rapidshare.com/files/166149706/c7200-is-mz.123-14.T1.bin
http://rapidshare.com/files/166152121/c7200-is-mz.123-22.bin
http://rapidshare.com/files/168201766/c3640-is-mz.123-6.bin
http://rapidshare.com/files/168209570/c3640-is-mz.123-8.T_96_32_Plus.bin
http://rapidshare.com/files/168220614/c3640-is-mz.124-16.bin
http://rapidshare.com/files/168223515/c3640-is-mz_120-7_t.bin
http://rapidshare.com/files/168230016/C3640-Is-Mz_123-6.bin
http://rapidshare.com/files/168231808/c3640-ix-mz.122-6a.bin
http://rapidshare.com/files/168235959/c3640-ix-mz.123-12a.bin
http://rapidshare.com/files/168242381/c3640-jk8o3s-mz.122-26.bin
http://rapidshare.com/files/168253563/c3640-jk9o3s-mz-123-8T3.bin
http://rapidshare.com/files/168262821/c3640-jk9o3s-mz.122-15.T9.bin
http://rapidshare.com/files/168269642/c3640-jk9o3s-mz.122-26.bin
http://rapidshare.com/files/168279317/c3640-jk9o3s-mz.123-10.bin
http://rapidshare.com/files/168292431/c3640-jk9o3s-mz.123-14.T2.bin
http://rapidshare.com/files/168305135/c3640-jk9o3s-mz.123-14.T3.bin
http://rapidshare.com/files/168318084/c3640-jk9o3s-mz.123-14.T7.bin
http://rapidshare.com/files/168329843/c3640-jk9o3s-mz.123-8.T3.bin
http://rapidshare.com/files/168341146/C3640-Jk9o3S-Mz_123-8_t3.bin
http://rapidshare.com/files/168349003/c3640-is-mz.122-15.T8.bin
http://rapidshare.com/files/168354343/c3640-is-mz.122-46a.bin
http://rapidshare.com/files/168362415/c3640-is-mz.123-10.bin
http://rapidshare.com/files/168370184/c3640-is-mz.123-1a.bin
http://rapidshare.com/files/168378647/c3640-is-mz.123-23.bin
http://rapidshare.com/files/168382163/X-Lite_Win32_1011s_41150.exe
http://rapidshare.com/files/170445957/asdm-521.bin
http://rapidshare.com/files/170446766/asdm-603.bin
http://rapidshare.com/files/170450033/asa803-k8.bin
http://rapidshare.com/files/170458021/asa803-k8.bin
http://rapidshare.com/files/170459541/asdm-512.bin
http://rapidshare.com/files/170460735/asdm-521.bin
http://rapidshare.com/files/170466499/BOOTIMG.BIN
http://rapidshare.com/files/170466500/BOOTIMG.BIN
http://rapidshare.com/files/170897267/c6ace-t1k9-mz.3.0.0_A1_4.bin
http://rapidshare.com/files/170897298/c6k222-jk9sv-mz.122-14.SY3.bin
http://rapidshare.com/files/170897662/c6msfc2-boot-mz.121-8a.EX
http://rapidshare.com/files/170897717/c6msfc2-boot-mz.121-19.E1.bin
http://rapidshare.com/files/170900193/c6msfc2-dsv-mz.121-11b.E4.bin
http://rapidshare.com/files/170900512/c6msfc2-psv-mz.121-19.E1.bin
http://rapidshare.com/files/170903630/c2800nm_ipbasek9_mz.124_3.bin
http://rapidshare.com/files/170915450/c2800nm-advsecurityk9-mz.124-5.bin
http://rapidshare.com/files/170920479/c2800nm-advsecurityk9-mz.124-9.t1.bin
http://rapidshare.com/files/170924238/c2800nm-ipbasek9-mz.124-12.bin
http://rapidshare.com/files/170930149/c2800nm-ipvoice-mz.124-4.t1.bin
http://rapidshare.com/files/170936642/c2801-advipservicesk9-mz.124-16.bin
http://rapidshare.com/files/170940136/c2801-ipvoice_ivs-mz.124-11.T1.bin
http://rapidshare.com/files/170944704/c2800nm-adventerprisek9_ivs-mz.124-4.t1.bin
http://rapidshare.com/files/170948772/c2800nm-adventerprisek9_ivs-mz.124-5a.bin
http://rapidshare.com/files/170953831/c2800nm-adventerprisek9_ivs-mz.124-9.t.bin
http://rapidshare.com/files/170957920/c2800nm-adventerprisek9-mz.124-5a.bin
http://rapidshare.com/files/170962327/c2800nm-adventerprisek9-mz.124-6.t.bin
http://rapidshare.com/files/170967010/c2800nm-adventerprisek9-mz.124-9.t.bin
http://rapidshare.com/files/170970418/c2800nm-adventerprisek9-mz.124-11.t.bin
http://rapidshare.com/files/170972932/c2800nm-advipservicesk9-mz.124-12.bin
http://rapidshare.com/files/170974109/c7200-ik2s-mz.121-27b.bin
http://rapidshare.com/files/170977940/c7200-ik9o3s-mz.124-18.bin
http://rapidshare.com/files/170979511/c7200-ik9s-mz.122-40a.bin
http://rapidshare.com/files/174882539/c7200-h1is-mz.123-14.YX.bin
http://rapidshare.com/files/174884562/c7200-ik2s-mz.121-27b.bin
http://rapidshare.com/files/174891237/c7200-ik9o3s-mz.124-18.bin
http://rapidshare.com/files/174894195/c7200-ik9s-mz.122-40a.bin
http://rapidshare.com/files/174898589/c7200-ik9s-mz.123-10.bin
http://rapidshare.com/files/174905966/c7200-ik9s-mz.124-13b.bin
http://rapidshare.com/files/174909924/c7200-io3s-mz.122-15.T13.bin
http://rapidshare.com/files/174911779/c7200-is-mz.121-27b.bin
http://rapidshare.com/files/174914947/c7200-is-mz.122-11.T6.bin
http://rapidshare.com/files/174918371/c7200-is-mz.122-13.T.bin
http://rapidshare.com/files/174923189/c2801-ipvoicek9-mz.124-5b.bin
http://rapidshare.com/files/174929123/c7200-advipservicesk9-mz.124-2.T.bin
http://rapidshare.com/files/174929926/c7200-boot-mz.120-10.S
http://rapidshare.com/files/174930654/c7200-boot-mz.120-16.S
http://rapidshare.com/files/174935378/c7200-jk9o3s-mz.122-28.bin
http://rapidshare.com/files/174940705/c7200-jk9o3s-mz.123-8.T.bin
http://rapidshare.com/files/174946771/c7200-jk9o3s-mz.124-8.bin
http://rapidshare.com/files/174949587/c7200-is-mz.122-40a.bin
http://rapidshare.com/files/174953286/c7200-is-mz.123-1a.bin
http://rapidshare.com/files/174956914/c7200-is-mz.123-3.bin
http://rapidshare.com/files/174960472/c7200-is-mz.123-3g.bin
http://rapidshare.com/files/174964027/c7200-is-mz.123-6a.bin
http://rapidshare.com/files/174969031/c7200-is-mz.123-14.T1.bin
http://rapidshare.com/files/174971639/c7200-is-mz.123-22.bin
http://rapidshare.com/files/174977466/c7200-is-mz.124-1c.bin
http://rapidshare.com/files/174998235/c7200-is-mz.124-13b.bin
http://rapidshare.com/files/175004237/c7200-is-mz.19991126
http://rapidshare.com/files/175014410/c7200-jk8o3s-mz.122-17a.bin




Login here for more: http://rapidshare.com/users/8ZVSZJ

Wednesday, 26 November 2008

Turbocharge PuTTY with 12 Powerful Add-Ons - Software for Geeks

PuTTY is hands-down the best, free, and lightweight SSH client for Windows. I have provided list of 12 powerful PuTTY add-ons with screenshots, that will solve few shortcomings of the original PuTTY. Play around with these add-ons and choose the one that suites your need.

1. PuTTY Connection Manager

PuTTYCM gives a nice feature to arrange several PuTTY sessions in tabs . While starting PuTTYCM for the first time, you should specify the location of the original PuTTY. This requires .NET 2.0 to be installed on the windows system. Following screen-shot displays three putty sessions in tabs within the same window.

Note: If the PuTTY Connection Manager opens the original PuTTY in a separate window, instead of opening as a TAB, please go to Tools -> Options -> Select the check-box “Enable additional timing for PuTTY capture (ms)” -> set the value to 300 ms. This will open the PuTTY window inside the TAB as shown below.

PuTTY Connection Manager - Multiple Tab
Fig - PuTTY Connection Manager with multiple Tabs

2. PuTTYcyg

Cygwin users will absolutely love PuTTYcyg. This lets you use PuTTY as a local cygwin terminal. If you use cygwin on your windows, I’m sure you’ll hate the default MS-DOS looking cygwin window. Using PuTTYcyg, you can run cygwin inside PuTTY. I love this add-on and use it for my cygwin on Windows.

On PuTTYcyg, click on cygterm radio button in the Connection type. Enter - (hyphen) in the “Command (use - for login shell“, to connect to the cygwin on the windows laptop using PuTTY as shown below.

PuTTYcyg Cygterm radio-button
Fig - PuTTYcyg with Cygterm option

3. PuTTYtray

Using PuTTYtray, you can minimize the PuTTY window to the system tray on windows. By default, original PuTTY stores the session information in the registry. This is painful, when you want to transfer PuTTY sessions from one laptop to another. In PuTTYtray, there is an additional radio button “Sessions from file” as shown below, that will let you store session information in a file.

PuTTYtray
Fig - PuTTYtray with “Session from file” option

4. PuttyTabs

PuttyTabs provides a floating bar, that will display the open PuTTY sessions in TABs. Clicking on one of the tabs will bring the respective PuTTY session to the foreground. While starting PuTTYTabs for the first time, you should specify location of the original PuTTY. It reads the windows registry to get all the available PuTTY sessions. This also requires .NET 2.0 to be installed on the windows system. Following screen-shot displays three putty sessions arranged in tab.

PuTTYTabs Screenshot
Fig - PuTTYTabs with multiple Tabs

5. Quest PuTTY

Quest Software modified the PuTTY to add Active Directory (GSSAPI Kerberos) single sign-on feature. Quest PuTTY uses Microsoft’s Security Service Provider Interface (SSPI), which is Microsoft’s version of the GSSAPI, with which it is wire compatible. This version of PuTTY adds a new menu-item called GSSAPI, under Connection -> SSH, as shown below.

Quest PuTTY with GSSAPI
Fig - Quest PuTTY with GSSAPI option

6. Modified PuTTY

This modified PuTTY stores the PuTTY sessions in folder instead of storing it in the registry. If you already have sessions stored in the registry, it will display those also. The sessions stored in registry will be marked as [registry] as shown below. When you create a session using this PuTTY, this creates a sub-folder called session in the same folder where putty.exe is located, to store all the sessions in the file.

Modified Putty
Fig - Modified Putty displaying both registry and file sessions

7. PocketPuTTY

PocketPuTTY runs on Windows Mobile 2003/5.0 operating system. After I got my blackberry, I have dumped my Dell Axim that was running on Windows Mobile. So, I have not tried PocketPuTTY myself. If you’ve used PocketPuTTY or other mobile version of PuTTY, please leave your feedback.

PocketPuTTY UI
Fig - PocketPuTTY for Windows Mobile

8. portaPuTTY

portaPuTTY is a modified version of the PuTTY that stores the session information in a file by default, instead of storing it in the windows registry. The session files are stored under .putty/sessions folder. The .putty folder is created under the same directory where the putty.exe is located.

9. PuTTY Portable

PuTTY Portable is part of PortableApps suite. Use this to launch PuTTY from the USB drive and carry the sessions along with you.

10. PuTTY Launchy Plugin

If you are using Launchy, the open source keystroke launcher for windows, you can use Putty Launchy Plugin, to launch putty sessions from Launchy very easily. i.e you can type “ssh” or “putty” followed by tab or space to list all of your PuTTY sessions. Once you select a particular session, Launchy will automatically launch that particular PuTTY session.

PuTTY Launchy Plugin
Fig - PuTTY Launchy Plugin. Type ssh followed by tab.

11. PuTTY Session Manager

PuTTY Session Manager will let you organize the PuTTY sessions into folders and assign hotkeys. This requires Microsoft .NET 2.0. Right click on the PSM icon in the system track and select “Session Hotkeys” to assign hot-keys for PuTTY session as shown below.

PuTTY Session Manager Hot Key Assignment
Fig - PuTTY Session Manager with session hot-key

To create a folder, right click on a particular PuTTY session -> Session Management -> New Folder. To move a existing session to a folder, just drag the session and drop to the corresponding folder.

PSM Session List with folders
Fig - PuTTY Session Manager with sessions inside sub-folder

12. PuTTY Command Sender

PuTTYCS is very helpful little tool that can boost your productivity by eliminating repetitive tasks performed on different servers. Using PuTTYCS, you can send a unix command to multiple PuTTY windows at the same time. You can use this to backup files, view log files, start and stop processes, copying file etc., on multiple servers, just by executing the command once, as shown below.

PuTTY Command Sender
Fig - PuTTYCS sends unix command to multiple PuTTY session

How To Monitor VPN Active Sessions and Temperature Using Nagios

In this article, let us review how to monitor active sessions and temperature of VPN device using Nagios. You can monitor pretty much anything about a hardware using the nagios check_snmp plug-in.

1. Identify a cfg file to define host, hostgroup and services for VPN device

You can either create a new vpn.cfg file or re-use one of the existing .cfg file. In this article, I’ve added the VPN service and hostgroup definition to an existing switch.cfg file. Make sure the switch.cfg line in nagios.cfg file is not commented as shown below.

# grep switch.cfg /usr/local/nagios/etc/nagios.cfg

cfg_file=/usr/local/nagios/etc/objects/switch.cfg

2. Add new hostgroup for VPN device in switch.cfg

Add the following ciscovpn hostgroup to the /usr/local/nagios/etc/objects/switch.cfg file.

define hostgroup{

hostgroup_name ciscovpn
alias Cisco VPN Concentrator
}

3. Add new host for VPN device in switch.cfg

In this example, I’ve defined two hosts–one for primary and another for secondary Cisco VPN concentrator in the /usr/local/nagios/etc/objects/switch.cfg file. Change the address directive to your VPN device ip-address accordingly.

define host{

use generic-host
host_name cisco-vpn-primary
alias Cisco VPN Concentrator Primary
address 192.168.1.7
check_command check-host-alive
max_check_attempts 10
notification_interval 120
notification_period 24x7
notification_options d,r
contact_groups admins
hostgroups ciscovpn
}

define host{
use generic-host
host_name cisco-vpn-secondary
alias Cisco VPN Concentrator Secondary
address 192.168.1.9
check_command check-host-alive
max_check_attempts 10
notification_interval 120
notification_period 24x7
notification_options d,r
contact_groups admins
hostgroups ciscovpn
}

4. Add new services to monitor VPN active sessions and temperature in switch.cfg

Add the “Temperature” service and “Active VPN Sessions” service to the /usr/local/nagios/etc/objects/switch.cfg file.

define service{

use generic-service
hostgroup_name ciscovpn
service_description Temperature
is_volatile 0
check_period 24x7
max_check_attempts 4
normal_check_interval 10
retry_check_interval 2
contact_groups admins
notification_interval 960
notification_period 24x7
check_command check_snmp!-l Temperature -o .1.3.6.1.4.1.3076.2.1.2.22.1.29.0,.1.3.6.1.4.1.3076.2.1.2.22.1.33.0 -w 37,:40 -c :40,:45
}

define service{
use generic-service
hostgroup_name ciscovpn
service_description Active VPN Sessions
is_volatile 0
check_period 24x7
max_check_attempts 4
normal_check_interval 5
retry_check_interval 1
contact_groups admins
notification_interval 960
notification_period 24x7
check_command check_snmp!-l ActiveSessions -o 1.3.6.1.4.1.3076.2.1.2.17.1.7.0,1.3.6.1.4.1.3076.2.1.2.17.1.9.0 -w :70,:8 -c :75,:10
}

5. Validate the check_snmp from command line

Check_snmp plug-in uses the ’snmpget’ command from the NET-SNMP package. Make sure the net-snmp is installed on your system as shown below. If not, download it from NET-SNMP website.

# rpm -qa | grep -i net-snmp

net-snmp-libs-5.1.2-11.el4_6.11.2
net-snmp-5.1.2-11.el4_6.11.2
net-snmp-utils-5.1.2-11.EL4.10

Make sure the check_snmp works from command line as shown below.

# /usr/local/nagios/libexec/check_snmp -H 192.168.1.7 \

-P 2c -l Temperature -w :35,:40 -c :40,:45 \
-o .1.3.6.1.4.1.3076.2.1.2.22.1.29.0,.1.3.6.1.4.1.3076.2.1.2.22.1.33.0

Temperature OK - 35 38 | iso.3.6.1.4.1.3076.2.1.2.22.1.29.0=35
iso.3.6.1.4.1.3076.2.1.2.22.1.33.0=38

# /usr/local/nagios/libexec/check_snmp -H 192.168.1.7 \
-P 2c -l ActiveSessions -w :80,:40 -c :100,:50 \
-o 1.3.6.1.4.1.3076.2.1.2.17.1.7.0,1.3.6.1.4.1.3076.2.1.2.17.1.9.0

ActiveSessions CRITICAL - *110* 20 | iso.3.6.1.4.1.3076.2.1.2.17.1.7.0=110
iso.3.6.1.4.1.3076.2.1.2.17.1.9.0=20

In this example, following parameters are passed to the check_snmp:

  • -H, –hostname=ADDRESS Host name, IP Address, or unix socket (must be an absolute path)
  • -P, –protocol=[1|2c|3] SNMP protocol version
  • -l, –label=STRING Prefix label for output from plugin. i.e Temerature or ActiveSessions
  • -w, –warning=INTEGER_RANGE(s) Range(s) which will not result in a WARNING status
  • -c, –critical=INTEGER_RANGE(s) Range(s) which will not result in a CRITICAL status
  • -o, –oid=OID(s) Object identifier(s) or SNMP variables whose value you wish to query. Make sure to refer to the manual of your device to see all the supported and available oid’s for your equipment. If you have more than two oid’s, separate them with comma.

In the ActiveSessions example, two OID’s are getting monitored. i.e one for VPN LAN-2-LAN tunnels (iso.3.6.1.4.1.3076.2.1.2.17.1.7.0) and another for PPTP sessions (iso.3.6.1.4.1.3076.2.1.2.17.1.9.0). In the above example, VPN LAN-2-LAN active sessions has exceeded the critical limit of 100.

Object Identifier (OID) is arranged in a hierarchical Management Information Base (MIB) tree with roots and branches based on the internet standard.

6. Validate configuration and restart nagios

Verify the nagios configuration to make sure there are no warnings and errors.

# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg


Total Warnings: 0
Total Errors: 0
Things look okay - No serious problems were detected during the pre-flight check

Restart the nagios server to start monitoring the VPN device.

# /etc/rc.d/init.d/nagios stop

Stopping nagios: .done.

# /etc/rc.d/init.d/nagios start
Starting nagios: done.

Verify the status of the ActiveSessions and Temperature of the VPN device from the Nagios web UI (http://{nagios-server}/nagios) as shown below.

Nagios Web UI with Cisco VPN device
Fig - Nagios Web UI showing VPN Device Status

7. Troubleshooting

Issue: check_snmp works without any issues from Linux command line, but Nagios web UI displays following error:

Status Information:	SNMP problem - No data received from host

CMD: /usr/bin/snmpget -t 1 -r 5 -m '' -v 1 [authpriv] 192.168.1.7:161

Solution: Make sure the check_command definition for check_snmp plugin in the switch.cfg file is properly defined. The arguments to the check_snmp command should match the check_snmp definition in the /usr/local/nagios/etc/commands.cfg

check_command check_snmp!Temperature!.1.3.6.1.4.1.3076.2.1.2.22.1.29.0,.1.3.6.1.4.1.3076.2.1.2.22.1.33.0!37,:40!:40,:45

[Note: This is wrong, as it is passing 4 arguments to check_snmp command
The value after the exclamation is considered as one argument. !{argument1}!{argument2}]


check_command check_snmp!-l Temperature -o .1.3.6.1.4.1.3076.2.1.2.22.1.29.0,.1.3.6.1.4.1.3076.2.1.2.22.1.33.0 -w 37,:40 -c :40,:45
[Note: This is correct, as it is passing 1 argument to check_snmp command
The value after the exclamation is considered as one argument. !{argument1}]

In the check_snmp command definition shown below, there is only one $ARG1$ argument. So, in the switch.cfg, while defining the check_snmp, you need to pass only one argument as shown above.

# 'check_snmp' command definition

define command{
command_name check_snmp
command_line $USER1$/check_snmp -H $HOSTADDRESS$ $ARG1$
}

Tuesday, 18 November 2008

Use EL4 rpm in EL5 by using yum

Server

Initial setup

  • Install regular RHEL5
  • Install mrepo and createrepo packages for “el5”
  • If you do have access to a RHEL4 system:
    • Copy the contents from rhel4_system:/usr/share/rhn to rhel5_system:/usr/share/mrepo/rhn
  • If you do not have access to a RHEL4 system:
    • Fetch the up2date RPM package from CD 2 in the RHEL4 set
      • rhel4_system# mount -oloop RHEL4-U4-i386-ES-disc2.iso /mnt
      • rhel4_system# scp /mnt/RedHat/RPMS/up2date-4.4*rpm rhel5_system:/tmp
      • rhel5_system# rpm2cpio up2date-4.4*rpm | cpio -ivmud
      • rhel5_system# mkdir -p /usr/share/mrepo/rhn ; cp -r ./usr/share/rhn/* /usr/share/mrepo/rhn/
    • Alternatively, use the tarfile mentioned on the RPM-tools mailing list
  • You need to change the paths in /usr/bin/rhnget to point to the RHEL4 up2date. This can be done easily with the following command:
    sed -i s,/usr/share/rhn/,/usr/share/mrepo/rhn/,g /usr/bin/rhnget

Configuration

Create the file /etc/mrepo.conf.d/rhel5-server.conf and configure a repository for RHEL5 i386 and x86_64:

[rhel5-server]
name = Red Hat Server $release ($arch)
release = 5
arch = i386 x86_64
metadata = repomd yum repoview

### ISO images
iso = rhel-$release-server-$arch-disc?.iso

### Additional repositories
### Your mileage may vary, depending on your entitlements
### If you try any other channel than updates, you might also need to make sure you have the proper entitlements on RHN
updates = rhns:///rhel-$arch-server-$release
#fastrack = rhns:///rhel-$arch-server-fastrack-$release
#supplementary = rhns:///rhel-$arch-server-supplementary-$release
#virtualization = rhns:///rhel-$arch-server-vt-$release
#rhn-tools = rhns:///rhn-tools-rhel-$arch-server-$release

[Server] name= Server baseurl=http://192.168.100.209/dump/file enabled=1 gpgcheck=0

Usage

  • You need a systemid file to get access to RHN. You have three possibilities:
    • Enter your RHN username and password when running mrepo for the first time
    • or fetch a systemid file from a running server with has a RHN entitlement for the proper version and architecture and put it in /var/mrepo/rhel5-server-$arch/systemid
    • or use /usr/bin/gensystemid to create an entitlement and systemid file
  • Populate your repository with the command mrepo -uvvv (u is for update, vvv is for extra verbosity)
  • If you want to save some time downloading from RHN, and already have the ISOs for RHEL5, you can copy the contents of the CD /RedHat/RPMS/*.rpm to the /var/mrepo/rhel5-server-$arch/updates folder before running mrepo
  • When your repository has been populated, use mrepo -gvvv to generate the yum repository structure at /var/www/mrepo

Troubleshooting

CentOS 5

If you get an error like: rhnget: “Unknown error that needs more debugging occured with channel rhel-i386-server-5. Skipping.\n'up2date'”

Make sure /etc/sysconfig/rhn/sources is not empty and has an “up2date default” line as a minimum.

# CentOS NOTE: This file is deprecated and no longer used, all system management
# is now handled via yum, look at yum's configs to manage repositories etc
#
#

up2date default

# EOF

SElinux

You might have an issue with the web server not being able to show you the files in the yum repository. This is not due to a missing FollowSymlinks in your Apache config, but due to SElinux enforcements. Verify this with a peek at your Apache error log at /var/log/httpd/error.log. If it's trying to tell you that the symlinks doesn't exist, then try this:

chcon -Rh --reference /var/www/html /var/www/mrepo

This has been documented in /usr/share/doc/mrepo*/docs/selinux.txt.

RHEL 5.1

You may have the CentOS5 issue reported above, and may need to generate the up2date-uuid file.

  • Find unique uuid of your system:
        # uuidgen
    XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX

The file /etc/sysconfig/rhn/up2date-uuid should read:

uuid[comment]=Universally Unique ID for this server
rhnuuid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Client

Configuration

  • Modify /etc/yum/pluginconf.d/rhnplugin.conf and change enabled=1 to enabled=0.
  • Create the file /etc/yum.repos.d/mrepo.conf and configure RHEL to update through your new yum repository:
    [rhel-debuginfo]
    name=Red Hat Enterprise Linux $releasever - $basearch - Debug
    baseurl=http:///mrepo/rhel-$basearch-server-$releasever
    enabled=1
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-KEY-redhat-release

Usage

Yum update, yum install and other yum commands should work as you should be used to now.

Wednesday, 29 October 2008

How To Set Up A Cisco Lab On Linux (CentOS 5.2)

Background

I recently decided to study for the Cisco CCSP certification. My main concern in the beginning was the fact that most of the lab simulation software that I found out there could only run on Windows, this was a problem for me given the fact that I do not own a windows computer.

After a quick search I found the wonderful Dynamips project that goes beyond what other simulators do by running actual Cisco IOS images, as well as the PEMU project which allows for running of Cisco PIX images. To integrate the various pieces of software and provide an interface for interaction with the devices I used dynagen.

Prerequisites

You will need Linux command line skills as well as working knowledge of Cisco IOS/PIX. Please NOTE that you will have to provide your own Cisco IOS/PIX images, do not send me any messages requesting images.

Software Installation

These instructions are based on Centos 5.2 but can easily be adapted for use on other Linux systems. Given the fact that we are using an rpm based system we will install all our packages as rpm's instead of source given the advantages of package management. All the above mentioned projects (Apart from pemu) have source rpm's which can be obtained and compiled. I obtained and compiled the source rpm's which you can download from my site, you can how ever obtain the source rpm's and compile on your own should you want to. I built my own rpm for PEMU which you can download.

The above rpms are signed using my key so you will be able verify them.

wget http://www.topdog-software.com/oss/roundcube/andrew_topdog-software.com_key.txt
rpm --import andrew_topdog-software.com_key.txt

Now on to the installation.

Dynamips

This is the main component that provides the Cisco IOS emulator as well as PEMU wrapper

rpm -Uvh http://www.topdog-software.com/oss/dynamips/dynamips-0.2.8RC2-1.i386.rpm

Dynagen

This is the interface to the dynamips software, it provides a simplified ini type configuration, frame-relay, built in switch, bridge as well as a management CLI.

rpm -Uvh http://www.topdog-software.com/oss/dynagen/dynagen-0.11.0-1.noarch.rpm

PEMU

This is the Cisco PIX / ASA emulator which allows you to run the PIX images.

rpm -Uvh http://www.topdog-software.com/oss/pemu/pemu-0.0.1-20070420.i386.rpm

Sample Lab

For our sample lab I will set up a LAB from the SNPA module as this will enable us to see both IOS and PIX in action. But first let's start the services:

service dynamips start
service pemu start

Extract the images as they will boot faster.

unzip snrs.bin
cp C3640-JK.BIN /var/lib/pemu/images/snrs.bin
unzip asa722-k8.bin
cp target/f1/pix /var/lib/pemu/images/pix

For this lab we will use this dynagen ini file so create a file /tmp/snpa.net with the following content:

autostart = false
model = 3640
ghostios = true
sparsemem = true
[localhost]
workingdir = /var/lib/pemu
[[3640]]
image = /var/lib/pemu/images/snrs.bin
#idlepc = 0x60ba8df4
[[router inside]]
# This router will be on the "inside" of the firewall
# Connect this router's e0/0 interface to fw1's e1 interface
e0/0 = fw1 e1
[[router outside]]
# This router will be on the "outside" of the firewall
# Connect this router's e0/0 interface to fw1's e0 interface
e0/0 = fw1 e0
[[ethsw s1]]
1 = access 1
# Bridge the below interface to allow fw1's e2 interface access to real networks
# e.g. for using ASDM from a PC to manage the firewall, change the interface to
# reflect your system
2 = access 1 NIO_gen_eth:eth1
[pemu localhost]
[[525]]
#for pix 7 & 8
serial = 0x1234568
key = 0xffffffff,0xffffffff,0xffffffff,0xffffffff
image = /var/lib/pemu/images/pix
[[fw fw1]]
# Connect the firewall's e2 interface to the virtual switch, which will bridge it
# to the real network
e2 = s1 1

Now that we have everything in place let's connect to the dynagen console and interact with our lab environment.

dynagen /tmp/snpa.net

You will be presented with the following prompt:

Reading configuration file...
Network successfully loaded
Dynagen management console for Dynamips and Pemuwrapper 0.11.0
Copyright (c) 2005-2007 Greg Anuzelli, contributions Pavel Skovajsa
=>

Let's look at the options that are available on the dynagen console, type the familier ? command

=> ?
Documented commands (type help ):
========================================
capture confreg cpuinfo export hist list py save show suspend
clear console end filter idlepc no reload send start telnet
conf copy exit help import push resume shell stop ver
=>

Let's list the devices available in our lab environment using the list command:

=> list
Name Type State Server Console
inside 3640 stopped localhost:7200 2000
outside 3640 stopped localhost:7200 2001
fw1 525 stopped localhost:10525 4000
s1 ETHSW always on localhost:7200 n/a
=>

Let's start the devices:

=> start outside
100-VM 'outside' started
=> start inside
100-VM 'inside' started
=> start fw1
100-PEMU 'fw1' started
=>

To improve performance of our devices, we set the idlepc values for the various devices:

=> idlepc get inside
Please wait while gathering statistics...
1: 0x605a39c8 [61]
2: 0x605a3a40 [25]
3: 0x604fd014 [78]
4: 0x604fd044 [64]
5: 0x6048daa0 [80]
6: 0x604fe168 [75]
* 7: 0x604fe584 [59]
8: 0x604fe734 [46]
9: 0x604fe75c [49]
Potentially better idlepc values marked with "*"
Enter the number of the idlepc value to apply [1-9] or ENTER for no change: 7

Repeat the above for all the devices you want to set idlepc values for.

Other sample labs

You can find other sample labs in the /usr/share/doc/dynagen-0.11.0/sample_labs directory.

Console Access

Okay we are up and running, but I bet you are asking well and good but how do I console in and begin working with the device? Each of the devices you started will provide you with console access on a port, to see which device is on which port use the list command in the dynagen console.

So as we see the inside router can be consoled to on port 2000 so let's go ahead and check it out.

telnet localhost 2000

The first time you should be presented with the following screen:

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
Connected to Dynamips VM "inside" (ID 0, type c3600) - Console port

% Please answer 'yes' or 'no'.
Would you like to enter the initial configuration dialog? [yes/no]:

Next let's connect to the PIX console:

telnet localhost 4000

Press enter and you should be presented with the following screen:

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
pixfirewall>

GUI version

For those who prefer using a GUI to setup the labs, you can take a look at the GNS project, I have not used it personally as I prefer using the command line.

Acknowledgements

Thanks to the developers of these helpful projects; please consider making donations to these projects if you can.

Use Zebra to set up a Linux BGP/OSPF router

With GNU Zebra, your Linux box can act as a router supporting TCP/IP protocols such as RIPv1, RIPv2, RIPng, OSPFv2, OSPFv3, BGP-4, and BGP-4+. I’m going to show you how to install, configure, and use Zebra to turn a Linux box into an OSPF and BGP router.

zebralogo.jpg

Building an advanced router
If you have set up a Linux box as a firewall, you have already built a simple Linux router. However, we’re going to look at using Linux to build an advanced router that can communicate using dynamic routing protocols. These protocols allow routers to speak to each other and share information of paths through a network. This is incredibly important in large networks (such as the Internet), where static routing is impractical.

For example, even with route summarization (where only the largest possible block is advertised), a single Border Gateway Protocol (BGP) routing table still contains over 100,000 entries. The sheer number of entries, combined with the rate of change, makes static route assignment impossible. The need for dynamic routing protocols is obvious, even with networks smaller than the Internet, such as large corporate networks.

While BGP, an External Gateway Protocol (EGP), is the workhorse of the Internet, others are better suited for use on smaller internetworks. The Open Shortest Path First (OSPF) protocol is an Internal Gateway Protocol (IGP) and is one of the most widely used. GNU Zebra is an open source software package that allows you to run BGP and/or OSPF on Linux.

Installing Zebra
You can download the latest source version of Zebra from Zebra.org. Distribution-specific packages are also available from a number of sources, including Redhat and Debian. If you’re installing from source, you will find that the standard installation procedure is applicable. Simply extract the package and run:
./configure

make

make install

The configuration script will detect what IP stacks are installed on your system and automatically configure support for them. In today’s environment, this will most likely mean just IPv4, but IPv6 users will be pleased to know that Zebra will detect and support it as well.

Once you have installed the program, it may be necessary to add some lines to /etc/services. Zebra’s daemons operate on their own virtual terminal lines (VTYs), so your system needs to know what they are. Here are the lines you should add:
zebrasrv 2600/tcp # zebra service

zebra 2601/tcp # zebra vty

ripd 2602/tcp # RIPd vty

ripngd 2603/tcp # RIPngd vty

ospfd 2604/tcp # OSPFd vty

bgpd 2605/tcp # BGPd vty

ospf6d 2606/tcp # OSPF6d vty

Configuring Zebra
If you’re familiar with the Cisco IOS, you shouldn’t have any problems getting Zebra up and running in a short amount of time. Each of Zebra’s daemons uses a separate VTY to allow dynamic configuration through a Telnet session. So, if you need to configure OSPF, simply Telnet to port 2604 on the Linux box. To modify the kernel’s routing table or to configure redistribution between routing protocols, you should Telnet to port 2601. This is the Zebra daemon, which acts as a kernel manager handling communication between the other daemons and the system itself.

Let’s take a look at how we would get OSPF and BGP up and running on a test server. Zebra’s daemons use plain text files to store their configurations. For our OSPF/BGP router there will be three files used: zebra.conf, ospfd.conf, and bgpd.conf. The zebra.conf file, for instance, will look something like this:
! Zebra configuration saved from vty

! 2002/02/28 01:46:12

!

hostname LinuxRouter

password zebra

enable password z3bRa

log file /var/log/zebra/zebra.log

!

interface eth0

description Interface to External Network

ip address 10.0.0.1/24

!

interface eth1

description Interface to Internal Network

ip address 192.168.66.1/24

The exclamation points serve as comment markers or spacers. The rest of the configuration should be more or less self-explanatory. There are a number of different types of network interfaces (Ethernet, ISDN, etc.), and Zebra can use any that are recognized by the Linux kernel.

Subnet masking is done with network bits (e.g., /24) as opposed to the full mask, which in this case would be 255.255.255.0. Also note that there are two passwords, one for user mode and one for privileged mode. This is useful for providing access to nonadministrators, and it’s critical if you are creating a route server or looking glass. Any BGP admin will tell you that looking glasses are a key to troubleshooting routing issues, as they allow you to view routes as seen from an outside AS’s point of view. (AS stands for Autonomous System—basically, a group of devices under the same policy or administration.) BGP routing is done by AS numbers, which are registered numbers controlled by the American Registry for Internet Numbers (ARIN). For more on BGP, read “How to use BGP to achieve Internet redundancy.”

The next step is to start the necessary programs. You can do this with the following commands:
/usr/sbin/zebra –dk

/usr/sbin/ospfd –d

/usr/sbin/bgpd –d

In the first command, we start zebra, the daemon that will actually update the kernel’s routing table. The –dk tells the program to run as a daemon (the d), basically keeping it in the background. The k is an additional option that tells Zebra to keep any routes that are already configured on the box. This is useful if you are testing Zebra and do not want to wipe out your routing table accidentally. Normally, routes and interfaces are configured with a combination of the ifconfig and route commands. Zebra is a complete replacement for this form of route management.

Setting up OSPF
Now that the necessary services are running, Telnet to port 2604 on the local machine to begin the OSPF configuration. Enter privileged mode by typing enable (just as you would in the Cisco IOS) and then enter the privileged mode password. Next, configuration mode is accessed with the configuration terminal command. Zebra will also accept abbreviations in keeping with its similarity to Cisco. Also accepted are the list and ? entries, which provide a menu of possible commands and a short explanation.

You will also be pleased to see that tab completion is supported. This is a nice feature, especially if you are accustomed to using it. Next, we will need to tell the daemon what networks are going to be advertised via OSPF, along with the associated area. OSPF supports multiple areas to provide scalability. Enter the OSPF configuration by typing router ospf and then network 192.168.66.0/24 area 0. This tells the router that we are going to use OSPF to advertise the 192.168.66.0 network with a subnet mask of 255.255.255.0.

In this example, we are also going to make interface eth0 a passive interface so that routing updates will not be sent out of it. This is important for testing purposes when other routers in that direction may be listening. You can do this with the command passive-interface eth0. Once you have made your changes, exit out of configuration mode by typing end and then save it with the write file command. Here is a snapshot of what this will look like:
labrat:~# telnet 0 2604

Trying 0.0.0.0…

Connected to 0.

Escape character is ‘^]’.

Hello, this is zebra (version 0.84b)

Copyright 1996-2000 Kunihiro Ishiguro

User Access Verification

Password:

ospfd> enable

Password:

ospfd# configure terminal

ospfd(config)# router ospf

ospfd(config-router)# network 192.168.66.0/24 area 0

ospfd(config-router)# passive-interface eth0

ospfd(config-router)# end

ospfd# write file

Configuration saved to /etc/zebra/ospfd.conf

Remember that for OSPF or BGP to operate over an interface, that interface needs to be up. To manually bring up an interface, log in to port 2601 and execute a no shut command on the appropriate interface.

Setting up BGP
BGP is configured in much the same way as OSPF. To begin, open a Telnet session to port 2605. After executing configure terminal, enter BGP configuration mode by typing router bgp . As mentioned previously, BGP uses AS numbers to establish neighbor relationships and route traffic. In our test environment, we will be using a private AS number, which can range from 64512 to 65534. The networks to be advertised by BGP are then installed with the network command. There are no trailing area options in BGP, so our command would be network 192.168.66.0/24. Unlike OSPF, BGP neighbors need to be statically assigned. You do this as follows: neighbor remote-as . Here is an example of what this will look like:
labrat:~# telnet 0 2605

Trying 0.0.0.0…

Connected to 0.

Escape character is ‘^]’.

Hello, this is zebra (version 0.84b)

Copyright 1996-2000 Kunihiro Ishiguro

User Access Verification

Password:

bgpd> enable

Password:

bgpd# configure terminal

bgpd(config)# router bgp 65530

bgpd(config-router)# network 192.168.66.0/24

bgpd(config-router)# neighbor 10.0.0.5 remote-as 65531

bgpd(config-router)# end

bgpd# write file

Configuration saved to /etc/zebra/bgpd.conf

With both OSPF and BGP, there are a great number of options—enough to be outside the scope of this article. I recommend doing a little studying about each protocol prior to working with it in a production environment. The GNU Zebra documentation can also help in this regard.

Summary
Networking includes a variety of options for routing traffic. When it comes to routers, many hardware options are available, but they can be expensive—reason enough to look at turning a Linux system into a fully functional router. The Zebra suite of routing daemons makes this a possibility. With support for IPv4, IPv6, and a wide variety of protocols, Zebra can address all your routing needs. It also takes advantage of the experience and knowledge that many admins have already gained in working with Cisco IOS-based routers.

Friday, 24 October 2008

Emacs Help

Introduction

Emacs is perhaps world's most powerful text editor.you can do lot's of stuff using emacs in a very powerful way.I will just try to list out few tasks that you can accomplish with help of emacs:

  • Editing text files
  • Programming
  • Searching and replacing patterns in a text file
  • Checking mail
  • Reading news
  • Listening to Songs
  • Executing commands
  • Can also work as a file manager
Environment

When you start emacs(using command emacs &)..you can see a menu bar on the top of the emacs window,a tool bar just below the menu bar.And then most of the remaining space is occupied by the editing buffer(where actual editing is performed).You can see a scroll bar in the left side of window.

Another thing that you will observe that at the end of editing buffer there exists some sort of seperator..and below it exists another small area.

Well this area is very important..
Seperator is called ---> Modeline
Area below is called ---> Message Area
Commands typed by you will be echoed in the message area, as well as response from emacs and messages from emacs will be also shown there.

Commands Conventions

All of the emacs commands are basically in the form of some special key bindings.These key bindings may initially appear a bit daunting but are very convenient. Usually all of the emacs commands start with either with control or alt key.Rest of the printable characters are sent to the editing buffer and are not considered as command.

For Example:
To open a new file:
ctrl-x,ctrl-f
To undo changes:
ctrl-x,u
To browse through info pages:
alt-x-info
ctrl-x,ctrl-f:
Press x and f key respectively while ctrl key is pressed.br> ctrl-x,u:
Press x while ctrl key is pressed and now leave ctrl key(as well as x)and press u.br> alt-x-info:
press x while alt key is pressed and now leave alt(as well as x) and type info manually in the message area.br> -:
One impotant thing is all the hyphen's are used for illustration purpose only. They are not to be included in commands.

Commands

Here i will try to give all the essential commands with help of which you can easily work with emacs. One thing you should keep in mind is that you need not to remember all the commands. You can work with emacs very easily using a limited list of commands. The method to enter the command has been explained in the earlier section.

ctrl-x,ctrl-f:
To open a new/existing file.when you press this command you can see a message ">


ctrl-x,ctrl-s:
To write the file to disk(or in other words to save the file.)


ctrl-x,ctrl-c:
To quit emacs.If you have any running processes(let us say shell) or any unsaved buffer it will ask you either to save the changes or discard them and then quit emacs.

ctrl-a:
Go to the beginning of line.

ctrl-e:
Go to the end of line.

ctrl-p:
Go to previous line.

ctrl-n:
Go to next line.

ctrl-home:
Go to the beginning of buffer.

ctrl-end:
Go to the end of buffer.

ctrl-k:
Kill line. This command will kill one line starting from current cursor position.

ctrl-f:
Move one character forward.

ctrl-b:
Move one char backward.

ctrl-w:
To write the existing buffer with a different file name.

alt-d:
To delete one word to the right of cursor.

alt-f:
To move one word forward.

alt-b:
to move one word backward.

alt-a:
To move one sentence backward. But in this case cursor doesn't stop at the blank lines.

alt-e:
To move one sentence forward.

alt-x-shell:
To start shell from emacs.

ctrl-x,b:
To switch to buffer. This command ask the name of the buffer you want to switch.

ctrl-x,ctrl-b:
List all the existing buffers.

alt-x-man:
This command Will ask for what command you want to see manual pages. Thus a message related to it will appear in the message area.

alt-x-info:
To browse through info pages.

alt-x-w3m:
To check mail

alt-x-mpg123:
To start play mp3 songs from emacs. This packages doesn't come by default on the Red Hat releases, so you have to download a package called mpg123.el.

alt-x-TAB:
By pressing this command you can see the list of available commands in emacs.

alt-x-ispell:
To start spell checking from emacs.

ctrl-/:
To undo your last set of changes.

alt-x-set-background-color:
To change the background color of emacs buffer.

Now many of the commands has been described below and a description of how to bind keys with these commands is also given below.

Ispell

You can check spelling of a buffer using the command `alt-x-ispell-buffer`. You can use 'r' to enter a mis-spelled word for yourself.
'a': emacs will accept the word as correct for present session.
'A': emacs will accept the word as correct for all session.
spacebar: ignore the error.
ctrl-r: enter in to recursive editing.

Flyspell

Can be also used for spelling checking..thus in this mode the spelling of the word will be checked on the fly and highlighted if there is an error. So either you can edit the word yourself or else left click on the word and let emacs suggest options.

Completing The Text From Another Part of the Buffer

Let's say you are editing a text file and you are typing several words lot's of times then you can use this thing. We can use keystroke "alt-/" to auto complete a word that you have typed before.

Some Very Important Keystrokes for Moving Around

alt-e: to end of the paragraph.
alt-a: to the beginning of the paragraph.
alt-}: to move forward one paragraph
alt-{: backward one paragraph.
alt-<: go to the beginning of buffer alt->: go to the end of buffer

Customization of Emacs

Emacs can be very easily customized this is one of the reasons it is such a powerful editor.If you try command "alt-set-background-color" then you will find that you can change the background color of the current face. But the settings won't be saved thus next time you will start emacs your changes will be lost. Emacs reads a file called $HOME_DIR/.emacs(~/.emacs) on startup. By editing this file you can customize emacs very easily and your changes will saved. Here i am giving contents of my .emacs file. By looking at the comments itself you can guess what is the function of that line. Even of you don't, relax and simply use it for the time being. Just simply copy following lines and paste it to a file called .emacs(if something is already there in that file then you make sure it should be deleted).

Sample .emacs File

;; Set up the keyboard so the delete key on both the regular keyboard
;; and the keypad delete the character under the cursor and to the right
;; under X, instead of the default, backspace behavior.
(global-set-key [delete] 'delete-char)
(global-set-key [kp-delete] 'delete-char)

;; turn on font-lock mode
(global-font-lock-mode t)

;; enable visual feedback on selections
(setq-default transient-mark-mode t)

;; always end a file with a newline
(setq require-final-newline t)

;; stop at the end of the file, not just add lines
(setq next-line-add-newlines nil)

;;to display time
(display-time)

;;to set the cursor color
(set-cursor-color "red")

;;to set the font
(set-frame-font "-*-fixedsysttf-*-*-*-*-15-*-*-*-*-*-*-*")

;;to set foreground color to white
(set-foreground-color "white")

;;to set background color to black
(set-background-color "black")

;;to manage the geometric size of initial window.
(setq initial-frame-alist '((width . 87) (height . 42)))

;;set the keybinding so that you can use f4 for goto line
(global-set-key [f4] 'goto-line)
;;set the keybinding so that f3 will start the shell
(global-set-key [f3] 'shell)
;;set the keybinding so that f5 will start query replace
(global-set-key [f5] 'query-replace)
(global-set-key [f6] 'switch-to-buffer)
(global-set-key [f7] 'hippie-expand)
(global-set-key [f8] 'ispell)

(setq load-path (cons "/home/hemant/elisp" load-path))

(when window-system
;; enable wheelmouse support by default
(mwheel-install)
;; use extended compound-text coding for X clipboard
(set-selection-coding-system 'compound-text-with-extensions))
(autoload 'mpg123 "mpg123" "A Front-end to mpg123" t)



(custom-set-variables
;; custom-set-variables was added by Custom -- don't edit or cut/paste it!
;; Your init file should contain only one such instance.
'(auto-save-default nil)
'(backup-directory-alist (quote (("." . "/home/hemant/backup"))))
'(default-frame-alist (quote ((tool-bar-lines . 1) (menu-bar-lines . 1) (width . 87) (height . 42)))))
(custom-set-faces
;; custom-set-faces was added by Custom -- don't edit or cut/paste it!
;; Your init file should contain only one such instance.
'(font-lock-comment-face ((((class color) (background dark)) (:foreground "chocolate1" :slant italic :family "-*-lucida-medium-r-*-*-14-*-*-*-*-*-*-*"))))
'(fringe ((((class color) (background dark)) (:background "grey10" :width ultra-condensed))))
'(scroll-bar ((t (:background "Dark slate gray")))))
Miscellaneous Commands

Some keystrokes set by me:
f4: goto line //go to some line
f3: to start shell
f5: to start query replace
f6: switch to buffer //switch to different open buffer
f7: hippie expand //auto completion even from other buffer.
f8: to start spell check

Customizing key bindings in emacs:
Put following lines in to your .emacs file and those keystrokes will work for you as well.

(global-set-key [f4] 'goto-line)
(global-set-key [f3] 'shell)
(global-set-key [f5] 'query-replace)
(global-set-key [f6] 'switch-to-buffer)
(global-set-key [f7] 'hippie-expand)
(global-set-key [f8] 'ispell)

Commands Helpfull During Programming

1.to jump to newline automatically after termination of an statement:
ctrl-c,ctrl-a: enables addition of newline.

Notes

My .emacs file assumes you have fixedsys and lucida fonts installed.(though lucida comes with any standard installation of GNU/Linux..fixedsys won't be installed on your system.Also i have created a directory called ~/elisp where additional elisp packages are stored ,so you must have a directory of that name.Now if you don't have fixedsys and any packages that has to be stored in ~/elisp better remove those lines).Another important thing..by default emacs creates backup of files while editing and saves it in current directory with prefix ~.But i have customized emacs so that all the backup files will redirected to ~/backup directory.So you should also create a directory called ~/backup.

Setting Up .htaccess

htaccess can be used in co-ordination with the Apache web server to password protect certain files and directories on your web server.

This document assumes that you have Apache already set up and running correctly. If this is not the case please visit http://www.linuxhelp.ca/guides/apache/ for help with installing and configuring Apache.

For my own sanity I'm going to assume that you followed the Apache Setup Guide on our site and that you have apache installed at /usr/local/apache and your HTML documents are located in /usr/local/apache/htdocs. Now let's say you have a directory called admin in /usr/local/apache/htdocs and you would like to password protect it and give certain users access. The first thing you need to do is open up your httpd.conf file and find the section that looks similar to this:


Options FollowSymLinks
AllowOverride None

Once you've found the similar lines in your httpd.conf you can add the following section underneath it:


AllowOverride AuthConfig
Options Indexes FollowSymLinks Includes
Order allow,deny
Allow from all

Once you've added the new section, save the httpd.conf file and restart apache. You can normally do this by running killall -HUP httpd as root. Now that the admin directory is properly configured for htaccess you'll need to set up the .htaccess and .htpassword files.

Change into the directory you want to protect (for this guide we are using /usr/local/apache/htdocs/admin) and create a file called .htaccess. To do this you can run touch .htaccess in the directory. Now open up the file with a text editor (nano, pico, vi, joe etc) and enter in the following lines:

AuthUserFile /usr/local/apache/htdocs/admin/.htpasswd
AuthName "Authorization Required"
AuthType Basic
require valid-user

The AuthUserFile directive containts the path to the password file that users will be authenticated against.

AuthName is the message that will appear on the login prompt. The default is Authorization Required but you can change this to whatever you like.

AuthType selects the type of user authentication that will be used. You can leave this as Basic

require let's all the valid users in the .htpasswd file access the directory.

Once your .htaccess file is set up, save and exit the file. You must now create the .htpasswd file. To do this you can use the htpasswd program that comes Apache. If you followed the Apache Guide, htpasswd should be located in /usr/local/apache/bin. If not you can run updatedb as root and then type locate htpasswd to find it.

To create the initial .htpasswd file you must use the -c flag. As root run:

htpasswd -c /usr/local/apache/htdocs/admin/.htpasswd username

Don't forget to change the directory .htpasswd will be located in. The above is set up for securing /usr/local/apache/htdocs/admin. As well change username to whatever username you want to use to log in. It will then prompt you for a password. The next time you add a user you can drop the -c flag since it is only used for the inital creation of the file.

If you haven't already restarted your Apache web server now is the time to do so. Once that has been taken care of, open up a web browser and try to access http://www.yourdomain.com/admin/ and see if it prompts you for a password. If something goes wrong check the Apache error log file.

Thursday, 23 October 2008

Run remote commands on a Cisco router from your PC

Can you go to a Windows command prompt and run a command on your router? Usually, you would have to Telnet or SSH to the router first to run the command, right?

While this approach works, you can also run router commands without leaving the Windows command prompt, which can come in handy for scripting and automating router management. Let’s take a closer look.

What is remote shell (rsh)?

Remote shell (rsh) is a command-line program commonly found in UNIX and Linux systems. Using rsh, you can remotely execute command-line programs on a remote system. This could be another UNIX or Linux system, or it could be a Cisco router or switch. Rsh was part of the BSB UNIX operating system and included with rcp (remote copy) and rlogin (remote login).

While most Linux administrators are already familiar with rsh, some Windows administrators might not be. In fact, Windows XP and Windows Server 2003 both include rsh. Figure A shows a screenshot of using rsh at the command prompt.

Figure A

Figure A

However, when working with rsh, it’s important to remember that rsh is insecure — it does not encrypt the communications between the remote device and the system. You should always configure rsh as securely as possible on the router by locking down the IP address of the management machine and the username.

However, even when taking such precautions, rsh is still very insecure compared to SSH. It’s a good idea to use rsh only on a protected, secured, internal network. (By the way, if you’re allowing rsh through a firewall, it uses TCP port 514.)

How do I configure rsh on my router?

To be able to run a command on a Windows PC, have it go to the router, execute the command, and then return the output to you, all you need to do is enter two commands. Let’s walk through the process.

First, you need to enable the remote shell services on the router. The Cisco IOS calls the remote shell service ip rcmd. To enable this service, enter the following command when in Global Configuration Mode:

Router(config)# ip rcmd rsh-enable

Second, you need to configure the permissions for your workstation and your user to be able to perform these remote shell commands. Here’s an example of this command:

Router(config)# ip rcmd remote-host root 192.168.1.45 ddavis enable

Let’s take a closer look at this command. The ip rcmd remote-host part is required. Next, you enter the local username on this router of the user that the remote shell will log in under when it runs commands. In this case, we used the local user root.

Next, 192.168.1.45 is the IP address of the management workstation that we want to allow to execute these remote shell commands — in other words, the IP address of the PC. Next, you see my local Windows username: ddavis. In this case, that’s the name of the user logged into the Windows XP machine as well as the user who will be executing the rsh command in Windows. If I were running a batch job script that executed the Windows rsh command, I would need to enter the Windows username of the user that the batch job was running under.

Finally, the command contains the enable keyword. This allows the remote shell user access to enable the mode on the router. I could take this a step further and specify the level of access allowed (i.e., levels 1 through 15).

Keep in mind that these two commands assume you already have the router configured and you already have a local user called root. If you don’t have a root user, you can use the following command to do so:

Router(config)# username root privilege 15 password C1sCo!

How do I use rsh from my Windows workstation?

Once you’ve configured the above commands, you can easily run a remote shell command from the Windows command prompt. Figure B offers an example.

Figure B

Figure B

Here’s the actual command I used:

Z: rsh Router1 -l root sh ver

Here’s how the command works:

  • The hostname is the first thing specified (in this case, Router1).
  • Next, I used -l (i.e., the letter L) to specify the remote username that I will use to log in. (Keep in mind that I still have to be user ddavis on the local Windows PC for the security to work. Also, I have to come from the IP address that I’ve specified — in other words, this wouldn’t work from another workstation.)
  • Finally, specify the command. In this case, I ran the show version command (or sh ver).

What can I do with the rsh command?

In addition to using the show version command, you can also run the show running-configuration (sh run) command or any other privileged level command. Here are some more examples:

  • show ip interface brief
  • show ip route
  • show ip ospf neighbors
  • show ip bgp summary
  • show log

What you can’t do is run a Global Configuration Mode command, such as enabling an interface or configuring an IP address. This usually limits you to the show commands.

However, one very useful thing you could do is copy your current configuration to a TFTP server and do it inside a script initiated on the Windows server. For example, you would use the copy running-configuration tftp:/1.1.1.1 command.

What else can I do with remote commands?

If you check out the Cisco IOS documentation that covers remote commands, you’ll find that there are a number of options you can use with the remote shell commands. One of the latest features in the Cisco IOS is that you can authenticate incoming rsh and rcp commands using a Cisco IOS access control list.

One of the more interesting variations is that you can use remote copy (rcp). So, I could copy a file using the Windows rcp command from my PC to the router or from the router to the PC — without ever using TFTP or FTP. (You can enable rcp with the ip rcmd rcp-enable command.

Conclusion

The remote shell (rsh or rcmd) commands can be very useful for remotely administering your router. This is especially true if you want to create a Linux or Windows script that goes out to all routers on your network and performs some show command.

Wednesday, 22 October 2008

Installing a VPN with OpenVPN

Introduction

With OpenVPN, it is easy to set up a virtual private network between Windows clients using a dialup connection and a Linux server. The clients can do ftp and telnet securely and Windows clients can securely browse the intranet running Samba.

This document describes how to set up OpenVPN between a host computer running Linux and remote Windows clients. The Linux host acts as a secure gateway to the intranet, which consists of a number of Windows computers and Linux machines running Samba. Both ends of the link receive virtual IP addresses. OpenVPN is much easier to set up than OpenSWAN. The downside is that OpenVPN does not prevent unencrypted traffic from flowing along the connection. To block this, OpenVPN must be used with a firewall to throw away the unwanted packets.

As with OpenSwan, it's essential to watch the traffic with tcpdump at every step. If set up incorrectly, a VPN may allow your computers to communicate without actually encrypting a single byte. Remember, being able to ping from both sides does not necessarily mean your VPN is working!

What is a VPN

Here's the blurb I give to our end users:

A VPN (virtual private network) is client/server software that allows you to connect securely to a remote network from anywhere, including over a modem or a broadband connection. Our VPN will allow you to browse computers on the network as if you were at work. You can drag files from your computer at work to your home PC, send email through our server, and everything else you can do at work. This lets you do work at home at night, on weekends, and on holidays as if you were in the office 24 hours a day, working continuously!

Our VPN gateway is named "endive". Once you are connected to endive, you will have complete access to our internal network. However, all your communications will be encrypted so that hackers on your remote network can't read any of your information. Access to our network is controlled by a certificate, which is a special encryption code that is different for each user. No one else can access our VPN unless they have a valid certificate. If you lose your computer, or someone steals your certificate, please let me know and I will give you a new one.

Installation on server

  1. Install openssl, lzo, and pam if you don't have it already. If you're building your own RPM, you may also need openssl-devel, lzo-devel, and pam-devel.
  2. Configure openssl if desired by editing the file
    /usr/share/ssl/openssl.cnf  
  3. If necessary, install the lzo real-time data compression library (liblzo.a) from http://oberhumer.com/opensource/lzo/download/lzo-1.08.tar.gz
    ./configure
    
    make
    make check
    make test
    su
    make install
  4. Install OpenVPN on the linux server.
    tar -xzvf openvpn-2.0.2.tar.gz
    
    cd openvpn-2.0.2
    ./configure
    make
    su
    make install

Installation on client

Click on openvpn-2.0.2-install.exe and click "Next" to begin the installation. After installing, reboot the computer. OpenVPN will install itself in C:\Program Files\OpenVPN and create a directory there called "config". The Windows version of OpenVPN will only run on W2K or later. Normally, you must have administrator privileges to install or run OpenVPN (but there are ways around this).

Create Keys on Server

Generate keys for the server and for each client manually using SSL. Version 2 of OpenVPN includes some scripts that make this easier. If you use SuSE Linux Enterprise server, it is also possible to use PKCS #12 formatted key files created by YaST2 (see "pkcs12" directive in OpenVPN man page).

  1. Edit the vars file and replace KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL with local values. Then source the vars file and create a master certificate and key for the CA (certificate authority) on the server.
    cd easy-rsa
    
    vi vars
    . ./vars
    ./clean-all
    ./build-ca
    For "common name" enter the hostname of the server, e.g., "diphtheria".
  2. Create certificate and key for the server.
    ./build-key-server server
  3. Create keys for your clients
    ./build-key ensit
    
    ./build-key siraj
    If you want the keys to be password-protected, use ./build-key-pass instead. Make sure the common name is different for each client, otherwise clients will bump each other off. Hmmm ... on second thought....
  4. Generate Diffie-Hellman parameters
    ./build-dh 
  5. Copy the client key and certificate and the CA certificate to the client's computer, or give it to the client Computer By using winscp or Flopy or any other way.

for Windows XP.
  1. smb: \> cd "Program Files\OpenVPN\config"
    
    put ensit.key (the key)
    put ca.crt (the CA certificate)
    put ensit.crt (the certificate)
    exit
  2. Copy the keys to /etc/openvpn/keys
    su
    
    cd easy-rsa/keys
    mkdir /etc/openvpn/keys
    cp * /etc/openvpn/keys

Adjust Firewall and Server Access Rules

  1. Open ports 1194/UDP (the new, official OpenVPN port) and 5000/UDP (the old OpenVPN port) in your firewall for both directions.
  2. Temporarily modify the ``hosts allow'' line in the /etc/samba/smb.conf file on the VPN server with a line that allows the IP range specified by OpenVPN to connect.
      hosts allow = 10.1.0.0/255.255.255.0
    and restart smbd and nmbd. Notice that this address should be non-routable.
  3. Edit your /etc/hosts.allow file on the server to allow the 10.1.0.0/24 network to have access.
      ALL : LOCAL  10.1.0.    
  4. Make sure you can connect to the VPN port by typing
     telnet my-vpn-server 1194
    It should say "Connection refused", not "No route to host".

Configure the server

  1. Copy a sample-config-files/server.conf to ./server.conf. Note that default port is now 1194. Port 1194/UDP must be opened on the firewall in both directions.

    Set the virtual IP address range to a private range that is not currently used by your network. A private address is in the range
    10.0.0.0 - 10.255.255.255
    
    172.16.0.0 - 172.31.255.255
    192.168.0.0 - 192.168.255.255
    Also, IP addresses in the range of 169.254.0.0 -169.254.255.255 are reserved for Automatic Private IP Addressing, which is used by Windows. Since these addresses aren't part of your network, you will also have to set up NAT on the server. Use "dev tun" unless you are using bridging (but see below). More options are needed if the client has their own network that needs access.

    Here is an almost-minimal server.conf file:
    port 1194
    
    proto udp
    dev tun
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt # THIS IS THE LOCATION OF CERTIFICATE
    key /etc/openvpn/keys/server.key # This file should be kept secret
    dh /etc/openvpn/keys/dh1024.pem # THIS IS THE LOCATION OF CERTIFICATE
    client-to-client # To allow clients to see each other
    server 10.1.0.0 255.255.255.0 # Set to virtual network and subnet mask
    ifconfig-pool-persist ipp.txt
    keepalive 10 120
    cipher AES-128-CBC # AES
    comp-lzo
    persist-key
    persist-tun
    user nobody
    group nobody
    status openvpn-status.log
    verb 3
    When "server" is set to 10.1.0.0 255.255.255.0, the server will listen on that subnet and take 10.1.0.1 as its virtual IP address.
  2. Make sure tun/tap driver is configured.
    ls -l /dev/net/tun
    
    crw------- 1 root root 10, 200 Mar 23 2002 /dev/net/tun
    If not, activate CONFIG_TUN=y in your kernel configuration, recompile your kernel, and reboot into new kernel. It should create the device node automatically. If not, type
    mknod /dev/net/tun c 10 200
  3. Enable IPv4 IP forwarding on the Linux server:
    echo 1 > /proc/sys/net/ipv4/ip_forward    
    This needs to be done every time the computer reboots. If you are using modules, put modprobe tun in the startup script as well.

Configure the Windows client

In C:\Program Files\OpenVPN\, copy sample-config\client.ovpn to config\client.ovpn and edit it with Notepad to make it consistent with server.conf.

Here is an almost-minimal client.conf file for "bruce":

client

dev tun
proto udp
remote carbon 1194 # use real name or IP address of the server
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert bruce.crt
key bruce.key
cipher AES-128-CBC # AES
comp-lzo
verb 3
For other options, see the OpenVPN2.0-HOWTO.

For Windows XP, you may have to manually disable the firewall for the tap adapter.

Start server and test the connection

  1. Start server:
    su
    
    ./openvpn server.conf
  2. On Windows client, right click on client.ovpn. A console window will open and messages should appear on both computers indicating glorious success, or not.
    vpn screenshot

    vpn screenshot
    Client console window of OpenVPN in glorious success mode.

    Open a DOS box and ping the virtual IP address of the swerver
     ping 10.1.0.1
    If you later decide to remove the VPN, click on ``Add/remove hardware'' in the Control Panel and select ``Uninstall a device.'' If you do this, it is necessary to reinstall OpenVPN and reboot before it will work again. To stop the VPN, you can use the Task Mangler or press F4 in the OpenVPN console. Pressing F2 shows connection statistics.
  3. Test the connections in both directions by pinging to all four addresses:
       ping 10.1.0.1
    
    ping 10.1.0.3
    ping 192.168.100.1
    ping 192.168.100.4
    All pings should still work. This behavior is different from most other VPNs, such as OpenSwan.
  4. Click on "My Network Places" on the client and type \\10.1.0.1 in the address box. You should see a list of Samba shares.
    vpn screenshot
    Screen shot of the software actually working, sort of

  5. Start tcpdump -n on the server and observe the traffic when the client sends a ping or initiates a telnet or ftp session. Both telnet and ftp should still work.
    C:\vpn>ftp 10.1.0.1
    
    Connected to 10.1.0.1.
    ...
    All packets in both directions should be on port 1194/UDP. However, if the client uses the Windows browser, the server will also send some traffic on ports 137. The only way to stop this is by blocking it with a firewall. In most cases, it is sufficient to block the users using the "hosts allow" command in smb.conf, for example:
    hosts allow = 10.1.0.0/255.255.255.0
    which will prevent unauthenticated users from connecting. They should get a message like this:

    <span class=vpn screenshot">

  6. Check the routing table on the server
    Before starting OpenVPN:
    route
    
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.100.0 * 255.255.255.0 U 0 0 0 eth0
    After:
    route
    
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    10.1.0.2 * 255.255.255.255 UH 0 0 0 tun0
    192.168.100.0 * 255.255.255.0 U 0 0 0 eth0
    10.1.0.0 10.1.0.2 255.255.255.0 UG 0 0 0 tun0

PART 2 - Real World Setup

With this setup, we could also connect to 10.1.0.1 (the VPN server) over a commercial 64k dialup from our ISP. However, tcpdump showed that Windows browsing packets were going around the VPN (i.e., not through port 1194) and were being dropped by the server. To fix this, all that was necessary was to make some minor configuration changes and activate NAT on the VPN server. Now we could get to the Samba servers in the intranet behind VPN server and browse their shares by typing something like "\\diphtheria" in Explorer on the Windows PC named Cholera.

Road Warrior (Cholera) <-> Telephone <-> ISP <-> Internet <-> Router <-> VPN Server <-> Intranet <-> Windows PC (Diphtheria)
Running tracert on the Windows client tells you what's happening. In our real-world case, we have:
tracert 10.1.0.1  = 1 hop 1179 ms directly to the VPN server [10.1.0.1]

tracert 63.127.146.199 = 10 hops through various servers.
Packets sent to your intranet are taking the wrong path. The fix involves a lot of pushing and shoving. You also need to activate a NAT proxy service on the VPN gateway.

Changes on server:

  1. Install iptables(www.iptables.org) if necessary.
  2. In most Linux distributions, kernel iptables support is already enabled. If not, see "problems" below. Otherwise, on the gateway, enter the following commands:
          iptables -F
    
    iptables -F -t nat (gets rid of previous iptables entries)
    iptables -X

    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 63.127.146.199
    iptables -A FORWARD -j ACCEPT
    iptables -L -t nat (list all rules)
    Alternatively, just forward packets on the TUN interface as the manual recommends (I did not try this):
          iptables -A INPUT -p udp --dport 1194 -j ACCEPT
    
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A INPUT -i tap+ -j ACCEPT
    iptables -A FORWARD -i tap+ -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
    The goal is to perform NAT proxying on the packets before they are sent out the eth0 interface. In this example, 65.198.102.199 is the static IP address of the VPN server. All packets coming in from the road warrior have their IP address rewritten before they leave the server so that their source address is that of the server.

    SNAT is used instead of MASQUERADE because the VPN gateway has a static IP address.
  3. Enable IPv4 IP forwarding on the Linux server:
    echo 1 > /proc/sys/net/ipv4/ip_forward    
  4. This should be put in /etc/rc.d/boot.local (or wherever) along with the iptables commands described earlier so they are automatically issued after a reboot.
  5. Add the following lines to server.conf on the server:
    # Advertise name server - change this number to your DNS server
    
    push "dhcp-option DNS 11.111.111.66"
    # Advertise WINS server - change this number to your WINS server
    push "dhcp-option WINS 11.111.111.196"
    push "redirect-gateway"
  6. Change from "tun" to "tap" in server.conf. With tun, the Windows browser packets try to bypass the VPN, using port 137. The server then rightfully rejects them (if they even reach the server). Because of stuff like this, it's critical to test the VPN with tcpdump to make sure it's actually encrypting all your packets. With the tap interface, browsing packets are sent through port 1194. There is no need to actually set up bridging on the server if you use NAT to rewrite the packets.

Changes on Windows client:

  1. Change from "tun" to "tap" in client.ovpn file.
  2. Right-click on the Local Area Connection icon for the TUN/TAP adapter and change the properties to "Enable NetBIOS over TCP/IP".

Results

For the skeptical, here is a screen dump of our intranet Samba server as seen from a Windows 2000 computer using OpenVPN. The Windows computer is connected over a dialup and has a dynamically-assigned IP address.
vpn screenshot

My work here is done.

Configuration files

Server configuration file (server.conf):

port 1194

proto udp
dev tap
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.1.0.0 255.255.255.0
push "redirect-gateway"
client-to-client
keepalive 10 120
cipher AES-128-CBC # AES
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 6
push "dhcp-option DNS 11.111.111.11" # add your own DNS server here
push "dhcp-option WINS 11.111.111.12" # add your own WINS server here

Windows client configuration file (client.ovpn):
client

dev tap
proto udp
remote 11.111.111.12 1194 # add real IP of your own openvpn server here
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert cholera.crt
key cholera.key
cipher AES-128-CBC
comp-lzo
verb 3

Problems

  • TLS errors
    TLS Error: TLS key negotiation failed to occur within 60 seconds.
    
    TLS Error: TLS handshake failed
    This could mean your packets are being blocked by a firewall, your certificates on both ends don't match, or the IPs or subnet masks are wrong in your config files. A common problem is that users forget that Windows XP now comes with its own firewall enabled by default. Check to make sure Norton Security or some other security program is not running on the Windows client. It may be necessary to log out of Windows and login again before the changes take effect.
  • If your kernel does not support iptables, recompile and install a kernel on the gateway to include the following:
          CONFIG_PACKET
    
    CONFIG_NETFILTER
    CONFIG_IP_NF_CONNTRACK
    CONFIG_IP_NF_FTP
    CONFIG_IP_NF_IPTABLES
    CONFIG_IP_NF_IRC
    CONFIG_IP_NF_MATCH_LIMIT
    CONFIG_IP_NF_MATCH_MAC
    CONFIG_IP_NF_MATCH_MARK
    CONFIG_IP_NF_MATCH_MULTIPORT
    CONFIG_IP_NF_MATCH_TOS
    CONFIG_IP_NF_MATCH_TCPMSS
    CONFIG_IP_NF_MATCH_STATE
    CONFIG_IP_NF_MATCH_UNCLEAN
    CONFIG_IP_NF_MATCH_OWNER
    CONFIG_IP_NF_FILTER
    CONFIG_IP_NF_TARGET_REJECT
    CONFIG_IP_NF_TARGET_MIRROR
    CONFIG_IP_NF_NAT
    CONFIG_IP_NF_TARGET_MASQUERADE
    CONFIG_IP_NF_TARGET_REDIRECT
    CONFIG_IP_NF_TARGET_LOG
    CONFIG_IP_NF_TARGET_TCPMSS
    CONFIG_IP_NF_COMPAT_IPCHAINS
    CONFIG_IP_NF_COMPAT_IPFWADM


I get 1 error when i am configuring it.


Error ::


Certificate is to be
certified until Jun 3
16:09:50 2017 GMT (3650 days)

Sign the certificate? [y/n]:y

failed to update database
TXT_DB error number 2


Solution ::


The commonName for Certificate authority
and client certificate must not be the same.