Saturday 4 May 2013

Cisco Client VPN Configuration


This was set up on an 857W running IOS 12.4-15-T12
There is already a Site to Site VPN configured, so this will be set up as priority 2.
LAN : 192.168.0.0/24
VPN : 172.16.0.0/24

Phase 1 policy parameters (3DES and DH group 2 were the choices at the time; current guidance is AES and a stronger DH group)
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2


VPN client address pool
crypto isakmp client configuration address-pool local poolname
ip local pool poolname 172.16.0.1 172.16.0.254


VPN client group
crypto isakmp client configuration group groupname
 key psk
 pool poolname
 acl aclname
crypto isakmp keepalive 300
crypto isakmp xauth timeout 60


Phase 2 policy parameters
crypto ipsec transform-set transform-2 esp-3des esp-sha-hmac
crypto dynamic-map mapname 2
 set transform-set transform-2
 reverse-route


Crypto map (userlist and groupname must also exist as an AAA login authentication list and an AAA network authorization list respectively; that AAA configuration is not shown here)
crypto map mapname client authentication list userlist
crypto map mapname isakmp authorization list groupname
crypto map mapname client configuration address respond
crypto map mapname 2 ipsec-isakmp dynamic mapname
interface external
 crypto map mapname


Define the phase 2 proxy ID
ip access-list extended aclname
 permit ip 172.16.0.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any


Exclude the client VPN range from the NAT rule
ip nat inside source list 101 interface external overload
access-list 101 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any


Cisco Site to Site VPN Configuration


This was set up on an 857W running IOS 12.4-15-T12
There is also a client VPN configured on this router.
Local subnet : 192.168.0.0/24
Remote subnet : 10.10.0.0/16
Peer IP : 5.5.8.8

Phase 1 parameters
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2


Pre Shared Key
crypto isakmp key psk address 5.5.8.8 no-xauth

Transform set
crypto ipsec transform-set transform-1 esp-aes esp-sha-hmac

Crypto map
crypto map mapname 1 ipsec-isakmp
 set peer 5.5.8.8
 set transform-set transform-1
 match address aclname


Interesting traffic
ip access-list extended aclname
 permit ip 192.168.0.0 0.0.0.255 10.10.0.0 0.0.255.255


Remove from NAT rule
access-list 101 deny ip 192.168.0.0 0.0.0.255 10.10.0.0 0.0.255.255
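Both NAT exemptions on this page (the client-pool deny in the first post and this site-to-site deny) depend on IOS evaluating ACL 101 top to bottom, first match wins, with the catch-all permit last. The following Python is an added checker, not code from the original post or from Cisco: it parses the numbered ACL form used above, rejects a non-contiguous wildcard mask (the kind of slip that silently matches the wrong hosts), and reports which flows would be translated. The ACL text and the sample flows are constructed for the example.

```python
import ipaddress

# Constructed copy of this page's NAT ACL, with the deny entries from both posts
# (client VPN pool 172.16.0.0/24, site-to-site subnet 10.10.0.0/16). IOS ACLs
# are first-match, so both denies must sit above the catch-all permit.
NAT_ACL = """
access-list 101 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
"""

def wildcard_ok(wildcard):
    """A Cisco wildcard should be a contiguous run of low 1-bits (2**n - 1)."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (w & (w + 1)) == 0

def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' into ((base, mask), next)."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    if not wildcard_ok(tokens[i + 1]):
        raise ValueError(f"non-contiguous wildcard {tokens[i + 1]} (typo?)")
    mask = ~int(ipaddress.IPv4Address(tokens[i + 1])) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(tokens[i])) & mask, mask), i + 2

def parse_acl(text):
    """Return [(action, src, dst)] for the numbered 'access-list N {permit|deny} ip' form."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append((t[2], src, dst))
    return entries

def _hits(addr, base_mask):
    base, mask = base_mask
    return (int(ipaddress.IPv4Address(addr)) & mask) == base

def is_natted(entries, src, dst):
    """True if the flow matches a permit (translated); a deny exempts it from NAT."""
    for action, s, d in entries:
        if _hits(src, s) and _hits(dst, d):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL
```

Call `is_natted(parse_acl(NAT_ACL), "192.168.0.5", "172.16.0.10")` to confirm a LAN-to-VPN-client flow stays untranslated while the same host reaching the Internet is overloaded onto the external interface.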

Inbound ACL (applied outbound on the internal interface, so it filters what the remote site may reach on the LAN)
interface bridge to internal network
 ip access-group aclname2 out
ip access-list extended aclname2
 permit udp host 10.10.4.8 192.168.0.0 0.0.0.255
 deny ip 10.10.5.0 0.0.0.255 any
 permit ip any any


Squeezelite on Fedora

I've found squeezelite to be superior to SqueezeSlave, specifically for player synchronisation.
The install is as simple as downloading the (i386) binary from here.

Because I prefer to run this as a service, and because I found no example startup scripts online, I wrote my own.  I'm no expert at this sort of thing, so it may well not work on your machine, but it should be just a case of a few small tweaks.


#!/bin/sh

### BEGIN INIT INFO
# Provides:          squeezelite
# Required-Start:    $syslog
# Required-Stop:     $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Script to start squeezelite
# Description:       Service script for squeezelite, command line squeezebox player
### END INIT INFO

# Fedora/RHEL init helpers: daemon, killproc, status
. /etc/init.d/functions

USER=j.doe                              # The user logged in to Gnome, required to use Pulse
NAME=Squeezelite                        # Name of the player
LMS=127.0.0.1                           # IP of the media server
LOG=/var/log/squeezelite.log            # Log file
LOCKFILE="/var/lock/subsys/squeezelite"
RETVAL=0

start() {
        echo -n $"Starting Squeezelite daemon: "
        # -z makes squeezelite fork into the background itself, so no trailing '&':
        # backgrounding daemon() would leave $? at 0 regardless of the real result
        daemon --user "$USER" squeezelite-i386 -z -f "$LOG" -n "$NAME" "$LMS"
        RETVAL=$?
        echo
        # Only record the lock when the start actually succeeded
        [ $RETVAL -eq 0 ] && touch "$LOCKFILE"
        return $RETVAL
}

stop() {
        echo -n $"Stopping Squeezelite daemon: "
        killproc squeezelite-i386
        RETVAL=$?                       # capture killproc's status before echo overwrites $?
        echo
        rm -f "$LOCKFILE"
        return $RETVAL
}

restart() {
        stop
        sleep 5
        start
}

case "$1" in
        start)
                start
                ;;
        stop)
                stop
                ;;
        restart)
                restart
                ;;
        status)
                status squeezelite-i386 # same process name that daemon/killproc use
                RETVAL=$?
                ;;
        condrestart)
                [ -e "$LOCKFILE" ] && restart
                ;;
        *)
                echo $"Usage: $0 {start|stop|status|restart|condrestart}"
                RETVAL=1
                ;;
esac

exit $RETVAL