Amazon VPC + ipsec + racoon + quagga

This scenario has been successfully tested and works on the following configuration:

Debian 6 with one Ethernet card with a public IP (no NAT), Amazon VPC network 10.0.0.0/16 with two subnets (10.0.0.0/24 public and 10.0.1.0/24 private), ipsec-tools 1:0.8.0-9, racoon 1:0.8.0-9, quagga 0.99.20-3

The VPC components on the Amazon side can be created by following Scenario 3 (http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/VPC_Scenario3.html), and the configuration can be obtained from the AWS Management Console (right-click the VPN configuration -> download). You also need to set up security groups for SSH, which is explained in Scenario 3 as well.

Example configuration files follow (change the parameters to your own; in this example the public IP is 1.1.1.1 and the Virtual Private Gateways are 2.2.2.2 and 3.3.3.3, so change them and the other parameters accordingly):

Tunnel 1:

Pre-Shared Key: AAAA

Outside IP Addresses:
- Customer Gateway: 1.1.1.1
- Virtual Private Gateway: 2.2.2.2

Inside IP Addresses:
- Customer Gateway: 169.254.248.10/30
- Virtual Private Gateway: 169.254.248.9/30

- Customer Gateway ASN: 65000
- Virtual Private Gateway ASN: 7224
- Neighbor IP Address: 169.254.248.9

Tunnel 2:

Pre-Shared Key: BBBB

Outside IP Addresses:
- Customer Gateway: 1.1.1.1
- Virtual Private Gateway: 3.3.3.3

Inside IP Addresses:
- Customer Gateway: 169.254.248.14/30
- Virtual Private Gateway: 169.254.248.13/30

- Customer Gateway ASN: 65000
- Virtual Private Gateway ASN: 7224
- Neighbor IP Address: 169.254.248.13

On the Debian server, install the following packages (as root):

$ apt-get install ipsec-tools racoon quagga

After installing the packages, set up the following configuration files:

/etc/racoon/psk.txt:

(change the secret keys to your own)

2.2.2.2   AAAA
3.3.3.3   BBBB

/etc/racoon/racoon.conf:

(change the addresses as needed):

remote 2.2.2.2 {
    exchange_mode main;
    lifetime time 28800 seconds;
    proposal {
        encryption_algorithm aes128;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
    generate_policy off;
}

remote 3.3.3.3 {
    exchange_mode main;
    lifetime time 28800 seconds;
    proposal {
        encryption_algorithm aes128;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
    generate_policy off;
}

sainfo address 169.254.248.10/30 any address 169.254.248.9/30 any {
    pfs_group 2;
    lifetime time 3600 seconds;
    encryption_algorithm aes128;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 169.254.248.14/30 any address 169.254.248.13/30 any {
    pfs_group 2;
    lifetime time 3600 seconds;
    encryption_algorithm aes128;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

/etc/ipsec-tools.conf:

(change the addresses as needed):

flush;
spdflush;

spdadd 169.254.248.10/30 169.254.248.9/30 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 169.254.248.9/30 169.254.248.10/30 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;

spdadd 169.254.248.14/30 169.254.248.13/30 any -P out ipsec esp/tunnel/1.1.1.1-3.3.3.3/require;
spdadd 169.254.248.13/30 169.254.248.14/30 any -P in ipsec esp/tunnel/3.3.3.3-1.1.1.1/require;

spdadd 169.254.248.10/30 10.0.0.0/16 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 10.0.0.0/16 169.254.248.10/30 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;

spdadd 169.254.248.14/30 10.0.0.0/16 any -P out ipsec esp/tunnel/1.1.1.1-3.3.3.3/require;
spdadd 10.0.0.0/16 169.254.248.14/30 any -P in ipsec esp/tunnel/3.3.3.3-1.1.1.1/require;
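The eight spdadd lines above follow one pattern per tunnel: the /30 link itself in both directions (this is what the BGP session rides on) and link address to VPC in both directions, each tunnelled between the same outside addresses. The following script is an added example, not part of the original post, that generates those policies from the tunnel parameters instead of hand-typing them, and first checks that the two inside addresses really are the two hosts of one /30 (a mismatched pair is the easiest typo to make here and leaves the tunnel up but the BGP session down). The addresses are the post's placeholders (1.1.1.1, 2.2.2.2, 3.3.3.3, 169.254.248.x, 10.0.0.0/16); the function names are my own.

```shell
#!/bin/sh
# Added example (not the original post's code): derive the setkey SPD policies
# for both AWS tunnels from the downloaded tunnel parameters.
# Addresses are the post's placeholders; substitute your own.

# same_link A/30 B/30: succeed only when A and B are the two usable host
# addresses of one /30, i.e. a valid inside-address pair for a tunnel.
same_link() {
    a=${1%/30}; b=${2%/30}
    [ "${a%.*}" = "${b%.*}" ] || return 1        # first three octets equal
    la=${a##*.}; lb=${b##*.}
    [ $((la / 4)) -eq $((lb / 4)) ] || return 1  # same /30 block
    [ "$la" -ne "$lb" ] || return 1              # two distinct addresses
    for o in "$la" "$lb"; do                     # .0 and .3 of a /30 are network/broadcast
        case $((o % 4)) in 0|3) return 1 ;; esac
    done
    return 0
}

# gen_spd CGW_OUTSIDE VGW_OUTSIDE CGW_INSIDE/30 VGW_INSIDE/30 VPC_CIDR
# Prints the four policies one tunnel needs: the /30 link in both directions,
# and inside address <-> VPC in both directions, all via ESP tunnel mode.
gen_spd() {
    cgw_out=$1; vgw_out=$2; cgw_in=$3; vgw_in=$4; vpc=$5
    same_link "$cgw_in" "$vgw_in" || {
        echo "inside addresses $cgw_in / $vgw_in are not one /30" >&2
        return 1
    }
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$cgw_in" "$vgw_in" "$cgw_out" "$vgw_out"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n'  "$vgw_in" "$cgw_in" "$vgw_out" "$cgw_out"
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$cgw_in" "$vpc"    "$cgw_out" "$vgw_out"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n'  "$vpc"    "$cgw_in" "$vgw_out" "$cgw_out"
}

# gen_ipsec_tools_conf: a complete /etc/ipsec-tools.conf for both tunnels,
# using the post's example values.
gen_ipsec_tools_conf() {
    printf 'flush;\nspdflush;\n'
    gen_spd 1.1.1.1 2.2.2.2 169.254.248.10/30 169.254.248.9/30  10.0.0.0/16 || return 1
    gen_spd 1.1.1.1 3.3.3.3 169.254.248.14/30 169.254.248.13/30 10.0.0.0/16 || return 1
}

gen_ipsec_tools_conf
```

Run it and redirect the output to /etc/ipsec-tools.conf, then load it with setkey as the post does below; the inside-address check runs on every call, so a wrong pair aborts before anything is written.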

/etc/quagga/bgpd.conf:

(here you can choose your own password, and change the addresses as needed)

hostname ec2-vpn
password passWord
enable password passWord
!
log file /var/log/quagga/bgpd
!debug bgp events
!debug bgp zebra
debug bgp updates
!
router bgp 65000
bgp router-id 1.1.1.1
network 169.254.248.10/30
network 169.254.248.14/30
network 0.0.0.0/0
!
! aws tunnel #1 neighbour
neighbor 169.254.248.9 remote-as 7224
!
! aws tunnel #2 neighbour
neighbor 169.254.248.13 remote-as 7224
!
line vty

/etc/quagga/zebra.conf:

(put the password you have chosen in bgpd.conf):

hostname ec2-vpn
password passWord
enable password passWord
!
! list interfaces
interface eth0
interface lo
!
line vty

/etc/quagga/daemons:

zebra=yes
bgpd=yes

After setting up the configuration files, the file permissions and ownership need to be fixed:

$ chmod 640 /etc/quagga/bgpd.conf
$ chmod 640 /etc/quagga/zebra.conf
$ chmod 640 /etc/quagga/debian.conf
$ chown quagga.quaggavty /etc/quagga/*.conf

The inside IP addresses also need to be configured on the interface:

$ ip a a 169.254.248.10/30 dev eth0
$ ip a a 169.254.248.14/30 dev eth0

Starting services and checking:

(the following is useful for racoon debugging):

$ racoon -d -v -F -f /etc/racoon/racoon.conf

or via the init scripts:

$ /etc/init.d/racoon start
$ /etc/init.d/setkey start
$ /etc/init.d/quagga start

Checking BGP and logs:

$ ip address
$ nc localhost 2605
  (enter the vty password from bgpd.conf, then at the bgpd prompt type:)
  show ip bgp
$ tail -f /var/log/syslog
$ route -v
$ ip route

Basically, after this setup you should be able to log in via SSH to your VPC instances that are in the private subnet and whose routing tables point towards the Virtual Private Gateway.

Posted in Linux, amazon-aws, cisco

Radio Television Facebook

The year 2019, 19:30, a man lies slumped in an armchair watching the Television Facebook evening news:

Today's top stories on the TFB news: Your neighbour Milan in your building, flat number 45, went out early this morning at 7:05:46 to buy bread and yogurt, and then immediately returned to his personal Wall to post pictures of the fresh yogurt. Buy the newest model of the I-Fod mobile today, on which you will have all information the very same moment! Your sister Kristina bought the newest model of the I-Fod mobile phone at exactly 11:00:00, with which she instantly recorded the saleswoman walking to the till and putting the money in. Your best friend Lela has posted a new photo album, her one thousand eight hundred and fiftieth, in which she shows off successful colour combinations on the carpet in her living room. Try the newest breadsticks with 0% salt! Your F-acquaintance Miloš from university wrote the following on your wall: "hi, have you heard the latest news, that Pera posted pictures on his Wall for the five hundred and fifty-eighth album of his dog Bobi". Your son Momir posted pictures today on his personal Wall (to which you have no access because of the FB privacy licence) showing a scene of them mocking the teacher in class. Try the newest Nuka-Cola with 0% sugar! Your F-friend Miroslav says he likes the picture of his pet cat Relja. Your F-cousin Slavko likes the Radnički supporters' group for the two thousand five hundredth time. Your colleague Sonja posted a new video link showing her pet parrot Ara hopping around its cage. Your long-time F-friend Petar says he likes pictures of trees. Buy the newest F-sneakers!

Your profile today: today you liked 67 photos, wrote 4 posts, left your flat 0 times this morning, talked to 0 people in person, met up with 0 people, had a beer with 0 people, had lunch with 0 people.

Posted in Priče

Dublin street musicians

One of the first things you notice on the streets of Dublin are the street musicians. They are on every corner, playing all kinds of music: traditional Irish, rock 'n' roll, ballads, blues ... Everyone who plays on the street offers their music on CD for 10 euros, so you can find some really interesting stuff from local bands, who even hold their premieres on the streets. Sometimes it starts to rain, so they have to be prepared for those scenarios too.

The quality of the music they play is mostly very high; rarely does anyone play out of tune.

For example:

Here we see a very interesting instrument:

Besides the standard musicians, you can also find various social groups, such as this Hare Krishna group (interestingly, they played one and the same piece for 2-3 hours):

Posted in Dublin

Don't fall for the spam from Nasser Hussein

I recently received an interesting piece of spam from Gmail. Namely, I have a (real) ad for the sale of a property on the site mojkvadrat.rs, and I received an e-mail that "looked" as if someone had actually viewed the ad (because the e-mail was linked to the ad number):

Hello
How are you today? I am interested in your advert Property. Please is it still on sale? I like it. What is your last price? Email me I am waiting to hear from you for payment.
Regards
property viewing – 49203

Partly as a test, and partly because I wanted to see what it was about, I replied to the mail and received the following one, in which said person will ask you for more:

Hello My Dear,
Thanks for your response to my request
It seems to me that you are a very sincere person and I want to use this medium to inform you that I will buy your property at your last given price,
I must buy. I have option at your good price. Please kindly remove the photo from the site after the business proposal I will make use of it when I come visiting you. And you will make a very GOOD PROFIT.   ….
I wait for your contact details so we can go on. I will give to you 30% of the sum and 70% is for me. I hope I am been fair on this deal, Get back to me with your full information:
YOUR FULL NAME……………………………….
YOUR FULL ADDRESS………………..
YOUR DIRECT TELEPHONE NUMBER……..
SEX ….. / AGE………….
Occupation…………………………
Regards,
Capt.Nasser Hussein
Iraq Military Base,
BAGHDAD.

Looking at the mail headers, you can see that the mail comes directly from Gmail:

Received: by fxh10 with SMTP id 10so2322037fxh.37
for ; Wed, 21 Sep 2011 14:36:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=mime-version:date:message-id:subject:from:to:content-type;
bh=1zr+m9NEG8zcAYRTYhfJnYkzlOupGtmTaJwGtUX0oFg=;
b=MolqrtZ8FQHip4l6TylPdKHw3+OEUw0VfN58UZ5JeDAWKbJ3jB/U97d5ZrKgqgkd31
i5UGv8x7JB1Z4m7yq4WiWW3+huAvilobB+3/OHiw59yVVkf4dmwNDFeNpUg9Q8349Q+u
aSQicMj1Md7vHX2PqjTPta6aklku9hqofwbQw=
MIME-Version: 1.0
Received: by 10.223.75.24 with SMTP id w24mr1687716faj.132.1316641018238; Wed,
21 Sep 2011 14:36:58 -0700 (PDT)
Received: by 10.223.70.134 with HTTP; Wed, 21 Sep 2011 14:36:58 -0700 (PDT)
Date: Wed, 21 Sep 2011 14:36:58 -0700
Message-ID:
Subject: HI
From: Nasser Hussein
To: igord@bra.in.rs
Content-Type: multipart/alternative; boundary=0015174c165030569f04ad7a6042

So, a classic scam: you will be asked to send your details, which will certainly be misused later. As far as I can see, there are recorded cases of the same thing on the Internet, for example here

Posted in Vesti

Dublin photos

Posted in Fotke

Dublin Liffey – the River Liffey in Dublin

Posted in Video

Dublin Temple bar walk

Posted in Video

Dublin Spire – the Dublin spire

Posted in Video

NERDTree vim plugin

A very useful thing if you want to extend your usage of VIM (which is, in my opinion, the best editor in the world).

Basically it is a plugin for vim: after you run vim, just type ":NERDTree" and see the magic. It opens a tree with all the files and directories from the location where you ran it.

After that, move the cursor to a file and press Enter, and that file will be opened in the right-hand tab.

Select some code by entering visual mode ("ctrl+v"), copy it by typing "y", and then type ":q!" (you will leave that file).

Now open another file by moving the cursor to it and pressing Enter, then press "p": it will paste the previously copied code into the new file.

Installation of the NERDTree vim plugin:

Download it from the official website, create the ~/.vim directory and unzip it there, and voilà!

Posted in bash scripting

ALA – Apache log analyzer

Here is a simple bash script which can be used to quickly sort out which IPs visit your Apache web server the most, by analyzing the access_log file.

Just chmod +x it and run it as root ... It will ask you for the location of the Apache log file, and after that you get the sorted IPs on screen.

BTW, ALA in Serbian means DRAGON!

#!/bin/bash
# made by igor david 2011
# ALA: count how many requests each client IP made, from an Apache access_log

OUT=/root/output
touch "$OUT"
:> "$OUT"

echo "Put here location of Apache access log:"
read LOG

if [ -f "$LOG" ]
then
    echo "$LOG exists, proceeding with ALA!"
else
    echo "$LOG does not exist, exiting!"
    exit 1
fi

# the first column of every access_log line is the client IP; list each one once
for i in `sort "$LOG" | awk '{ print $1 }' | uniq`; do
    # anchor the match so that 10.0.0.1 does not also count lines from 10.0.0.10
    NUM=`grep -c "^$i " "$LOG"`
    echo " IP address $i comes $NUM times to your Apache server" >> "$OUT"
done

# sort by the hit count (fifth field)
sort -k5n,5 "$OUT"
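The script above reads the whole log once per distinct IP, and a plain `grep -c $i` would also let the dots in the address match any character and count 10.0.0.1 hits for 10.0.0.10. The following is an added example, not the post's script, showing the same "who hits the server most" question answered in a single awk pass with exact field comparison, which is what you want when the access_log is large or you are triaging a noisy client. The log lines are constructed samples in common log format, and `top_ips` and `hits_for` are my own names.

```shell
#!/bin/sh
# Added example, not the post's ALA script: one-pass per-IP request counts
# from an Apache access_log, comparing the whole first field instead of
# substring-matching the address.

# top_ips LOGFILE [N]: print "count ip" for the N busiest client addresses
# (default 10), busiest first, ties broken by address for stable output.
top_ips() {
    awk '{ hits[$1]++ } END { for (ip in hits) print hits[ip], ip }' "$1" \
        | sort -k1,1nr -k2,2 | head -n "${2:-10}"
}

# hits_for IP LOGFILE: exact count for one address (10.0.0.1 != 10.0.0.10)
hits_for() {
    awk -v ip="$1" '$1 == ip { n++ } END { print n + 0 }' "$2"
}

# Constructed sample log lines (common log format), not real traffic.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.10 - - [21/Sep/2011:14:36:58 -0700] "GET / HTTP/1.1" 200 612
10.0.0.1 - - [21/Sep/2011:14:37:01 -0700] "GET /index.html HTTP/1.1" 200 612
10.0.0.10 - - [21/Sep/2011:14:37:05 -0700] "GET /about.html HTTP/1.1" 200 845
10.0.0.10 - - [21/Sep/2011:14:37:06 -0700] "GET /contact HTTP/1.1" 404 169
10.0.0.1 - - [21/Sep/2011:14:37:09 -0700] "GET /favicon.ico HTTP/1.1" 200 1150
192.0.2.7 - - [21/Sep/2011:14:38:00 -0700] "GET / HTTP/1.1" 200 612
EOF

# Busiest three clients in the sample, then an exact count for one of them.
top_ips "$SAMPLE_LOG" 3
hits_for 10.0.0.1 "$SAMPLE_LOG"
```

On a real server replace `$SAMPLE_LOG` with the access_log path; the awk array holds one entry per distinct client, so memory grows with the number of addresses, not the number of requests.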

Posted in bash scripting