Monday, October 18, 2010

Certificate based IPsec VPN in FreeBSD

Here I am considering ESP IPsec with certificate-based authentication between two peers.

1. Use the following command to generate a private key and a certificate request:

openssl req -new -nodes -out req.pem -keyout cert.pem

Here cert.pem is the private key and req.pem is the certificate request.

2. Get this request signed by a certificate authority (CA) using the following command:

openssl x509 -req -days 365 -in certs/req.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -outform PEM -out certs/mycert.pem

3. Now put both your certificate and the CA certificate in the directory specified in racoon.conf, and create the symlink named after the CA certificate's subject hash, which racoon uses to look the CA up:

ln -s CA.crt `openssl x509 -noout -hash -in CA.crt`.0

4. Start racoon


Ref: http://www.fefe.de/racoon.txt


Wednesday, October 13, 2010

How to install a package in FreeBSD

1. Usually FreeBSD provides a port for most packages, so first search for the port with the following command:

whereis packagename

This prints something like /usr/ports/..... Now change to that directory and run

make install clean

To remove the package, run make deinstall clean.

If the package tarball is already in /usr/ports/distfiles/ you are done; otherwise FreeBSD will try to fetch it from the internet. If you are not connected to the internet, download the tarball manually (note the version number required) and put it in /usr/ports/distfiles.

2. If no port is available for the desired package, use the following commands:

pkg_add packagename

To remove it: pkg_delete packagename

Good luck.

Tuesday, August 17, 2010

How to make a servlet reloadable in the Tomcat server

During the development phase it is advisable to make servlets reloadable, so that one need not restart the Tomcat server after every change to a servlet.

To do this, edit the context.xml file in the conf directory of Tomcat, add the attribute reloadable="true" to the <Context> element, and restart the Tomcat server.

This holds true up to Tomcat 5.5.

Wednesday, August 11, 2010

How to create a new user after initializing a database for the first time

Do the following:

su -

su - postgres

createuser -d // -d gives the new user permission to create databases

exit

After that you may create a database owned by the above user:

createdb -O

Then you may dump a database owned by the above-mentioned user.

Hope this works. Good luck.

org.postgresql.util.PSQLException: Connection rejected: FATAL: Ident authentication failed for user "username"

This occurs when the user does not have sufficient permission to access the database.

To avoid this problem, modify the pg_hba.conf file as detailed below:

# TYPE DATABASE USER CIDR-ADDRESS METHOD

host all all 127.0.0.1/32 trust

Hope this works.
Good luck!!
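As an added illustration (not from the original post) of why the line above changes the outcome: PostgreSQL evaluates pg_hba.conf top-down and the first matching line decides the authentication method, so a loopback rule placed before the default ident rule is what a local TCP connection hits. The sample file below is constructed for the example; the parser handles the CIDR-address form shown in the post and the plain host/local types only.

```python
import ipaddress

# Constructed sample pg_hba.conf (not from the original post): the post's
# loopback "trust" line, then password auth for everything else.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  CIDR-ADDRESS   METHOD
local   all       all                  ident
host    all       all   127.0.0.1/32   trust
host    all       all   0.0.0.0/0      md5
"""

def parse_pg_hba(text):
    """Parse the TYPE DATABASE USER CIDR-ADDRESS METHOD columns (CIDR form only)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if cols[0] == "local":                   # Unix-socket rules carry no address
            typ, db, user, method = cols[:4]
            addr = None
        else:
            typ, db, user, addr, method = cols[:5]
        rules.append({"type": typ, "db": db, "user": user,
                      "addr": addr, "method": method})
    return rules

def auth_method(rules, conn_type, db, user, client_ip=None):
    """First matching line wins; a failure on that line is fatal, there is no
    fallthrough to later lines (this is why the Ident error is final)."""
    for r in rules:
        if r["type"] != conn_type:
            continue
        if r["db"] not in ("all", db) or r["user"] not in ("all", user):
            continue
        if r["addr"] is not None:
            if client_ip is None:
                continue
            net = ipaddress.ip_network(r["addr"], strict=False)
            if ipaddress.ip_address(client_ip) not in net:
                continue
        return r["method"]
    return None

def trust_lines(rules):
    """List the lines that grant access without any credential check."""
    return [r for r in rules if r["method"] == "trust"]
```

trust_lines() shows which entries skip the password check entirely; replacing trust with md5 in the sample keeps the loopback rule but asks for a password instead.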

Tuesday, July 27, 2010

How to reset a Cisco router to factory default

Follow these steps if you are already logged in:
  • go to global configuration mode and enter the following commands
  • config-register 0x2142
  • reload
System configuration has been modified. Save? [yes/no]:n
Proceed with reload? [confirm]y

After rebooting, change the config-register value back to 0x2102, then save the configuration and reboot.

If you have forgotten the password, connect to the router using the console,
start the router and press CTRL+BREAK
to go to rommon mode. There type
config-register 0x2142 and reset.
After the router reboots, change the
config-register value to 0x2102.



Wednesday, July 21, 2010

How to make a Cisco router a CA server

Here is a sample configuration to make a Cisco router a CA server. Enter the following commands in global configuration mode.

  • crypto pki server CAname
  • issuer-name CN=domainname.com L=location C=country
  • grant auto
  • lifetime crl 24
  • lifetime certificate 200
  • lifetime ca-certificate 365
  • cdp-url http://ipaddress/CAnamecdp.CAname.crl
  • crypto pki trustpoint CAname
  • revocation-check crl
  • rsakeypair CAname

Certificate based IPsec between a Cisco router and a Fortinet firewall

The reason the IPsec negotiation fails is that the Fortinet does not specify the CA trustpoint to be used in its certificate. To force the Cisco router to use a specific CA trustpoint, matching a specific common name or subject name, do the following:

  • use the GUI to configure IPsec on the FortiGate firewall
  • import the certificate on both the Cisco and the FortiGate
  • use the following configuration in global configuration mode on the Cisco router
  • crypto pki certificate map name1 10
  • subject-name co cn=name2 // various match options are available
  • crypto isakmp profile name3
  • ca trustpoint CAname
  • match certificate name1
Here you are done.
Good luck.

Monday, July 19, 2010

Preshared key based IPsec configuration

Peer WAN IP address : x.x.x.x/mask
Host LAN IP address : y.y.y.y/mask
Peer LAN IP address : z.z.z.z/mask

Text written after ! is a comment.


conf t

! define phase 1 policy parameters

crypto isakmp policy 100
encr 3des
hash sha
authentication pre-share
group 2
exit

! define the preshared key for the peer; x.x.x.x is the peer WAN IP address

crypto isakmp key 0 secret123 address x.x.x.x

! define phase 2 policy parameters

crypto ipsec transform-set site1-site2 esp-aes 256

! define a crypto map tying the phase 1 and phase 2 policies together

crypto map VPN 1 ipsec-isakmp
set peer x.x.x.x
set transform-set site1-site2
match address 100
exit

! define an access list for the traffic to be encrypted
! the access list number must be the same as in the crypto map match address
! the wildcard mask can be calculated by subtracting the subnet mask from 255.255.255.255

access-list 100 permit ip y.y.y.y z.z.z.z

! now apply this crypto map to the WAN Ethernet interface of the host

conf t

! go to the WAN interface; here I have assumed g0/0 is the WAN interface

int g0/0

! apply crypto map
! crypto map name should be same as defined above

crypto map VPN

! apart from this, useful show and debug commands:

show crypto isakmp sa

debug crypto isakmp
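To make the wildcard-mask rule concrete, here is an added Python helper (not part of the original post) that derives the crypto ACL line from the two LAN prefixes and also checks that the peer side's ACL is the exact mirror image, which is needed for the phase 2 proxy identities to match (a point the post does not spell out). The prefixes used in the test are constructed sample values standing in for y.y.y.y and z.z.z.z.

```python
import ipaddress

def wildcard_mask(netmask):
    """Wildcard mask = 255.255.255.255 minus the subnet mask (bitwise inverse)."""
    inverted = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(inverted))

def crypto_acl_line(acl_number, host_lan, peer_lan):
    """Build the 'interesting traffic' ACL line: host LAN -> peer LAN."""
    src = ipaddress.IPv4Network(host_lan, strict=False)
    dst = ipaddress.IPv4Network(peer_lan, strict=False)
    return (f"access-list {acl_number} permit ip "
            f"{src.network_address} {wildcard_mask(str(src.netmask))} "
            f"{dst.network_address} {wildcard_mask(str(dst.netmask))}")

def mirror_acl_line(acl_number, host_lan, peer_lan):
    """The ACL configured on the peer router must be the mirror image
    (peer LAN -> host LAN); otherwise the phase 2 proxy identities differ
    and the IPsec SA is not established."""
    return crypto_acl_line(acl_number, peer_lan, host_lan)

def acls_are_mirrors(line_a, line_b):
    """True when both lines describe the same two networks in opposite directions."""
    a, b = line_a.split(), line_b.split()
    # tokens: 0 access-list, 1 number, 2 permit, 3 ip, 4-5 src/wc, 6-7 dst/wc
    return a[:4] == b[:4] and a[4:6] == b[6:8] and a[6:8] == b[4:6]
```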

CA server setup in Ubuntu

This post is about setting up a CA server on Ubuntu Linux.

  • Go to /usr/lib/ssl/misc
  • For any specific configuration, edit /usr/lib/ssl/openssl.cnf
  • sh CA.sh -newca
  • Now give the distinguished name attributes (subject name)
  • Go to the demoCA folder
  • Find cacert.pem; this is your CA certificate
  • To generate a CA-signed certificate use the following command:
openssl x509 -req -days 365 -in .cer -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -outform PEM -out .pem

Tuesday, July 6, 2010

How to reset the FortiGate firewall password

Do the following to reset the FortiGate firewall password:
  1. Connect to the serial port (9600 baud, 8 data bits, no parity, 1 stop bit, no flow control)
  2. Type in the username: maintainer
  3. The password is bcpb + the serial number of the firewall (remember CAPS letters)
    1. Note that on some devices, after the device boots, you have 14 seconds to type in the username and password. It might, therefore, be necessary to have them ready in a text editor, and then copy and paste them into the login screen.
  4. Now you should be connected to the firewall, and to change the admin password you type the following.
    1. config system admin
    2. edit admin
    3. set password
    4. end
From the website http://www.afterschool.dk/documents/network/fortigate-password-reset/

Monday, June 21, 2010

How to upgrade a Cisco IOS image

With working image:

1. Install/prepare a TFTP server like 3CDaemon and make sure that it is reachable from the router

2. Before upgrading any working image, take a backup

3. To take a backup use the following command:

     2600#copy flash tftp

Give the TFTP server IP address and the destination file name.

4. To upload the new image run the following command:

      2600#copy tftp flash

Give the source and destination file names and the TFTP server IP address.

In case you don't have a working image and are unable to boot the router:

1. Reboot the router and press Ctrl+Break. Now you will be in rommon mode.

2. Now set IP_ADDRESS, IP_ADDRESS_NETMASK, DEFAULT_GATEWAY, TFTP_SERVER and TFTP_FILE

3. Finally give the command tftpdnld

4. Now rommon > confreg 0x2102

5. rommon > reset

6. Set the boot image from flash:
2600(config)#no boot system
2600(config)#boot system flash

Now you are done!!

Wednesday, May 26, 2010

How to dump postgres database

1. Use pg_dump to dump the database:
pg_dump dbname | gzip > filename.gz

2. Then restore it:
createdb dbname
gunzip -c filename.gz | psql dbname



How to install an application in Linux using a tar.gz file

1. Copy it to a suitable location, usually /usr/local/, then run the following command:
tar -zxvf .tar.gz

2. Change directory to /usr/local/

3. Run ./configure --help

4. Set the appropriate options and run ./configure --[options]

5. Run the command make

6. If available, run make test

7. At last, run make install

8. Here you are done

9. Set the PATH to include the lib files of the above application

10. Good luck

Monday, March 22, 2010

How to configure IPSEC on linux

Scientific Linux and Fedora/RHEL come with ipsec-tools.
Host-to-host config:
Configure ifcfg-ipsec[number] on both machines:
DST=X.X.X.X
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK

Configure keys-ipsec[number]:
IKE_PSK=secretkey

Use setkey -f [filename] to set the policy.

Use ifup ipsec[number] to start encryption.

Use the command tcpdump -n -i [interface] host [IP address of other machine] to find out whether encryption is taking place or not.



Wednesday, March 10, 2010

How to start service in LINUX on startup

To start a service in Linux on startup there are two methods.

i) If it is a standard service and has a script in /etc/init.d, just check its status:

chkconfig --list servicename

If it is off,

turn it on with the following command:

chkconfig servicename on

Similarly you can turn a service off with the following command:

chkconfig servicename off

The other way is to write a script, put it in /etc/init.d

and run the following commands:

chkconfig --add servicename
chkconfig servicename on

Similarly you can remove a service from the list:

chkconfig --del servicename

ii) Put the startup code in the rc.local file.

Monday, January 25, 2010

To store a file in a postgres database

There are two methods to store a file in database.

1. Use the bytea column type (stores the file as a byte stream, < 1 GB)

2. Use the large objects type (stores the file in a separate table referenced by an integer OID)

For more information see the following link:

http://www.postgresql.org/docs/7.4/interactive/jdbc-binary-data.html#JDBC-BINARY-DATA-EXAMPLE