This post covers ESP IPsec between two peers with certificate-based authentication, using racoon.
1. Generate a private key and a certificate request with
openssl req -new -nodes -out req.pem -keyout key.pem
here key.pem is the private key and req.pem is the certificate request. -nodes leaves the key unencrypted so the daemon can load it without a passphrase, so keep it readable by root only (mode 0600).
2. Get the request signed by a certificate authority (CA) with
openssl x509 -req -days 365 -in certs/req.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -outform PEM -out certs/mycert.pem
3. Put the signed certificate, its private key and the CA certificate in the directory given by the certificate path in racoon.conf. racoon finds the CA by the hash of its subject name, so create the hashed symlink with
ln -s CA.crt `openssl x509 -noout -hash -in CA.crt`.0
The hash must be computed with the same OpenSSL version racoon is linked against (the hash algorithm changed in OpenSSL 1.0.0; -subject_hash_old prints the older value).
4. Start racoon
ref :http://www.fefe.de/racoon.txt
Monday, October 18, 2010
Wednesday, October 13, 2010
How to install a package in freeBSD
1. FreeBSD provides a port for most packages, so first look for one with
whereis <package name>
which prints a path like /usr/ports/.....
Change to that directory and run
make install clean
To remove the port again run make deinstall clean
If the source tarball is already in /usr/ports/distfiles/ the build proceeds from there; otherwise FreeBSD tries to fetch it from the internet. Without a connection, download the exact version the port expects yourself, put it in /usr/ports/distfiles and run make checksum so the file is verified against the port's distinfo before anything is built from it.
2. If no port is available for the package, install the binary package with
pkg_add <package name>
and remove it with pkg_delete <package name>
good luck
Tuesday, August 17, 2010
How to make a servlet reloadable in Tomcat
During development it is convenient to make the web application reloadable, so Tomcat picks up changed servlet classes without a restart.
To do this, edit context.xml in Tomcat's conf directory and add the attribute reloadable="true" to the <Context> element, then restart Tomcat.
This was verified on Tomcat versions up to 5.5. Setting it in conf/context.xml applies to every web application on the server, and Tomcat's own documentation notes that the class-change polling costs runtime overhead, so leave it off in production.
Wednesday, August 11, 2010
How to create a new user after initializing a database for the first time
Do the following:
su -
su - postgres
createuser -d <username>
(-d gives the user permission to create new databases; it does not make the user a superuser, which is what you want for an application role)
exit
after that you may create a database owned by that user
createdb -O <username> <dbname>
then you can dump, or load a dump into, a database owned by that user
Hope this works. Good luck
org.postgresql.util.PSQLException: Connection rejected: FATAL: Ident authentication failed for user "username"
This happens when the line in pg_hba.conf that matches your connection uses the ident method: the server asks the ident daemon which operating-system user owns the client's TCP connection and only allows that OS user name (or a name mapped from it) as the database user, so connecting as any other role fails.
To fix it, change the METHOD on the line that matches your connection, for example for TCP connections from localhost:
# TYPE DATABASE USER CIDR-ADDRESS METHOD
host all all 127.0.0.1/32 md5
md5 asks for the role's password. The original post used trust here instead; trust works, but it skips authentication entirely for every local process, so only use it on a throwaway development machine. pg_hba.conf is read top to bottom and the first matching line wins, so this line must come before any ident line that also matches these clients, and PostgreSQL has to be reloaded afterwards.
Hope this works.
Good luck!!
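As an added example (my code, not the blog's), here is a small first-match evaluator for pg_hba.conf. It shows why the TCP connection above hit ident, why changing the method on the matching line fixes it, why a fix placed below an earlier matching line never takes effect, and where trust lines are. The two configuration texts are constructed for the demonstration; the parser handles the CIDR form of the address column only (not the older separate-netmask form) and the database and user columns as all or comma-separated names.

```python
import ipaddress

# Constructed sample: TCP from localhost matches an ident line, which is exactly
# what produces "Ident authentication failed for user".
HBA_BEFORE = """\
# TYPE  DATABASE  USER  CIDR-ADDRESS   METHOD
local   all       all                  ident
host    all       all   127.0.0.1/32   ident
"""

# Same file with the fix, using md5 (password) instead of trust.
HBA_AFTER = """\
# TYPE  DATABASE  USER  CIDR-ADDRESS   METHOD
local   all       all                  ident
host    all       all   127.0.0.1/32   md5
"""


def parse_hba(text):
    """Parse pg_hba.conf lines into rule dicts; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":  # unix-socket lines have no address column
            rules.append({"line": lineno, "type": "local", "db": f[1], "user": f[2],
                          "net": None, "method": f[3]})
        else:
            rules.append({"line": lineno, "type": f[0], "db": f[1], "user": f[2],
                          "net": ipaddress.ip_network(f[3], strict=False), "method": f[4]})
    return rules


def _names_match(field, value):
    return field == "all" or value in field.split(",")


def auth_method(text, conn_type, db, user, addr=None, ssl=False):
    """Method PostgreSQL applies to a connection: the FIRST matching line wins and
    later lines are never consulted.  None means no line matched (connection rejected)."""
    for r in parse_hba(text):
        if r["type"] == "local":
            if conn_type != "local":
                continue
        else:
            if conn_type == "local":
                continue
            if r["type"] == "hostssl" and not ssl:
                continue
            if r["type"] == "hostnossl" and ssl:
                continue
            if ipaddress.ip_address(addr) not in r["net"]:
                continue
        if _names_match(r["db"], db) and _names_match(r["user"], user):
            return r["method"]
    return None


def trust_lines(text):
    """Line numbers that disable authentication: anyone who can reach that socket
    or address range connects as any listed role with no password."""
    return [r["line"] for r in parse_hba(text) if r["method"] == "trust"]


if __name__ == "__main__":
    print(auth_method(HBA_BEFORE, "host", "mydb", "username", "127.0.0.1"))  # ident
    print(auth_method(HBA_AFTER, "host", "mydb", "username", "127.0.0.1"))   # md5
```

Appending a trust line for 127.0.0.1/32 to HBA_BEFORE changes nothing for a localhost TCP client, because the ident line above it still matches first; the fix has to replace or precede that line.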
Tuesday, July 27, 2010
How to reset a Cisco router to factory default
Follow these steps if you are already logged in:
- go to global configuration mode and enter the following commands
- config-register 0x2142
- reload
System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm] y
0x2142 makes the router ignore the startup configuration in NVRAM at boot, so it comes up unconfigured. After it reboots, change the configuration register back to 0x2102, save the configuration and reboot; saving the empty running configuration overwrites the old startup-config.
If you have forgotten the password, connect to the router over the console, power-cycle it and press Ctrl+Break during boot to enter ROMMON. There type confreg 0x2142 and reset.
After the reboot, copy startup-config to running-config if you want to keep the old configuration, set a new enable secret, change the configuration register back to 0x2102 and save. Anyone with console access and the ability to power-cycle the router can do this, which is why console ports need physical protection.
Wednesday, July 21, 2010
How to make a Cisco router a CA server
Here is a sample configuration to make a Cisco router act as a CA server. Enter the following commands in global configuration mode.
- crypto pki server CAname
- issuer-name CN=domainname.com, L=location, C=country
- grant auto
- lifetime crl 24
- lifetime certificate 200
- lifetime ca-certificate 365
- cdp-url http://ipaddress/CAnamecdp.CAname.crl
- crypto pki trustpoint CAname
- revocation-check crl
- rsakeypair CAname
- crypto pki server CAname
- no shutdown
The issuer-name attributes are separated by commas; lifetime crl is in hours and the two certificate lifetimes are in days. Configure the trustpoint, which names the RSA key pair, before enabling the server; no shutdown then starts it and prompts for a passphrase that protects the CA's private key. grant auto issues a certificate to anyone who can reach the server with an enrollment request, which is fine for a lab; otherwise leave it out and approve requests by hand with crypto pki server CAname grant, or restrict enrollment with a challenge password.
Certificate based IPsec between Cisco router and FortiGate firewall
The IPsec negotiation fails because the FortiGate does not tell the Cisco router which CA trustpoint to use for its certificate. To force the router to use a specific trustpoint, and to accept only a peer certificate with a given common name or subject name, do the following:
- use the GUI to configure IPsec on the FortiGate firewall
- import the certificates on both the Cisco and the FortiGate
- enter the following configuration in global configuration mode on the Cisco router
- crypto pki certificate map name1 10
- subject-name co cn=name2 // co means contains; other match attributes such as issuer-name and alt-subject-name are available
- crypto isakmp profile name3
- ca trust-point CAname
- match certificate name1
- attach the profile to the crypto map entry used for this peer with set isakmp-profile name3
The subject-name match is what protects you: without it, any certificate issued by that CA would be accepted as the peer.
goodluck.
Monday, July 19, 2010
Preshared key based IPsec configuration
Peer WAN IP address : x.x.x.x/mask
Host LAN IP address : y.y.y.y/mask
Peer LAN IP address : z.z.z.z/mask
text written after ! is a comment
conf t
! define the phase 1 policy parameters
crypto isakmp policy 100
encr 3des
hash sha
authentication pre-share
group 2
exit
! 3des, sha1 and group 2 (1024-bit DH) are dated; use aes 256, sha256 and group 14
! or higher where both peers support them
! define the preshared key for the peer's WAN IP address
! 0 means the key is typed in clear and is shown in clear in the running config
! unless type-6 key encryption is configured, so treat the configuration as a secret
crypto isakmp key 0 secret123 address x.x.x.x
! define the phase 2 policy parameters
! esp-sha-hmac gives ESP an integrity check; esp-aes 256 on its own only encrypts
crypto ipsec transform-set site1-site2 esp-aes 256 esp-sha-hmac
! define a crypto map tying the phase 1 and phase 2 policy together
crypto map VPN 1 ipsec-isakmp
set peer x.x.x.x
set transform-set site1-site2
match address 100
exit
! define the access list that selects the traffic to encrypt
! the access list number must be the same as in the crypto map's match address
! a wildcard mask is 255.255.255.255 minus the subnet mask (a /24 gives 0.0.0.255)
! the peer's access list must be the exact mirror of this one (source and destination swapped)
access-list 100 permit ip y.y.y.y <host LAN wildcard> z.z.z.z <peer LAN wildcard>
! now apply the crypto map to the host's WAN interface
conf t
! go to the WAN interface; here g0/0 is assumed to be the WAN interface
int g0/0
! apply the crypto map; the name must be the same as defined above
crypto map VPN
! apart from this, show and debug commands
show crypto isakmp sa
debug crypto isakmp
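As an added example (my code, not the blog's), the following generates the configuration above for both peers from one description, computes the wildcard masks the way the post describes (255.255.255.255 minus the mask), and checks that the two crypto ACLs are exact mirrors, which is the usual cause of a phase 2 failure reported by debug crypto ipsec as proxy identities not supported. Site names, the RFC 5737 documentation addresses, interface names and the key are invented; the phase 1 values reproduce the post's, and esp-sha-hmac is added to the transform set for integrity.

```python
import ipaddress

# Constructed two-site description (not from the post)
SITE1 = {"name": "site1", "wan_if": "GigabitEthernet0/0", "wan_ip": "203.0.113.1", "lan": "10.1.0.0/16"}
SITE2 = {"name": "site2", "wan_if": "GigabitEthernet0/0", "wan_ip": "198.51.100.1", "lan": "10.2.0.0/24"}


def wildcard(cidr):
    """Network address and Cisco wildcard mask (the bitwise inverse of the netmask,
    i.e. 255.255.255.255 minus the mask).  Accepts prefix or dotted-mask notation."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def crypto_acl(number, local_lan, remote_lan):
    """The access list that selects traffic to encrypt, local subnet first."""
    ln, lw = wildcard(local_lan)
    rn, rw = wildcard(remote_lan)
    return f"access-list {number} permit ip {ln} {lw} {rn} {rw}"


def mirrors(acl_a, acl_b):
    """Phase 2 completes only if each side's ACL is the other's with source and
    destination swapped; the ACL numbers themselves may differ."""
    a, b = acl_a.split(), acl_b.split()
    # tokens: access-list N permit ip SRC SRC-WC DST DST-WC
    return a[2:4] == b[2:4] == ["permit", "ip"] and a[4:6] == b[6:8] and a[6:8] == b[4:6]


def peer_config(name, wan_if, peer_wan, local_lan, remote_lan, psk, acl=100):
    """IOS configuration for one side, following the post's layout."""
    return "\n".join([
        f"! --- {name} ---",
        "crypto isakmp policy 100",
        " encr 3des",                    # post's values; prefer aes 256 / sha256 / group 14+
        " hash sha",
        " authentication pre-share",
        " group 2",
        f"crypto isakmp key 0 {psk} address {peer_wan}",   # 0 = key given in clear
        "crypto ipsec transform-set site1-site2 esp-aes 256 esp-sha-hmac",  # HMAC = integrity
        "crypto map VPN 1 ipsec-isakmp",
        f" set peer {peer_wan}",
        " set transform-set site1-site2",
        f" match address {acl}",
        crypto_acl(acl, local_lan, remote_lan),
        f"interface {wan_if}",
        " crypto map VPN",
    ])


def site_to_site(a, b, psk, acl=100):
    """Both peers from one spec, so the two ACLs are mirrors by construction."""
    cfg_a = peer_config(a["name"], a["wan_if"], b["wan_ip"], a["lan"], b["lan"], psk, acl)
    cfg_b = peer_config(b["name"], b["wan_if"], a["wan_ip"], b["lan"], a["lan"], psk, acl)
    return {a["name"]: cfg_a, b["name"]: cfg_b}


def acl_line(cfg):
    """Pull the access-list line back out of a rendered config (for auditing)."""
    return next(line for line in cfg.splitlines() if line.startswith("access-list"))


if __name__ == "__main__":
    cfgs = site_to_site(SITE1, SITE2, "secret123")
    print(cfgs["site1"])
    print(cfgs["site2"])
    print("mirrors:", mirrors(acl_line(cfgs["site1"]), acl_line(cfgs["site2"])))
```

mirrors() can also be run over two ACL lines copied from existing routers; a /25 on one side against a /24 on the other is enough to fail it.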
CA server set up in ubuntu
This post is about setting up a CA in Ubuntu Linux.
- Go to /usr/lib/ssl/misc
- for any specific configuration edit /usr/lib/ssl/openssl.cnf
- sh CA.sh -newca
- now give the distinguished name attributes (subject name)
- go to the demoCA folder
- find cacert.pem, this is your CA certificate; private/cakey.pem is the CA's private key and must stay readable by root only
- to generate a CA-signed certificate use the following command
openssl x509 -req -days 365 -in <request>.cer -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -outform PEM -out <certificate>.pem
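As an added example for this post and the racoon post above (my code, not the blog's), the script below drives openssl to build a throw-away CA, issue a peer certificate from a -nodes key and request, install the hash-named CA link that racoon's certificate-path lookup needs, and then check the result with openssl verify, which performs the same hash-directory lookup racoon will. It also shows that a certificate from a second, untrusted CA is rejected. It assumes the openssl binary is on PATH; the root is self-signed with openssl x509 -req -signkey instead of CA.sh -newca, and the names test-ca, rogue-ca, peer1 and peer2 are invented.

```python
import os
import subprocess
import tempfile

# Marks the root certificate as a CA; without basicConstraints an X.509v3 root is not
# accepted as an issuer by openssl verify.
BASIC_CONSTRAINTS = "basicConstraints=critical,CA:TRUE\n"


def openssl(*args, cwd):
    """Run one openssl command in cwd, fail on a non-zero exit, return stdout."""
    proc = subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True)
    return proc.stdout


def make_ca(workdir, name):
    """Self-signed CA (stand-in for CA.sh -newca: cacert.pem + private/cakey.pem)."""
    key, csr, crt, ext = f"{name}.key", f"{name}.csr", f"{name}.crt", f"{name}.ext"
    with open(os.path.join(workdir, ext), "w") as f:
        f.write(BASIC_CONSTRAINTS)
    openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048",
            "-out", key, cwd=workdir)
    os.chmod(os.path.join(workdir, key), 0o600)      # CA key: owner-readable only
    openssl("req", "-new", "-key", key, "-subj", f"/CN={name}", "-out", csr, cwd=workdir)
    openssl("x509", "-req", "-days", "365", "-in", csr, "-signkey", key,
            "-extfile", ext, "-out", crt, cwd=workdir)
    return key, crt


def issue_peer_cert(workdir, ca_key, ca_crt, peer):
    """Steps 1 and 2 of the racoon post: -nodes key + request, then sign with the CA."""
    key, req, crt = f"{peer}-key.pem", f"{peer}-req.pem", f"{peer}-cert.pem"
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={peer}",
            "-keyout", key, "-out", req, cwd=workdir)
    os.chmod(os.path.join(workdir, key), 0o600)      # -nodes leaves the key unencrypted
    openssl("x509", "-req", "-days", "365", "-in", req, "-CA", ca_crt, "-CAkey", ca_key,
            "-CAcreateserial", "-outform", "PEM", "-out", crt, cwd=workdir)
    return key, crt


def install_ca_link(workdir, ca_crt, certdir="certs"):
    """Step 3: racoon looks the CA up as <subject-hash>.0 inside its certificate path."""
    path = os.path.join(workdir, certdir)
    os.makedirs(path, exist_ok=True)
    h = openssl("x509", "-noout", "-hash", "-in", ca_crt, cwd=workdir).strip()
    link = os.path.join(path, h + ".0")
    os.symlink(os.path.join("..", ca_crt), link)    # relative target survives a copy
    return link


def chain_ok(workdir, certdir, cert):
    """True only if openssl finds the issuer through the hash link, as racoon would."""
    proc = subprocess.run(["openssl", "verify", "-CApath", certdir, cert], cwd=workdir,
                          capture_output=True, text=True)
    return proc.returncode == 0 and proc.stdout.strip().endswith(": OK")


def demo():
    """Build everything in a temp dir; returns (trusted peer ok, rogue peer ok)."""
    with tempfile.TemporaryDirectory() as wd:
        ca_key, ca_crt = make_ca(wd, "test-ca")
        rogue_key, rogue_crt = make_ca(wd, "rogue-ca")
        _, peer_crt = issue_peer_cert(wd, ca_key, ca_crt, "peer1")
        _, rogue_peer = issue_peer_cert(wd, rogue_key, rogue_crt, "peer2")
        install_ca_link(wd, ca_crt)                  # only test-ca is installed
        return chain_ok(wd, "certs", peer_crt), chain_ok(wd, "certs", rogue_peer)


if __name__ == "__main__":
    print(demo())   # expected (True, False)
```

Running openssl verify -CApath against the directory you point racoon at is the quickest way to catch a hash computed with a different OpenSSL version, or a link that points at the wrong file.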
Tuesday, July 6, 2010
How to reset the FortiGate firewall password
Do the following to reset the FortiGate firewall password:
- Connect to the serial console (9600 baud, 8 data bits, no parity, 1 stop bit, no flow control)
- Type in the username: maintainer
- The password is bcpb followed by the serial number of the firewall (upper-case letters, as printed on the unit)
- Note that on some devices you only have about 14 seconds after the device boots to type in the username and password. It may therefore be necessary to have them ready in a text editor and paste them into the login prompt.
- Now you should be connected to the firewall; to change the admin password type the following:
- config system admin
- edit admin
- set password <new password>
- end
The maintainer account only works from the physical console shortly after a power cycle, so this is a physical-access risk rather than a remote one; where that is unacceptable it can be turned off with set admin-maintainer disable under config system global.
Monday, June 21, 2010
How to upgrade a Cisco IOS image
With a working image:
1. Install/prepare a TFTP server such as 3CDaemon and make sure it is reachable from the router.
2. Before upgrading a working image, take a backup.
3. To take the backup run
2600#copy flash tftp
and give the TFTP server IP address and the destination file name.
4. To upload the new image run
2600#copy tftp flash
and give the source and destination file names and the TFTP server IP address. TFTP has no integrity protection, so before booting the new image compare its checksum with the one Cisco publishes for that release using verify /md5 flash:<image name>.
If you don't have a working image and cannot boot the router:
1. Reboot the router and press Ctrl+Break to enter ROMMON.
2. Set IP_ADDRESS, IP_ADDRESS_NETMASK, DEFAULT_GATEWAY, TFTP_SERVER and TFTP_FILE (each as VARIABLE=value at the rommon prompt).
3. Finally run tftpdnld (it erases the flash before writing the new image).
4. rommon > confreg 0x2102
5. rommon > reset
6. Set the boot image with
2600(config)#no boot system
2600(config)#boot system flash
Now you are done!!
Wednesday, May 26, 2010
How to dump a postgres database
1. use pg_dump to dump the database
pg_dump dbname | gzip > filename.gz
The exit status of this pipeline is gzip's, not pg_dump's, so a failed dump can still leave a small, valid-looking .gz file; check pg_dump's own status (set -o pipefail in bash) before trusting the backup.
2. To restore it
createdb dbname
gunzip -c filename.gz | psql dbname
How to install an application in Linux from a tar.gz file
1. Copy the archive to a suitable location, usually /usr/local/, verify it against the checksum or signature the project publishes, then run
tar -zxvf <package>.tar.gz
2. Change into the extracted directory under /usr/local/
3. Run ./configure --help
4. Set the appropriate options and run ./configure --[options]
5. Run make
6. If available, run make test
7. Finally run make install (only this step needs root; do the configure and build as an ordinary user)
8. Now you are done
9. Add the application's bin directory to PATH and its lib directory to the dynamic loader's path (ldconfig or LD_LIBRARY_PATH)
10. Good luck
Monday, March 22, 2010
How to configure IPsec on Linux
Scientific Linux and Fedora/RHEL ship ipsec-tools.
Host-to-host configuration:
configure /etc/sysconfig/network-scripts/ifcfg-ipsec<number> on both machines
DST=X.X.X.X
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
configure keys-ipsec<number> in the same directory, readable by root only (mode 0600), with
IKE_PSK=secretkey
use setkey -f [filename] to set the policy
use ifup ipsec<number> to start encryption.
use tcpdump -n -i <interface> host [IP address of the other machine] to check whether encryption is taking place: between the two hosts you should see only ESP (plus UDP port 500 for IKE), not the application protocol in clear.
Wednesday, March 10, 2010
How to start a service in Linux on startup
To start a service in Linux on startup there are two methods.
i) if it is a standard service and has a script in /etc/init.d, check its status with
chkconfig --list <service name>
if it is off, turn it on with
chkconfig <service name> on
Similarly you can turn a service off with
chkconfig <service name> off
Otherwise write a script, put it in /etc/init.d (it needs the chkconfig: header comment giving the run levels and start/stop priorities, or --add will refuse it) and run
chkconfig --add <service name>
chkconfig <service name> on
similarly you can remove a service from the list with
chkconfig --del <service name>
ii) put the startup code in rc.local; everything there runs as root at boot, so keep it minimal.
Monday, January 25, 2010
To store a file in a postgres database
There are two methods to store a file in the database.
1. use the bytea column type (stores the file inline as a byte string; up to 1 GB per value)
2. use large objects (the file is stored in chunks in a separate system table and referenced from your row by an integer OID; deleting the row does not delete the object, so remove it with lo_unlink)
for more information see the following link
http://www.postgresql.org/docs/7.4/interactive/jdbc-binary-data.html#JDBC-BINARY-DATA-EXAMPLE