June 2007 Archives

smile at the old days


Travelling alone, as in my university days. Walking along unfamiliar streets, trying to recover the mood and feelings of the past, only to find that the so-called past can never be recovered. Trying to escape reality, only to find myself entangled in it even more tightly. And then I happened to hear the familiar "Memory" again.

midnight
not a sound from the pavement
has the moon lost her memory
she is smiling alone
in the lamp light
the withered leaves collect at my feet
and the wind begins to moan
memory
all alone in the moonlight
i can smile at the old days
i was beautiful then
i remember the time i knew what happiness was
let the memory live again
every street lamp
seems to beat a fatalistic warning
someone mutters and a street lamp gutters
and soon it will be morning
day light
i must wait for the sunrise
i must think of a new life
and i mustn't give in
when the dawn comes, tonight will be a memory too
and a new day will begin

burnt out ends of smoky days
the stale cold smell of morning
a street lamp dies, another night is over
another day is dawning
touch me
it's so easy to leave me
all alone with my memory
of my days in the sun
if you touch me
you'll understand what happiness is
look, a new day has begun

GRE over IPSec


IPSec tunnels have a limitation: they can only carry unicast traffic. To carry multicast and broadcast traffic over an IPSec tunnel, the only option is to encapsulate a GRE tunnel inside IPSec and let the multicast and broadcast traffic ride in GRE.

Configuring GRE over IPSec is not much different from an IPSec LAN-to-LAN (L2L) tunnel. The point to note is that the interesting traffic should be defined as the tunnel's source IP and destination IP, with the traffic type being GRE.

Testing:
1. Check that the IPSec tunnel is established successfully.
2. Ping across the tunnel in both directions, or form an OSPF neighbor relationship to check that multicast traffic is passed successfully.
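An IOS configuration for one side of the setup described above, added here as an example rather than taken from the original post. The addresses, interface and object names, and the pre-shared key are assumptions; the peer router mirrors the configuration with the addresses swapped.

```cisco
! Added example, not from the original post. Router A side; Router B mirrors
! it with the addresses swapped. 192.0.2.1 and 192.0.2.2 are assumed to be the
! public addresses of the two tunnel endpoints.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14
! assumed pre-shared key; use a strong, unique value in a real deployment
crypto isakmp key GRE-PSK-PLACEHOLDER address 192.0.2.2
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
! interesting traffic: only GRE between the tunnel source and destination,
! which is exactly what the post says the crypto ACL must match
access-list 101 permit gre host 192.0.2.1 host 192.0.2.2
crypto map CM 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS
 match address 101
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map CM
! OSPF hellos are multicast; they travel inside GRE, and GRE inside ESP
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
! verification: show crypto isakmp sa, show crypto ipsec sa (watch the
! encaps/decaps counters while pinging 10.0.0.2), show ip ospf neighbor
```

If the OSPF neighbor never forms while pings across the tunnel succeed, check that the GRE traffic is actually hitting the crypto ACL rather than leaving the outside interface in the clear.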

...


Configuring a router as an ezVPN client


crypto ipsec client ezvpn ez
 connect manual  connect manually
 group vpngroup key groupkey  group name vpngroup, group password groupkey
 local-address FastEthernet0/1  initiate the connection from fa0/1
 mode client  use client mode
 peer 10.0.1.1  the ezvpn server is 10.0.1.1
interface Loopback0
 ip address 9.9.9.9 255.255.255.0
 crypto ipsec client ezvpn ez inside  use the Loopback interface to simulate an internal user
interface FastEthernet0/1
 ip address 10.0.1.2 255.255.255.0
 crypto ipsec client ezvpn ez  mark fa0/1 as the interface that initiates the vpn connection (outside)

After the configuration is done, bring up the vpn connection manually:

R1#cry ipsec client ezvpn connect  bring up the connection
R1#crypto ipsec client ezvpn connect
EZVPN(ez): IPSec connection terminated
R1#crypto ipsec client ezvpn xauth  enter the username and password for authentication
Username: cisco
Password:

R1#show crypto ipsec client ezvpn  check the established connection
Easy VPN Remote Phase: 2

Tunnel name : ez
Inside interface list: Loopback0
Outside interface: FastEthernet0/1
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 7.7.7.1
Mask: 255.255.255.255


Configuring an ezVPN server on PIX 7.2


1. Create a user (vpn logins are authenticated locally): username cisco password cisco

2. Phase 1: define the ISAKMP policy
crypto isakmp enable outside  enable isakmp on the outside interface; isakmp is disabled by default, which differs from a router
crypto isakmp policy 10  create an isakmp policy
 authentication pre-share  pre-shared-key authentication
 encryption aes  aes encryption
 hash sha  sha1 hash
 group 2  DH group 2
 lifetime 86400  lifetime of one day (the default)

3. "Phase 1.5": configure the group
group-policy vpngroup internal  internal group policy
access-list sp extended permit ip 1.1.1.0 255.255.255.0 any  create an acl that marks the split-tunnel traffic
group-policy vpngroup attributes  group-policy attributes
 vpn-tunnel-protocol IPSec  use IPSec as the tunnel protocol
 split-tunnel-policy tunnelspecified  the split-tunnel traffic is whatever the acl explicitly marks
 split-tunnel-network-list value sp  traffic matching the acl named sp is sent through the encrypted tunnel
tunnel-group vpngroup type ipsec-ra  group vpngroup is of the ipsec remote access type
ip local pool localpool 192.168.1.1-192.168.1.100  create an address pool named localpool
tunnel-group vpngroup general-attributes  general attributes for this group (addresses, dns, etc.)
 address-pool localpool  use the address pool named localpool
 default-group-policy vpngroup  the policy used by this group is named vpngroup
tunnel-group vpngroup ipsec-attributes  ipsec attributes for this group
 pre-shared-key groupkey  the shared key is "groupkey"; once configured, show run should display the shared key as "*".

4. Configure phase 2
crypto ipsec transform-set ts esp-3des esp-md5-hmac  create a transform set using 3des encryption and md5 authentication
crypto dynamic-map dmap 10 set transform-set ts  create a dynamic map that calls this transform set
crypto map cmap 1000 ipsec-isakmp dynamic dmap  create a static map that calls the dynamic map dmap
crypto map cmap interface outside  apply the static map cmap to the outside interface


Configuring a router as an ezVPN server

1. Enable AAA
aaa new-model  enable AAA
aaa authentication login vpnauth local  create an authentication list named vpnauth that uses the router's local usernames and passwords for login authentication
aaa authorization network vpnauthor local  create an authorization list named vpnauthor, used to assign addresses to dial-in vpn users
username cisco password cisco  create a local user cisco with password cisco as the vpn user

2. Configure phase 1
crypto isakmp policy 10
 encr aes  use AES encryption
 authentication pre-share  use a pre-shared key
 group 2  use DH group 2

3. Configure "phase 1.5" (xauth)
crypto isakmp xauth timeout 10  set the xauth authentication timeout to 10 seconds
crypto isakmp client configuration group vpngroup  create an ezvpn group named vpngroup
 key groupkey  the group password is groupkey
 pool localpool  the address pool used to assign ip addresses to this group is localpool
 acl lo  the split-tunnel acl for this group
crypto isakmp profile isapro  create an isakmp profile; the advantage of a profile is that different groups can use different authentication and authorization policies
   match identity group vpngroup  the group this profile corresponds to is vpngroup
   client authentication list vpnauth  authenticate clients with the vpnauth list
   isakmp authorization list vpnauthor  authorize clients with the vpnauthor list (in this configuration, that is the address assignment)
   client configuration address respond  respond to address requests initiated by the client; newer Cisco VPN clients normally use the respond method
   keepalive 10 retry 3  send a keepalive every 10 seconds, retrying up to 3 times
ip local pool localpool 9.9.9.1 9.9.9.10  create a local address pool

4. Configure phase 2
crypto ipsec transform-set ts esp-aes esp-sha-hmac  create a transform set using aes encryption and sha hash authentication
!
crypto dynamic-map dmap 10  create a dynamic map
 set transform-set ts  call transform set ts
 set isakmp-profile isapro  call the isakmp profile
 reverse-route  after a client connects, inject a static host route for the client on the router
!
!
crypto map cmap 1000 ipsec-isakmp dynamic dmap  create a static map and call the dynamic map dmap just created
Apply crypto map cmap on every interface through which vpn dial-in requests may arrive.

5. Connect with the VPN client
Use vpngroup as the group name and groupkey as the group password. Use cisco as the username and cisco as the password.

PP says goodbye to 106


Today PP left 106, where PP had worked for almost a year. I recall that a year ago we were both confused and lost about the future; a year later, through PP's own efforts, PP seized an opportunity and landed a very good new job, one good enough to make me envious.

PP's new life has begun, while I am still walking slowly along my own path; fortunately I am no longer as lost as I was a year ago.

The picture posted a year ago, on March 16, is used again today, to commemorate Penguin Partner's year of life at 106.

I sincerely hope PP can fully bring out PP's abilities in the new job, and live a happy and joyful life.

P&PP a year ago

P&PP 

Powered by Movable Type 4.37
Creative Commons License
This blog is licensed under a Creative Commons License.


About this Archive

This page is an archive of entries from June 2007 listed from newest to oldest.

May 2007 is the previous archive.

July 2007 is the next archive.
