Wow…4+ years later and I’m finally posting part 2. Yep, the original config didn’t work quite right but I did get it working. Here’s the result:

On the Cisco switch:
interface Port-channel98
no ip address
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet8/5
no ip address
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 98 mode on
On the Extreme switch:
enable sharing 1:1 grouping 1:1,1:2,1:3,1:4 algorithm port-based
configure vlan "out_of_band" ipaddress
configure vlan "out_of_band" add port 7:1 untagged
configure vlan "out_of_band" add port 1:1 tagged

out_of_band was used for testing. I put a PC on port 7:1 on the Extreme switch to make sure I could get to a PC on the Cisco switch.

Turns out I did full documentation on the test process and actually kept the doc! I was amazed! My notes suggest the only delay was when re-connecting ports that are part of the group they would not start forwarding for about 3 seconds. Otherwise it worked great!

Got PIAF purple installed and patched over the weekend. Setting up two of the 1535s to register and do video calling was pretty trivial. There’s a little bit of lag in the video but it’s not too bad. I also called the test numbers and there was no problem with the audio quality. Nice and sharp without drops, latency or jitter. This is running in VirtualBox with the extensions installed on a Pentium dual core. I’ve assigned 1 GB of RAM to the VM.

To turn on the video capability you have to add the following to sip_extensions_custom in the asterisk directory:


Don’t forget to reload the configs!

Next up is getting Google Voice to work.

Wow, it’s been a while. I scored some of the Nortel IP 1535’s thanks to NerdVittles and this gives me a good opportunity to try to upgrade my Asterisk system to the latest and greatest version. Naturally I want to go with PIAF and they just patched to Asterisk 1.8. I’ve considered using the Incredible PBX build but I don’t think I need all that stuff so I’m going to try straight PIAF first and see if I can get the Google Voice parts working at least.

First up, I’ve installed it in VirtualBox. Now, I’m concerned that there might be a stuttering problem because it’s virtualized. No way to know until I get a phone online. I’m hoping the VB additions will help, so I installed them. It was relatively painless following the steps in the guide I used, with the exception of changing the kernel version to match. Rebooted and it looks ok so far.

More to come as I get phones online.

That’s a mouthful. I’ve been having a hard time figuring out how to successfully transfer images to the Standby ASA’s flash from the Active’s CLI. Finally figured it out. Here’s the syntax:

failover exec standby copy /noconfirm tftp://{ip address}/{file name} disk0:/{file name}

Without the /noconfirm it’ll fail. You also need a standby ip address on the interface facing the tftp server and I haven’t confirmed this but I think it might also need to be on the same subnet. I’m still having some trouble with a situation where the standby ASA would have to reach another subnet.

It’s now a month or so after the release of iOS4 and the Cisco Anyconnect Secure Mobile Client for iPhone is nowhere to be found. What’s up Cisco??? I want my Anyconnect!

And anyone believes they’ll actually ship the Cius? HA!

I previously posted about some luck I had getting IPSEC VPN to work from my iPhone to my IOS router/firewall. That post is now kind of useless because the source blog disappeared about a year ago. So, in order to make this useful again I’m posting my full IOS code (obfuscated for obvious reasons). Change the IP addresses and the group name and password and you should be good to go. This uses the new(ish) method in IOS of zone based firewall. It’s overly complex and really hard to parse for anything remotely complicated but it’s what I’m working with. You’ll notice I used the SDM for most of the config. Yep, I’m lame and I’m not afraid to admit it. All of that zone config typing would have been a pain in the butt! Also, be sure to use a pool that is different from your “inside” subnet. Won’t work otherwise. Also, it should be obvious but this config uses local users so you need to add at least one of those.

Keep in mind this will all change when iPhone OS4 comes out as it’s supposed to support SSL VPN’s. Finally. The IPSEC works perfectly fine for now though. I’ve not tested this on my iPad yet since I haven’t had it out of the house…and it’s not a 3G model. Don’t see why it wouldn’t work though.

And now the code:

aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization network sdm_vpn_group_ml_2 local

crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2

crypto isakmp client configuration group mygroupname
key something_goes_here
dns 192.168.x.x
pool SDM_POOL_2
crypto isakmp profile sdm-ike-profile-1
match identity group mygroupname
client authentication list sdm_vpn_xauth_ml_2
isakmp authorization list sdm_vpn_group_ml_2
client configuration address respond
virtual-template 2

crypto ipsec transform-set aes-transform esp-aes 256 esp-sha-hmac
crypto ipsec profile SDM_Profile1
set transform-set aes-transform
set isakmp-profile sdm-ike-profile-1

class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_SERVER_PT
class class-default

zone security ezvpn-zone

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination dmz-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn1 source dmz-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip

interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1

ip local pool SDM_POOL_2 192.168.y.y 192.168.y.z

ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
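One thing worth doing with a generated zone-based firewall config before trusting it: check that every zone-pair, service-policy, class and access-group reference actually resolves. In the config as posted the zone-pairs all reference a policy-map called sdm-permit-ip while the only policy-map shown is sdm-permit, and SDM_EASY_VPN_SERVER_PT has no match lines at all; whether that is obfuscation, a paste that lost lines, or a real mismatch, a dangling reference means traffic is not being classified the way you think. The audit below is an added example written for this post, not the author's code or a Cisco tool; the config excerpt inside it is constructed to mirror the post and shortened.

```python
import re
# Constructed excerpt modelled on the blog's SDM-generated IOS config (not the author's file).
SAMPLE_CONFIG = """
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match class-map SDM_AH
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
policy-map type inspect sdm-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
zone security ezvpn-zone
zone security out-zone
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
ip access-list extended SDM_AH
 permit ahp any any
"""
def audit_zbf(config):
    """Return dangling-reference findings for a zone-based firewall config."""
    zones, acls, policy_maps = set(), set(), set()
    class_maps = {}   # class-map name -> number of match lines
    refs = []         # (kind, referenced name, referencing block)
    current = None    # name of the config block being parsed
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"zone security (\S+)", line):
            zones.add(m.group(1))
        elif m := re.match(r"ip access-list \w+ (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"class-map type inspect match-\w+ (\S+)", line):
            current = m.group(1); class_maps[current] = 0
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            current = m.group(1); policy_maps.add(current)
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            current = m.group(1)
            refs += [("zone", m.group(2), current), ("zone", m.group(3), current)]
        elif m := re.match(r"match (access-group name|class-map) (\S+)", line):
            kind = "acl" if m.group(1).startswith("access") else "class-map"
            refs.append((kind, m.group(2), current)); class_maps[current] += 1
        elif line.startswith("match ") and current in class_maps:
            class_maps[current] += 1          # e.g. 'match protocol isakmp'
        elif m := re.match(r"class type inspect (\S+)", line):
            refs.append(("class-map", m.group(1), current))
        elif m := re.match(r"service-policy type inspect (\S+)", line):
            refs.append(("policy-map", m.group(1), current))
    defined = {"zone": zones, "acl": acls, "class-map": set(class_maps), "policy-map": policy_maps}
    findings = [f"{ctx}: undefined {kind} {name}" for kind, name, ctx in refs if name not in defined[kind]]
    findings += [f"{n}: class-map has no match statements" for n, c in class_maps.items() if c == 0]
    return findings
```

Run it over a `show running-config` dump with the zones from the rest of the router config included, otherwise the out-zone, in-zone and dmz-zone references will show up as findings too.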

Yup…did it. In fact I’m typing this on the new iPad specific wordpress app and I love it!!! The keyboard in landscape mode is very nice and I can type very quickly. I think it might drive some bad habits with all of the autocorrection and not capitalizing first letters but I can get over that.

My first impression after unboxing was “this is a big iPhone”. After putting on some iPad specific apps, that made all the difference. The bigger format really is something special.

Now, anyone know if it would be possible to write a driver to allow a Bluetooth connection to the iogear bluetooth serial adapter? This would be great for data center work!!!

Seems my original post about the AnyConnect Essentials license is still quite popular. So why not capitalize on that! 🙂

The license does work as advertised. It’s a replacement for the IPSEC based client that Cisco seems to have stopped development on. I’ve been using it in numerous situations and it works great!

I just have a funny situation though where my client was exploring alternatives to Cisco. We got pricing for a couple of competitors including Sonicwall and Juniper and let me tell you…whoo-boy! I guess the others haven’t felt compelled to follow Cisco’s lead and they are still charging ridiculous sums for the SSL VPN clients. Of course there were howls of protest about how their clients did so much more and that if you wanted the same level of functionality you had to pay for Cisco’s full SSL VPN solution. All true, but who cares????

I want a simple client based SSL VPN to replace the IPSEC clients of old. I don’t need all the fancy clientless stuff. I suspect that’s true for a lot of customers. Cisco’s pricing strategy for the AnyConnect Essentials is smart not just because they don’t want to continue to develop the IPSEC client but because it drives business away from their competitors.

Cisco, your choice in focus these days mostly pisses me off but this is a real winner. A small bright spot in an otherwise dreary path you’ve taken. Now, if you could find a way to ship ASA’s before the summer I’d be happy.

So, here’s my coming out for the other project I’ve been working on lately: learning about Arduinos. More later about why I’m doing this but for now…

I got a regular Duemilanove from Adafruit a couple of weeks ago. These things are so nice that they include all of the basic necessary components like the USB to RS232 conversion, the automatic voltage input switching, pin headers etc. I’ve been fiddling with that and learning some of how it works. I wanted to get a second one for the purpose of having the two Arduinos talk to each other. Naturally I decided to do this the harder way and assemble one on a breadboard.

This is actually pretty simple. The components you need are an Atmega328p flashed with the Arduino bootloader, a voltage regulator for getting your power source to a steady 5v, a clock source and a programming method. A couple of LEDs are good for power and the pin 13 status. Based on several resources around the web including:

I’ve managed to get my Boarduino up and running without the use of a reset button and hopefully with a few extra rows available on my breadboard. I’m using an FTDI cable from Adafruit since I had to pick one up for the XBee modules I got. Yes, more to come on that as well. The FTDI cable includes the chip for USB to RS232 conversion but it does not pull out the DTR pin. Thankfully Arduino supports auto-reset using the RTS pin. I had to struggle a bit to figure out why it wasn’t working but the fix was pretty simple. You need to enable “Set RTS on Close” on the serial port that’s tied to the cable. Check out the LadyAda article for more details:


Say whaaaatttt???????? Ok, so you have a Checkpoint firewall with a whole lotta NATed addresses. The router won’t find these NATed addresses though unless you go through a painful procedure to enable proxy-arp on the Checkpoint or you have to add static host entries to the router pointing to the interface IP on the Checkpoint.

What year is this? Because I seem to be in the 90’s.

I know some people really love Checkpoint but every exposure I’ve had has left me scratching my head wondering if they could have done things any more atypically.

So yes, Checkpoint administrators, have no fear. The router jockeys will fix your broken crap again.