The Cruft Of My Brain » Cruft

Anyconnect for iPhone???

scott — Tue, 13 Jul 2010 13:46:32 +0000

It’s now a month or so after the release of iOS4 and the Cisco Anyconnect Secure Mobile Client for iPhone is nowhere to be found. What’s up Cisco??? I want my Anyconnect!

And anyone believes they’ll actually ship the Cius? HA!

iPhone VPN and Cisco IOS, Part2

scott — Wed, 05 May 2010 15:58:52 +0000

I previously posted about some luck I had getting IPSEC VPN to work from my iPhone to my IOS router/firewall. That post is now kind of useless because the source blog disappeared about a year ago. So, in order to make this useful again I’m posting my full IOS code (obfuscated for obvious reasons). Change the IP addresses and the group name and password and you should be good to go. This uses the new(ish) method in IOS of zone based firewall. It’s overly complex and really hard to parse for anything remotely complicated but it’s what I’m working with. You’ll notice I used the SDM for most of the config. Yep, I’m lame and I’m not afraid to admit it. All of that zone config typing would have been a pain in the butt! Also, be sure to use a pool that is different from your “inside” subnet. Won’t work otherwise. Also, it should be obvious but this config uses local users so you need to add at least one of those.

Keep in mind this will all change when iPhone OS4 comes out as it’s supposed to support SSL VPN’s. Finally. The IPSEC works perfectly fine for now though. I’ve not tested this on my iPad yet since I haven’t had it out of the house…and it’s not a 3G model. Don’t see why it wouldn’t work though.

And now the code:

aaa authentication login sdm_vpn_xauth_ml_2 local aaa authorization network sdm_vpn_group_ml_2 local


crypto isakmp policy 2

 encr aes 256

 authentication pre-share

 group 2
crypto isakmp client configuration group mygroupname

 key something_goes_here

 dns 192.168.x.x

 pool SDM_POOL_2

 include-local-lan

 netmask 255.255.255.0

crypto isakmp profile sdm-ike-profile-1

   match identity group mygroupname

   client authentication list sdm_vpn_xauth_ml_2

   isakmp authorization list sdm_vpn_group_ml_2

   client configuration address respond

   virtual-template 2
crypto ipsec transform-set aes-transform esp-aes 256 esp-sha-hmac

!

crypto ipsec profile SDM_Profile1

 set transform-set aes-transform

 set isakmp-profile sdm-ike-profile-1
class-map type inspect match-any SDM_AH

 match access-group name SDM_AH

class-map type inspect match-any SDM_ESP

 match access-group name SDM_ESP

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

 match protocol isakmp

 match protocol ipsec-msft

 match class-map SDM_AH

 match class-map SDM_ESP

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
policy-map type inspect sdm-permit

 class type inspect SDM_EASY_VPN_SERVER_PT

  pass

 class class-default
zone security ezvpn-zone
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone

 service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone

 service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone

 service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination dmz-zone

 service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone

 service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-in-ezvpn1 source dmz-zone destination ezvpn-zone

 service-policy type inspect sdm-permit-ip
interface Virtual-Template2 type tunnel

 ip unnumbered FastEthernet0

 zone-member security ezvpn-zone

 tunnel mode ipsec ipv4

 tunnel protection ipsec profile SDM_Profile1
ip local pool SDM_POOL_2 192.168.y.y 192.168.y.z

ip access-list extended SDM_AH remark SDM_ACL Category=1 permit ahp any any ip access-list extended SDM_ESP remark SDM_ACL Category=1 permit esp any any

iPad…Nuff said

scott — Sat, 03 Apr 2010 19:46:59 +0000

Yup…did it. In fact I’m typing this on the new iPad specific wordpress app and I love it!!! The keyboard in landscape mode is very nice and I can type very quickly. I think it might drive some bad habits with all of the autocorrection and not capitalizing first letters but I can get over that.

My first impression after unboxing was “this is a big iPhone”. After putting on some iPad specific apps, that made all the difference. The bigger format really is something special.

Now, anyone know if it would be possible to write a driver to allow a Bluetooth connection to the iogear bluetooth serial adapter? This would be great for data center work!!!

Breadboard Arduino with FTDI cable and no reset button

scott — Mon, 15 Mar 2010 16:04:42 +0000

So, here’ my coming out for the other project I’ve been working on lately. Learning about Arduino’s. More later about why I’m doing this but for now…

I got a regular Duemilanove from Adafruit a couple of weeks ago. These things are so nice that they include all of the basic necessary components like the USB to RS232, the automatic voltage input switching, pin headers etc. I’ve been fiddling with that and learning some of how it works. I wanted to get a second for the purposes of having the two Arduino’s talk to each other. Naturally I decided to do this the harder way and assemble one on a breadboard.

This is actually pretty simple. The components you need are the Arduino flashed Atmega328p, a voltage regulator for getting your power source to a steady 5v, a clock source and a programming method. A couple of LED’s are good for power and the pin13 status. Based on several resources around the web including:

http://www.flickr.com/photos/34908673@N00/4042185019/sizes/l/
http://arduinofun.com/blog/2009/10/15/breadboard-arduino/

I’ve managed to get my Boarduino up and running without the use of a reset button and hopefully with a few extra rows available on my breadboard. I’m using an FTDI cable from Adafruit since I had to pick one up for the XBee modules I got. Yes, more to come on that as well. The FTDI cable includes the chip for USB to RS232 conversion but it does not pull out the DTS pin. Thankfully Arduino supports auto-reset using the RTS pin. I had to struggle a bit to figure out why it wasnt’ working but the fix was pretty simple. You need to enable “Set RTS on Close” on the serial port that’s tied to the cable. Check out the LadyAda article for more details:

http://www.ladyada.net/make/boarduino/use.html

From Arduino projects

Checkpoint doesn’t support Proxy-Arp???

scott — Wed, 03 Feb 2010 17:12:44 +0000

Say whaaaatttt???????? Ok, so you have a Checkpoint firewall with a whole lotta NATed addresses. The router won’t find these NATed addresses though unless you go through a painful procedure to enable proxy-arp on the Checkpoint or you have to add static host entries to the router pointing to the interface IP on the Checkpoint.

What year is this because I seem be in the 90′s.

I know some people really love Checkpoint but every exposure I’ve had has left me scratching my head wondering if they could have done things any more atypically.

So yes, Checkpoint administrators, have no fear. The router jockeys will fix your broken crap again.

HP TC1100 and the iPad

scott — Sat, 30 Jan 2010 20:17:39 +0000

I’ve had a TC1100 for a while now. I just decided to get a new battery since the old one wouldn’t hold any charge. So as I sit here using it with Win7 it occurs to we that this is pretty much the exact same size as the iPad. Sure its a little thicker but the screen is the same. Even down to the bezel. So whats different? For one thing this requires a pen. This is a good thing and bad. The handwriting recognition isn’t too bad but I do have to fix things sometimes. Plus everything requires the pen. Sometimes it would be nice to just flick something with my finger. So, despite being a really cool form factor I can see how the iPad would be alot easier to use.The lack of camera really annoys me but maybe I can live without that after all. maybe…

Fixing a weird Cisco syntax error

scott — Sun, 24 Jan 2010 07:56:30 +0000

Ran across this tonight. Someone had entered a prefix-list with the name “at&amp ;t” instead of “at&t” (wordpress didn’t like it either so I added the space between the p and the ; but they should really be together.

Oddly enough, IOS wouldn’t allow the bad line to simply be deleted. The “;” had to be removed so that the no command included “at&ampt”

Probably some sort of a regex problem or an ascii escape character but it’s still kind of strange.

Cisco IPS doesn’t like ICMP redirects

scott — Tue, 05 Jan 2010 16:19:02 +0000

I’ve been trying to figure out why a pair of Cisco IPS (AIP-SSM in this case) wouldn’t auto-update signature files or connect to the new Global Correlation feature. The management interfaces were located on a subnet that was between the firewall and the internal L3 switch. The internal LAN’s are on the other side of the switch.

I’ve known for a long time that Cisco ASA’s don’t support sending ICMP redirects. Because of this the IPS’s default gateway couldn’t be set to the FW interface. If I did that they would never be redirected to reach the internal networks. I’ve never had a problem with IOS doing ICMP redirects though, so the IPS’s have been using the switch VLAN interface as the default gateway. The switch sends ICMP redirects when the IPS needs to get out to the internet and the traffic goes direct to the firewall.

Except it doesn’t. I could swear it did at one time in the past. Either my memory is faulty or an image update on the IPS broke it. Now, it seems the IPS tosses ICMP redirects. My guess is it worries about man in the middle attacks and and ICMP redirect is a possible sign of that. So even though the switch is doing the correct thing the IPS disregards it.

Moved the IPS management interface to one of the internal LAN’s and all is happy now.

Microsoft X5 mouse and Snow Leopard

scott — Sat, 19 Dec 2009 15:50:33 +0000

Seems they don’t play well together. Sure, basic mouse functions work, including the scroll wheel. All of the extra buttons don’t seem to work at all though. I’ve been keeping an eye out for drivers and nothing yet. Also, I have yet to find anyone else crying about this. It seems strange to me that I’d be the only one with a nice Microsoft gaming mouse on OS X.

Sometimes Cisco makes me laugh

scott — Fri, 04 Dec 2009 18:20:37 +0000