Saturday, August 10, 2013

Cisco IOS on UNIX (IOU) - Installing and Running (Lite)

Cisco IOS on UNIX (IOU) is a fully working version of IOS that runs as a user-mode UNIX/Linux process. IOU is built as a native system image and runs just like any other program. IOU supports all platform-independent protocols and features.

With regard to functionality, it is very similar to GNS3, but it requires nowhere near the resources that several virtual routers running under dynamips do.
IOU allows you to build out a network topology on a single PC without the need for physical routers. This is useful for validating network designs, proof-of-concept testing, and certification self-study.

Legal Warnings

If you are not an authorized Cisco employee (or trusted partner), usage of Cisco IOU is prohibited. From an old, internal-only Cisco web page:
Cisco IOS on Unix is a tool intended for internal use only. Distribution of IOU images to customers or external persons, or discussion of IOU with customers or external persons, is prohibited. Don’t do it or we’ll have to come and kill you.
Cisco IOU, just like IOS, is copyrighted software that belongs to cisco Systems, Inc. Distribution of copyrighted software is a federal crime in the United States. I cannot speak regarding the laws of other countries.
In addition, any requests for Cisco IOU images in the comments section of this blog will be deleted, regardless if distribution is legal in your country.
 
Installing and Running IOU

Checking the Distro
$ cat /etc/issue
Ubuntu 11.04 \n \l


Checking the CPU
$ uname -a
Linux ltsp180 2.6.38-13-generic #55-Ubuntu SMP Tue Jan 24 15:34:24 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux


Installing 32 bit Libs on a 64 bit Distro
$ sudo apt-get install ia32-libs

Installing BBE
$ sudo apt-get install bbe

OR

http://packages.ubuntu.com/
- Your distro | Editors | BBE

Download the file (bbe_0.2.2-1_i386.deb)
and install it manually:

$ sudo dpkg -i bbe_0.2.2-1_i386.deb

Installing and Linking the "libcrypto" Library
You either do not have libssl installed or your version is much newer than what Cisco has linked against when building the IOU images.
First, ensure that libssl is installed. On Debian and Ubuntu:

$ sudo apt-get install libssl0.9.8
Next, you'll need to make a symbolic link pointing to the "libcrypto.so.4" file that IOU is looking for.

On 32-bit distros:
$ sudo ln -s /usr/lib/libcrypto.so.0.9.8 /usr/lib/libcrypto.so.4

On 64-bit distros:
$ sudo ln -s /usr/lib32/libcrypto.so.0.9.8 /usr/lib32/libcrypto.so.4

NETMAP File
The network topology map, or NETMAP, file describes the topology of your virtual network. It is used for controlling the layout of the virtual cabling. If you have used dynagen, this is the equivalent of the .net file.

NETMAP
----------------

100:0/0 200:0/1

The above netmap file means that you are connecting port 0/0 of router 100, to port 0/1 of router 200:

[Router 100]--Ethernet 0/0------Ethernet 0/1--[Router 200]

Checking the Hostname For the "iourc" File
$ hostname -s
chaos


The "iourc" File
iourc
-------------------------
[license]
chaos = 4C5556554353434F;


The IOURC file is a configuration file for Cisco IOU. Cisco IOU looks in this file for your license key at startup.

Note: The method below for patching the IOU image for your machine's hostname implies that the license is "4C5556554353434F" and the only change is the hostname.

Giving Execution Permissions to the IOU Image
$ chmod +x i86*

Executing the IOU Image For Router 100 - Non Patched
$ ./i86bi_linux-adventerprisek9-ms.151-4.M 100
***************************************************************
IOS On Unix - Cisco Systems confidential, internal use only
Under no circumstances is this software to be provided to any
non Cisco staff or customers. To do so is likely to result
in disciplinary action. Please refer to the IOU Usage policy at
wwwin-iou.cisco.com for more information.
***************************************************************
IOU License Error: invalid license
License for key 7f030f required on host "chaos".
Obtain a license for this key and host from the following location:
http://wwwin-enged.cisco.com/ios/iou/license/index.html
Place in your iourc file as follows (see also the web page
for further details on iourc file format and location)
[license]
chaos = <16 char license>;

This attempt didn't work because the IOU image hasn't been patched for your hostname.

Patching IOU Image For Key "4C5556554353434F"

$ for F in i86bi_linux-*;do bbe -b "/\xfc\xff\x83\xc4\x0c\x85\xc0\x75\x14\x8b/:10"
-e "r 7 \x90\x90" -o $F.x $F;mv $F.x $F;done;chmod +x ./i86bi_linux-*

Note: This works for the following IOU images (it didn't work for Layer 2 images):

  • i86bi_linux-adventerprisek9-ms
  • i86bi_linux-ipbase-ms
For the i86bi_linuxl2-upk9-ms, you need to use something like IOUGEN.

Executing the IOU Image For Router 100 - Patched IOU
$ ./i86bi_linux-adventerprisek9-ms 100
***************************************************************
IOS On Unix - Cisco Systems confidential, internal use only
Under no circumstances is this software to be provided to any
non Cisco staff or customers. To do so is likely to result
in disciplinary action. Please refer to the IOU Usage policy at
wwwin-iou.cisco.com for more information.
***************************************************************
Port 0 is not connected to anything
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M),
Version 15.1(4)M, DEVELOPMENT TEST SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Fri 25-Mar-11 16:44 by prod_rel_team
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Warning: the compile-time code checksum does not appear to be present.
Linux Unix (Intel-x86) processor with 140260K bytes of memory.
Processor board ID 2048042
8 Ethernet interfaces
8 Serial interfaces
64K bytes of NVRAM.

Executing the IOU Image For Router 200 - Patched IOU
$ ./i86bi_linux-adventerprisek9-ms 200
***************************************************************
IOS On Unix - Cisco Systems confidential, internal use only
Under no circumstances is this software to be provided to any
non Cisco staff or customers. To do so is likely to result
in disciplinary action. Please refer to the IOU Usage policy at
wwwin-iou.cisco.com for more information.
***************************************************************
Port 0 is not connected to anything
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M),
Version 15.1(4)M, DEVELOPMENT TEST SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Fri 25-Mar-11 16:44 by prod_rel_team
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Warning: the compile-time code checksum does not appear to be present.
Linux Unix (Intel-x86) processor with 140260K bytes of memory.
Processor board ID 2048042
8 Ethernet interfaces
8 Serial interfaces
64K bytes of NVRAM.

If you don't need or want access to the equipment via the network (telnet), this is enough for you: add a couple more devices and connections to the NETMAP file and you are good to go.

IOU Image Options
./i86bi_linux-adventerprisek9-ms
Usage: <image> [options] <application id>
<image>: unix-js-m | unix-is-m | unix-i-m | ...
<application id>: instance identifier (0 < id <= 1024)
Options:
-e <n> Number of Ethernet interfaces (default 2)
-s <n> Number of Serial interfaces (default 2)
-n <n> Size of nvram in Kb (default 16KB)
-b <string> IOS debug string
-c <name> Configuration file name
-d Generate debug information
-t Netio message trace
-q Suppress informational messages
-h Display this help
-C Turn off use of host clock
-m <n> Megabytes of router memory (default 128MB)
-L Disable local console, use remote console
-u <n> UDP port base for distributed networks
-R Ignore options from the IOURC file
-U Disable unix: file system location
-W Disable watchdog timer
-N Ignore the NETMAP file

NVRAM Files
The IOU instances in the above example created the following files:
  • nvram_00100 -->Router 100
  • nvram_00200 -->Router 200

As you might recall, the NVRAM is where the startup-config is stored, so these files are more or less the startup config for routers 100 and 200.

If you type:
$ cat nvram_00100
????
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router100
!
boot-start-marker
boot-end-marker
<...>
You can see the startup-config, plus a bit of gibberish.

TSHOOT - Cisco IOU Error Messages

  • What does "UNIX ERR:tcgetattr:Invalid argument" mean? I'm not sure, honestly, but it doesn't seem to hurt anything or cause any loss of functionality. It appears that it can be safely ignored.
  • i86bi_linux_adventerprisek9-ms: No such file or directory. You're probably running a 64-bit version of Linux. On Debian and Ubuntu, installing the ia32-libs package will fix this for you (for other distros, you're on your own):

$ sudo apt-get install ia32-libs

  • i86bi_linux_adventerprisek9-ms: error while loading shared libraries. You either do not have libssl installed or your version is much newer than what Cisco has linked against when building the IOU images.
First, ensure that libssl is installed. On Debian and Ubuntu:
$ sudo apt-get install libssl0.9.8
Next, you'll need to make a symbolic link pointing to the libcrypto.so.4 file that IOU is looking for.

On 32-bit hosts:
$ sudo ln -s /usr/lib/libcrypto.so.0.9.8 /usr/lib/libcrypto.so.4

On 64-bit hosts:
$ sudo ln -s /usr/lib32/libcrypto.so.0.9.8 /usr/lib32/libcrypto.so.4
  • I'm getting a "host not found in iourc file" error message. Use the correct hostname in your IOURC file. See above.
  • How can I add an NM-16ESW module? You can't.
  • Oh, come on! There must be some way to add ATM or NM-16ESW modules! Nope.
  • "Wrapper-linux: No such file or directory" error message.
Provide the correct path to the IOU image as the -m option. If it is in the current directory, refer to it as ./i86bi_linux-adventerprisek9-ms, for example.
  • I've tried everything and I can't get it to work. What should I do? Use GNS3 instead.
  • Will you send me a copy? No. In addition, if you post any comments below asking for or offering IOU images, they will be deleted whenever I see them.
 
 

Wrapping the IOU Image Execution for Telnet Access

Wrapper - What it is And How It Works
When you start up an IOU router from the command line, it will stay in the foreground and you'll be connected to the console. This may not always be the desired behavior, especially if you wish to telnet to the console from another host on the network (similar to dynamips).
The wrapper program can be used to redirect a TCP port to the console of the router so that you can do exactly this.

How do I use the Wrapper
$ ./wrapper
Usage: ./wrapper [-v] -m<image name> -p<port number> -- [iou options] <router ID>
where <port number> is in the range <1024-65550>
all options after the '--' are passed to iou
[-v] Display version

For example, instead of just running ./imagename <application id>, you would use something like this:

$ ./wrapper -m ./imagename -p 2000 -- -e0 -s1 -m 64 100

This would instruct the wrapper to start up the IOU image named ./imagename and listen on TCP port 2000. Any options after the double hyphen (--) are passed to the IOU image so, in this case, our IOU instance would start up with zero Ethernet interfaces (-e0), one serial interface (-s1), which actually means four serial interfaces in newer images due to a feature called "Wide Port Adapters", and 64 MB of RAM (-m 64).

The "Application ID", which we'll use to refer to this instance in the NETMAP file (see above), is 100.
The wrapper is most useful in a shell script to start up and background a number of IOU instances at once. For a complete example showing a NETMAP file and a corresponding shell script to start up all IOU instances, see my article iou2net.pl, an IOUlive replacement:

  • http://evilrouters.net/2011/09/22/iou2net-pl-ioulive-replacement-netmap-startup-script/

Stopping the IOU's When Using the Wrapper
If you are using the wrapper and have backgrounded the IOU instances, you'll need to find the process ID of the instance you want to stop and use the kill command.
To see all of your running IOU instances, use this command (the pattern is quoted so the shell does not expand it against a file named wrapper in the current directory):
$ ps -ef | grep '[w]rapper'

Find the instance you want to stop and pass the corresponding process IDs to the kill command.
To stop all running IOU instances in one fell swoop, use the following:
$ ps -ef | grep '[w]rapper' | awk '{ print $2 }' | xargs kill

Executing the IOU Image For Router 100 - via Wrapper
$ ./wrapper-linux -m ./i86bi_linux-adventerprisek9-ms -p 2100 \
  -- -e3 -s3 -m 128 -n 16 100 > /dev/null 2>&1 &


Command Dissected:
-m ./i86bi_linux-adventerprisek9-ms - Wrapped IOU image
-p 2100 - Wrapper's telnet port for remote access
-- - IOU image options follow
-e3 - 3 Ethernet interfaces (in some IOU images this is 3x4)
-s3 - 3 serial interfaces (in some IOU images this is 3x4)
-m 128 - Megabytes of router memory (default 128MB)
-n 16 - Size of nvram in Kb (default 16KB)
100 - IOU router id in the NETMAP file
> /dev/null 2>&1 - Redirecting STDOUT and STDERR to the null file (blackhole)
& - Running the wrapper in the background

$ telnet localhost 2100
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]:
% Please answer 'yes' or 'no'.

Executing the IOU Image For Router 200 - via Wrapper
$ ./wrapper-linux -m ./i86bi_linux-adventerprisek9-ms -p 2200 -- -e3 -s3 -m 128 -n 16 200 > /dev/null 2>&1 &

Command Dissected:
-m ./i86bi_linux-adventerprisek9-ms - Wrapped IOU image
-p 2200 - Wrapper's telnet port for remote access
-- - IOU image options follow
-e3 - 3 Ethernet interfaces (in some IOU images this is 3x4)
-s3 - 3 serial interfaces (in some IOU images this is 3x4)
-m 128 - Megabytes of router memory (default 128MB)
-n 16 - Size of nvram in Kb (default 16KB)
200 - IOU router id in the NETMAP file
> /dev/null 2>&1 - Redirecting STDOUT and STDERR to the null file (blackhole)
& - Running the wrapper in the background

$ telnet localhost 2200
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]:
% Please answer 'yes' or 'no'.

Note: This example is the same as the one above, but run via the wrapper and with some IOU options.

 

Connecting IOU to the Real World

There are several options:

 

Graphical Interfaces

There are at least two that I know about:

 

Now IOU is supported on GNS3, check out how to set it up here:

 

Based On:

Customize Your Windows 8 Installation Disc

Customize Your Windows 8 Installation Disc and Slipstream Updates With WinReducer


Windows installation disc-customizing tools are always useful. They allow you to add Windows updates to your installation media, streamline the installation process by filling in your product key and other information, and customize Windows’ default settings.

We previously covered RT Se7en Lite for Windows 7, and WinReducer works similarly for Windows 8. Both tools work similarly to the nLite tool for Windows XP — WinReducer is like an nLite for Windows 8.

Setup

First, download WinReducer 8. This software is technically in beta at the moment because of how new Windows 8 is, but it worked fine for us. That said, WinReducer includes a warning that it shouldn’t yet be used for production purposes. It’s okay to experiment with it on your own, but don’t use it to customize an entire organization’s mission-critical Windows 8 installer discs just yet.

Launch WinReducer after extracting it and you’ll immediately see an error message. The message tells you you’ll have to manually download certain tools that WinReducer requires — click OK to continue.

Click the Download links to visit each program’s website and download the appropriate software. Just download the software and install it as you normally would, then click each check box and point WinReducer at each installed program’s .exe file. ImageX and osdimg are both included in the same package, so you only really have to download four different tool packages. This is the most tedious part of the process — it’s smooth sailing after this.

You’ll next have to copy the contents of a Windows 8 installation disc to a folder on your computer and point WinReducer at that folder. You can also click the Extract an ISO box and point WinReducer at the ISO file — it will automatically extract the ISO file to a temporary folder.

After pointing WinReducer at the Windows 8 installation files, select the edition of Windows 8 you’ll be using and click the Mount button.

WinReducer will read the data from your Windows 8 installation files and then you can get started.

Minimizing Your Installation Media

As its name suggests, WinReducer is focused on reducing the size of your Windows 8 installation disc by removing components from it. This is possible — for example, you could remove the default Modern apps, language files you don’t use, and various other things. You should be extra careful if you start removing stuff — you could easily remove too much and cause problems with your resulting Windows system.

We don’t recommend removing things — sure, you could shrink your ISO image, but either way it would fit on a DVD. You could perhaps fit it on a smaller USB drive, if you’re lucky. The resulting Windows system may use less space when you install it, but the difference shouldn’t be significant.

Customization

The options on the Customization tab are more interesting. On the Appearance tab, you can set a custom background you’ll see during the installation process and also set a custom desktop wallpaper, lock-screen background, theme, and system properties logo that you’ll see on the installed system. Other tabs allow you to customize Internet Explorer 10, including setting a different home page and changing a variety of its settings.

Slipstreaming Updates

On the System tab, you’ll find options for integrating drivers and updates. This process of integrating updates is known as “slipstreaming.” It saves you time later by integrating Windows updates with the installation media, so you won’t have to install them after installing Windows. To start slipstreaming updates, click the Updates checkbox and choose a folder for your updates.

Click the Update Download Tool button and use the integrated tool to download the Windows 8 updates to your computer. They’ll be integrated into your Windows 8 installation media when you create the media.

Unattended Installation Options

WinReducer allows you to set up unattended Windows installation options. These allow your Windows installation media to automatically select various options. For example, you can have the Windows installation process automatically accept the EULA, select your preferred language, and enter your serial number — your serial key will be inserted directly into your Windows installation image.

If you opt to integrate your serial number, be sure you only use your Windows 8 installation media for a single computer or you’ll be violating the Windows license agreement. You’ll also run into issues activating Windows 8 if you use the same key on multiple systems.

Other tabs here allow you to set up your final Windows installation setup, including automatically creating user accounts and selecting passwords, enabling autologin, and selecting a computer name.

Creating Your Installation Media

Once you’re done configuring your Windows 8 installation media, click the button on the Apply tab to create your customized ISO file.

You can then burn the resulting ISO file to a disc or copy it to a USB drive the same way you’d create a Windows 8 USB drive from a standard Windows 8 ISO image. The resulting installation media will work just like standard Windows 8 installation media, but will be customized with all the options you chose.


Before installing your customized Windows installation disc onto a standard computer, you may want to test by installing it on a virtual machine created by VirtualBox or VMware Player. WinReducer is still in beta, so it’s a good idea to be careful and double-check everything worked properly.

Taken From: http://www.howtogeek.com/169522/customize-your-windows-8-installation-disc-and-slipstream-updates-with-winreducer/

Saturday, July 27, 2013

Cisco IPsec Configuration

by Priscilla Oppenheimer

This example annotates the configuration of two Cisco routers configured to send encrypted traffic across an IPsec tunnel. Following the annotations are some explanations of Cisco show commands that are useful when troubleshooting IPsec. The two routers are connected via Frame Relay. Each router also has a Fast Ethernet interface where end nodes reside, as shown in the following figure. The end nodes' traffic will be encrypted when traversing the IPsec tunnel.
[Figure: R1 and R2 connected via Frame Relay, each with a Fast Ethernet interface where end nodes reside]
R1 Annotated Configuration
R1's configuration is shown below. Annotations start with !---- and are in blue.
R1#show run
Building configuration...
Current configuration : 1907 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
!

!---- The IPsec configuration starts with configuring the Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP is a framework for authentication and key exchange. Cisco uses Internet Key Exchange (IKE) which is derived from ISAKMP. IKE establishes a shared security policy and authenticated keys for IPsec to use.
First we create Policy 1. Then we say that we'll use MD5 to hash the IKE exchange, though we could use SHA (the Cisco default). We'll use DES to encrypt IKE, though we could use AES. (Because DES is the default it doesn't show in the configuration.)
We could use a Certificate Authority (CA) for authentication, but for our example we will manually enter a pre-shared key into each router. We will use "MyKey" for the key.
We also provide the address of our peer, 10.102.0.2. ----!

crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key MyKey address 10.102.0.2
!
!---- Next, we create an IPsec transform set that we call MySet. We specify the authentication protocol for the IPsec Authentication Header (AH) and we specify the encryption protocol for the IPsec Encapsulating Security Payload (ESP). These don't have to be the same protocols that IKE uses. In fact, we'll use SHA for authentication and AES-256 for encryption. ----!
crypto ipsec transform-set MySet ah-sha-hmac esp-aes 256
!
!---- You can't expect Cisco to make anything easy! So next we create a crypto map, called MyMap, with sequence number 1. (A crypto map can be a collection of entries, each with a different sequence number, though we'll just use one entry.) The ipsec-isakmp argument tells the router that this map is an IPsec map. We tell the router about its peer (10.102.0.2) yet again and we set the security-association (SA) lifetime.

We will use 190 seconds for the SA lifetime because Cisco examples use 190. It seems too short but there's a tradeoff. If you make it too long you risk attackers being more successful. If you make it too short, the routers have to do more work to renegotiate the SA more often. The default is based on a global command that affects all maps and is 3600 seconds (one hour).
Our crypto map points to our MySet transform set. It also references access-list 101, which is later in the configuration and specifies which traffic will be encrypted. ----!

crypto map MyMap 1 ipsec-isakmp
set peer 10.102.0.2
set security-association lifetime seconds 190
set transform-set MySet
match address 101
!
interface FastEthernet0/0
ip address 10.1.0.1 255.255.0.0
!
interface Serial1/0
no ip address
encapsulation frame-relay
serial restart-delay 0
!
!---- Here we apply our crypto map to the interface that will be sending the encrypted traffic. The interface is a Frame Relay sub-interface with DLCI 102 that connects to our peer at the other end. Our address is 10.102.0.1. (Our peer is 10.102.0.2 as we've already seen.) ----!

interface Serial1/0.102 point-to-point
ip address 10.102.0.1 255.255.0.0
frame-relay interface-dlci 102  
crypto map MyMap
!
router ospf 100
log-adjacency-changes
network 10.0.0.0 0.255.255.255 area 0
!
no ip http server
no ip http secure-server
!

!---- Access list 101 specifies which traffic will use IPsec. Note that access-list 101 is referenced in the crypto map statement for MyMap above. ----!

access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
line con 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end
R1#   
R2 Annotated Configuration
R2's configuration is shown below. Annotations start with !---- and are in blue. Notice that R2 needs fewer annotations. It needs to match R1 so they will act like nice peers and not fight with each other.

R2#show run
Building configuration...
Current configuration : 1894 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
!
!---- Here we configure ISAKMP (IKE) as we did on R1. Note that for R2, we use 10.102.0.1 (R1) for our peer. ----!


crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key MyKey address 10.102.0.1
!

!---- Next, we create an IPsec transform like we did on R1.  ----!
crypto ipsec transform-set MySet ah-sha-hmac esp-aes 256
!

!---- Here's our map that points to our peer (R1) and references access list 101.  ----!


crypto map MyMap 1 ipsec-isakmp
set peer 10.102.0.1
set security-association lifetime seconds 190
set transform-set MySet
match address 101
!
interface FastEthernet0/0
ip address 10.2.0.1 255.255.0.0
!
interface Serial1/0
no ip address
encapsulation frame-relay
serial restart-delay 0
frame-relay lmi-type ansi
!
!---- Add the crypto map to the interface that connects back to R1.  ----!
interface Serial1/0.201 point-to-point
ip address 10.102.0.2 255.255.0.0
frame-relay interface-dlci 201  
crypto map MyMap
!
router ospf 100
log-adjacency-changes
network 10.0.0.0 0.255.255.255 area 0
!
no ip http server
no ip http secure-server
!

!---- As we did on R1, we define an access list to specify which traffic will use IPsec. The access-list is referenced in the crypto map statement for MyMap above. ----!

access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
line con 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
end
R2# 
R2 Show Commands
Once you have configured the router peers, a variety of show commands will help you verify that the security associations are live and the traffic is being encrypted.

!---- The show crypto session command lets us verify that the IKE session is active. Notice that we're talking to our peer via UDP port 500, the port for IKE. ----!

R2#show crypto session
Crypto session current status
Interface: Serial1/0.201
Session status: UP-ACTIVE    
Peer: 10.102.0.1 port 500
  IKE SA: local 10.102.0.2/500 remote 10.102.0.1/500 Active
  IPSEC FLOW: permit ip 10.0.0.0/255.0.0.0 10.0.0.0/255.0.0.0
        Active SAs: 4, origin: crypto map

!---- The show crypto isakmp policy command tells us more than we ever wanted to know about our IKE session. ----!

R2#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

!---- The show crypto map verifies our IPsec status. We aren't using Perfect Forward Secrecy (PFS) as we don't need that extra protection from evil-doers. ----!

R2#show crypto map
Crypto Map "MyMap" 1 ipsec-isakmp
        Peer = 10.102.0.1
        Extended IP access list 101
            access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
        Current peer: 10.102.0.1
        Security association lifetime: 4608000 kilobytes/190 seconds
        PFS (Y/N): N
        Transform sets={
                MySet,
        }
        Interfaces using crypto map MyMap:
                Serial1/0.201
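
The two outputs above show that IKE is protected with DES, MD5 and Diffie-Hellman group 1, and that PFS is off, which are the settings a reviewer would look at first. The following Python script is an added example, not part of the original article: it parses those two show outputs (copied from this page and trimmed) and lists the legacy parameters. The function names and the 2048-bit Diffie-Hellman threshold are assumptions of this example.

```python
import re

# Output copied from the R2 listings on this page, trimmed to the fields read below.
ISAKMP_POLICY_OUTPUT = """\
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

CRYPTO_MAP_OUTPUT = """\
Crypto Map "MyMap" 1 ipsec-isakmp
        Peer = 10.102.0.1
        Security association lifetime: 4608000 kilobytes/190 seconds
        PFS (Y/N): N
"""

# Policy threshold chosen for this example (an assumption, not from the article).
MIN_DH_BITS = 2048


def parse_isakmp_policy(text):
    """Split 'show crypto isakmp policy' output into protection suites."""
    suites = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Protection suite of priority (\d+)$", line)
        if m:
            suites.append({"name": "priority " + m.group(1), "fields": {}})
        elif line == "Default protection suite":
            suites.append({"name": "default", "fields": {}})
        elif ":" in line and suites:
            # Field lines look like "label:   value"; split on the first colon.
            label, value = line.split(":", 1)
            suites[-1]["fields"][label.strip()] = value.strip()
    return suites


def audit_isakmp(suites):
    """Return (suite, parameter, detail) tuples for legacy IKE parameters."""
    findings = []
    for suite in suites:
        fields = suite["fields"]
        if fields.get("encryption algorithm", "").startswith("DES"):
            findings.append((suite["name"], "encryption", "56-bit DES"))
        if "Message Digest 5" in fields.get("hash algorithm", ""):
            findings.append((suite["name"], "hash", "MD5"))
        m = re.match(r"#(\d+) \((\d+) bit\)", fields.get("Diffie-Hellman group", ""))
        if m and int(m.group(2)) < MIN_DH_BITS:
            findings.append(
                (suite["name"], "dh-group", "group %s (%s bit)" % m.groups())
            )
    return findings


def audit_crypto_map(text):
    """Return a finding for every crypto map entry that has PFS disabled."""
    findings = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'Crypto Map "([^"]+)" (\d+)', line)
        if m:
            current = "%s %s" % m.groups()
        m = re.match(r"PFS \(Y/N\): ([YN])", line)
        if m and m.group(1) == "N":
            findings.append((current, "pfs", "disabled"))
    return findings


if __name__ == "__main__":
    results = audit_isakmp(parse_isakmp_policy(ISAKMP_POLICY_OUTPUT))
    results += audit_crypto_map(CRYPTO_MAP_OUTPUT)
    for scope, parameter, detail in results:
        print("%-12s %-10s %s" % (scope, parameter, detail))
```

The default protection suite is reported as well because it appears in the output as the fallback policy.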

!---- The show crypto ipsec transform-set verifies our IPsec status and shows that we're using tunnel mode (rather than transport mode). Tunnel mode is appropriate for a router-to-router configuration as opposed to an end node talking to another end node. ----!

R2#show crypto ipsec transform-set
Transform set MySet: { ah-sha-hmac  }
   will negotiate = { Tunnel,  },
   { esp-256-aes  }
   will negotiate = { Tunnel,  },

!---- The show crypto ipsec sa command shows identity information and packet counts and then displays information about all our security associations (SAs). Notice that there's an inbound SA and an outbound SA for both authentication (AH) and encryption (ESP). The inbound and outbound Payload Compression Protocol (PCP) SAs aren't active, but the others are. They became active because a PC connected to R1's Fast Ethernet interface pinged a PC connected to R2's Fast Ethernet interface. Each SA is identified by a unique security parameter index (SPI). ----!

R2#show crypto ipsec sa               
interface: Serial1/0.201
    Crypto map tag: MyMap, local addr 10.102.0.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer 10.102.0.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0
     local crypto endpt.: 10.102.0.2, remote crypto endpt.: 10.102.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0.201
     current outbound spi: 0x8590D11F(2240860447)
     inbound esp sas:
      spi: 0xFDC7B87B(4257724539)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: MyMap
        sa timing: remaining key lifetime (k/sec): (4565647/146)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
      spi: 0x11B79D1C(297245980)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: MyMap
        sa timing: remaining key lifetime (k/sec): (4565647/140)
        replay detection support: Y
        Status: ACTIVE
     inbound pcp sas:
     outbound esp sas:
      spi: 0x8590D11F(2240860447)
        transform: esp-256-aes ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: MyMap
        sa timing: remaining key lifetime (k/sec): (4565647/134)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
      spi: 0xECA2A6B8(3970082488)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: MyMap
        sa timing: remaining key lifetime (k/sec): (4565647/132)
        replay detection support: Y
        Status: ACTIVE
     outbound pcp sas:

Taken From: http://www.priscilla.com/ipsecexample.htm

For more complex configurations check:
http://www.routeralley.com/ra/docs/ipsec_site2site_router.pdf

For more detail on IKE:
http://en.wikipedia.org/wiki/Internet_Key_Exchange
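
The SA walk-through above can be checked mechanically. This added example (not part of the original post) parses a trimmed, constructed copy of the R2 show crypto ipsec sa output into one record per SA and reports any protocol that lacks an ACTIVE SA in one direction; the function names are hypothetical.

```shell
# Added example (not from the original post): summarise "show crypto ipsec sa".
# Constructed sample: a trimmed copy of the R2 output; function names are hypothetical.
sample_sa_output() {
cat <<'EOF'
     current outbound spi: 0x8590D11F(2240860447)
     inbound esp sas:
      spi: 0xFDC7B87B(4257724539)
        transform: esp-256-aes ,
        sa timing: remaining key lifetime (k/sec): (4565647/146)
        Status: ACTIVE
     inbound ah sas:
      spi: 0x11B79D1C(297245980)
        transform: ah-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4565647/140)
        Status: ACTIVE
     inbound pcp sas:
     outbound esp sas:
      spi: 0x8590D11F(2240860447)
        transform: esp-256-aes ,
        sa timing: remaining key lifetime (k/sec): (4565647/134)
        Status: ACTIVE
     outbound ah sas:
      spi: 0xECA2A6B8(3970082488)
        transform: ah-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4565647/132)
        Status: ACTIVE
     outbound pcp sas:
EOF
}

# list_sas: stdin = show output; stdout = "direction protocol spi transform secs status".
list_sas() {
    awk '
    $1 ~ /^(inbound|outbound)$/ && $3 == "sas:" { dir = $1; proto = $2; next }
    $1 == "spi:"       { split($2, a, "("); spi = a[1]; next }
    $1 == "transform:" { xf = $2; next }
    $1 == "sa" && $2 == "timing:" { t = $NF; gsub(/[()]/, "", t); split(t, p, "/"); secs = p[2]; next }
    $1 == "Status:"    { print dir, proto, spi, xf, secs, $2 }
    '
}

# unpaired_protocols: stdin = show output; prints protocols missing an ACTIVE SA in one direction.
unpaired_protocols() {
    list_sas | awk '
    $6 == "ACTIVE" { seen[$2] = seen[$2] $1 " " }
    END { for (p in seen) if (seen[p] !~ /inbound/ || seen[p] !~ /outbound/) print p }
    '
}
sample_sa_output | list_sas   # one line per SA; the empty PCP sections yield none
```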


Ubuntu – Packages for Old Releases

The repositories for older releases that are not supported (like 9.04, 9.10, and 10.10) get moved to an archive server. There are repositories available at http://old-releases.ubuntu.com

The reason for this is that it is now out of support and no longer receiving updates and security patches.

I would urge you to consider a supported distribution. If your computer is too old in terms of memory or processor then you should consider a distribution such as Lubuntu or Xubuntu.

If you want to continue using an outdated release then edit /etc/apt/sources.list and change archive.ubuntu.com to old-releases.ubuntu.com

then update with

sudo apt-get update && sudo apt-get dist-upgrade

See also:

· https://help.ubuntu.com/community/EOLUpgrades/

Taken From: http://askubuntu.com/questions/91815/how-to-install-software-or-upgrade-from-old-unsupported-release
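
The sources.list change described above, as an added shell example that is not part of the original answer: it keeps a one-time backup and rewrites the file passed as an argument. It goes beyond the single substitution in the answer by also rewriting two-letter country mirrors and security.ubuntu.com, since an end-of-life release is no longer served from those hosts either; the function names, the sample file and the PPA line are constructed.

```shell
# Added example (not from the original answer): repoint an end-of-life
# release at old-releases.ubuntu.com. Function names are hypothetical.

# Constructed sample sources.list for 9.10 ("karmic"); the PPA is made up.
write_sample_sources() {
cat > "$1" <<'EOF'
# main archive via a country mirror
deb http://us.archive.ubuntu.com/ubuntu/ karmic main restricted
deb-src http://archive.ubuntu.com/ubuntu/ karmic universe
deb http://security.ubuntu.com/ubuntu karmic-security main
deb http://ppa.launchpad.net/example/ppa/ubuntu karmic main
EOF
}

# switch_to_old_releases FILE
# Keeps the first original as FILE.bak, then rewrites archive.ubuntu.com
# (with or without a two-letter country prefix) and security.ubuntu.com.
switch_to_old_releases() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    [ -e "$f.bak" ] || cp -p "$f" "$f.bak" || return 1
    sed -E \
        -e 's#//([a-z]{2}\.)?archive\.ubuntu\.com#//old-releases.ubuntu.com#' \
        -e 's#//security\.ubuntu\.com#//old-releases.ubuntu.com#' \
        "$f" > "$f.new" || return 1
    cat "$f.new" > "$f" && rm -f "$f.new"   # overwrite in place, keep mode/owner
}

# stale_entries FILE: print lines that still name a live-archive host.
stale_entries() {
    grep -E '//([a-z]{2}\.)?(archive|security)\.ubuntu\.com' "$1"
}

# Usage on a real system (as root), then refresh the package lists:
#   switch_to_old_releases /etc/apt/sources.list && apt-get update
```

Running stale_entries on the file afterwards should print nothing; third-party lines such as PPAs are left untouched and may need to be removed by hand if they no longer serve the release.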

Saturday, December 15, 2012

Android Emulator on Linux (Ubuntu)

When Google announced and released Android, back in October 2008, everyone knew that it would become the best operating system for mobile devices. Not only is Android open source, but it also comes with a Software Development Kit, which offers the necessary APIs and utilities for developers to easily build powerful applications for Android-powered mobile devices. The following tutorial was created especially for those of you who want to test the Android platform and install various applications, on the popular Ubuntu operating system. OK, so let's get started... shall we?


Grab the Android SDK from Softpedia and save the file in your home folder.

Editor's note: The tutorial was rewritten for the new Android 2.0 or later, which provides a graphical user interface to setup a virtual device and the SD card. This makes everything a lot easier. No more command-line madness!
Step 1 - Installing the requirements
While the download is in progress, make sure that you have Java and the 32-bit libraries (for x86_64 users ONLY) installed. If you don't have Java (or the 32-bit libraries), go to System -> Administration -> Synaptic Package Manager...


...search for openjdk and double-click on the openjdk-6-jre entry...


...then, search for ia32-libs (ONLY if you are on a x86_64 machine), and double-click on the ia32-libs entry...


Now, click the "Apply" button to install the packages. Wait for the packages to be installed and close Synaptic when the process is finished.
Step 2 - Android Setup
When the Android SDK download is over, right-click on the file and choose the "Extract Here..." option...


Enter the extracted folder, then enter the tools folder and double-click the android file. Click the "Run" button when asked what you want to do, and the Android SDK and AVD Manager interface will appear...


Go to the "Settings" section and make sure you check the "Force https://..." box. Click the "Save & Apply" button...


Now go to the "Installed Packages" section and click the "Update All" button. A window will appear with all the available updates. Click the "Install Accepted" button...


...and wait for the packages to be downloaded and installed. It will take a while if you have a slow connection, so go see a movie or something until it finishes...


Close the update window when it's done and you will see all the installed SDKs in the "Installed Packages" section.
And now, let's create the virtual device. Go to the "Virtual Device" section and click the "New" button. In the new window do the following:
- give the device a name;
- select a target (Android system);
- set the size of the SD card;
- add the hardware you want to have in the emulator.
It should look something like this...


Click the "Create AVD" button when you're done setting up the virtual device and wait for it to finish. It takes about 1 minute, and you'll be notified by a pop-up...


Note: In the above setup, we've created a virtual device for Android 2.0.1 with a 2 GB SD card and the following hardware components: SD Card, GPS, Accelerometer, Track-ball and touch-screen.
Now click the "Start" button, and the "Launch" button from the next dialog, and the emulator will start...


To make things a lot simpler let's create a desktop shortcut, so you won't have to open the terminal every time and type some command, in order to start the Android emulator. Therefore, right-click on your desktop and choose the "Create Launcher..." option...


In the Create Launcher window, type "Android Emulator" (without quotes) in the Name field, and paste the below line in the Command field. Optionally, you can also put a nice icon if you click the icon button on the left...
/home/YOURUSERNAME/android-sdk-linux_86/tools/emulator @softpedia


Note: Please replace YOURUSERNAME and the name of the Android Virtual Device (softpedia in our case) with your USERNAME and the name you gave to the virtual device. DO NOT REMOVE the @ sign.
Step 3 - Run applications in Android
All you have to do now is double-click that desktop shortcut you've just created. The Android emulator will start. Wait for the operating system to load...


When the Android operating system has loaded, you can install and test applications. If you are used to the Android platform, you already know how to do that, but if this is your first time... follow the next instructions.

[Screenshots: Android 1.1 and Android 1.5]

Click the Browser icon, wait for the browser to load and click Menu -> Go to URL. Enter the address from where you can download an Android application with the apk extension. For example, we've easily installed Android's Fortune from Launchpad...


...all you have to do is follow the on-screen instructions!
Have fun, and do not hesitate to comment if you want to know more about Android, or if you're stuck somewhere in the tutorial.

Taken From: http://news.softpedia.com/news/How-to-Run-Android-Applications-on-Ubuntu-115152.shtml

Monday, November 26, 2012

USB Drives on Nexus 7 and Other Android Devices

How To Use USB Drives With the Nexus 7 and Other Android Devices


The Nexus 7 may not have a lot of storage space – especially the original 8 GB model – but you can connect a USB drive to it if you want to watch videos or access other files.

Unfortunately, Android doesn’t automatically mount USB drives by default. You’ll need to root your device to enable support for USB drives.

What You’ll Need

You’ll need four things to do this:

· A USB OTG adapter cable: One end of this cable plugs into the micro USB connector on your Nexus 7 (or other device) and one end allows you to connect standard USB 2.0 devices, such as USB drives. These cables can be had for less than $1 online. USB OTG stands for USB On-The-Go.

· A rooted Nexus 7 (or other Android tablet or smartphone): We’ve covered using the Nexus Root Toolkit to easily root Nexus devices. If you’ve previously rooted your device and since updated the operating system, it’s just a matter of opening the Nexus Root Toolkit and clicking the Root button again. (The Nexus Root Toolkit currently does not include support for Android 4.2. If you’re using Android 4.2 on your Nexus, select “Any Build” under the device.)


· The StickMount app: StickMount is available for free from Google Play. Note that StickMount only works if your device is rooted.

· ES File Explorer or another file manager app: We’ll be using ES File Explorer here, but you can also use another file manager if you prefer it.

Accessing a USB Drive

With your device rooted, plug one end of the USB OTG cable into it and connect the USB drive to the other end of the cable.


You’ll see a StickMount prompt when the drive is connected. Tap OK and StickMount will make the files on the USB device accessible.


You’ll need to grant root access to StickMount. The process will fail here if you aren’t rooted.


If you agree to both dialogs and select the Use by default option in the first dialog, you won’t see any dialogs when you next connect your USB drive – this will all happen automatically.

You’ll see a notification indicating that StickMount successfully mounted the device under /sdcard/usbStorage.


Open the ES File Explorer app on your device and tap the usbStorage folder.


You’ll see at least one folder inside the usbStorage folder. These folders represent the different partitions on your connected devices.


Tap the folder and you’ll see the files inside it. Tap or long-press the files to open them or manipulate them normally.


For example, this is particularly useful for watching video files, which can take up a lot of space on your tablet.


When you’re done, you can tap the StickMount option in your notification tray to unmount (eject) the drive and then disconnect it. This notification also informs you when StickMount has successfully mounted a drive.



While the cable is a tad bulky, it’s still convenient for watching videos on an airplane or while sitting around your house. You can also use it to move files around for any other purpose, just as you’d use a USB drive on a computer.

Taken From: http://www.howtogeek.com/129800/how-to-use-usb-drives-with-the-nexus-7-and-other-android-devices/