Bluetrait

Mon, 08 Jan 2007 10:30 PM

Seagate Drives

Michael Dale
I had another Seagate drive die on me. I'm not going to be buying that brand from now on; a pity, I thought they were pretty good.

Any recommendations?

Fri, 29 Dec 2006 12:25 PM

Laptop

Michael Dale
Got my laptop back. Much quicker than expected! Looks like they've replaced the keyboard, the whole top of the laptop and the battery! Awesome.

Tue, 26 Dec 2006 8:52 PM

Macbook Battery

Michael Dale
Looks like the battery on my Macbook has died. I'm going to take it in tomorrow to get replaced.
[Image: Dead Macbook battery]

Sat, 23 Dec 2006 10:38 PM

Setting up the Secondary IP option on a Netscreen with a PPPoE connection

Michael Dale
The following howto will show you how to set up an extra subnet connected to a Netscreen.

Background Info:
  1. Static IP address (202.129.82.126) on ethernet3
  2. /30 Subnet (202.129.82.192/30)
  3. 10.0.0.0/22 Internal Network on ethernet1
  4. Netscreen 5GT running ScreenOS 5.4.0r2 in Dual Untrust mode
  5. PPPoE connection
  6. Router address on 10.0.0.254
Adding an extra subnet gives us the option to run servers on separate IP addresses and bypass the Netscreen's limitation on range port forwarding.

Now what I've done for our connection is attach the extra subnet to our trust interface, the plan being that both the internal network (10.0.0.0) and the new subnet (202.129.82.192/30) can talk to each other.

Another issue is that the 10.0.0.0 network needs a NATed connection, while the new subnet needs to be routed. All this is possible on the same interface with a few policy changes.

So let's start. Please note that this process will break your internet connection until all steps have been completed.

1) Make sure that your external WAN interface is set to Route mode. This will break your current NAT until we fix the policies.
This option can be found in:
Network > Interfaces > ethernet3 (name may be different) -> Edit
[Screenshot: WAN Route Mode]

2) Now go to your internal LAN interface and check that it too is in Route mode and that "Block Intra-Subnet Traffic" is off (this allows the internal interface to pass traffic back out the same interface, i.e. 10.0.0.0 -> 202.129.82.192).
Network > Interfaces > ethernet1 (name may be different) -> Edit
[Screenshot: LAN Route Mode]

3) Add your subnet as a secondary IP on the internal interface.
Network > Interfaces > ethernet1 (name may be different) -> Edit -> Secondary IP
[Screenshot: Adding Second Subnet]

4) Now we'll set up a policy so that any traffic from 10.0.0.0/22 gets NATed out of our static IP address.
Policies -> From Trust to Untrust. The source address will be your internal network; the destination address will be ANY, and so will the service.
[Screenshot: 10.0.0.0 NAT Policy]

5) Click Advanced and check "Source Translation", then click OK.
[Screenshot: Source Translation]

6) Now we'll set up a policy so that our new subnet can talk to the world.
In Policies -> From Trust to Untrust create a basic subnet-to-any rule (of course you can restrict things if you'd like). You don't need "Source Translation" on this one.
[Screenshot: Subnet to ANY]

7) Now create a rule to allow traffic in to our new subnet.
In Policies -> From Untrust to Trust create a basic any-to-subnet rule (of course you can restrict things if you'd like). You don't need "Source Translation" on this one.
[Screenshot: ANY to subnet]

8) The last step is to allow traffic from the new subnet to the internal network (this step is optional).
In Policies -> From Trust to Trust, the source address is your new subnet and the destination address is your local network.
[Screenshot: Subnet to LOCAL network]

Some things I've noticed with this setup:
  1. You can still use VIPs on your main static IP address (202.129.82.126), so that gives you another IP to play with.
  2. The internal Netscreen interface works on the network address of the /30 (i.e. 202.129.82.192), giving us two IP addresses that we can use for servers instead of just one.
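The policy set from steps 4-8 can be checked on paper before touching the box. The Python model below is an added example, not the author's configuration and not ScreenOS code: it encodes the two interfaces, the secondary IP and the four policies as data, then answers for a handful of constructed flows (198.51.100.7 stands in for an internet host) which zone pair each flow crosses, whether a policy permits it, and which source address the far end sees. First-match lookup with a default deny, and consulting the Trust-to-Trust policy for traffic between the two ethernet1 subnets, are assumptions of this model.

```python
"""Model of the post's Netscreen policy set (added example; not the author's
configuration and not ScreenOS code). It reproduces zone assignment and
first-match policy lookup just far enough to show why one internal interface
can carry both a NATed LAN and a routed /30: sessions from 10.0.0.0/22 leave
behind the static address, sessions from 202.129.82.192/30 leave and return
untouched, and the /30 may open sessions to the LAN. First-match with default
deny, and consulting the Trust-to-Trust policy for traffic between the two
ethernet1 subnets, are assumptions of this model."""
from ipaddress import ip_address, ip_network

STATIC_IP = ip_address("202.129.82.126")           # PPPoE address on ethernet3
ANY = ip_network("0.0.0.0/0")

# Interfaces as configured in steps 1-3: both in route mode, ethernet1 with
# the LAN as primary and the /30 as secondary IP.
INTERFACES = {
    "ethernet3": {"zone": "Untrust", "subnets": [ip_network("202.129.82.126/32")]},
    "ethernet1": {"zone": "Trust",
                  "subnets": [ip_network("10.0.0.0/22"), ip_network("202.129.82.192/30")],
                  "block_intra_subnet": False},          # step 2
}

# Steps 4-8, in order: (from_zone, to_zone, source, destination, source_nat)
POLICIES = [
    ("Trust", "Untrust", ip_network("10.0.0.0/22"), ANY, True),        # steps 4-5
    ("Trust", "Untrust", ip_network("202.129.82.192/30"), ANY, False),  # step 6
    ("Untrust", "Trust", ANY, ip_network("202.129.82.192/30"), False),  # step 7
    ("Trust", "Trust", ip_network("202.129.82.192/30"), ip_network("10.0.0.0/22"), False),  # step 8
]


def zone_of(addr):
    """Zone of a directly connected address; anything else is reached via the default route (Untrust)."""
    addr = ip_address(addr)
    for iface in INTERFACES.values():
        if any(addr in net for net in iface["subnets"]):
            return iface["zone"]
    return "Untrust"


def evaluate(src, dst):
    """Decide a new session: returns (action, source address as seen by the destination)."""
    src, dst = ip_address(src), ip_address(dst)
    from_zone, to_zone = zone_of(src), zone_of(dst)
    if from_zone == "Trust" and to_zone == "Trust":
        lan = INTERFACES["ethernet1"]
        if any(src in net and dst in net for net in lan["subnets"]):
            return "permit", str(src)      # same subnet: hosts talk directly, firewall not involved
        if lan["block_intra_subnet"]:
            return "deny", None            # traffic may not re-enter ethernet1 (step 2 turns this off)
    for from_z, to_z, s_net, d_net, src_nat in POLICIES:
        if from_z == from_zone and to_z == to_zone and src in s_net and dst in d_net:
            return "permit", str(STATIC_IP if src_nat else src)
    return "deny", None


if __name__ == "__main__":
    # Constructed flows; 198.51.100.7 is a documentation-range stand-in for an internet host.
    for flow in [("10.0.1.20", "198.51.100.7"),       # LAN host to the internet: NATed
                 ("202.129.82.193", "198.51.100.7"),  # server on the /30: routed as-is
                 ("198.51.100.7", "202.129.82.193"),  # inbound to the /30: allowed by step 7
                 ("198.51.100.7", "10.0.1.20"),       # inbound to the LAN: no policy, denied
                 ("202.129.82.193", "10.0.1.20")]:    # /30 to LAN: allowed by step 8
        print(flow, "->", evaluate(*flow))
```

Running it prints the decision for each of the five flows; the inbound-to-LAN flow is the one that should come back as deny, since only the /30 has an Untrust-to-Trust policy, which is exactly the separation the post is after.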

Sat, 23 Dec 2006 8:45 PM

Back on the air

Michael Dale
We've successfully moved! This new place is pretty awesome, great kitchen and a dishwasher! :)

iiNet ADSL2+ was connected this morning. We've got the business pack, so we currently have one static IP address plus a /30, something we couldn't do cheaply with Internode (it would have cost a $100/month with Node).

We're hoping to upgrade the current /30 to a /29 (8 IP addresses) later next week (for an extra $64/year).

I've got the Netscreen set up so that the /30 works seamlessly with our internal 10.0.0.0/22 network, including broadcast traffic (iTunes sharing for the win).

So once the cabling is done we'll move the servers back here (about mid-Jan I would say).

Wed, 18 Oct 2006 6:26 PM

Akismet Under Load?

Michael Dale
[Screenshot: Akismet Timeout]

I've been getting a few Akismet timeouts lately, which may be one of the reasons why some spam is making it on to this site. I should do a check against that.

Mon, 09 Oct 2006 11:57 PM

Spam

Michael Dale
Far too much spam on this site; I'm getting about 100 a day blocked by Akismet, although a few are still getting through.

Anyway I've upped the spam level to maximum, meaning that anything detected as spam is not accepted (no comment moderation).

[Screenshot: Bluetrait Spam Filtering]

I do need to improve this still.

Wed, 27 Sep 2006 7:07 PM

Racoon to Netscreen VPN (site to site)

Michael Dale
This howto shows you how to create a site-to-site VPN with a Netscreen and Racoon. If you're interested in setting up a dial-up VPN, see here.

Background

My Place
  • Netscreen 5GT running ScreenOS 5.4.0r1 (Should be the same process for any netscreen running ScreenOS 5.x)
  • Local Network of 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)
  • External Address of 59.167.253.89
Josh's Place
  • Gentoo running Racoon (I think it was installed through the command emerge ipsec)
  • Local Network of 10.0.11.0/24 (10.0.11.0 - 10.0.11.255)
  • Dynamic IP Address (we set up a dyndns address, as the Netscreen supports pointing to a hostname)

Site to Site VPN (Josh's network to my network)

Step 1)

Set up a dyndns address for the Linux end (as this is using a dynamic IP address), and use this address in the hostname option when setting up the Netscreen (see next step).

Step 2)


The next step is to set up a site-to-site VPN on the Netscreen. I've covered this process here (only do the "Setting up the Netscreen" part; note that the example there uses 10.0.4.0 as the remote network, not 10.0.11.0).

Step 3)

Install racoon on the linux/bsd box (I'm not going to cover this as it is a different process for almost every distro, although most distros have some form of package management).

Step 4)

Set up racoon.conf. For this process we used a combination of:
So our config looks like:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/ipsec.conf";

padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}

# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.

# timer for waiting to complete each phase.
phase1 30 sec;
phase2 30 sec;
}

remote 59.167.253.89 {
exchange_mode main;
doi ipsec_doi;
situation identity_only;
my_identifier address;
peers_identifier address;
verify_identifier off;
lifetime time 28800 seconds;
initial_contact on;
passive off;
proposal_check obey;
support_mip6 on;
generate_policy off;
nonce_size 16;
proposal {
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
}

sainfo address 10.0.11.0/24 any address 10.0.0.0/22 any {
pfs_group modp1024;
lifetime time 3600 seconds;
encryption_algorithm des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

#listen {
# isakmp 10.0.11.15;
#}

log debug2;

Things to note:
  • remote 59.167.253.89 (The ip address of the external interface on my netscreen)
  • exchange_mode main (Remember we set the Netscreen Phase 1 to main mode)
  • my_identifier address; (The external IP address of the linux box is used as the identifier)
  • lifetime time 28800 seconds (Phase 1 lifetime)
  • encryption_algorithm des (Phase 1 DES encryption)
  • hash_algorithm md5 (Phase 1 MD5)
  • authentication_method pre_shared_key (We're using a preshared key)
  • dh_group modp1024 (On the netscreen DH Group 2)
  • sainfo address 10.0.11.0/24 any address 10.0.0.0/22 (From Josh's network to my network)
  • pfs_group modp1024 (Again DH Group 2)
  • lifetime time 3600 seconds (Phase 2 lifetime)
  • encryption_algorithm des (Phase 2 encryption)
  • authentication_algorithm hmac_md5 (Phase 2 MD5)
Step 5)

Set up ipsec.conf

So our config looks like:

flush;
spdflush;
spdadd 10.0.0.0/22 10.0.11.0/24 any -P in ipsec esp/tunnel/59.167.253.89-10.0.11.15/require;
spdadd 10.0.11.0/24 10.0.0.0/22 any -P out ipsec esp/tunnel/10.0.11.15-59.167.253.89/require;

You'll just need to change the IP addresses to suit your setup.

Step 6)

Set up psk.txt.

So our config looks like:
59.167.253.89 our_preshared_key

So change the IP address to your Netscreen's external interface address and change the preshared key to the one used when setting up the Netscreen.

Step 7)

Test. Use both ends to debug and test.

Wed, 27 Sep 2006 6:45 PM

Racoon to Netscreen VPN (dialup)

Michael Dale
So last night Bryn's sister's boyfriend (Josh) and I set up a VPN between our two houses. Josh is currently running Gentoo, while I'm using a Netscreen 5GT.

Background

My Place
  • Netscreen 5GT running ScreenOS 5.4.0r1 (Should be the same process for any netscreen running ScreenOS 5.x)
  • Local Network of 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)
  • External Address of 59.167.253.89
Josh's Place
  • Gentoo running Racoon (I think it was installed through the command emerge ipsec)
  • Local Network of 10.0.11.0/24 (10.0.11.0 - 10.0.11.255)
  • Dynamic IP Address (we set up a dyndns address, as the Netscreen supports pointing to a hostname)
So I'll go through the process of setting up the dial-up VPN first.

Dial-up VPN (Single PC at Josh's Place accessing my network)

Step 1)


The first step is to set up a dial-up VPN on the Netscreen. I've covered this process here (only do the "Setting up the Netscreen" part).

Step 2)

Install racoon on the linux/bsd box (I'm not going to cover this as it is a different process for almost every distro, although most distros have some form of package management).

Step 3)

Set up racoon.conf. For this process we used a combination of:
So our config looks like:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/ipsec.conf";

padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}

# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.

# timer for waiting to complete each phase.
phase1 30 sec;
phase2 30 sec;
}

remote 59.167.253.89 {
exchange_mode aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier fqdn "Test.User";
peers_identifier address;
verify_identifier off;
lifetime time 28800 seconds;
initial_contact on;
passive off;
proposal_check obey;
support_mip6 on;
generate_policy off;
nonce_size 16;
proposal {
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
}

sainfo address 10.0.11.15/32 any address 10.0.0.0/22 any {
pfs_group modp1024;
lifetime time 3600 seconds;
encryption_algorithm des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

listen {
isakmp 10.0.11.15;
}

log debug2;

Things to note:
  • remote 59.167.253.89 (The ip address of the external interface on my netscreen)
  • exchange_mode aggressive (Remember we set the Netscreen Phase 1 to aggressive)
  • my_identifier fqdn "Test.User" (The IKE Identity)
  • lifetime time 28800 seconds (Phase 1 lifetime)
  • encryption_algorithm des (Phase 1 DES encryption)
  • hash_algorithm md5 (Phase 1 MD5)
  • authentication_method pre_shared_key (We're using a preshared key)
  • dh_group modp1024 (On the netscreen DH Group 2)
  • sainfo address 10.0.11.15/32 any address 10.0.0.0/22 (From Josh's Internal Linux PC ip address to my network. Remember that the dial-up vpn is just for one pc on Josh's side)
  • pfs_group modp1024 (Again DH Group 2)
  • lifetime time 3600 seconds (Phase 2 lifetime)
  • encryption_algorithm des (Phase 2 encryption)
  • authentication_algorithm hmac_md5 (Phase 2 MD5)
Step 4)

Set up ipsec.conf

So our config looks like:

#!/usr/sbin/setkey -f
#nat_traversal=yes
flush;
spdflush;
#out
spdadd 10.0.11.15/32 10.0.0.0/22 any
-P out ipsec esp/tunnel/10.0.11.15-59.167.253.89/require;
#in

spdadd 10.0.0.0/22 10.0.11.15/32 any
-P in ipsec esp/tunnel/59.167.253.89-10.0.11.15/require;

You'll just need to change the IP addresses to suit your setup.

Step 5)

Set up psk.txt.

So our config looks like:
59.167.253.89 our_preshared_key

So change the IP address to your Netscreen's external interface address and change the preshared key to the one used when setting up the Netscreen.

Step 6)

Test. Use both ends to debug and test.
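Both howtos (Step 7 of the site-to-site one and Step 6 of this one) end with "test from both ends", and in practice a tunnel that negotiates but carries no traffic usually comes down to the setkey policies in ipsec.conf not lining up with racoon's sainfo selectors or remote address. The checker below is an added example, not code from these posts or from racoon: it parses both files, reports such mismatches, and also flags the algorithms these configs use (DES, MD5, DH group 2), which were ordinary in 2006 but should be replaced by AES, SHA-2 and DH group 14 or better on any tunnel built today. Its sample input is a constructed, trimmed copy of the dial-up configuration above; mapping setkey's in/out policies onto racoon's local/remote orientation is my reading of the two formats, not something the posts state.

```python
"""Consistency and algorithm-strength check for a racoon.conf / ipsec.conf pair
(added example, not code from the original posts). It parses racoon's remote,
proposal and sainfo blocks and setkey's spdadd statements, checks that SPD
endpoints and selectors agree with racoon's peer and phase 2 selectors (the
usual reason a tunnel negotiates but carries no traffic), and reports algorithms
no longer considered adequate. Samples are constructed from the dial-up post."""
import re
from ipaddress import ip_network

RACOON_CONF = """
remote 59.167.253.89 {
exchange_mode aggressive;
my_identifier fqdn "Test.User";
proposal {
encryption_algorithm des;
hash_algorithm md5;
dh_group modp1024;
}
}
sainfo address 10.0.11.15/32 any address 10.0.0.0/22 any {
pfs_group modp1024;
encryption_algorithm des;
authentication_algorithm hmac_md5;
}
"""
IPSEC_CONF = """
#!/usr/sbin/setkey -f
spdadd 10.0.11.15/32 10.0.0.0/22 any
-P out ipsec esp/tunnel/10.0.11.15-59.167.253.89/require;
spdadd 10.0.0.0/22 10.0.11.15/32 any
-P in ipsec esp/tunnel/59.167.253.89-10.0.11.15/require;
"""
WEAK = {"des": "single DES", "md5": "MD5", "hmac_md5": "HMAC-MD5",
        "modp768": "768-bit DH (group 1)", "modp1024": "1024-bit DH (group 2)"}
BLOCK = r"\{((?:[^{}]|\{[^{}]*\})*)\}"   # brace body allowing one nested level (proposal inside remote)


def _strip_comments(text):
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def _settings(body):
    """'key value;' statements of a block body as a dict; nested 'name { ... }' blocks are dropped first."""
    body = re.sub(r"\w+\s*\{[^{}]*\}", "", body)
    return dict(re.findall(r"(\w+)\s+([^;{}]*?)\s*;", body))


def parse_racoon(text):
    """([remote dicts], [sainfo dicts]) from racoon.conf text."""
    text, remotes, sainfos = _strip_comments(text), [], []
    for peer, body in re.findall(r"\bremote\s+(\S+)\s*" + BLOCK, text):
        props = [_settings(p) for p in re.findall(r"\bproposal\s*\{([^{}]*)\}", body)]
        remotes.append({"peer": peer, "settings": _settings(body), "proposals": props})
    for header, body in re.findall(r"\bsainfo\s+(.*?)\s*" + BLOCK, text):
        sel = re.match(r"address\s+(\S+)\s+\S+\s+address\s+(\S+)", header)
        src, dst = [ip_network(g, strict=False) for g in sel.groups()] if sel else (None, None)
        sainfos.append({"src": src, "dst": dst, "settings": _settings(body)})
    return remotes, sainfos


def parse_spd(text):
    """spdadd entries oriented as local selector, remote selector and peer tunnel endpoint."""
    entries = []
    for stmt in _strip_comments(text).split(";"):
        tok = stmt.split()
        if not tok or tok[0] != "spdadd":
            continue
        direction = tok[tok.index("-P") + 1]
        ep_src, ep_dst = tok[-1].split("/")[2].split("-")   # esp/tunnel/<src ep>-<dst ep>/require
        src, dst = ip_network(tok[1], strict=False), ip_network(tok[2], strict=False)
        local, remote, peer = (src, dst, ep_dst) if direction == "out" else (dst, src, ep_src)
        entries.append({"dir": direction, "local": local, "remote": remote, "peer": peer})
    return entries


def _weak(label, settings, keys):
    return [f"{label}: {k} {settings[k]} is {WEAK[settings[k]]}" for k in keys if settings.get(k) in WEAK]


def check(racoon_text, ipsec_text):
    """Findings as strings; an empty list means consistent and no weak algorithm named."""
    remotes, sainfos = parse_racoon(racoon_text)
    peers, findings = {r["peer"] for r in remotes}, []
    for e in parse_spd(ipsec_text):
        if e["peer"] not in peers:
            findings.append(f"spdadd {e['dir']}: tunnel endpoint {e['peer']} has no remote block")
        if not any(s["src"] is None or (e["local"].subnet_of(s["src"]) and e["remote"].subnet_of(s["dst"]))
                   for s in sainfos):
            findings.append(f"spdadd {e['dir']}: {e['local']} -> {e['remote']} not covered by any sainfo")
    for r in remotes:
        for p in r["proposals"]:
            findings += _weak(f"phase 1 ({r['peer']})", p, ("encryption_algorithm", "hash_algorithm", "dh_group"))
    for s in sainfos:
        findings += _weak(f"phase 2 ({s['src']} -> {s['dst']})", s["settings"],
                          ("encryption_algorithm", "authentication_algorithm", "pfs_group"))
    return findings


if __name__ == "__main__":
    print("\n".join(check(RACOON_CONF, IPSEC_CONF)))
```

On the sample it reports no mismatch and six algorithm findings, three per phase. Editing one spdadd selector to 10.0.11.0/24 (the site-to-site shape) against the dial-up /32 sainfo, or pointing the tunnel endpoints at a different peer, produces the mismatch lines; those are the two mistakes the "change the IP addresses to suit your setup" step invites.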

Sat, 23 Sep 2006 2:39 PM

Internet Upgrade

Michael Dale

We're finally making use of Annex-M with a modem that correctly supports it. So we now have about 2 Mbit/s of upload bandwidth (with 18 Mbit/s down).

[Image: annex m]

The bandwidth usage can be seen here