Site to site IKEv2 tunnel

Written by Christophe Lucas - - no comments

Hello guys,

Here is a tip / reminder on how to implement a site-to-site IKEv2 tunnel:

crypto ikev2 proposal aes-cbc-256-proposal
 encryption aes-cbc-256
 integrity sha1
 group 2
crypto ikev2 policy policy1
 match address local x.x.x.x
 proposal aes-cbc-256-proposal
crypto ikev2 keyring v2-kr1
 peer abc
  address y.y.y.y
  pre-shared-key somesecretpass
 !
crypto ikev2 profile profile1
 description IKEv2 profile
 match address local x.x.x.x
 match identity remote address y.y.y.y 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring v2-kr1

crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac

crypto map mymap 20 ipsec-isakmp
 set peer y.y.y.y
 set security-association lifetime seconds 27000
 set transform-set ESP-AES-SHA
 set ikev2-profile profile1
 match address 120

ACL 120 defines the flows to protect (the traffic selectors of the IPsec SA), and the crypto map is applied on your WAN interface. The transform-set and IKEv2 profile names referenced by the crypto map must match the ones you defined, otherwise the SA will never come up.
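The most common mistake with this kind of configuration is a crypto map that references a transform-set or profile under a name that was never defined, or a transform-set left on legacy algorithms. The following checker is an added example (not code from the original post): it parses an IOS crypto snippet, reports dangling references, and flags DES/3DES/MD5 transforms, SHA-1 integrity and DH groups 1/2/5. SAMPLE_CONFIG is constructed from the post with documentation addresses (198.51.100.1, 10.1.0.0/16, 10.2.0.0/16 are placeholders) and keeps a transform-set name mismatch on purpose so there is something to report; FIXED_CONFIG is the same snippet with the transform-set defined under the name the map uses.

```python
"""Consistency check for an IOS IKEv2 + crypto-map configuration (added example)."""

# Constructed sample: the transform-set is defined as "myset" but the map
# references "ESP-AES-SHA", so the IPsec SA would never negotiate.
SAMPLE_CONFIG = """\
crypto ikev2 proposal aes-cbc-256-proposal
 encryption aes-cbc-256
 integrity sha1
 group 2
crypto ikev2 profile profile1
 match identity remote address 198.51.100.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring v2-kr1
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 20 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-AES-SHA
 set ikev2-profile profile1
 match address 120
access-list 120 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""

# Same snippet with the transform-set defined under the name the map references.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "crypto ipsec transform-set myset esp-des esp-md5-hmac",
    "crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac",
)

LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}
LEGACY_DH_GROUPS = {"1", "2", "5"}


def parse_crypto(config):
    """Collect definitions, IKEv2 proposals and crypto-map references from an IOS config."""
    defs = {"transform-set": {}, "ikev2-profile": set(), "acl": set()}
    proposals = {}   # proposal name -> {"encryption": [...], "integrity": [...], "group": [...]}
    refs = []        # (crypto map name, kind, referenced name)
    block = None     # ("map", name) or ("proposal", name) while inside an indented block
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        tokens = raw.split()
        if not raw.startswith(" "):                      # top-level command
            block = None
            if tokens[:3] == ["crypto", "ipsec", "transform-set"]:
                defs["transform-set"][tokens[3]] = tokens[4:]
            elif tokens[:3] == ["crypto", "ikev2", "profile"]:
                defs["ikev2-profile"].add(tokens[3])
            elif tokens[:3] == ["crypto", "ikev2", "proposal"]:
                proposals[tokens[3]] = {}
                block = ("proposal", tokens[3])
            elif tokens[:2] == ["crypto", "map"]:
                block = ("map", tokens[2])
            elif tokens[0] == "access-list":
                defs["acl"].add(tokens[1])
            elif tokens[:2] == ["ip", "access-list"]:
                defs["acl"].add(tokens[3])
        elif block and block[0] == "proposal":          # encryption / integrity / group lines
            proposals[block[1]][tokens[0]] = tokens[1:]
        elif block and block[0] == "map":               # references made by the crypto map
            if tokens[:2] == ["set", "transform-set"]:
                refs.append((block[1], "transform-set", tokens[2]))
            elif tokens[:2] == ["set", "ikev2-profile"]:
                refs.append((block[1], "ikev2-profile", tokens[2]))
            elif tokens[:2] == ["match", "address"]:
                refs.append((block[1], "acl", tokens[2]))
    return defs, proposals, refs


def find_problems(config):
    """Return human-readable findings; an empty list means the map is consistent."""
    defs, proposals, refs = parse_crypto(config)
    problems = []
    for map_name, kind, name in refs:
        if name not in defs[kind]:
            problems.append(f"crypto map {map_name}: {kind} '{name}' is referenced but not defined")
    for name, transforms in defs["transform-set"].items():
        legacy = sorted(set(transforms) & LEGACY_TRANSFORMS)
        if legacy:
            problems.append(f"transform-set {name}: legacy transforms {legacy}")
    for name, attrs in proposals.items():
        if "sha1" in attrs.get("integrity", []):
            problems.append(f"ikev2 proposal {name}: integrity sha1 (prefer sha256 or stronger)")
        groups = sorted(set(attrs.get("group", [])) & LEGACY_DH_GROUPS)
        if groups:
            problems.append(f"ikev2 proposal {name}: weak DH group(s) {groups}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in find_problems(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it against a `show running-config | section crypto` capture; the original sample yields four findings (the dangling ESP-AES-SHA reference, the DES/MD5 transform-set, SHA-1 integrity and DH group 2), while the fixed one only keeps the two proposal findings.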

bwping patch (catching signals)

Written by Christophe Lucas - - no comments
diff -urpN bwping/bwping.c bwping-patched/bwping.c
--- bwping/bwping.c     2012-10-11 19:23:17.000000000 +0200
+++ bwping-patched/bwping.c     2017-04-20 09:06:23.449540033 +0200
@@ -26,6 +26,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #ifdef __CYGWIN__
 #include "cygwin.h"
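Review bot: the added `+#include` line in this hunk carries no header name as rendered, so the reviewer cannot confirm which header it pulls in; the handler added in the next hunk uses signal(), SIGUSR1 and SIG_ERR, which require <signal.h>. Please check that the header name survived in the actual patch file (the angle-bracketed name looks to have been lost when the diff was pasted into the page).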
@@ -224,21 +225,39 @@ static int recv_ping (int sock, int iden
         return 0;
     }
 }
+unsigned int   transmitted_number, received_number;
+unsigned long  int received_volume;
+struct timeval begin, end;
+
+void sig_handler(int signo)
+{
+       if (signo == SIGUSR1) {
+                printf("Total: pkts sent/rcvd: %u/%u, volume rcvd: %lu bytes, time: %d sec, speed: %lu kbps, rtt min/max/average: %llu/%llu/%llu ms\n",
+                               transmitted_number, received_number, received_volume, (int)(end.tv_sec - begin.tv_sec),
+                               end.tv_sec - begin.tv_sec?((received_volume / (end.tv_sec - begin.tv_sec)) * 8) / 1000:(received_volume * 8) / 1000,
+                               min_rtt==DEF_MIN_RTT?0:min_rtt, max_rtt, average_rtt);
+               exit(255);
+       }
+}
 
 int main (int argc, char **argv)
 {
     int                    sock, exitval, ch, ident, finish, pktburst, i, n;
-    unsigned int           bufsize, tos, transmitted_number, received_number;
-    unsigned long int      kbps, pktsize, volume, rperiod, received_volume;
+    unsigned int           bufsize, tos;
+    unsigned long int      kbps, pktsize, volume, rperiod;
     unsigned long long int min_interval, interval, current_interval, integral_error;
     char                   *ep, *bind_addr, *target;
     fd_set                 fds;
     struct sockaddr_in     bind_to, to;
     struct hostent         *hp;
-    struct timeval         begin, end, report, start, now, seltimeout;
+    struct timeval         report, start, now, seltimeout;
 
     sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
 
+       if (signal(SIGUSR1, sig_handler) == SIG_ERR)
+               printf("\ncan't catch SIGUSR1\n");
+
+
     if (sock==-1) {
         perror("bwping: socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) failed");
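Review bot: sig_handler() calls printf() and exit() from the SIGUSR1 handler, and neither is async-signal-safe; if the signal lands while main() is inside stdio, the process can deadlock or emit corrupted output. The usual shape is a `volatile sig_atomic_t report_requested` flag set in the handler, checked in the send/receive loop, which then prints the summary and exits; that also covers the `end` problem, since `end` is now global but nothing in this hunk refreshes it before the handler reads it, so a mid-run signal computes `end.tv_sec - begin.tv_sec` from whatever `end` currently holds. The handler also relies on `min_rtt`, `max_rtt`, `average_rtt` and `DEF_MIN_RTT` being visible at file scope, which the hunk does not show; worth stating in the commit message. Minor points: prefer sigaction() over signal(), whose reset-on-delivery semantics differ between platforms (this file has a Cygwin path), and send the `can't catch SIGUSR1` message to stderr with perror() rather than printf() to stdout, where it would be mixed with the measurement output.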

Download : patch-bwping-sig.diff

Return to pluxml

Written by Christophe Lucas - - no comments

WordPress is so fat and open to the air (script kiddies, ...). So, I came back to PluXML.

Have fun pals,
See you soon.

IPv6 prefix delegation feature

Written by Christophe Lucas - - no comments
We will dive into the IPv6 prefix delegation feature.

First of all, we will build a really simple topology:

[Figure: ipv6-delegation-simple, the topology used below: R1 (DHCPv6 server) - R2 (PD client) - R3/R4 (SLAAC hosts)]

R1 acts as a DHCPv6 server and uses the prefix delegation feature. But how does it work? How is it configured?

R1 :
ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool POOLv6
prefix-delegation pool p lifetime 180 120
domain-name lucas.fr.eu.org

ipv6 local pool p 2001:DB8::/40 48

interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
duplex half
ipv6 address 2A02::1/48
ipv6 enable
ipv6 dhcp server POOLv6


R1# show ipv6 dhcp interface
FastEthernet0/0 is in server mode
Using pool: POOLv6
Preference value: 0
Hint from client: ignored
Rapid-Commit: disabled
R1#


R2 :
interface FastEthernet0/0
duplex half
ipv6 address autoconfig default
ipv6 enable
ipv6 dhcp client pd prefix-from-provider

interface FastEthernet1/1
no ip address
duplex auto
speed auto
ipv6 address prefix-from-provider ::1:0:0:0:1/64
ipv6 enable

R2#show ipv6 dhcp interface
FastEthernet0/0 is in client mode
Prefix State is OPEN
Renew will be sent in 00:00:04
Address State is IDLE
List of known servers:
Reachable via address: FE80::C805:ADFF:FE80:0
DUID: 00030001CA05AD800000
Preference: 0
Configuration parameters:
IA PD: IA ID 0x00040001, T1 60, T2 120
Prefix: 2001:DB8::/48
preferred lifetime 120, valid lifetime 180
expires at May 03 2016 10:53 PM (125 seconds)
Domain name: lucas.fr.eu.org
Information refresh time: 0
Prefix name: prefix-from-provider
Prefix Rapid-Commit: disabled
Address Rapid-Commit: disabled
R2#


Debug trace on R2 (debug ipv6 dhcp):
*May  3 22:36:11.859: IPv6 DHCP: Sending RENEW to FF02::1:2 on FastEthernet0/0
*May 3 22:36:11.859: IPv6 DHCP: DHCPv6 changes state from OPEN to RENEW (TIMEOUT) on FastEthernet0/0
*May 3 22:36:11.879: IPv6 DHCP: Received REPLY from FE80::C805:ADFF:FE80:0 on FastEthernet0/0
*May 3 22:36:11.879: IPv6 DHCP: Processing options
*May 3 22:36:11.879: IPv6 DHCP: Adding prefix 2001:DB8::/48 to prefix-from-provider
*May 3 22:36:11.883: IPv6 DHCP: T1 set to expire in 60 seconds
*May 3 22:36:11.883: IPv6 DHCP: T2 set to expire in 120 seconds
*May 3 22:36:11.883: IPv6 DHCP: DHCPv6 changes state from RENEW to OPEN (REPLY_RECEIVED) on FastEthernet0/0

We have acquired the prefix via the PD (Prefix Delegation) feature:
R2#show ipv6 general-prefix 
IPv6 Prefix prefix-from-provider, acquired via DHCP PD
2001:DB8::/48 Valid lifetime 158, preferred lifetime 98
FastEthernet1/1 (Address command)
R2#

On R3 or R4:
interface FastEthernet0/0
no ip address
duplex half
ipv6 address autoconfig default
ipv6 enable
end


With debugging enabled (debug ipv6 interface, debug ipv6 dhcp, debug ipv6 nd) we will see:
May  3 22:05:01.335: ICMPv6-ND: Neighbour FE80::C806:ADFF:FE81:1D on FastEthernet0/0 : LLA ca06.ad81.001d
*May 3 22:05:01.335: ICMPv6-ND: INCMP -> STALE: FE80::C806:ADFF:FE81:1D
*May 3 22:05:01.335: IPv6-Address: intfid_algo is notactive on intf 4
*May 3 22:05:01.339: IPv6-Address: intfid_algo is active on intf 4
*May 3 22:05:01.339: IPv6-Address: Generating IntfID rc 0, prefix: 2001:DB8:0:1::/64, address 2001:DB8:0:1:C808:ADFF:FE85:0
*May 3 22:05:01.343: IPv6-Address: Prefix Information change for 2001:DB8:0:1::/64, 0x0 -> 0x1E0
*May 3 22:05:01.343: IPv6-Address: Adding prefix 2001:DB8:0:1::/64 to FastEthernet0/0
*May 3 22:05:01.343: IPv6-Address: Adding operating owner prefix configured on FastEthernet0/0
*May 3 22:05:01.347: IPv6-Address: Adding operating owner address configured on FastEthernet0/0
*May 3 22:05:01.347: IPv6-Address: Address 2001:DB8:0:1:C808:ADFF:FE85:0 configured on FastEthernet0/0
*May 3 22:05:01.347: IPv6-Addrmgr-ND: DAD request for 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May 3 22:05:01.347: ICMPv6-ND: Sending NS for 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May 3 22:05:01.351: ICMPv6-ND: Autoconfiguring 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May 3 22:05:02.351: IPv6-Addrmgr-ND: DAD: 2001:DB8:0:1:C808:ADFF:FE85:0 is unique.
*May 3 22:05:02.351: ICMPv6-ND: Sending NA for 2001:DB8:0:1:C808:ADFF:FE85:0 on FastEthernet0/0
*May 3 22:05:02.355: IPv6-Address: Address 2001:DB8:0:1:C808:ADFF:FE85:0/64 is up on FastEthernet0/0

Finally, we are able to ping the DHCPv6 server:
R4#ping ipv6 2A02::1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2A02::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/45/96 ms
R4#traceroute 2A02::1

Type escape sequence to abort.
Tracing the route to 2A02::1

1 2001:DB8:0:1::1 12 msec 36 msec 12 msec
2 2A02::1 8 msec 56 msec 36 msec
R4#
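To tie the outputs above together, here is an added example (not part of the original post) that reproduces the addresses seen in the lab with the Python standard library: how the pool `ipv6 local pool p 2001:DB8::/40 48` on R1 carves /48 delegations, how `ipv6 address prefix-from-provider ::1:0:0:0:1/64` on R2's FastEthernet1/1 merges the learned /48 with the general-prefix suffix into 2001:DB8:0:1::1/64 (the first hop of the traceroute), and how R4 derives its SLAAC address from that /64 with modified EUI-64. The MAC ca08.ad85.0000 used for R4 does not appear in the post; it is inferred from the address 2001:DB8:0:1:C808:ADFF:FE85:0 in the debug output and is an assumption.

```python
"""Reproduce the prefix-delegation and SLAAC addresses of the lab (added example)."""
import ipaddress

ALL_ONES = (1 << 128) - 1


def pool_delegations(pool, new_prefix, count):
    """First `count` prefixes a DHCPv6 PD pool hands out, in order (e.g. /48s from a /40)."""
    gen = ipaddress.IPv6Network(pool).subnets(new_prefix=new_prefix)
    return [str(next(gen)) for _ in range(count)]


def pool_capacity(pool, new_prefix):
    """How many delegations of length `new_prefix` the pool can serve."""
    return 2 ** (new_prefix - ipaddress.IPv6Network(pool).prefixlen)


def apply_general_prefix(delegated, suffix):
    """Merge a learned prefix with an IOS general-prefix suffix such as '::1:0:0:0:1/64'.

    The leading `delegated.prefixlen` bits come from the delegated prefix, the rest
    from the suffix; the result keeps the suffix's prefix length. A suffix that sets
    bits inside the delegated part, or is shorter than the delegation, is rejected.
    """
    deleg = ipaddress.IPv6Network(delegated)
    suffix_addr, plen = suffix.split("/")
    plen = int(plen)
    if plen < deleg.prefixlen:
        raise ValueError("suffix prefix length is shorter than the delegated prefix")
    high_mask = ALL_ONES ^ ((1 << (128 - deleg.prefixlen)) - 1)   # bits owned by the delegation
    suffix_bits = int(ipaddress.IPv6Address(suffix_addr))
    if suffix_bits & high_mask:
        raise ValueError("suffix overlaps the delegated prefix bits")
    merged = int(deleg.network_address) | suffix_bits
    return f"{ipaddress.IPv6Address(merged)}/{plen}"


def eui64_address(prefix64, mac):
    """SLAAC address for a /64 from a MAC written IOS-style ('ca08.ad85.0000').

    Modified EUI-64: split the MAC, insert ff:fe in the middle and flip the
    universal/local bit of the first octet (ca -> c8), as in the debug output.
    """
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64")
    octets = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


if __name__ == "__main__":
    print("pool hands out:", pool_delegations("2001:DB8::/40", 48, 3),
          "capacity:", pool_capacity("2001:DB8::/40", 48))
    print("R2 Fa1/1:", apply_general_prefix("2001:DB8::/48", "::1:0:0:0:1/64"))
    # MAC inferred from the debug output (assumption, see lead-in)
    print("R4 SLAAC:", eui64_address("2001:DB8:0:1::/64", "ca08.ad85.0000"))
```

The overlap check in apply_general_prefix is the part worth keeping in mind operationally: a general-prefix suffix that carries bits in the delegated portion silently produces an address outside the prefix the provider actually routes to you.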
Classified in : Cisco - Tags : none