Tuesday, September 06, 2011
Configuring IPv6 BGP Tunnel with Hurricane Electric (tunnelbroker.net)
Prerequisites:

* Cisco IOS with IPv6 support
* An Internet-routable IPv4 address
* An AS number assigned exclusively to you by your RIR

Throughout the guide the following assumptions are made:

* Public IP of your Cisco router: 9.33.21.35
* Your ASN: 31337
* Your RIR-delegated IPv6 prefix: 1337:C0DE::/32
* 1337:C0DE:0A:49::74 is an example IPv6 address we'll assign to our router

1) Go to http://tunnelbroker.net
2) Register/Login
3) Create BGP Tunnel -> IPv4 Endpoint (Your Side): enter your public IP address, example: 9.33.21.35
   Prefixes announced: 1337:C0DE::/32
   Select the tunnel endpoint that's closest to you (eg: Fremont, CA, US 64.71.128.83)
   Click on Create BGP Tunnel

On the main page, under the tunnel you just created, you get the following information:

   IPv6 Tunnel Endpoints
      Server IPv4 Address: 64.71.128.83
      Server IPv6 Address: 2001:1337:28:bad::1/64
      Client IPv4 Address: 9.33.21.35
      Client IPv6 Address: 2001:1337:28:bad::2/64
   BGP Details
      Prefixes:     1337:C0DE::/32
      Your ASN:     31337
      Our ASN:      6262
      Peer Address: 2001:1337:28:bad::1/64

This is sufficient information to create an IPv6 BGP tunnel. Hurricane Electric/Tunnel Broker requires a Letter of Authorization stating that you are the sole holder of the AS number and the IPv6 prefix; you will receive instructions by email on how to submit it. Until the LoA is on file you will not see routes over the tunnel (see the verification step at the end).

4) It's now time to configure Cisco IOS. Log in to your router and enter global configuration mode. The first thing is to make sure IPv6 routing is supported and enabled:

router(config)# ipv6 unicast-routing

If this gives an error such as:

% Invalid input detected at '^' marker.

then your IOS image does not support IPv6; upgrade to an image that does, or find another router. We configure the rest of the router according to the information above:

interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:1337:28:bad::2/64
 ipv6 enable
 tunnel source 9.33.21.35
 tunnel destination 64.71.128.83
 tunnel mode ipv6ip
!
router bgp 31337
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 2001:1337:28:bad::1 remote-as 6262
 neighbor 2001:1337:28:bad::1 update-source Tunnel0
 !
 address-family ipv6
  neighbor 2001:1337:28:bad::1 activate
  neighbor 2001:1337:28:bad::1 remove-private-as
  neighbor 2001:1337:28:bad::1 route-map he-ipv6-in in
  neighbor 2001:1337:28:bad::1 route-map he-ipv6-out out
  network 1337:C0DE::/32
  aggregate-address 1337:C0DE::/32 summary-only
  redistribute connected metric 1
  no synchronization
 exit-address-family
!
ipv6 route ::/0 Tunnel0
ipv6 route 1337:C0DE::/32 Null0
!
ipv6 prefix-list ipv6-general-prefix seq 5 deny ::/0
ipv6 prefix-list ipv6-general-prefix seq 10 permit ::/0 le 64
!
ipv6 prefix-list myprivate-prefix seq 5 permit 1337:C0DE::/32 le 64
!
route-map he-ipv6-out permit 10
 match ipv6 address prefix-list myprivate-prefix
 set as-path prepend 31337 31337 31337
!
route-map he-ipv6-in permit 10
 match ipv6 address prefix-list ipv6-general-prefix
 set as-path prepend 6262 6262 6262
!

This should look familiar if you have configured BGP before. Notice that "address-family ipv6" is entered from within the "router bgp" prompt; together with "no bgp default ipv4-unicast" it limits this session to IPv6 routes only. The other lines are responsible for:

1) Setting up the default IPv6 route through the tunnel interface. The "ipv6 route 1337:C0DE::/32 Null0" entry gives the "network" statement a matching entry in the routing table (without one, "network" originates nothing) and keeps unused space inside our /32 from following the default route back out the tunnel.
2) Publishing only the aggregate of our delegated prefix to the remote peer. "myprivate-prefix" permits our /32 and its sub-prefixes down to /64 and nothing else, so whatever else "redistribute connected" drags into BGP (the tunnel's own 2001:1337:28:bad::/64, for instance) is dropped by "he-ipv6-out" rather than leaked to HE. Inbound, "ipv6-general-prefix" rejects a default route from the peer (the static default above is used instead) and accepts prefixes up to /64.

One caveat on the tunnel itself: "tunnel mode ipv6ip" is plain IPv4 protocol 41 with no authentication, so anyone who can send packets with 64.71.128.83 as the IPv4 source can inject IPv6 traffic into Tunnel0. If your edge filtering allows it, accept protocol 41 on the outside interface from the tunnel server address only.

The final step is to enable IPv6 on the external router interface:

!
interface GigabitEthernet0/0
 ip address 9.33.21.35 255.255.255.0
 ipv6 address 1337:C0DE:0A:49::74/64
 ipv6 enable
 ipv6 nd ra suppress
!

Notice that I've included the "ip address" line to show the interface with the preconfigured IPv4 address we are using as the tunnel endpoint. To verify that the tunnel is working and routes are established, use the commands below:

router# show bgp ipv6 unicast summary
router# show bgp ipv6 unicast
router# show ipv6 route

If the neighbor shows as Established with a prefix count, and "show ipv6 route" lists routes learned via BGP (flagged B), then you have successfully configured your Cisco IOS with BGP and IPv6. If you don't see the IPv6 routes, check the configuration for errors and verify that tunnelbroker.net has received your letter of authorization (it shows up as "LoA on file" on the website's tunnel details page).
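Whether a route is announced to HE or accepted from HE comes down to the two prefix lists above, and IOS prefix-list semantics (exact match unless "ge"/"le" is given, first match wins, implicit deny) are easy to get wrong. The following is an added example, not code from the original post: it evaluates those exact prefix lists offline against a handful of constructed candidate prefixes, so you can see that the tunnel's own /64 is filtered outbound and a default route is refused inbound before you put the policy on a live session.

```python
"""Evaluate Cisco IOS 'ipv6 prefix-list' semantics offline.

An entry 'seq N permit|deny P/L [ge G] [le E]' matches a candidate C/M when
C/M lies inside P/L and M is in the allowed length range: exactly L with no
ge/le, L..E with only 'le', G..128 with only 'ge', G..E with both. Entries are
tried in sequence order, first match wins, and no match is an implicit deny.
The two lists are copied from the tunnel configuration above; the candidate
prefixes are constructed for this example (not from the original post).
"""
import ipaddress
import re

ENTRY_RE = re.compile(
    r"ipv6 prefix-list\s+(?P<name>\S+)\s+seq\s+(?P<seq>\d+)\s+"
    r"(?P<action>permit|deny)\s+(?P<prefix>\S+)"
    r"(?:\s+ge\s+(?P<ge>\d+))?(?:\s+le\s+(?P<le>\d+))?\s*$"
)

# Prefix lists exactly as they appear in the router configuration
PREFIX_LIST_CONFIG = """
ipv6 prefix-list ipv6-general-prefix seq 5 deny ::/0
ipv6 prefix-list ipv6-general-prefix seq 10 permit ::/0 le 64
ipv6 prefix-list myprivate-prefix seq 5 permit 1337:C0DE::/32 le 64
"""


def parse_prefix_lists(config_text):
    """Return {name: [(seq, action, network, min_len, max_len), ...]} in seq order."""
    lists = {}
    for line in config_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        net = ipaddress.ip_network(m.group("prefix"), strict=False)
        ge, le = m.group("ge"), m.group("le")
        min_len = int(ge) if ge else net.prefixlen
        if le:
            max_len = int(le)
        elif ge:
            max_len = net.max_prefixlen
        else:
            max_len = net.prefixlen  # no ge/le: exact length only
        lists.setdefault(m.group("name"), []).append(
            (int(m.group("seq")), m.group("action"), net, min_len, max_len))
    for entries in lists.values():
        entries.sort(key=lambda e: e[0])
    return lists


def evaluate(entries, candidate):
    """Return (action, seq) of the first matching entry, or ('deny', None)."""
    cand = ipaddress.ip_network(candidate, strict=False)
    for seq, action, net, min_len, max_len in entries:
        if cand.version != net.version:
            continue
        if cand.subnet_of(net) and min_len <= cand.prefixlen <= max_len:
            return action, seq
    return "deny", None


def filter_announcements(config_text, list_name, candidates):
    """Map each candidate prefix to the verdict of the named prefix-list."""
    lists = parse_prefix_lists(config_text)
    return {c: evaluate(lists[list_name], c)[0] for c in candidates}


if __name__ == "__main__":
    # Routes HE might send us, checked against the inbound filter
    inbound = filter_announcements(PREFIX_LIST_CONFIG, "ipv6-general-prefix",
                                   ["::/0", "2001:db8::/48", "2001:db8::/65"])
    for prefix, verdict in inbound.items():
        print("he-ipv6-in ", prefix, verdict)
    # Routes that redistribute connected / aggregate-address put into our
    # table, checked against the outbound filter: only our /32 and its
    # sub-prefixes may leave; the tunnel /64 must not
    outbound = filter_announcements(PREFIX_LIST_CONFIG, "myprivate-prefix",
                                    ["1337:C0DE::/32", "1337:C0DE:A:49::/64",
                                     "2001:1337:28:bad::/64"])
    for prefix, verdict in outbound.items():
        print("he-ipv6-out", prefix, verdict)
```

The same evaluator works for any prefix list you paste in; the important design point is that the "le 64" on "myprivate-prefix" is what lets more-specifics of the /32 through, and that a candidate more specific than /64, or outside the /32 entirely, falls off the end of the list into the implicit deny.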
Saturday, June 04, 2011
Cisco Router Password Recovery
Configure PuTTY with the following details:

   Serial line:  COM5
   Speed (baud): 9600
   Data bits:    8
   Stop bits:    1
   Parity:       None
   Flow control: None

Power up the router and press Ctrl+Break while it is booting, before IOS finishes loading. If your terminal does not pass the break signal through, use Special Command > Break from PuTTY's window menu. This drops you into ROMmon mode:

rommon 1 > confreg 0x2142
rommon 2 > reset

0x2142 is the normal 0x2102 register with bit 6 set, which tells the router to ignore the startup configuration in NVRAM on the next boot. After the router finishes loading, you land in a blank configuration with no enable password:

Router> sh ver | begin ^Configuration
Configuration register is 0x2142
Router> enable
Router# copy startup-config running-config
Router# config t
Router(config)# enable secret mysecretpassword
Router(config)# config-register 0x2102
Router(config)# exit
Router# copy running-config startup-config
Destination filename [startup-config]? (Press Enter)
Router# reload
Proceed with reload? [confirm] (Press Enter)

Two things to watch: copying startup-config into running-config brings back the old configuration (including any old "enable password", which you should remove or change as well), but it leaves every interface administratively down, so issue "no shutdown" on the interfaces you use before saving. Once the router finishes booting up:

Router> sh ver | begin ^Configuration
Configuration register is 0x2102

Congratulations!

Keep in mind what this procedure demonstrates: anyone with console access and the ability to power-cycle the router can do the same to yours. Physical access to the console port is the control here; "no service password-recovery" closes this path, at the cost of having to wipe the configuration if the password is ever lost.
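The procedure works because of a single bit in the configuration register, and it is worth being able to read that register rather than memorising two magic numbers. The following is an added example, not part of the original post: it decodes the bits that matter for recovery, derives the ROMmon value from whatever register a router is currently running, and parses the register out of constructed "show version" output written in the format IOS prints after "config-register" has been changed but before the reload.

```python
"""Decode the IOS configuration register bits that password recovery relies
on. Bit layout from Cisco's configuration-register documentation: bits 0-3
boot field, bit 6 (0x0040) ignore the startup configuration in NVRAM,
bit 8 (0x0100) ignore console Break once IOS is up, bit 13 (0x2000) boot
the default ROM software if a network boot fails. Added example, not from
the original post; SAMPLE_SHOW_VERSION is constructed.
"""
import re

BOOT_FIELD = 0x000F
IGNORE_NVRAM = 0x0040
IGNORE_BREAK = 0x0100
ROM_ON_NETBOOT_FAIL = 0x2000

# Constructed 'show version' tail, in the form IOS prints once the register
# has been changed but the router has not yet reloaded
SAMPLE_SHOW_VERSION = (
    "Configuration register is 0x2142 (will be 0x2102 at next reload)\n"
)


def decode_confreg(value):
    """Break a 16-bit register into the fields that matter for recovery."""
    return {
        "boot_field": value & BOOT_FIELD,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "ignore_break": bool(value & IGNORE_BREAK),
        "rom_on_netboot_fail": bool(value & ROM_ON_NETBOOT_FAIL),
    }


def recovery_register(value):
    """What 'confreg' in ROMmon should set: the running register with bit 6
    on, so the next boot skips startup-config and comes up blank."""
    return value | IGNORE_NVRAM


def restored_register(value):
    """What 'config-register' should set back once the new secret is saved."""
    return value & ~IGNORE_NVRAM & 0xFFFF


def parse_show_version_confreg(text):
    """Return (current, at_next_reload) register values from 'show version'."""
    m = re.search(
        r"Configuration register is 0x([0-9A-Fa-f]+)"
        r"(?: \(will be 0x([0-9A-Fa-f]+) at next reload\))?", text)
    if not m:
        return None
    current = int(m.group(1), 16)
    at_next_reload = int(m.group(2), 16) if m.group(2) else current
    return current, at_next_reload


if __name__ == "__main__":
    for reg in (0x2102, 0x2142):
        print("0x%04X" % reg, decode_confreg(reg))
    print(parse_show_version_confreg(SAMPLE_SHOW_VERSION))
```

Using recovery_register() on the router's actual value rather than hard-coding 0x2142 matters on boxes that run something other than 0x2102 (a different boot field, or 0x2101 for ROM boot); you only want to flip bit 6 and leave the rest alone.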
Friday, June 03, 2011
Cisco VPN Server
! AAA: local users serve both login and XAUTH (MYVPNXAUTH); MYVPNAUTHGROUP
! is the authorization list that hands out the group's pool/ACL/netmask
aaa new-model
aaa authentication login default local
aaa authentication login MYVPNXAUTH local
aaa authorization exec default local
aaa authorization network MYVPNAUTHGROUP local
!
! 'secret' stores a one-way hash; 'password 0' would keep it in the clear
username admin privilege 15 secret MYPASSWORD
!
! IKEv1 phase 1. Remote-access clients with a group key negotiate this in
! aggressive mode, which exposes a hash of the group key to anyone on the
! path; raise hash to sha256 and group to 14 if the client supports it,
! or move to IKEv2 with certificates.
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
!
! Group (tunnel-group) shared secret and the attributes pushed to clients;
! ACL 100 is the split-tunnel list
crypto isakmp client configuration group TUNNELGROUP
 key MYVPNKEY
 pool MYPOOL
 acl 100
 netmask 255.255.255.0
!
crypto isakmp profile MYIKEPROFILE
 match identity group TUNNELGROUP
 client authentication list MYVPNXAUTH
 isakmp authorization list MYVPNAUTHGROUP
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto ipsec profile MYIPSECPROFILE
 set transform-set MYSET
 set isakmp-profile MYIKEPROFILE
!
! One Virtual-Access interface is cloned from this template per client
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYIPSECPROFILE
!
! Client addresses are carved out of the inside LAN range
ip local pool MYPOOL 192.168.1.50 192.168.1.60
!
! 100: networks the client should send through the tunnel (split tunnel)
! 110: LAN-to-client traffic bypasses NAT, everything else is overloaded
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 110
!
interface FastEthernet4
 ip address 172.16.12.13 255.255.255.0
 ip nat outside
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 172.16.12.1
!
ip nat inside source route-map nonat interface FastEthernet4 overload
Wednesday, March 03, 2010
Cisco Site-To-Site IPSEC VPN Tunnel
Our site-to-site VPN tunnel will share 192.168.7.0/24 and 10.11.12.0/24 with each other. In this example the tunnel endpoints, 172.16.1.10 (SITEA) and 192.168.10.10 (SITEB), sit behind gateway routers, so each one has to be reachable from the Internet through a static NAT translation on its gateway: "ip nat inside source static 192.168.1.10 1.1.1.1", where 192.168.1.10 is the private address of the VPN router and 1.1.1.1 is the public IP. All traffic directed to 1.1.1.1 is translated and forwarded to 192.168.1.10. Two consequences of that: a one-to-one static NAT exposes every service on the VPN router to the Internet, so if the gateway can do it, forward only what IPsec needs (UDP 500, UDP 4500 and, without NAT-T, ESP); and once the NATs are in place, "set peer" and "crypto isakmp key ... address" on each side must name the other side's public address rather than the private ones used below, which assume the two outside interfaces can reach each other directly.
NAT traversal is automatic if both end devices support it, and Cisco routers do. I have included the required commands for both sites.
SITE-A-Configuration
--------------------
hostname SITEA
!
ip cef
ip name-server 172.16.1.1
!
! IKEv1 phase 1 in main mode (both peers have fixed addresses). hash md5
! and group 2 are the weak spots: use sha256 and group 14 or higher if
! the far end supports it.
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MYVPNKEY address 192.168.10.10 no-xauth
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
! Despite its name, NONAT is the crypto ACL: traffic it matches is sent
! through the tunnel. NAT exclusion is handled by ACL 150 further down.
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.10.10
 set transform-set MYSET
 match address NONAT
!
interface FastEthernet4
 description ## Publicly reachable Outside End Point IP ##
 ip address 172.16.1.10 255.255.255.0
 ip nat outside
 crypto map MYMAP
!
interface Vlan1
 description ## Internal Overloaded IP ##
 ip address 192.168.7.1 255.255.255.0
 ip nat inside
!
! ip default-gateway only applies when IP routing is disabled; the static
! default route is what this router actually uses
ip default-gateway 172.16.1.1
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
ip nat inside source route-map allowed-out interface FastEthernet4 overload
! ip dns server answers queries on every interface, including the outside
! one; restrict it or leave it out
ip dns server
!
ip access-list extended NONAT
 permit ip 192.168.7.0 0.0.0.255 10.11.12.0 0.0.0.255
!
! Site-to-site traffic must keep its original addresses to match the
! crypto ACL, so it is denied here and therefore excluded from PAT
access-list 150 deny ip 192.168.7.0 0.0.0.255 10.11.12.0 0.0.0.255
access-list 150 permit ip 192.168.7.0 0.0.0.255 any
route-map allowed-out permit 10
 match ip address 150

SITE-B-Configuration
--------------------
hostname SITEB
!
ip cef
ip name-server 192.168.10.1
!
! Same policy as SITE-A; both ends must agree on every parameter
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MYVPNKEY address 172.16.1.10 no-xauth
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.16.1.10
 set transform-set MYSET
 match address NONAT
!
interface FastEthernet4
 description ## Publicly reachable Outside End Point IP ##
 ip address 192.168.10.10 255.255.255.0
 ip nat outside
 crypto map MYMAP
!
interface Vlan1
 description ## Internal Overloaded IP ##
 ip address 10.11.12.1 255.255.255.0
 ip nat inside
!
ip default-gateway 192.168.10.1
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
ip nat inside source route-map allowed-out interface FastEthernet4 overload
ip dns server
!
! Mirror image of SITE-A's crypto ACL and NAT exclusion
ip access-list extended NONAT
 permit ip 10.11.12.0 0.0.0.255 192.168.7.0 0.0.0.255
!
access-list 150 deny ip 10.11.12.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 150 permit ip 10.11.12.0 0.0.0.255 any
route-map allowed-out permit 10
 match ip address 150
!
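Both the remote-access server above and this site-to-site pair use the same IKEv1 phase 1 settings (AES, MD5, DH group 2, pre-shared key), and those are the lines a reviewer would flag first when handed the configs. The following is an added example, not from either post: a small audit that parses "crypto isakmp policy", "crypto isakmp key", "crypto isakmp client configuration group" and "crypto ipsec transform-set" blocks from a constructed configuration made from the two posts' values (plus one policy that passes, for contrast) and reports MD5 hashing, small DH groups, weak ciphers, cleartext pre-shared keys and static group keys. It reads running-config style input, so policy sub-commands are indented by one space as IOS prints them.

```python
"""Audit IKEv1/IPsec settings in an IOS configuration for parameters a
reviewer would reject today: MD5 hashing, DH groups 1/2/5, DES/3DES,
pre-shared keys stored in the clear, and a static group key for IKEv1
remote-access clients (negotiated with aggressive mode, whose PSK hash
can be captured and cracked offline). Added example, not from the
original posts; SAMPLE_CONFIG is constructed from their values.
"""
import re

WEAK_HASHES = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
WEAK_ESP_AUTH = {"esp-md5-hmac"}

# IOS defaults for an isakmp policy when a parameter is not configured
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

# Constructed sample: policy 10 and the keys are the posts' values, policy 20
# and the type-6 key are added to show what a clean block looks like
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MYVPNKEY address 192.168.10.10 no-xauth
!
crypto isakmp client configuration group TUNNELGROUP
 key MYVPNKEY
 pool MYPOOL
 acl 100
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto isakmp policy 20
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 6 ENCRYPTED-KEY-BLOB address 203.0.113.7
"""


def parse_isakmp_policies(config):
    """Return {policy_number: {encr, hash, authentication, group}}."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(POLICY_DEFAULTS))
            continue
        if not line.startswith(" "):
            current = None  # left the policy block
            continue
        parts = line.split()
        if current is not None and parts:
            key = "encr" if parts[0] == "encryption" else parts[0]
            if key in POLICY_DEFAULTS:
                current[key] = " ".join(parts[1:])
    return policies


def parse_transform_sets(config):
    """Return {name: [transform, ...]}."""
    sets = {}
    for line in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line.strip())
        if m:
            sets[m.group(1)] = m.group(2).split()
    return sets


def find_group_keys(config):
    """Names of client configuration groups that carry a static 'key'."""
    groups, current = [], None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp client configuration group (\S+)", line)
        if m:
            current = m.group(1)
        elif current and line.startswith(" key "):
            groups.append(current)
        elif not line.startswith(" "):
            current = None
    return groups


def audit(config):
    """Return a list of human-readable findings, empty if nothing is flagged."""
    findings = []
    for num, p in parse_isakmp_policies(config).items():
        if p["hash"] in WEAK_HASHES:
            findings.append(f"isakmp policy {num}: hash {p['hash']} is weak")
        if p["group"] in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {num}: DH group {p['group']} is too small")
        if p["encr"].split()[0] in WEAK_CIPHERS:
            findings.append(f"isakmp policy {num}: cipher {p['encr']} is weak")
    for name, transforms in parse_transform_sets(config).items():
        for t in transforms:
            if t in WEAK_CIPHERS or t in WEAK_ESP_AUTH:
                findings.append(f"transform-set {name}: {t} is weak")
    for line in config.splitlines():
        # 'crypto isakmp key [0|6] <key> address <peer>'; only type 6 is encrypted
        m = re.match(r"crypto isakmp key (?:(0|6) )?\S+ address (\S+)", line.strip())
        if m and m.group(1) != "6":
            findings.append(f"cleartext pre-shared key for peer {m.group(2)}")
    for group in find_group_keys(config):
        findings.append(f"client group {group}: static group key (IKEv1 aggressive mode)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Note that policy parsing starts from IOS defaults (DES, SHA, RSA signatures, group 1), so a policy block that omits "encr" or "group" is reported for what it actually negotiates rather than silently passing.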
Sunday, January 10, 2010
Basic Cisco Router Configuration with NAT and DHCP
hostname myrouter
!
! 'enable secret' is a one-way hash and overrides 'enable password', which
! 'service password-encryption' only obfuscates (type 7, trivially
! reversible); do not set both to the same value, use the secret alone
enable secret @bcD987
service password-encryption
!
interface FastEthernet4
 ip address 1.2.3.4 255.255.255.0
 ip nat outside
 no shutdown
!
interface Vlan1
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 no shutdown
!
! Telnet is the default on vty lines. Once an RSA key exists ('ip domain-name'
! plus 'crypto key generate rsa'), add 'transport input ssh' and 'login local'
! here instead of a shared line password.
line vty 0 4
 password @bcD987
 login
line con 0
 password @bcD987
 login
!
! 100 is an extended ACL, so the entry needs a protocol and a destination
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet4 overload
!
! Upstream resolver: your ISP's, never the router's own outside address
ip name-server 5.6.7.8
! 'ip dns server' makes the router answer DNS on every interface, including
! FastEthernet4 (an open resolver); filter UDP/TCP 53 from the outside, or
! leave it out and hand DHCP clients 5.6.7.8 directly
ip dns server
! Plaintext HTTP management has no place on an Internet-facing router; keep
! only the HTTPS server and bind it to an ACL with 'ip http access-class'
ip http secure-server
! ip default-gateway only applies when IP routing is disabled; the static
! default route is what this router actually uses
ip default-gateway 1.2.3.1
ip route 0.0.0.0 0.0.0.0 1.2.3.1
!
! 'secret' hashes the password; 'password 0' would store it in the clear
username myuser privilege 15 secret gh!JK678
!
ip dhcp excluded-address 192.168.5.1
ip dhcp pool mydhcppool
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
 domain-name mydomain.org
 dns-server 192.168.5.1 5.6.7.8
 netbios-name-server 192.168.5.1
 netbios-node-type h-node
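"service password-encryption" is worth understanding rather than trusting: it turns "enable password", line passwords and "username ... password" into type 7 strings, and type 7 is a fixed-key XOR that anyone holding a copy of the configuration can undo. The following is an added example, not code from the original post: a type 7 decoder and encoder, plus a scan over a constructed configuration fragment (not the post's own password) that pulls out every type 7 string and recovers its plaintext. XLAT is the well-known IOS translation table, and 094F471A1A0A is the widely published type 7 encoding of "cisco".

```python
"""Cisco IOS type 7 password obfuscation, which is what 'service
password-encryption' applies to 'enable password', line passwords and
'username ... password'. It is a fixed-key XOR: anyone who can read the
configuration recovers the plaintext. 'enable secret' and
'username ... secret' are one-way hashes and are not affected. Added
example, not from the original post; SAMPLE_CONFIG is constructed.
"""
import re

# Well-known IOS type 7 key table; the first two digits of a type 7 string
# give the decimal offset into it
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decrypt(encoded):
    """'SS' + hex bytes, where SS is the decimal start offset into XLAT."""
    seed = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode()


def type7_encrypt(plaintext, seed=9):
    """Inverse of the above; IOS picks a seed in 0..15 itself."""
    data = plaintext.encode()
    body = "".join("%02X" % (b ^ XLAT[(seed + i) % len(XLAT)]) for i, b in enumerate(data))
    return "%02d%s" % (seed, body)


# Constructed fragment in the form 'service password-encryption' leaves
# behind (not the original post's values)
SAMPLE_CONFIG = """\
enable password 7 094F471A1A0A
username myuser privilege 15 password 7 094F471A1A0A
line vty 0 4
 password 7 094F471A1A0A
 login
"""


def find_type7_passwords(config):
    """Return [(line_number, stripped_line, plaintext)] for every type 7 string."""
    found = []
    for n, line in enumerate(config.splitlines(), 1):
        m = re.search(r"\b(?:password|key) 7 ([0-9A-Fa-f]{4,})\b", line)
        if m:
            found.append((n, line.strip(), type7_decrypt(m.group(1))))
    return found


if __name__ == "__main__":
    for line_no, text, plain in find_type7_passwords(SAMPLE_CONFIG):
        print(f"line {line_no}: {text!r} -> {plain!r}")
```

The practical consequence for the configuration above: the vty and console passwords and anything set with "password" are readable to whoever gets the config (backups, TFTP copies, "show run" over telnet), which is why "enable secret" and "username ... secret" are the ones to rely on.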