Tuesday, November 26, 2019

eve-ng upload file from AWS workspace to eve-ng docker.io-linux-vm inside a lab


1) Start EVE-NG with HTML5 Desktop. Upload the file via the GUACD folder in the thin client (details in the EVE-NG cookbook).
2) Copy the file to the Desktop in the HTML5 Desktop GUI.
3) Open the terminal of the docker.io-linux-vm in the lab to find its 172.x.x.x IP address.
4) From the HTML5 Desktop GUI, sftp the file to that address.


Monday, March 25, 2019

Ubuntu: X11, gdm3

as root:
systemctl start gdm3
as non-root (attach to the display gdm3 just started; the UID in the Xauthority path is gdm's, check it with "id -u gdm"):
sudo x11vnc -auth /run/user/123/gdm/Xauthority -ncache 10 -display :0

Caveat: as written, x11vnc listens on TCP 5900 on every interface with no password, so anyone on the network can watch and drive the desktop. Add -localhost and reach it through an SSH tunnel (ssh -L 5900:localhost:5900 host), and/or -rfbauth with a password file created by "x11vnc -storepasswd", before using this outside an isolated lab.

To start x11vnc together with the login screen, add to /etc/gdm3/Init/Default (the password file is created with "x11vnc -storepasswd"):
/usr/bin/x11vnc -rfbauth /root/.vnc/passwd -o /var/log/x11vnc.log -forever -bg

Thursday, March 14, 2019

Arista Zero Touch Provisioning


zerotouch cancel -> only for the current uptime (a reload starts ZTP again)
zerotouch disable -> permanent, survives reloads (it writes /mnt/flash/zerotouch-config)

to re-enable zerotouch do:
bash
rm /mnt/flash/zerotouch-config
exit
write erase
reload

(the latest development version of Arista's open-source ztpserver is needed)

Note what the logs below show: the switch takes the boot file URL from the DHCP reply, downloads the bootstrap script over plain HTTP and executes it, and the server hands out a startup-config with topology validation disabled. Whoever can answer DHCP or sit on-path on Management1 can therefore provision the switch, so keep the ZTP management segment isolated and disable ZTP on devices that are not meant to be provisioned.

on vEOS:
localhost login: Mar 14 12:53:44 localhost ConfigAgent: %ZTP-6-DHCPv4_SUCCESS: DHCPv4 response received on Management1  [ Ip Address: 11.0.0.3/24/24; Gateway: 11.0.0.1; Boot File: http://54.37.190.249:8080/bootstrap ]
Mar 14 12:53:49 localhost ConfigAgent: %ZTP-6-CONFIG_DOWNLOAD: Attempting to download the startup-config from http://54.37.190.249:8080/bootstrap
Mar 14 12:53:49 localhost ConfigAgent: %ZTP-6-CONFIG_DOWNLOAD_SUCCESS: Successfully downloaded config script from http://54.37.190.249:8080/bootstrap
Mar 14 12:53:49 localhost ConfigAgent: %ZTP-6-EXEC_SCRIPT: Executing the downloaded config script
Mar 14 12:53:56 localhost ConfigAgent: %ZTP-6-EXEC_SCRIPT_SUCCESS: Successfully executed the downloaded config script
Mar 14 12:53:57 localhost ConfigAgent: %ZTP-6-RELOAD: Rebooting the system


on ZTPserver:
2019-03-14 13:53:51,096:DEBUG:[serializers:237] None: reading /usr/share/ztpserver/bootstrap/bootstrap...
2019-03-14 13:53:51,102:INFO:[controller:820] 178.32.46.58: node beginning provisioning
178.32.46.58 - - [14/Mar/2019 13:53:51] "GET /bootstrap HTTP/1.1" 200 48535
2019-03-14 13:53:52,308:DEBUG:[serializers:237] None: reading /usr/share/ztpserver/bootstrap/bootstrap.conf...
2019-03-14 13:53:52,309:WARNING:[controller:776] Bootstrap config file empty
178.32.46.58 - - [14/Mar/2019 13:53:52] "GET /bootstrap/config HTTP/1.1" 200 27
2019-03-14 13:53:55,271:INFO:[controller:277] 178.32.46.58: received system information from node:
{u'neighbors': {}, u'model': u'vEOS', u'version': u'4.21.1.1F', u'serialnumber': u'', u'systemmac': u'50:05:00:93:81:07'}
2019-03-14 13:53:55,272:INFO:[topology:313] 500500938107: parsing node's LLDP Neighbor information
2019-03-14 13:53:55,272:DEBUG:[topology:159] 500500938107: created node object Node(serialnumber=, systemmac=500500938107, neighbors=OrderedCollection())
2019-03-14 13:53:55,272:INFO:[controller:295] 178.32.46.58: node ID is systemmac:500500938107
2019-03-14 13:53:55,272:DEBUG:[controller:169] 500500938107: running node_exists
2019-03-14 13:53:55,272:INFO:[controller:324] 500500938107: this node already exists on the server
2019-03-14 13:53:55,272:DEBUG:[controller:169] 500500938107: running dump_node
2019-03-14 13:53:55,272:DEBUG:[serializers:270] N/A: writing /usr/share/ztpserver/nodes/500500938107/.node...
2019-03-14 13:53:55,273:INFO:[controller:520] 500500938107: node data written to nodes/500500938107/.node:
{'neighbors': {}, 'model': u'vEOS', 'version': u'4.21.1.1F', 'systemmac': '500500938107'}
2019-03-14 13:53:55,273:DEBUG:[controller:169] 500500938107: running set_location
2019-03-14 13:53:55,273:DEBUG:[controller:181] 500500938107: response to set_location: {'status': 409, 'location': 'nodes/500500938107'}
178.32.46.58 - - [14/Mar/2019 13:53:55] "POST /nodes HTTP/1.1" 409 0
2019-03-14 13:53:55,282:INFO:[controller:558] 500500938107: received request for definition: http://54.37.190.249:8080/nodes/500500938107
2019-03-14 13:53:55,282:DEBUG:[controller:559] GET /nodes/500500938107 HTTP/1.1
Accept: */*
Accept-Encoding: identity
Connection: keep-alive
Content-Length: 4
Content-Type: text/html
Host: 54.37.190.249:8080
User-Agent: python-requests/2.18.4

null
Resource: 500500938107

2019-03-14 13:53:55,283:DEBUG:[serializers:237] None: reading /usr/share/ztpserver/nodes/500500938107/.node...
2019-03-14 13:53:55,283:INFO:[topology:313] 500500938107: parsing node's LLDP Neighbor information
2019-03-14 13:53:55,283:DEBUG:[topology:159] 500500938107: created node object Node(serialnumber=None, systemmac=500500938107, neighbors=OrderedCollection())
2019-03-14 13:53:55,283:DEBUG:[controller:169] 500500938107: running do_validation
2019-03-14 13:53:55,283:WARNING:[controller:604] 500500938107: topology validation is DISABLED
2019-03-14 13:53:55,283:DEBUG:[controller:169] 500500938107: running get_startup_config
2019-03-14 13:53:55,284:DEBUG:[controller:169] 500500938107: running get_definition
2019-03-14 13:53:55,284:WARNING:[controller:664] 500500938107: missing definition nodes/500500938107/definition
2019-03-14 13:53:55,284:DEBUG:[controller:169] 500500938107: running get_attributes
2019-03-14 13:53:55,284:WARNING:[controller:683] 500500938107: no node specific attributes file
2019-03-14 13:53:55,284:DEBUG:[controller:169] 500500938107: running do_substitution
2019-03-14 13:53:55,284:DEBUG:[controller:703] 500500938107: processing action install static startup-config file (variable substitution)
2019-03-14 13:53:55,284:DEBUG:[controller:169] 500500938107: running do_resources
2019-03-14 13:53:55,288:DEBUG:[topology:166] 500500938107: computing resources (attr={'url': 'http://54.37.190.249:8080/nodes/500500938107/startup-config'})
2019-03-14 13:53:55,289:DEBUG:[topology:194] 500500938107: resources: {'url': 'http://54.37.190.249:8080/nodes/500500938107/startup-config'}
2019-03-14 13:53:55,289:DEBUG:[controller:169] 500500938107: running finalize_response
2019-03-14 13:53:55,289:DEBUG:[controller:181] 500500938107: response to finalize_response: {'body': {'name': 'Autogenerated definition', 'actions': [{'action': 'replace_config', 'attributes': {'url': 'http://54.37.190.249:8080/nodes/500500938107/startup-config'}, 'name': 'install static startup-config file', 'always_execute': True}]}, 'status': 200, 'content_type': 'application/json'}
178.32.46.58 - - [14/Mar/2019 13:53:55] "GET /nodes/500500938107 HTTP/1.1" 200 235
2019-03-14 13:53:55,298:DEBUG:[controller:142] GET /actions/replace_config HTTP/1.1
Accept: */*
Accept-Encoding: identity
Connection: keep-alive
Content-Length: 4
Content-Type: text/html
Host: 54.37.190.249:8080
User-Agent: python-requests/2.18.4

null
Resource: replace_config

2019-03-14 13:53:55,298:DEBUG:[serializers:237] None: reading /usr/share/ztpserver/actions/replace_config...
178.32.46.58 - - [14/Mar/2019 13:53:55] "GET /actions/replace_config HTTP/1.1" 200 2364
2019-03-14 13:53:55,307:DEBUG:[controller:188] 500500938107: node resource GET request: 
GET /nodes/500500938107/startup-config HTTP/1.1
Accept: */*
Accept-Encoding: identity
Connection: keep-alive
Content-Length: 4
Content-Type: text/html
Host: 54.37.190.249:8080
User-Agent: python-requests/2.18.4

null

2019-03-14 13:53:55,307:DEBUG:[serializers:237] None: reading /usr/share/ztpserver/nodes/500500938107/startup-config...
178.32.46.58 - - [14/Mar/2019 13:53:55] "GET /nodes/500500938107/startup-config HTTP/1.1" 200 145
178.32.46.58 - - [14/Mar/2019 13:53:55] "GET /meta/nodes/500500938107/startup-config HTTP/1.1" 200 65
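Added example (not part of the post, and not ztpserver or EOS code): a small Python triage of the exchange logged above. It correlates the switch-side syslog with the ztpserver log to recover which URL DHCP handed out, whether the fetched script was executed, how the server identified the node and which checks the server skipped. The log lines are copied from the post (trimmed to the lines looked at); the regular expressions, the result keys and the warning texts are this example's own assumptions.

```python
"""Triage of one Arista ZTP run from the switch syslog and the ztpserver log.

Added example: the log lines below are copied from the post; the patterns and
the result structure are this example's assumptions, not ztpserver/EOS APIs.
"""
import re
from urllib.parse import urlparse

# Copied from the post (vEOS console, then ztpserver), trimmed to the lines used.
VEOS_LOG = """\
Mar 14 12:53:44 localhost ConfigAgent: %ZTP-6-DHCPv4_SUCCESS: DHCPv4 response received on Management1  [ Ip Address: 11.0.0.3/24/24; Gateway: 11.0.0.1; Boot File: http://54.37.190.249:8080/bootstrap ]
Mar 14 12:53:49 localhost ConfigAgent: %ZTP-6-CONFIG_DOWNLOAD_SUCCESS: Successfully downloaded config script from http://54.37.190.249:8080/bootstrap
Mar 14 12:53:56 localhost ConfigAgent: %ZTP-6-EXEC_SCRIPT_SUCCESS: Successfully executed the downloaded config script
"""
ZTPSERVER_LOG = """\
2019-03-14 13:53:55,272:INFO:[controller:295] 178.32.46.58: node ID is systemmac:500500938107
2019-03-14 13:53:55,283:WARNING:[controller:604] 500500938107: topology validation is DISABLED
2019-03-14 13:53:55,284:WARNING:[controller:664] 500500938107: missing definition nodes/500500938107/definition
178.32.46.58 - - [14/Mar/2019 13:53:55] "GET /nodes/500500938107/startup-config HTTP/1.1" 200 145
"""

DHCP_RE = re.compile(
    r"%ZTP-6-DHCPv4_SUCCESS: DHCPv4 response received on (?P<intf>\S+)\s+\[ "
    r"Ip Address: (?P<ip>[^;]+); Gateway: (?P<gw>[^;]+); Boot File: (?P<url>\S+) \]"
)
EXEC_OK_RE = re.compile(r"%ZTP-6-EXEC_SCRIPT_SUCCESS")
NODE_RE = re.compile(r"\] (?P<client>\S+): node ID is (?P<kind>\w+):(?P<id>\w+)")
VALIDATION_OFF_RE = re.compile(r"topology validation is DISABLED")
NO_DEFINITION_RE = re.compile(r"missing definition nodes/\w+/definition")
CONFIG_SERVED_RE = re.compile(
    r'^(?P<client>\S+) - - \[[^\]]*\] "GET /nodes/(?P<id>\w+)/startup-config HTTP/1\.1" 200\b'
)


def triage(veos_log: str, server_log: str) -> dict:
    """Correlate the switch's and the server's view of one ZTP run."""
    r = {
        "interface": None, "dhcp_ip": None, "boot_url": None, "script_executed": False,
        "node_id": None, "client_ip": None, "validation_disabled": False,
        "autogenerated_definition": False, "config_served": False, "warnings": [],
    }
    for line in veos_log.splitlines():
        m = DHCP_RE.search(line)
        if m:
            r["interface"] = m["intf"]
            r["dhcp_ip"] = m["ip"].split("/")[0]   # drop the "/24/24" prefix suffix
            r["boot_url"] = m["url"]
        if EXEC_OK_RE.search(line):
            r["script_executed"] = True
    for line in server_log.splitlines():
        m = NODE_RE.search(line)
        if m:
            r["client_ip"], r["node_id"] = m["client"], m["id"]
        if VALIDATION_OFF_RE.search(line):
            r["validation_disabled"] = True
        if NO_DEFINITION_RE.search(line):     # server fell back to "Autogenerated definition"
            r["autogenerated_definition"] = True
        if CONFIG_SERVED_RE.search(line):
            r["config_served"] = True

    scheme = urlparse(r["boot_url"]).scheme if r["boot_url"] else None
    if r["script_executed"] and scheme != "https":
        r["warnings"].append(
            f"bootstrap script fetched over plaintext {scheme} from a DHCP-supplied URL and "
            f"executed: whoever answers DHCP or sits on-path on {r['interface']} controls the switch"
        )
    if r["config_served"] and r["validation_disabled"]:
        r["warnings"].append(
            f"startup-config served with topology validation disabled: any client presenting "
            f"system MAC {r['node_id']} gets it"
        )
    if r["dhcp_ip"] and r["client_ip"] and r["dhcp_ip"] != r["client_ip"]:
        r["warnings"].append(
            f"switch received {r['dhcp_ip']} from DHCP but the server saw {r['client_ip']}: "
            "the request crossed NAT, so the source address cannot identify the node"
        )
    return r


if __name__ == "__main__":
    for key, value in triage(VEOS_LOG, ZTPSERVER_LOG).items():
        print(f"{key}: {value}")
```

Run against the two logs above it reports all three warnings; the third one is visible in the post itself (the switch got 11.0.0.3 from DHCP while the server logged 178.32.46.58), which is why the server keys the node on the system MAC rather than on the source address.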

Thursday, February 28, 2019

How to add NX-OS image to EVE-NG




1) Make it a sataa.qcow2 image.
2) After the first boot configure "boot nxos bootflash:///nxos.7.0.3.I7.3.bin" and write mem.

Remark: if you land in the loader prompt, type "boot nxos.7.0.3.I7.3.bin". You may end up in the loader prompt again; then type "boot nxos.7.0.3.I7.3.bin" once more.

Friday, October 19, 2018


eve-ng html5 firefox internet access

- create a docker.io node, select eve-gui and enable DHCP
- open a terminal in the node and add "route add default gw 172.17.0.1 eth1"

Happy surfing!

Guacamole SSH

-> url/html5/ (login: guacadmin, the built-in admin account; change its default password before exposing the HTML5 console)

create a new SSH connection
create a user and assign the SSH connection to that user

-> url/html5/ (login: the user created for SSH)

Friday, August 24, 2018

VPN (GRE+IPSec)

Cisco VPN (GRE+IPSec)

IMPORTANT: Disable GRE keepalives on the Tunnel interface (they are sent unencrypted and dropped on the other end, so the tunnel goes down). IPsec has its own liveness check: IKE dead peer detection ("crypto isakmp keepalive").


Parameters to consider/agree upon

Phase 1  IKE/ISAKMP
- Authentication: RSA signatures
- Mode: Main
- Key exchange encryption: AES-256
- Hash: SHA1
- Diffie-Hellman group: 2
- Lifetime: 86400 seconds

Phase 2  IPSec
- Encryption: AES-128
- Hash: SHA1
- PFS Diffie-Hellman group: 2
- Lifetime: 36000

Note: group 2 is 1024-bit MODP and SHA1 should be replaced by SHA-256 where the peer supports it; prefer group 14 or higher. The configuration below does not match this list exactly (it uses hash sha256, esp-aes 256 and no PFS); both ends must agree on the same proposal or phase 1/phase 2 will not complete.


Phase 1 config
crypto keyring kr-acme 
 rsa-pubkey address
  key-string
  HEXHEXHEX
  quit
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 group 2
!
crypto isakmp profile isa-acme
   keyring kr-acme
   match identity address 23.0.0.3 255.255.255.255

Phase 2 config
 crypto ipsec transform-set ts-acme esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
crypto ipsec profile ipsec-acme
 set security-association replay disable
 set transform-set ts-acme
 set isakmp-profile isa-acme
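Added example (not from the post): a Python lint of the IOS crypto configuration above. It parses the "crypto isakmp policy", "crypto ipsec transform-set" and "crypto ipsec profile" blocks and reports the settings a reviewer would push back on (the 1024-bit DH group, the SHA-1 HMAC, anti-replay disabled, no PFS). The configuration is copied from the post; the weak-algorithm tables and the IOS defaults applied when a policy line is omitted (des, sha, group 1) are this example's assumptions.

```python
"""Lint of Cisco IOS IKEv1/IPsec configuration blocks.

Added example: SAMPLE_CONFIG is copied from the post; the weak-algorithm
tables and the assumed IOS policy defaults (encr des, hash sha, group 1 when
the line is omitted) are this example's own.
"""

SAMPLE_CONFIG = """\
crypto keyring kr-acme
 rsa-pubkey address
  key-string
  HEXHEXHEX
  quit
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 group 2
!
crypto isakmp profile isa-acme
   keyring kr-acme
   match identity address 23.0.0.3 255.255.255.255
!
crypto ipsec transform-set ts-acme esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ipsec-acme
 set security-association replay disable
 set transform-set ts-acme
 set isakmp-profile isa-acme
"""

WEAK_DH = {"1": "768-bit MODP", "2": "1024-bit MODP", "5": "1536-bit MODP"}
WEAK_HASH = {"md5": "MD5", "sha": "SHA-1"}          # "hash sha" means SHA-1 on IOS
WEAK_ENCR = {"des", "3des"}
WEAK_ESP = {"esp-des": "DES", "esp-3des": "3DES", "esp-md5-hmac": "HMAC-MD5",
            "esp-null": "no encryption"}


def parse_blocks(config: str):
    """Yield (header, [indented sub-lines]) for each top-level IOS config block."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace():
            body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def lint(config: str) -> list:
    """Return one finding string per questionable setting."""
    findings = []
    for header, body in parse_blocks(config):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            name = f"isakmp policy {words[3]}"
            settings = {line.split()[0]: line.split()[1:] for line in body}
            encr = settings.get("encr", settings.get("encryption", ["des"]))
            hash_ = settings.get("hash", ["sha"])[0]
            group = settings.get("group", ["1"])[0]
            if encr[0] in WEAK_ENCR:
                findings.append(f"{name}: encryption {' '.join(encr)} is weak "
                                "(des is the IOS default when encr is omitted)")
            if hash_ in WEAK_HASH:
                findings.append(f"{name}: hash {hash_} is {WEAK_HASH[hash_]}; use sha256 or stronger")
            if group in WEAK_DH:
                findings.append(f"{name}: group {group} ({WEAK_DH[group]}) is below 2048 bits; "
                                "use group 14 or higher")
        elif header.startswith("crypto ipsec transform-set"):
            name = f"transform-set {words[3]}"
            transforms = [w for w in words[4:] if not w.isdigit()]   # drop key sizes
            for t in transforms:
                if t in WEAK_ESP:
                    findings.append(f"{name}: {t} ({WEAK_ESP[t]}) is weak")
                elif t == "esp-sha-hmac":
                    findings.append(f"{name}: esp-sha-hmac is HMAC-SHA1-96; prefer esp-sha256-hmac")
            if not any(t.startswith("esp-") and "hmac" not in t for t in transforms):
                findings.append(f"{name}: no ESP cipher (AH or integrity only): no confidentiality")
        elif header.startswith("crypto ipsec profile"):
            name = f"ipsec profile {words[3]}"
            if any(line.startswith("set security-association replay disable") for line in body):
                findings.append(f"{name}: anti-replay disabled; captured ESP packets can be replayed")
            if not any(line.startswith("set pfs") for line in body):
                findings.append(f"{name}: no PFS; add 'set pfs group14' (or higher) so child SA keys "
                                "are not derived from the IKE SA alone")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

The defaults matter more than they look: an "isakmp policy" with no "encr" line negotiates DES, which is why the lint fills in the IOS defaults before judging a block instead of only checking the lines that are present.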

Phase 1 Troubleshooting
#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
12.0.0.1        23.0.0.3        MM_KEY_EXCH       1019 ACTIVE
23.0.0.3        12.0.0.1        MM_KEY_EXCH       1020 ACTIVE

An established IKEv1 SA shows QM_IDLE; SAs stuck in MM_KEY_EXCH mean main mode stopped at the key exchange/authentication step. The diagnose output names the reason:

#show crypto isakmp diagnose error
...
Error(103): Failed to find public key. (address is missing in keyring)
Error(2): Failed to verify signature. (signature is corrupt)

Phase 2 Troubleshooting

R1#sh crypto ipsec transform-set
... 
Transform set ts-acme: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },

R1#sh crypto ipsec profile
...
IPSEC profile ipsec-acme
    ISAKMP Profile: isa-acme
    Security association lifetime: 4608000 kilobytes/3600 seconds
    Responder-Only (Y/N): N
    PFS (Y/N): N
    Mixed-mode : Disabled
    Transform sets={
        ts-acme:  { esp-256-aes esp-sha-hmac  } ,
    }
    Antireplay window disabled

R1#sh crypto ipsec sa     

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 12.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (12.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (23.0.0.3/255.255.255.255/47/0)
   current_peer 23.0.0.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 12.0.0.1, remote crypto endpt.: 23.0.0.3
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0xC288357(203981655)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x89A123AF(2309039023)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4235169/3427)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC288357(203981655)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4235169/3427)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE(ACTIVE)
         
     outbound ah sas:

     outbound pcp sas:

R1# show crypto session  detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection    
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation    
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update

Interface: Tunnel0
Profile: isa-acme
Uptime: 00:05:51
Session status: UP-ACTIVE    
Peer: 23.0.0.3 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 23.0.0.3
      Desc: (none)
  Session ID: 0 
  IKEv1 SA: local 12.0.0.1/500 remote 23.0.0.3/500 Active
          Capabilities:(none) connid:1021 lifetime:23:54:08
  IPSEC FLOW: permit 47 host 12.0.0.1 host 23.0.0.3
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 5  drop 0 life (KB/Sec) 4235169/3248
        Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4235169/3248




Wireshark
(AH instead of ESP was used as the transform-set for these captures, so the payload is not encrypted and the GRE packet stays visible)

Capture: ping interface 12.0.0.1 -> 23.0.0.3, no IPSec
Capture: ping tunnel 13.0.0.1 -> 13.0.0.3, no IPSec
Capture: ping tunnel IPs 13.0.0.1 -> 13.0.0.3, IPSec mode tunnel
Capture: ping tunnel IPs, IPSec mode transport

Remarks
Both modes, tunnel and transport, protect the full GRE packet (GRE header plus the inner IP packet).
mode tunnel = a new outer IP header is added in front of ESP; the original GRE delivery IP header travels inside ESP (20 bytes more overhead)
mode transport = the existing GRE delivery IP header is kept in front and ESP is inserted between it and the GRE header
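Added example (not from the post): a Python model of the framing the remarks describe, showing where the headers sit in tunnel and transport mode and how much inner packet a GRE tunnel can carry within a 1500-byte path MTU. The sizes are assumptions stated in the code: IPv4 header 20, GRE header 4 (no key/sequence/checksum), ESP header 8, trailer 2, and for "esp-aes 256 esp-sha-hmac" a 16-byte AES-CBC IV with 16-byte block alignment plus a 12-byte HMAC-SHA1-96 ICV. With those values the model reproduces the "plaintext mtu 1438" that "show crypto ipsec sa" reports above, which is the check that the arithmetic is right.

```python
"""ESP framing and overhead for GRE over IPsec, tunnel vs transport mode.

Added example. Header sizes and transform properties are assumptions listed
below; plaintext_mtu(1500, ESP_AES_SHA) reproduces the 1438 shown by
'show crypto ipsec sa' in the post.
"""
from dataclasses import dataclass

IP_HDR = 20       # IPv4 header without options
GRE_HDR = 4       # GRE header without key/sequence/checksum
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header


@dataclass(frozen=True)
class Transform:
    name: str
    iv: int       # bytes of IV between the ESP header and the ciphertext
    block: int    # cipher block size that (plaintext + trailer) is padded to
    icv: int      # bytes of integrity check value after the trailer


ESP_AES_SHA = Transform("esp-aes esp-sha-hmac", iv=16, block=16, icv=12)
ESP_3DES_MD5 = Transform("esp-3des esp-md5-hmac", iv=8, block=8, icv=12)


def plaintext_mtu(path_mtu: int, t: Transform) -> int:
    """Largest ESP plaintext that fits behind one IPv4 header within path_mtu.

    Both modes carry exactly one IP header in front of ESP: a new one in
    tunnel mode, the original GRE delivery header in transport mode, so the
    budget is the same and the modes differ in what the plaintext contains.
    """
    budget = path_mtu - IP_HDR - ESP_HDR - t.iv - t.icv
    padded = budget - budget % t.block    # plaintext + trailer must be block aligned
    return padded - ESP_TRAILER


def max_inner_packet(path_mtu: int, t: Transform, mode: str) -> int:
    """Largest IP packet the GRE tunnel can carry without fragmenting the ESP packet."""
    pt = plaintext_mtu(path_mtu, t)
    if mode == "tunnel":       # plaintext = GRE delivery IP header + GRE + inner packet
        return pt - IP_HDR - GRE_HDR
    if mode == "transport":    # plaintext = GRE + inner packet; delivery header stays outside
        return pt - GRE_HDR
    raise ValueError(f"unknown mode {mode!r}")


def layout(mode: str) -> list:
    """Header order on the wire, outermost first."""
    if mode == "tunnel":
        return ["new outer IP", "ESP header + IV", "IP (GRE delivery)", "GRE",
                "inner IP packet", "pad + trailer", "ICV"]
    if mode == "transport":
        return ["IP (GRE delivery)", "ESP header + IV", "GRE",
                "inner IP packet", "pad + trailer", "ICV"]
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    for t in (ESP_AES_SHA, ESP_3DES_MD5):
        print(f"{t.name}: plaintext mtu {plaintext_mtu(1500, t)}")
        for mode in ("tunnel", "transport"):
            print(f"  {mode:9s} max inner packet {max_inner_packet(1500, t, mode)}  "
                  + " | ".join(layout(mode)))
```

For the AES/SHA transform the model gives 1414 bytes of inner packet in tunnel mode and 1434 in transport mode, the 20-byte difference being the delivery header that transport mode does not duplicate; that is the usual reason to pick transport mode for GRE over IPsec when both endpoints are the GRE endpoints anyway.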
