To troubleshoot IPsec NAT-T:
UDP:
nc -p 500 -zvu 192.168.1.150 500
TCP:
nc -p 500 -zv 192.168.1.150 500
JunOS, IOS, Unix, Linux, Windows, routing, switching, security, QoS, network design, telecom... Articles and notes. I decided to put together a blog to keep useful articles in one place.
I have found one very useful feature of BGP. I was looking for a way to inject more specific prefixes into the BGP domain and was really surprised that I had not used this before. One remark here: it will not generate more specifics of its own routes (injected from another protocol, for example). All the articles I found were about routers, but it works on ASA firewalls too.
This is the exact opposite of what aggregate-address does. Now in my toolkit :)
Here is how to inject two /25s if you receive the /24 from the neighbor 10.42.1.1:
prefix-list UNAGGREGATED-PREFIXES seq 5 permit 10.43.1.0/25
prefix-list UNAGGREGATED-PREFIXES seq 10 permit 10.43.1.128/25
prefix-list R1-AGGREGATE seq 5 permit 10.43.1.0/24
prefix-list R1-SOURCE seq 5 permit 10.42.1.1/32
route-map PREFIX-INJECTIONS permit 10
 set ip address prefix-list UNAGGREGATED-PREFIXES
route-map AGGREGATED-ROUTE permit 10
 match ip address prefix-list R1-AGGREGATE
 match ip route-source prefix-list R1-SOURCE
router bgp 64517
 address-family ipv4 unicast
  bgp inject-map PREFIX-INJECTIONS exist-map AGGREGATED-ROUTE
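To make the exist-map/inject-map condition above explicit, here is a small simulation of the logic (an added example, not from the blog or any vendor code). It assumes a constructed BGP table where each entry is (prefix, route source), and models the rule as: inject the more-specifics only while the aggregate is present and was learned from the configured route source, which is why locally originated aggregates never trigger it.

```python
import ipaddress

# Constructed BGP table: (prefix, route source), mirroring the page's scenario
# where 10.43.1.0/24 is learned from neighbor 10.42.1.1.
RIB = [
    ("10.43.1.0/24", "10.42.1.1"),
    ("10.43.2.0/24", "10.42.1.2"),
]

# exist-map AGGREGATED-ROUTE: R1-AGGREGATE + R1-SOURCE
EXIST_MAP = {"aggregate": "10.43.1.0/24", "route_source": "10.42.1.1"}
# inject-map PREFIX-INJECTIONS: UNAGGREGATED-PREFIXES
INJECT_MAP = ["10.43.1.0/25", "10.43.1.128/25"]


def conditional_inject(rib, exist_map, inject_map):
    """Return the prefixes that would be injected, or [] if the condition fails.

    Simplified model (assumption): the aggregate must be present in the table
    AND must have been learned from the route source named in the exist-map.
    """
    aggregate = ipaddress.ip_network(exist_map["aggregate"])
    source = ipaddress.ip_address(exist_map["route_source"])

    # exist-map check: both match clauses must hold for the same table entry
    present = any(
        ipaddress.ip_network(prefix) == aggregate
        and ipaddress.ip_address(route_source) == source
        for prefix, route_source in rib
    )
    if not present:
        return []

    injected = []
    for candidate in inject_map:
        net = ipaddress.ip_network(candidate)
        # Only more-specifics of the aggregate make sense to inject; anything
        # else is skipped in this model rather than accepted blindly.
        if net != aggregate and net.subnet_of(aggregate):
            injected.append(str(net))
    return injected
```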
When the DIA bandwidth is exhausted and the ISP will only increase it in a month, you still have to deliver services to the users. Time to implement QoS.
ip access-list extended ACL-LAN-to-LAN-GE3-7
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
ip access-list extended ACL-LAN-to-LAN-GE3-8
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
 permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
 permit ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255
 permit ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
class-map match-all CM-PRIVATE-GE3-8
 match access-group name ACL-LAN-to-LAN-GE3-8
class-map match-all CM-PRIVATE-GE3-7
 match access-group name ACL-LAN-to-LAN-GE3-7
class-map match-all CM-VOICE
 match dscp ef
policy-map PM-GE3-8_1
 class CM-VOICE
  priority
  police cir percent 4 bc 33 ms
 class CM-PRIVATE-GE3-8
  bandwidth remaining percent 75
  queue-limit 2000 packets
  dbl
 class class-default
  bandwidth remaining percent 21
  dbl
policy-map PM-GE3-7_1
 class CM-VOICE
  priority
  police cir percent 4 bc 33 ms
 class CM-PRIVATE-GE3-7
  bandwidth remaining percent 75
  queue-limit 2000 packets
  dbl
 class class-default
  bandwidth remaining percent 21
  dbl
!
interface GigabitEthernet3/7
 description TO_VRF_GLOBAL
 no switchport
 bandwidth 97280
 ip vrf forwarding VRF-LAN
 ip address 10.60.5.49 255.255.255.240
 service-policy output PM-GE3-7_1
!
!
interface GigabitEthernet3/8
 description TO_VRF_LAN
 no switchport
 bandwidth 97280
 ip address 10.60.5.50 255.255.255.240
 service-policy output PM-GE3-8_1
end
https://www.ciscopress.com/articles/article.asp?p=2159353&seqNum=3
diagnose debug reset
diagnose debug flow filter ?
diagnose debug flow filter saddr 172.16.27.148
diagnose debug flow filter daddr 8.8.8.8
diagnose debug flow show console enable
diagnose debug enable
diagnose debug flow trace start 10 #display 10 packets
diagnose debug disable
openvpn.conf
...
askpass /etc/openvpn/jdoe.pass    <<< new line here
ca /etc/openvpn/jdoe_ca.crt
cert /etc/openvpn/jdoe.crt
key /etc/openvpn/jdoe.key
...
/etc/openvpn/jdoe.pass just contains the password. You can chmod this file to 600. This method saved my life... ;-)