Archive for July 27th, 2009

27 Jul

stoke – take 0.2

Posted by: cristina_crow in technical

It seems that Stoke has a few odd quirks, alongside its multitude of nice features.

Namely: for what I want to do, I work with a context named ipsec1, this context being a kind of VRF. Well, when I put the ipsec/clear IP/whatever config on a port, I state clearly there which context that port belongs to. In this case:

port ethernet 4/0
bind interface untrust1 ipsec1
ipsec policy ikev2 phase2 name ph2_1
ipsec policy ikev2 phase1 name ph1_1
exit
service ipsec
enable
exit
port ethernet 4/1
bind interface trust1 ipsec1
exit
exit
Well, that is not enough for Stoke, and it complains that it cannot find a context for that user. So on the client you have to put something like user@context, to tell Stoke to associate this user with that particular context, because it is configured to do EAP, for example. This seems silly to me, because I don't see why the client should have to know which VRFs the admin has configured on the DUT. Since the EAP request comes in on a port, and that port is placed in a context, I would expect the authentication rules from that context to apply to me.
This Stoke quirk has one more implication for freeradius, namely that what reaches radius is also user@context; the context is not stripped. So, to get authentication to complete, you have to strip the "domain" (probably..?!?) here. I created a realm named after the context in proxy.conf on radius, in which I set authhost=LOCAL. I hope to fool it that way. Otherwise I would have to tell radius "somehow" to ignore what comes after "@", and I don't know how yet.


27 Jul

stoke – take 0.1

Posted by: cristina_crow in technical

Remote access with EAP-TLS authentication in freeradius.
It doesn't work yet (see below).
But I am only just getting started.

context ipsec1
domain save
aaa profile
user authentication local
session authentication radius
service authorization local
exit
session name session1
ip address pool
exit
radius session authentication profile
retry 2
server 10.205.17.70 port 1812 key test
exit
ip pool 95.95.0.2 1024
ip pool 95.95.8.1 1024
ip pool 95.95.12.1 1024
ip pool 95.95.16.1 1024
interface untrust1
arp arpa
ip address 170.2.0.5/24
exit
interface trust1
arp arpa
ip address 171.253.253.5/24
exit
interface session1 session loopback
ip session-default
ip address 95.95.0.1/32
exit
interface Mngmt management
arp arpa
ip source-address context-default
ip address 10.205.17.238/24
exit
ip route 61.211.0.0/16 171.253.253.2
ip route 46.0.0.0/8 170.2.0.2
ip route 1.0.0.0/8 170.2.0.2
ip route 10.205.0.0/16 10.205.17.3
ip access-list intresting1
2 permit ip any any
exit
ipsec policy ikev2 phase1 name ph1_1
custom
gw-authentication certificate name SSX password encrypted 241C0E1F00563313
peer-authentication eap
hard-lifetime 36000 secs
soft-lifetime 360 secs
encryption triple-des
hash md5
d-h group2
prf md5
exit
exit
ipsec policy ikev2 phase2 name ph2_1
custom
hard-lifetime 36000 secs
soft-lifetime 300 secs
encryption triple-des
hash md5
pfs group5
exit
exit
exit
And the debug output swears at me:
Stoke[ipsec1]#Jul 27 13:47:02 [4] DEBUG Iked-IKE_PKT_RCVD: 46.11.0.1[500] -> 170.2.0.5[500] :LEN: 272
Jul 27 13:47:02 [4] DEBUG Iked-DETAIL: 00000000:170.2.0.5[500] – 46.11.0.1[500]:0:Received payloads : SA:KE:NONCE:
Jul 27 13:47:02 [4] DEBUG Iked-DETAIL: fc1012cd:170.2.0.5[500] – 46.11.0.1[500]:0:Sending payloads : SA:KE:NONCE:
Jul 27 13:47:02 [4] DEBUG Iked-IKE_PKT_SEND-0xfc1012cd: 170.2.0.5[500] -> 46.11.0.1[500] :LEN: 272
Jul 27 13:47:02 [4] DEBUG Iked-IKE_PKT_RCVD: 46.11.0.1[500] -> 170.2.0.5[500] :LEN: 256
Jul 27 13:47:02 [4] DEBUG Iked-DETAIL: fc1012cd:170.2.0.5[500] – 46.11.0.1[500]:0:Received payloads : ENCRYPTED
Jul 27 13:47:02 [4] DEBUG Iked-DETAIL: fc1012cd:170.2.0.5[500] – 46.11.0.1[500]:0:Received payloads : ENCRYPTED:ID_I:SA:TS_I:TS_R:CERTREQ:CONFIG:NOTIFY[ESP_TFC_PADDING_NOT_SUPPORTED]:
Jul 27 13:47:02 [4] DEBUG Iked-DETAIL: fc1012cd:170.2.0.5[500] – 46.11.0.1[500]:0:Received TSi[0] : 0.0.0.0-255.255.255.255[0-65535][0]
Jul 27 13:47:02 [4] DEBUG Iked-DETAIL: fc1012cd:170.2.0.5[500] – 46.11.0.1[500]:0:Received TSr[0] : 61.0.0.0-61.255.255.255[0-65535][0]
Jul 27 13:47:02 [4] DEBUG Iked-RX_CFG_INTERNAL_ADDR-2-0xfc1012cd: 46.11.0.1[500] -> 170.2.0.5[500]. SPI :: 9ae66e9d64206214:2aa1f2746bee449c. Addr :: 0.0.0.0
Jul 27 13:47:02 [4] DEBUG Iked-DETAIL: fc1012cd:170.2.0.5[500] – 46.11.0.1[500]:0:Sending payloads : ID_R:AUTH:EAP:
Jul 27 13:47:02 [4] DEBUG Iked-IKE_PKT_SEND-0xfc1012cd: 170.2.0.5[500] -> 46.11.0.1[500] :LEN: 128
Jul 27 13:47:02 [0] DEBUG Aaad-RCV_IPC_MSG: Received aaa_general_cmd IPC-msg
Jul 27 13:47:02 [0] DEBUG Aaad-PROC_MSG-0xfc1012cd: Processing aaa_general_cmd msg from module Iked
Jul 27 13:47:02 [4] DEBUG Iked-IKE_PKT_RCVD: 46.11.0.1[500] -> 170.2.0.5[500] :LEN: 96
Jul 27 13:47:02 [4] DEBUG Iked-DETAIL: fc1012cd:170.2.0.5[500] – 46.11.0.1[500]:0:Received payloads : ENCRYPTED
Jul 27 13:47:02 [4] DEBUG Iked-DETAIL: fc1012cd:170.2.0.5[500] – 46.11.0.1[500]:0:Received payloads : ENCRYPTED:NOTIFY[AUTHENTICATION_FAILED]:
Jul 27 13:47:02 [4] DEBUG Iked-DETAIL: fc1012cd:170.2.0.5[500] – 46.11.0.1[500]:47e32ee8:unexpected critical payload (type 41)
Jul 27 13:47:02 [4] DEBUG Iked-DETAIL: fc1012cd:170.2.0.5[500] – 46.11.0.1[500]:0:Sending payloads : NOTIFY[INVALID_SYNTAX]:
Jul 27 13:47:02 [4] DEBUG Iked-IKE_PKT_SEND-0xfc1012cd: 170.2.0.5[500] -> 46.11.0.1[500] :LEN: 96
Jul 27 13:47:02 [4] DEBUG Iked-IKE_SA_DELETE_MSG_SEND-0xfc1012cd: 170.2.0.5[500] -> 46.11.0.1[500] :IKE-SA-SPI: 9ae66e9d64206214:2aa1f2746bee449c
Jul 27 13:47:02 [4] DEBUG Iked-DETAIL: fc1012cd:170.2.0.5[500] – 46.11.0.1[500]:0:Sending payloads : DELETE[IKE]:
Jul 27 13:47:02 [4] DEBUG Iked-IKE_PKT_SEND-0xfc1012cd: 170.2.0.5[500] -> 46.11.0.1[500] :LEN: 96
Jul 27 13:47:02 [4] DEBUG Iked-AAAD_SESSION_DOWN_SEND-0xfc1012cd: fc1012cd
Jul 27 13:47:02 [4] DEBUG Iked-AAAD_GENERAL_CMD_SEND-0xfc1012cd: cmd_type: AAA_GENERAL_CMD_TYPE_SESSION_DOWN :term_ec: AAAD_TERM_EC_TUNL_SETUP_FAILED
Jul 27 13:47:02 [4] DEBUG Iked-AAAD_GENERAL_CMD_RCVD-0xfc1012cd: cmd_type: AAA_GENERAL_CMD_TYPE_SESSION_DOWN_COMPLETE :term_ec: AAAD_TERM_EC_INVALID
Jul 27 13:47:02 [4] DEBUG Iked-SESSION_DELETED-0xfc1012cd: Remote-TEP:  :Port: 0 :Local-TEP:  :Port: 0 :Username: session1@ipsec1 :Subscriber-IP:  :AAAD_EC: AAAD_TERM_EC_INVALID :IKED_EC: INVALID_SYNTAX
Jul 27 13:47:07 [4] DEBUG Iked-SESS_MGMT-0xfc1012cd: IKED_FREE_SESSION
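The debug output above is dense, so here is an added example (my own code, not from the post or from Stoke) that parses the iked lines, groups them by IKE SA id, records the payloads sent and received, and reports the failure chain: EAP offered in the responder's IKE_AUTH reply, AUTHENTICATION_FAILED from the initiator, the critical Notify (IKEv2 payload type 41) that made Stoke answer INVALID_SYNTAX, and the user@context name that reached AAA (the same suffix discussed in the take 0.2 post). The sample lines are excerpted from the log quoted in the post; the field layout the regexes assume is taken from those lines only.

```python
import re
# Sample input: lines excerpted from the iked debug output quoted in the post ("-" between endpoints).
SAMPLE_LOG = """\
Jul 27 13:47:02 [4] DEBUG Iked-DETAIL: fc1012cd:170.2.0.5[500] - 46.11.0.1[500]:0:Sending payloads : SA:KE:NONCE:
Jul 27 13:47:02 [4] DEBUG Iked-DETAIL: fc1012cd:170.2.0.5[500] - 46.11.0.1[500]:0:Received payloads : ENCRYPTED:ID_I:SA:TS_I:TS_R:CERTREQ:CONFIG:NOTIFY[ESP_TFC_PADDING_NOT_SUPPORTED]:
Jul 27 13:47:02 [4] DEBUG Iked-DETAIL: fc1012cd:170.2.0.5[500] - 46.11.0.1[500]:0:Sending payloads : ID_R:AUTH:EAP:
Jul 27 13:47:02 [4] DEBUG Iked-DETAIL: fc1012cd:170.2.0.5[500] - 46.11.0.1[500]:0:Received payloads : ENCRYPTED:NOTIFY[AUTHENTICATION_FAILED]:
Jul 27 13:47:02 [4] DEBUG Iked-DETAIL: fc1012cd:170.2.0.5[500] - 46.11.0.1[500]:47e32ee8:unexpected critical payload (type 41)
Jul 27 13:47:02 [4] DEBUG Iked-DETAIL: fc1012cd:170.2.0.5[500] - 46.11.0.1[500]:0:Sending payloads : NOTIFY[INVALID_SYNTAX]:
Jul 27 13:47:02 [4] DEBUG Iked-SESSION_DELETED-0xfc1012cd: Remote-TEP:  :Port: 0 :Local-TEP:  :Port: 0 :Username: session1@ipsec1 :Subscriber-IP:  :AAAD_EC: AAAD_TERM_EC_INVALID :IKED_EC: INVALID_SYNTAX
"""

PAYLOADS = re.compile(r"Iked-DETAIL: ([0-9a-f]{8}):\S+ [-\u2013] \S+:\S+:(Received|Sending) payloads : (.*)")
CRITICAL = re.compile(r"Iked-DETAIL: ([0-9a-f]{8}):.*unexpected critical payload \(type (\d+)\)")
DELETED = re.compile(r"Iked-SESSION_DELETED-0x([0-9a-f]{8}):.*Username: (\S+) .*IKED_EC: (\S+)")

def parse_iked_log(text):
    """Group iked lines by IKE SA id: payload sequence, critical-payload errors, teardown record."""
    sas = {}
    for line in text.splitlines():
        for rx in (PAYLOADS, CRITICAL, DELETED):
            m = rx.search(line)
            if m:
                break
        else:
            continue  # packet/AAA chatter we do not need for the diagnosis
        sa = sas.setdefault(m.group(1), {"exchanges": [], "critical": [], "username": None, "iked_ec": None})
        if rx is PAYLOADS:
            sa["exchanges"].append((m.group(2), [p for p in m.group(3).split(":") if p]))
        elif rx is CRITICAL:
            sa["critical"].append(int(m.group(2)))
        else:
            sa["username"], sa["iked_ec"] = m.group(2), m.group(3)
    return sas

def diagnose(sa):
    """Turn one SA's record into the findings a responder-side operator wants to see."""
    sent = [p for d, ps in sa["exchanges"] if d == "Sending" for p in ps]
    recv = [p for d, ps in sa["exchanges"] if d == "Received" for p in ps]
    findings = []
    if "EAP" in sent:
        findings.append("responder offered EAP in its IKE_AUTH reply (ID_R:AUTH:EAP)")
    if "NOTIFY[AUTHENTICATION_FAILED]" in recv:
        findings.append("initiator answered with AUTHENTICATION_FAILED")
    if 41 in sa["critical"] and "NOTIFY[INVALID_SYNTAX]" in sent:  # IKEv2 payload type 41 is Notify (RFC 4306)
        findings.append("initiator set the critical bit on a Notify; responder replied INVALID_SYNTAX")
    if sa["username"] and "@" in sa["username"]:
        findings.append("AAA username carries the context suffix: " + sa["username"].split("@", 1)[1])
    return findings
```

Feed it the full `show` or debug capture instead of the excerpt and each SA id (the 0xfc1012cd part of the message tags) gets its own record.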


27 Jul

searching for music on the second disk

Posted by: cristina_crow in media-culture

I found an older album again…

http://www.youtube.com/watch?v=PRPrtClpxPA

For those who still remember the guys from Agathodaimon, especially Vlad, who is now in Ra-Geniu Pustiu. Some Romanians (actually, I think only Vlad was Romanian, the rest were Germans) who tried to set Eminescu's verses to music… The track above is after Minulescu and is called Romanta noului venit.

Come, let me kindle in your souls the light of the extinguished torches
And in verses the phantasmagoria and the spell of new magics
And your songs, with which today you beg for bread,
Let me wed to the brilliance of tomorrow's dawns

But the gate stayed closed to the voice of the art to come!

And from Eminescu's, I remember Epigonii, my favourite poem :)

O, holy visionary natures
You who made the wave sing, who made the star sing
Who created another world upon this world of mud
Fools and geniuses, small and great, sound, soul, light
All is dust, the world is as it is… and like it, so are we.


27 Jul

weekend

Posted by: cristina_crow in media-culture

This weekend monsieur and I did a movie marathon, as can be seen on his bloggy. Luckily for me, two of the films starred my favourite actress, Jodie Foster, and the others were very well chosen too. [Note: I have to rewatch Nell, one of Jodie Foster's first films and, in my opinion, her best.] I liked "I Love You, Man", but by far the one I liked most was "The Pursuit of Happyness", which for some reason I had not seen until now. I liked seeing Will Smith in a hero role, but a different one from the hero in "Hancock", perhaps closer to the one in "Seven Pounds", a very well played and very captivating role.

I like these films, the kind that make you think at the end and make you ask yourself questions, the kind you don't watch just because a naked girl shows up :P I was thinking… am I happy? But… more important than whether I am happy is whether those dear to me are happy, in particular whether I, or what I do, or even a little of what I do, makes them happy or not. Then I was thinking that I am always the problem child; will I ever settle down in "my own home", as they say, and have a family and kinder/kinders? Will I be able to raise them, educate them, give them some directions along which to develop intellectually and spiritually, to become people of honour, able to earn respect… etc.? And if I were ever in the situation from the film, would I have morale strong enough to fight that hard for my child? Could I make so many sacrifices, go without sleep in order to work/study, hold two jobs, run, fight, hold out, and all that time keep a proper parental attitude towards that child?… or would I give up, like little Chris's mother in the film?
