Posts tagged: cisco

Automatic vpnc connection on DD-WRT

By , 2012-09-24 18:34

I sometimes have to work from home, which means using VPN. Cisco VPN works quite well, but it’s just not the same as being on the corp network.

Using a spare DD-WRT router (ASUS WL-520GU) running the VPN build of DD-WRT, I set up a persistent VPN connection. Now when I connect my work PC to this router, it behaves just like it’s on the corporate LAN.

How to do it

  1. First, get the recommended DD-WRT VPN build from dd-wrt.com and flash the router.
  2. Connect the VPN router’s WAN/Internet port to your home LAN.
  3. Make sure your router’s LAN IP doesn’t conflict with any subnets in the corp network or your existing home LAN. I used 192.168.133.0/24.
  4. Add your corporate domains and DNS servers to the dnsmasq config (Services tab)
  5. Next, customize the script at the end of this post and paste in the Administration>Commands section. Click Save Startup.
  6. Reboot the router. Wait about 5 minutes (it takes a while to start up) and verify you can ping/access servers on the corp LAN.
  7. Done!

This isn’t exactly the most stable solution, but it works and I haven’t had any disconnects so far. Also much cheaper and much less trouble than setting up a site-to-site VPN using a real Cisco router.

One sticking point is that from now on any changes to router config (DHCP, WiFi, etc.) will require a reboot. Otherwise your VPN tunnel will die and won’t come back for some reason.

Also, speeds are limited by the router’s processor. Mine is only a 266MHz ARM, so IPsec puts quite a load on it, meaning I can only sustain speeds of about 2Mbps – sadly still better than some of our WAN sites that are using T1 lines.

Script

mkdir /tmp/etc/vpnc
rm -f /tmp/etc/vpnc/vpnc.sh
#Create the VPNC startup script in /tmp
echo '
#!/bin/sh 
vpn_concentrator="your.vpn.gateway" ##enter ip or hostname of your Ipsec vpn concentrator
vpn_keepalive_host1="some.server.corp"        ##enter the ip or hostname of a computer that is only reachable if vpn connection is established.
vpn_keepalive_host2="other.server.corp"        ##enter the ip or hostname of a computer that is only reachable if vpn connection is established.
vpn_groupname="groupname"  ##enter the group name here
vpn_grouppasswd="grouppass"   ##enter the group password here
vpn_username="user"       ##enter your username here
vpn_password="pass"        ##enter your password here

#--do not edit this--
#Written by Alain R. 28.Sep.2007
#updated by Matthieu Y. 2012-09-24
vpnc-disconnect
rm -f /tmp/etc/vpnc/vpn.conf
#Create vpnc config file
echo "
IPSec gateway $vpn_concentrator
IPSec ID $vpn_groupname
IPSec secret $vpn_grouppasswd
Xauth username $vpn_username
Xauth password $vpn_password
" >> /tmp/etc/vpnc/vpn.conf
# allow dnsmasq to forward dns replies for LAN subnets
sed -i "s/stop-dns-rebind//g" /tmp/dnsmasq.conf
killall dnsmasq
dnsmasq --conf-file=/tmp/dnsmasq.conf 
#Check if we can ping the IPs specified above
pingtest1 () {
 ping -q -c1 $param1 >> /dev/null
 if [ "$?" == "0" ]; then
       echo 0 #reachable 

 else
	echo 1 #not reachable
 fi
}

pingtest2 () {
 ping -q -c2 $param2 >> /dev/null
 if [ "$?" == "0" ]; then
       echo 0 #reachable 

 else
	echo 1 #not reachable
 fi
}
doloop=true

while [ $doloop==true ]; do
			param1=$vpn_keepalive_host1;

			if [ "`pingtest1`" == "0" ]; then
				sleep 300
			else
				param2=$vpn_keepalive_host2;
				if [ "`pingtest2`" == "0" ]; then
					sleep 300
				else
					doloop=false
					vpnc-disconnect
					vpnc /tmp/etc/vpnc/vpn.conf --dpd-idle 0
					sleep 1
					if [ "`pingtest1`" != "0" ]; then
						sleep 10
					fi
					tundev="`ifconfig |grep tun |cut -b 1-4`"
					iptables -A FORWARD -o $tundev -j ACCEPT
					iptables -A FORWARD -i $tundev -j ACCEPT
					iptables -t nat -A POSTROUTING -o $tundev -j MASQUERADE
					sleep 9
				fi
			fi
done

return 0;
' >> /tmp/etc/vpnc/vpnc.sh
chmod 700 /tmp/etc/vpnc/vpnc.sh
/tmp/etc/vpnc/vpnc.sh&

References:

 

 

30 Rock – Product placement

By , 2012-01-11 09:21

30 Rock is set to return to NBC tomorrow evening. (Unfortunately, it’s in Community’s time slot.) I decided to take the occasion to revisit some clever but blatant (to comedic effect) product placement from earlier seasons.

Snapple:

Cisco Telepresence:

System failures à go go

By , 2009-11-26 22:41

Today was quite the day. As the title says, systems were failing all over the place. Our main switch at work (a Cisco 6509) crashed about 3 times this week, causing our vSphere environment to crash repeatedly, taking all the guest VMs with it. We searched for a long while before discovering that a faulty UPS battery was to blame for the switch’s instability. Meanwhile, we’re left with a misconfigured iSCSI SAN and 3 ESX hosts with no storage.

At home, my crazy MythTV/OpenVZ/KVM/PBX/Windows 2003/Seedbox/RADIUS server had to be shut down when my home network started acting up. DHCP stopped working, and the machines that were left had difficulty pinging each other. This time, a Cisco device was to blame. A WRT610N router that I use as an ABGN Access-point running DD-WRT had somehow bricked itself and started broadcasting packets on the network, thus flooding my routers and other computers. Then, I tried booting up my server again. MythTV and OpenVZ started up OK, but the qemu-server/kvm machines didn’t start, throwing “can’t open lock for VM 107 ‘/var/lock/qemu-server/lock-107.conf’ – No such file or directory”. Weird error. The fix is to create the /var/lock/qemu-server folder.

And finally, everything at home is up and running again. We’ll see tomorrow morning how things go at work. David was staying late today on the phone with Dell EqualLogic specialists, so fingers crossed!

Custom theme by me. Based on Panorama by Themocracy