Might help http://rr.sans.org/encryption/cisco_router.php

Upnet Joe

----- Original Message -----
From: "Eric Wolzak" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, April 16, 2002 11:38 AM
Subject: Re: [Leaf-user] Routing Problem with Dachstein CD and ISDN


> Hello Andrew, you wrote.
>
> I have not done much with the dachstein -CD version, but I possibly
> found a cause.
> I don't have a dachstein running ( using Bering :) )
> The main difference between your eigerstein and your dachstein
> setup seems to be the route.
> eigerstein
> > 139.130.0.0/16 dev ippp0  proto kernel  scope link  src 139.130.195.30
>
> dachstein
> > 139.130.195.1 dev ippp0  proto kernel  scope link  src 139.130.195.30
>
> The interface ippp0 is in eigerstein probably declared as
> 139.130.0.0./16 so will be the firewall rules connected to this
> interface
>
> In the dachstein version your firewall rules might be so that the
> ippp0 is only 139.130.195.1
> check that.
> From the route itself you should be able to route through ippp0 as
> the default route is directed in this direction.
>
> The ippp0_MASKLEN is not set
> > eval local MASKLEN=\${"$1"_MASKLEN:-""}
> IMHO if you set ippp0_MASKLEN=16 then you should get the
> same setup as before
>
>
> Eric Wolzak
> member of the Bering crew
>
> ---------------------------original message -------------
>
> > I have configured a Dachstein CD firewall which I am using at home with
> > a dialup system and it works very well and now have several deployed
> > around Australia on remote sites for the company I work for.  The latter
> > of these units are connected by modem to Bigpond Direct and have proven
> > themselves to be very reliable.  My problem occurs when I updated the
> > main office firewall to Dachstein CD.  This firewall currently is
> > running Eigerstein with 2 ISDN channels and working very reliably but I
> > wanted to upgrade to take advantage of the latest security features and
> > additions.
> >
> > On the Eigerstein version, the routes are:
> >
> > # ip route
> > 203.47.153.64/26 dev eth1  proto kernel  scope link  src 203.47.153.65
> > 192.168.45.0/24 dev eth0  proto kernel  scope link  src 192.168.45.1
> > 139.130.0.0/16 dev ippp0  proto kernel  scope link  src 139.130.195.30
> > default dev ippp0  scope link
> >
> > This has been working well.  To get ISDN support for the Dachstein CD
> > version, I found the files where the devices are created and added the
> > appropriate text to the files, /var/lib/lrpkg/root.dev.mk
> > /var/lib/lrpkg/root.dev.mod and /var/lib/lrpkg/root.dev.own, copying
> > the exact text to each file that had been used in the Eigerstein
> > version I am currently running.  The interface devices were created in
> > /dev and all appear to run correctly except for the routing when the
> > firewall starts.  The routes on this machine are:
> >
> > # ip route
> > 139.130.195.1 dev ippp0  proto kernel  scope link  src 139.130.195.30
> > 203.47.153.64/26 dev eth1  proto kernel  scope link  src 203.47.153.65
> > 192.168.45.0/24 dev eth0  proto kernel  scope link  src 192.168.45.1
> > default dev ippp0  scope link
> >
> > The address 139.130.195.1 is the peer address of the box when connected
> > to the Bigpond Direct point of presence.  The additions to the
> > network.conf shown below were typed in exactly as they were in the
> > previous version, so this may be part of the problem if some of the
> > functions act differently in the Dachstein CD version.  The firewall,
> > when tested, dialled and connected both channels in multilink
> > configuration to the ISP but is only able to access ip addresses in the
> > 139.130.0.0/16 address range.  These are only within our ISP's internal
> > network and therefore do not allow access to the internet at large.
> >
> > Any assistance would be greatly appreciated as I have been tearing my
> > hair out for the last three weeks in my attempt to find the problem
> > myself.
> >
> > Interfaces:
> > # Interfaces to start on boot go here - ie "ppp0 eth0"
> > # Do NOT include interfaces configured by dhcp!
> > IF_AUTO="ippp0 eth0 eth1"
> >
> > # List of all configured interfaces, manual start and boot start
> > IF_LIST="$IF_AUTO"
> >
> > Device settings:
> >
> > ###############################################################################
> > # ISDN Link - the isdn.lrp is required for this to work. (External Interface)
> > ###############################################################################
> > ippp0_IPADDR=139.130.195.30 # My IP Address, only set if not dynamic.
> > ippp0_PTPADDR=139.130.195.1 # Their IP Address, again only if not dynamic.
> > ippp0_MYMSN=38049800 # My telephone Number
> > ippp0_REMMSN=30073300 # Their telephone number (The ISP)
> > ippp0_IP_SPOOF=YES
> > ippp0_IP_KRNL_LOGMARTIANS=NO
> > # Simple QOS support, Options are same as ethernet above.
> > ippp0_FAIRQ=YES
> > ippp0_TXQLEN=64
> > ippp0_BNDWIDTH=64kbit # Device Bandwidth
> > ippp0_HNHL=3 # Queue Handle - must be unique
> > ippp0_IABURST=25 # Interactive Burst
> > ippp0_IARATE=30Kbit # Interactive Rate
> > ippp0_PXMTU=1500 # Physical MTU - includes Link Layer Header
> >
> > ippp1_IPADDR=139.130.195.30 # My IP Address, only set if not dynamic.
> > ippp1_PTPADDR=139.130.195.1 # Their IP Address, again only if not dynamic.
> > ippp1_MYMSN=38049800 # My telephone Number
> > ippp1_REMMSN=30073300 # Their telephone number (The ISP)
> > ippp1_IP_SPOOF=YES
> > ippp1_IP_KRNL_LOGMARTIANS=NO
> > # Simple QOS support, Options are same as ethernet above.
> > ippp1_FAIRQ=YES
> > ippp1_TXQLEN=64
> > ippp1_BNDWIDTH=64kbit # Device Bandwidth
> > ippp1_HNHL=4 # Queue Handle - must be unique
> > ippp1_IABURST=25 # Interactive Burst
> > ippp1_IARATE=30Kbit # Interactive Rate
> > ippp1_PXMTU=1500 # Physical MTU - includes Link Layer Header
> >
> > Interface Activation Section:
> > if_up () {
> > local ADDR
> >
> > # sort out a few things to make life easier - here so that you
> > # can see what is done and so that you can add anything if needed
> > eval local IPADDR=\${"$1"_IPADDR:-""}     # I am also a good genius
> > eval local MASKLEN=\${"$1"_MASKLEN:-""}
> > eval local BROADCAST=\${"$1"_BROADCAST:-""}
> > eval local MYMSN=\${"$1"_MYMSN:-""}
> > eval local REMMSN=\${"$1"_REMMSN:-""}
> > eval local PTPADDR=\${"$1"_PTPADDR:-""}
> > eval local PXMTU=\${"$1"_PXMTU:-""}
> > eval local DEFAULT_GW=\${"$1"_DEFAULT_GW:-""}
> > eval local IP_EXTRA_ADDRS=\${"$1"_IP_EXTRA_ADDRS:-""}
> > eval local ROUTES=\${"$1"_ROUTES:-""}
> > eval local FAIRQ=\${"$1"_FAIRQ:-""}
> > eval local TXQLEN=\${"$1"_TXQLEN:-""}
> > eval local IP_SPOOF=\${"$1"_IP_SPOOF:-""}
> > eval local IP_KRNL_LOGMARTIANS=\${"$1"_IP_KRNL_LOGMARTIANS:-""}
> >         eval local IP_SHARED_MEDIA=\${"$1"_IP_SHARED_MEDIA:-""}
> >         eval local BRIDGE=\${"$1"_BRIDGE:-""}
> >         eval local PROXY_ARP=\${"$1"_PROXY_ARP:-""}
> > if [ -n "$BROADCAST" ] ; then
> > IFCFG_BROADCAST="broadcast $BROADCAST"
> > fi
> >
> >         # Do dee global bridge stuff
> > brg_global
> >
> > # Set default interface flags here - used for PPP and WAN interfaces
> > if_setproc default rp_filter $DEF_IP_SPOOF
> > if_setproc default log_martians $DEF_IP_KRNL_LOGMARTIANS
> > if_setproc all accept_redirects $ALLIF_ACCEPT_REDIRECTS
> >
> > # Set up each interface
> > case $1 in
> > ppp0)
> > pppd call provider
> > ;;
> > ippp*)
> >       # Get ppp user
> >       USER=`cat /etc/ppp/pap-secrets | grep ^[a-zA-Z0-9] | sed 's/\*.*//'`
> >
> >       # Set up the ISDN interface
> >       isdnctrl verbose 3 #>/dev/null
> >       isdnctrl system on #>/dev/null
> >       isdnctrl addif $1 #>/dev/null
> >       isdnctrl pppbind $1 0 #>/dev/null
> >       isdnctrl addphone $1 out $REMMSN #>/dev/null
> >       isdnctrl eaz $1 $MYMSN #>/dev/null
> >       isdnctrl l2_prot $1 hdlc #>/dev/null
> >       isdnctrl l3_prot $1 trans #>/dev/null
> >       isdnctrl encap $1 syncppp #>/dev/null
> >       isdnctrl huptimeout $1 43200 #>/dev/null
> >       isdnctrl dialmode $1 auto #>/dev/null
> >
> >       # Set up second channel on ISDN card as a slave to the first.
> >       isdnctrl addslave $1 ippp1
> >       isdnctrl addphone ippp1 out $REMMSN #>/dev/null
> >       isdnctrl eaz ippp1 $MYMSN #>/dev/null
> >       isdnctrl l2_prot ippp1 hdlc #>/dev/null
> >       isdnctrl l3_prot ippp1 trans #>/dev/null
> >       isdnctrl encap ippp1 syncppp #>/dev/null
> >       isdnctrl huptimeout ippp1 43200 #>/dev/null
> >       isdnctrl dialmode ippp1 auto #>/dev/null
> >
> >       if [ -z "$IPADDR" ] ; then
> >           echo 1 >/proc/sys/net/ipv4/ip_dynaddr
> >           ip link set $1 dynamic on
> >       else
> >           ip addr add $IPADDR peer $PTPADDR dev $1
> >       fi
> >       ip link set $1 arp off multicast off
> >       ip link set $1 up
> >
> >       # Debugging - Remove if you like
> >       echo Local Address $IPADDR
> >       echo Peer Address  $PTPADDR
> >
> >       if [ -z "$IPADDR" ] ; then
> >             /usr/sbin/ipppd mru 1500 mtu $PXMTU ipcp-accept-local \
> >                 ipcp-accept-remote lcp-restart 1 name $USER noipdefault \
> >                 +mp /dev/$1 /dev/ippp1 &
> >       else
> >             /usr/sbin/ipppd mru 1500 mtu $PXMTU lcp-restart 1 name $USER \
> >                 $IPADDR:$PTPADDR +mp /dev/$1 /dev/ippp1 &
> >       fi
> >       ip route add default dev $1
> >       # Fair queuing - this can be selected for any interface
> >       ip_frQoS $1
> >       ;;
> > fr*)
> > wanconfig card wanpipe1 dev $1 start
> > ip addr add $IPADDR peer $PTPADDR dev $1
> > ip link set $1 up
> > # Fair queuing - this can be selected for any interface
> > ip_frQoS $1
> > ;;
> > nat*)
> > eval local BASE_PRI=\${"$1"_BASE_PRI:-""}
> > walk_list $1_PAIR $INIT_INDEX do_nat add $BASE_PRI
> > ;;
> > *)      # default interface startup
> >                 brg_iface $1 up $BRIDGE
> > [ -n "$IPADDR" ] \
> > && ip addr add $IPADDR/$MASKLEN $IFCFG_BROADCAST dev $1
> > for ADDR in $IP_EXTRA_ADDRS; do
> > ip addr add $ADDR dev $1
> > done
> >
> > ip link set $1 up
> >
> > case "$PROXY_ARP" in
> > YES|Yes|yes)
> > ip route flush dev $1
> > ;;
> > *)
> > ;;
> > esac
> >
> > # Fair queuing - this can be selected for any interface
> > ip_QoS $1
> > ;;
> > esac
> >
> > for route in $ROUTES; do
> > echo Route: $route
> > ip route add `echo_rtepfx $route` dev $1 `echo_rteargs $route`
> > done
> >
> > # Do universal interface config items here
> > # Default route support
> > [ -n "$DEFAULT_GW" ] \
> > && ip route replace default nexthop via $DEFAULT_GW dev $1
> > # Set the TX Queue Length
> > [ -n "$TXQLEN" ] \
> > && ip link set $1 txqlen $TXQLEN
> > # Spoof protection
> > if_setproc $1 rp_filter $IP_SPOOF
> > # Kernel logging of martians on this interface
> > if_setproc $1 log_martians $IP_KRNL_LOGMARTIANS
> > # Shared Media stuff
> > if_setproc $1 shared_media $IP_SHARED_MEDIA
> > # Proxy ARP support
> > if_setproc $1 proxy_arp $PROXY_ARP
> >
> > return 0
> > }
> >
> > if_down () {
> >
> > # Do Dee global bridge stuff
> > brg_global
> >
> > case $1 in
> > ppp*)
> > [ -f /var/run/$1.pid ] && qt kill `cat /var/run/$1.pid`
> > sleep 5        # Wait for pppd to die
> > ;;
> > ippp*)
> > isdnctrl hangup $1
> > sleep 1
> > kill `cat /var/run/ipppd.pid`
> > ip route del dev $1
> > ip link set $1 down
> > isdnctrl delif $1
> > ;;
> > fr*)
> > qt ip link set $1 down
> > qt ip addr flush dev $1
> > qt wanconfig card wanpipe1 dev $1 stop
> > ;;
> > nat*)
> > eval local BASE_PRI=\${"$1"_BASE_PRI:-""}
> > walk_list $1_PAIR $INIT_INDEX do_nat del $BASE_PRI
> > ;;
> > *) # default action
> >                 brg_iface $1 down
> > ip link set $1 down    # This also kills any routes
> > qt ip addr flush dev $1
> > ;;
> > esac
> >
> > # Clean up any QoS/fair queuing stuff
> > ip_QoSclear $1
> >
> > true
> >
> > } #END if_down
> >
> > Andrew GRAY
>
>
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user


