SSH using public key authentication to IOS

ip domain-name router.fakrul.com
!
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
!
username fakrul privilege 15 secret R@nDomp@$$worD!
!
ip ssh pubkey-chain
 username fakrul
  ! under key-string, paste the entire public key as shown by "cat id_rsa.pub",
  ! including the leading ssh-rsa and the trailing username@hostname
  key-string
  exit
 exit
!
! enable key-based authentication only (a "!" comment must be on its own line, not after the command)
ip ssh server algorithm authentication publickey
!
line vty 0 4
 transport input ssh
 privilege level 15

Install Cisco IOS XRv in GNS3

Software / Application:

  1. VirtualBox (https://www.virtualbox.org/)
  2. GNS3 (https://www.gns3.com/)

We also need a Cisco IOS XRv router image. For the lab we use iosxrv-demo-6.0.0.vmdk, which is free to use. Its only limitations are hardcoded AAA users and a 2 Mbps rate limit. For the full feature set please check the following link:

http://www.cisco.com/en/US/docs/ios_xr_sw/ios_xrv/install_config/b_xrvr_432_chapter_01.html

To download the image please visit https://upload.cisco.com/cgi-bin/swc/fileexg/main.cgi?CONTYPES=Cisco-IOS-XRv. You need a Cisco CCO account.

STEP 1: IOS XRV WORKING ON VIRTUALBOX

1. Create a new VM

2. For the VM please choose:

  1. Name: xrv-1
  2. Type: Other
  3. Version: Other/Unknown (64-bit)

Sign expiring zone (DNSSEC)

The following script checks the expiry of the RRSIG covering the SOA record and, if it expires within 7 days, signs the zone again.

#!/bin/bash
# Check the expiry of the RRSIG covering the SOA record and re-sign the zone
# when 7 days or fewer remain.

declare -i expire_date
declare -i current_date
declare -i diff

# In "dig +short +dnssec" output the RRSIG rdata line starts with the covered
# type (SOA); its 5th field is the expiration time as YYYYMMDDHHMMSS in UTC.
expire_date="$(date -u +%s -d "$(dig +short fakrul.com +dnssec SOA | awk '$1 == "SOA" { print $5; exit }' | cut -c1-8)")"
echo "Expire date: $expire_date"
current_date="$(date +%s)"
echo "Current date: $current_date"

diff=$(( (expire_date - current_date) / 86400 ))
echo "Days to expire: $diff"

if [ "$diff" -gt 7 ]
then
    echo "RRSIG will not expire within one week. No need to sign the zone"
else
    echo "RRSIG will expire within a week. Signing DNS zone......"
    sudo ldns-signzone /etc/nsd/ZONES/fakrul.com.zone /etc/nsd/KSK/Kfakrul.com.+007+22704 /etc/nsd/ZSK/Kfakrul.com.+007+04664 -f /etc/nsd/SIGNED/fakrul.com.zone.signed
    echo "Reload NSD......"
    /etc/init.d/nsd reload
fi
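The expiry check above breaks down when dig returns no RRSIG at all (an unsigned zone, or a resolver that strips DNSSEC data): the date then comes out empty and the arithmetic is meaningless. The following is an added example, not the post's script, that parses the same dig output passed in as text (so it runs offline against a constructed sample), uses the full UTC timestamp, and treats a missing RRSIG as "needs signing". The function names and the sample records are my own.

```shell
#!/bin/sh
# Added example (not the original post's script): decide whether a zone needs
# re-signing from "dig +short <zone> +dnssec SOA" output, handling the case
# where no RRSIG is present. GNU date (-d) is assumed.

# Constructed sample of dig output: the SOA rdata line, then the RRSIG rdata
# (covered type, alg, labels, TTL, expiration, inception, key tag, signer, signature).
SAMPLE_SIGNED='ns1.fakrul.com. hostmaster.fakrul.com. 2015010601 3600 900 1209600 3600
SOA 7 2 3600 20150120000000 20150106000000 04664 fakrul.com. Q29uc3RydWN0ZWRTaWduYXR1cmU='
SAMPLE_UNSIGNED='ns1.fakrul.com. hostmaster.fakrul.com. 2015010601 3600 900 1209600 3600'

# rrsig_expiry_epoch DIG_OUTPUT -> expiration as UTC epoch seconds;
# exit status 1 when there is no RRSIG covering the SOA.
rrsig_expiry_epoch() {
    stamp=$(printf '%s\n' "$1" | awk '$1 == "SOA" {
        s = $5   # YYYYMMDDHHMMSS, always UTC (RFC 4034)
        printf "%s-%s-%s %s:%s:%s\n", substr(s,1,4), substr(s,5,2), substr(s,7,2), substr(s,9,2), substr(s,11,2), substr(s,13,2)
        exit }')
    [ -n "$stamp" ] || return 1
    date -u -d "$stamp" +%s
}

# days_until_expiry DIG_OUTPUT NOW_EPOCH -> whole days left (negative once
# expired); exit status 1 when there is no RRSIG.
days_until_expiry() {
    expiry=$(rrsig_expiry_epoch "$1") || return 1
    echo $(( (expiry - $2) / 86400 ))
}

# needs_resign DIG_OUTPUT NOW_EPOCH -> "yes" when the RRSIG is missing,
# expired, or has 7 days or fewer left; "no" otherwise.
needs_resign() {
    if days=$(days_until_expiry "$1" "$2"); then
        [ "$days" -gt 7 ] && echo no || echo yes
    else
        echo yes
    fi
}

# Against a live zone: needs_resign "$(dig +short fakrul.com +dnssec SOA)" "$(date +%s)"
needs_resign "$SAMPLE_SIGNED" "$(date -u -d '2015-01-10 00:00:00' +%s)"
```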

Enable IPv6 in OpenVPN

In my earlier post (OpenVPN in Ubuntu 14.04) I went through the steps to install OpenVPN on Ubuntu; that was IPv4 only. To enable IPv6 in OpenVPN do the following:

OpenVPN Server IP : 2001:df2:ee00:ee00::10/64

2001:df2:ee00:abcd::/64 has been routed to the OpenVPN server host. That means users connected via OpenVPN will get an address from the 2001:df2:ee00:abcd::/64 block.

Step 1: Edit the OpenVPN configuration file and enable the IPv6 tunnel service:

vi /etc/openvpn/server.conf

Add the following :

server-ipv6 2001:0df2:ee00:abcd::/64
tun-ipv6
push tun-ipv6
ifconfig-ipv6 2001:0df2:ee00:abcd::1 2001:0df2:ee00:abcd::2
push "route-ipv6 2001:0df2:ee00:ee00::2/64"
push "route-ipv6 2000::/3"

Step 2: Enable IPv6 forwarding:

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Step 3: Reload OpenVPN Service

/etc/init.d/openvpn restart

Try connecting with your OpenVPN client. Test IPv6 reachability by visiting http://test-ipv6.com/

Note:
1. To make IPv6 forwarding persistent, uncomment the following in /etc/sysctl.conf:
net.ipv6.conf.all.forwarding = 1

2. Make sure that you route 2001:df2:ee00:abcd::/64 to your OpenVPN server. I have done this from my Cisco router:

ipv6 route 2001:df2:ee00:abcd::/64 2001:df2:ee00:ee00::10

NSD with DNSSEC (Forward & Reverse DNS)

In the previous two posts (1st part, 2nd part) I explained how to set up NSD as the primary DNS server and BIND as the secondary. Now let's see how we can implement DNSSEC with it.

1. You can put all the keys in a single folder, but for clarity I keep the files in 4 folders:
ZONES: all zone files, SIGNED: all signed zone files, ZSK: all ZSK keys, KSK: all KSK keys
sudo mkdir -p /etc/nsd/ZONES /etc/nsd/SIGNED /etc/nsd/KSK /etc/nsd/ZSK

2. Time to install ldns, an NLnet Labs project:
sudo apt-get install ldnsutils

3. Create the ZSK in /etc/nsd/ZSK:
cd /etc/nsd/ZSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 1024 ssh.com.bd

Create the KSK in /etc/nsd/KSK:
cd /etc/nsd/KSK
sudo ldns-keygen -a RSASHA1_NSEC3 -b 2048 -k ssh.com.bd

ldns-keygen will create 3 files: a .key file with the public DNSKEY record, a .private file with the private key data, and a .ds file with the DS record of the DNSKEY. The file names carry the algorithm number and the key tag (e.g. Kssh.com.bd.+007+22704).

4. Edit /etc/nsd/nsd.conf to change the path for the signed zones:
zonesdir: "/etc/nsd/SIGNED"

more changes (the zone file name must point at the signed file):

zone:
        name: "ssh.com.bd"
        zonefile: "ssh.com.bd.zone.signed"

5. Now use the ldns-signzone command to sign ssh.com.bd and to create a new file ready for DNSSEC queries.

sudo ldns-signzone /etc/nsd/ZONES/ssh.com.bd.zone \
/etc/nsd/KSK/Kssh.com.bd.+007+22704 \
/etc/nsd/ZSK/Kssh.com.bd.+007+04664 \
-f /etc/nsd/SIGNED/ssh.com.bd.zone.signed

This will create a signed zone file under the /etc/nsd/SIGNED folder.
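The ldns-signzone command above selects keys by file name, and the number after the algorithm (+007+22704, +007+04664) is the DNSSEC key tag of the corresponding DNSKEY. As an added example, not part of the original post, here is a small shell implementation of the key tag calculation (RFC 4034, Appendix B) so you can check which .key/.private pair belongs to a DNSKEY record you see in the zone or in dig output. Function names and the sample DNSKEY record (with tiny fake key material) are my own; GNU base64, od and awk are assumed.

```shell
#!/bin/sh
# Added example, not the post's code: compute the key tag of a DNSKEY record.
# ldns-keygen embeds this value in its file names (K<zone>.+<alg>+<keytag>).
# Not valid for the legacy RSA/MD5 algorithm 1, which uses a different rule.

# dnskey_keytag FLAGS PROTOCOL ALGORITHM BASE64_KEY -> prints the key tag.
# The tag is a 16-bit sum over the RDATA bytes: even positions count <<8,
# odd positions count as-is, then the carry above 16 bits is folded back in.
dnskey_keytag() {
    printf '%s' "$4" | base64 -d | od -An -v -tu1 | awk \
        -v hi=$(( $1 / 256 )) -v lo=$(( $1 % 256 )) -v proto="$2" -v alg="$3" '
        BEGIN { ac = hi * 256 + lo + proto * 256 + alg; n = 4 }  # 4 header bytes
        { for (i = 1; i <= NF; i++) { ac += (n % 2 == 0) ? $i * 256 : $i; n++ } }
        END { ac += int(ac / 65536) % 65536; print ac % 65536 }'
}

# dnskey_line_keytag "DNSKEY RR in presentation format" -> prints the key tag.
# Accepts the line ldns-keygen writes to the .key file: the base64 key may be
# split by spaces and a trailing ";..." comment is ignored.
dnskey_line_keytag() {
    set -- $(printf '%s\n' "$1" | sed 's/;.*//' | awk '{
        for (i = 1; i <= NF; i++) if ($i == "DNSKEY") {
            printf "%s %s %s ", $(i+1), $(i+2), $(i+3)
            for (j = i + 4; j <= NF; j++) printf "%s", $j
            print ""; exit } }')
    dnskey_keytag "$1" "$2" "$3" "$4"
}

# Constructed sample record (flags 257 = KSK, algorithm 7, fake 4-byte key);
# a real RSA key would be hundreds of base64 characters long.
SAMPLE_DNSKEY='example.test. 3600 IN DNSKEY 257 3 7 AAEC Aw== ;{id = 1548 (ksk), size = 32b}'
dnskey_line_keytag "$SAMPLE_DNSKEY"
```

Against a live setup, feed it the DNSKEY line from /etc/nsd/KSK/*.key and compare the printed value with the number in that file's name.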
