Random notes & other stuff... » network

Configuration ADSL pour Free sur Cisco 1841

leucos — Fri, 04 Dec 2009 06:14:37 +0000

(an english translation for this article is here)

Les clients de Free sont généralement contents… jusqu’a ce qu’ils aient besoin de support. C’est un problème avec tous les providers, mais chez Free en général, c’est gratiné.

Quand vous vous abonez chez Free, vous recevez une belle Freebox : un equipement faisant office de modem DSL, routeur, de FXS pour brancher le téléphone et parfois plus si vous avez la chance d’avoir la TV et d’autres services.services.

Mais quand vous ne voulez pas utiliser la FreeBox, ou qu’elle est morte, il y a des moyens alternatifs pour se connecter. Le plus simple c’est de trouver un modem DSL (un speedtouch par exemple), et d’utiliser un routeur pouvant faire du PPPoE (un Linksys WRT54GL + firmware tomato par exemple).

Vous pouvez aussi faire du PPPoA si vous avez un routeur avec une interface ATM. La configuration ci dessous peut être utilisée sur un routeur Cisco 1841 avec une carte ATM pour se connceter chez Free. La conf est facilement adaptable à d’autre modèles, le changements se limitant souvent aux noms d’interfaces.

Vous pouvez debugguer la connexion en tapant :

debug ppp neg
debug ppp auth

Bonne chance.

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c1841-pppoa
!
boot-start-marker
boot-end-marker
!
enable secret 0 CHANGE_YOUR_ENABLE_PASSWORD
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
mmi polling-interval 60
!
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
! Global pool for the LAN clients
ip dhcp pool CLIENTS
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.254
dns-server 192.168.0.254
!
! Static assignements for specific clients
ip dhcp pool pc1
import all
host 192.168.0.2 255.255.255.0
client-identifier 0013.8dd7.2ada
!
ip dhcp pool pc2
import all
host 192.168.0.3 255.255.255.0
client-identifier 0018.f327.3137
!
ip domain name whatever.it.is
!
! Use ssh
! You need to issue
! crypto key generate rsa
! first
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Lets define some user
username _CHANGE_USERNAME password à CHANGE_USERPASSWORD
!
!
!
interface Null0
no ip unreachables
!
! This is LAN side
interface FastEthernet0/0
description LAN connection
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
no ip address
speed auto
!
! This is the ATM interface
! We\'re doing PPPoA
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
ubr 160
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface BRI0/1/0
no ip address
shutdown
!
! Dialer interface for PPP negotiation
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
no cdp enable
ppp authentication chap pap callin
ppp chap hostname 04XXXXXXXX@freeadsl
ppp chap password 0 CHANGE_TO_YOUR_CHAP_PASS
!
ppp pap sent-username 04XXXXXXXX@freeadsl password 0 CHANGE_TO_YOUR_CHAP_PASS
! Required to get DNS servers
ppp ipcp dns request
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! Required to act as a DNS server for the LAN clients
ip dns server
!
! Oh please no !
no ip http server
no ip http secure-server
!
! Do some NAT for LAN clients
ip nat inside source list 10 interface Dialer0 overload
access-list 10 permit 192.168.0.0 0.0.0.255
!
control-plane
!
line con 0
stopbits 1
line aux 0
line vty 0 4
password 0 CHANGE_TO_SOME_PASS
login local
! We just want ssh, not telnet
transport input ssh
!
end

Cisco 1841 ADSL configuration for Free telecom

leucos — Sun, 17 May 2009 09:47:35 +0000

(a french translation for this article is here)

http://leucos.lstilde.org/wp/2009/05/cisco-1841-ads…r-free-telecom/

People connected via Free, a french internet provider are usually happy customers… until they need to get support. Well, this is a problem with most of providers out there.

When you subscribe to Free, they send you a Freebox : a combo containing a DSL modem, a router, an FXS to hook your telephone, and sometimes more if you’re lucky enough to have TV and other services.

But when you don’t want to use this box, or when it’s dead, you can use alternate ways to get connected. The easiest one if to get a DSL modem (a speedtouch for instance), and use a PPPoE capable routeur (like a Linksys WRT54GL + tomato firmware).

You can also do PPPoA if you have a router with an ATM interface. The configuration included below can be used on a Cisco 1841 routeur with ATM card to connect to Free. It probably can be adapted to other models very easily by changing only interface names.

You can debug what happens by issuing :

debug ppp neg
debug ppp auth

Good luck.

Fixing ‘IPSEC(initialize_sas): Invalid Proxy IDs’ with dynamic VPNs

leucos — Mon, 08 Dec 2008 23:49:23 +0000

Dynamic VPNs is a Cisco feature that makes a central router accept VPN establishment without specifying a peer or an ACL for the SA.

The configuration is very simple (even simpler than normal, statically specified tunnels) so when the tunnel doesn’t come up, it is quite frustrating.

And when you get ‘IPSEC(initialize_sas): Invalid Proxy IDs’, meaning SA ACL doesn’t match on both sides, you start to pull your hairs out : how can’t they match when they are not needer on the headend side ??

Well, it seems that the headend is checking the remote SA specification (Proxy ID) anyway, and bails out from isakmp when things go wrong.

Consider this log, saw on a router sitting at 172.22.1.130/27 with

debug crypto ipsec

and

debug crypto isakmp

*Mar 1 00:45:39.227: ISAKMP: set new node 909606036 to QM_IDLE
*Mar 1 00:45:39.227: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 909606036
*Mar 1 00:45:39.227: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 909606036
*Mar 1 00:45:39.231: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
*Mar 1 00:45:39.231: ISAKMP: transform 1, ESP_3DES
*Mar 1 00:45:39.231: ISAKMP:   attributes in transform:
*Mar 1 00:45:39.231: ISAKMP:      encaps is 1 (Tunnel)
*Mar 1 00:45:39.231: ISAKMP:      SA life type in seconds
*Mar 1 00:45:39.231: ISAKMP:      SA life duration (basic) of 3600
*Mar 1 00:45:39.231: ISAKMP:      SA life type in kilobytes
*Mar 1 00:45:39.231: ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Mar 1 00:45:39.231: ISAKMP:      authenticator is HMAC-SHA
*Mar 1 00:45:39.231: ISAKMP:(0:1:SW:1):atts are acceptable.
*Mar 1 00:45:39.231: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.22.1.130, remote= 172.22.80.129,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.22.80.128/255.255.255.193/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 1 00:45:39.231: IPSEC(initialize_sas): invalid proxy IDs
*Mar 1 00:45:39.231: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
*Mar 1 00:45:39.231: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 172.22.1.130 remote 172.22.80.129)

See it ?

remote_proxy= 172.22.80.128/255.255.255.193/0/0 (type=4),

the subnet mask 255.255.255.193 comes from a wrong ACL specification :

permit ip 172.22.80.128 0.0.0.62 192.168.1.0 0.0.0.255

instead of

permit ip 172.22.80.128 0.0.0.63 192.168.1.0 0.0.0.255

So 255.255.255.193 last byte yields a discontinuous mask (11000001) which is not so commonly used
That’s why the tunnel is not coming up, and how you lost the last hour.