USB-Serial adaptor on Mac OS X

I have a USB-Serial adaptor (Prolific PL2303 chip) and a MacBook Pro running Mac OS 10.11.4 for connecting to the console of switches, routers and firewalls via screen. Somewhere between Mac OS 10.11.2 and 10.11.3 the setup broke: screen hangs if I exit the screen session and then try to reconnect to the device via the USB-Serial adaptor. I did upgrade to the latest firmware from the Prolific page for Mac, but it did not help, so I started asking for help on Internet forums.

janm on Stack Exchange really helped. Here is the workaround: use cu instead of screen on the Mac for this task. The catch is that by default cu needs to be run with sudo. So, either:

  1. Type in the password every time you try to connect to the console.
  2. Use one of the following to get rid of the password prompt:

OPTION 1: Create a cu configuration file such as “/Users/test/cu.conf” with the content below, and also create the lock folder it names. Run cu as “cu -I /Users/test/cu.conf -l /dev/cu.usbserial -s 9600 --nostop”.

lockdir /Users/test/cu_lockdir

OPTION 2 (NOT recommended): Run “sudo visudo”, uncomment the line below, then save and exit.

 %wheel ALL=(ALL) NOPASSWD: ALL

BTW, I also opened a bug report with Apple and provided the necessary debug output, but have not heard back yet. I think the screen build shipped with Mac OS X changed how it handles port open/close.

3G on Cisco 819 Router

After two days of researching and testing, it is finally working. It was not any configuration difficulty but some technology confusion. Plus, the configuration sample Cisco provides does not really work. Below is my working configuration with a Telus SIM card.

chat-script hspa-R7 "" "AT!SCACT=1,1" TIMEOUT 30 "OK"
!
!Tried "ATDT*99*1#" and made no difference
!
interface Cellular0
description PrimaryWAN
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 30
dialer in-band
dialer string hspa-R7
dialer watch-group 1
no peer default ip address
async mode interactive
!
ip route 0.0.0.0 0.0.0.0 Cellular0
!
ip access-list extended nat-list
permit ip 10.100.100.0 0.0.0.127 any
!
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
!
ip nat inside source list nat-list interface Cellular0 overload
!
line 3
script dialer hspa-R7
modem InOut
no exec
transport input all
transport output all
!

In exec mode, create/modify the GSM profile to match the Telus requirement:

cellular 0 gsm profile create 1 isp.telus.com

Mac OS X and Dell Monitor via HDMI

Please refer to here for the issue background details. Below are just the steps for El Capitan running on a Retina MBP with Dell U2410/U2414 monitors.

  1. Download Andrew Daugherity’s improved patch-edid.rb script and put it on the Desktop.
  2. Connect the external monitor.
  3. Type “cd Desktop; chmod +x patch-edid.rb; ruby patch-edid.rb” in Terminal.
  4. A new folder will be created on the Desktop. Move it into the “/System/Library/Displays/Contents/Resources/Overrides/” folder. If you are prompted to overwrite an existing folder, consider backing that folder up first.
  5. Restart the Mac. The monitor should change color mode to RGB.
  6. Optionally, adjust the color profile inside Mac OS and/or the monitor presets as needed.


I really tried to keep using the Terminal app that comes with the Mac…

Actually, I tried several times in the last 2-3 months by removing iTerm2, but I always found that Terminal provides the features I dislike while the features I need are missing….

1. Why can't highlight-to-copy inside Terminal sync with CMD-C/CMD-V?

2. Why is the background colour included when I highlight-to-copy inside Terminal and paste into a Word editor?

3. Why can't tabs be opened inside one Terminal window? I am too lazy to merge them manually…

4. Why can't the Terminal tab name be automatically set to just the device name?

5. Where is the logging!!!?

TO BE CONTINUED…

IPSec tunnel with Policy-Based NAT on Fortigate

First, here is the high-level diagram:

[Figure: Drawing1, high-level topology diagram]

The requirements are:

1. Establish IPSec VPN Tunnel between Fortigate and Cisco ASA

2. Translate the source IP address to 10.153.153.0/24 when 10.100.100.0/24 connects to 172.24.200.0/24 via the IPSec tunnel.

3. Do not translate 172.24.200.0/24 when it connects to 10.153.153.0/24 via the IPSec tunnel.

With an ASA at the other end, this is just a standard IPSec tunnel setup. Even if you replace the Fortigate with an ASA, the configuration is fairly straightforward. But with the Fortigate it is a little tricky, at least at the very beginning, because there is no GUI option in my FortiOS 5.2 to create such a tunnel. So I had to start from the CLI.

Here is the configuration put onto the Fortigate.

config firewall address
edit "LocalSubnet-RealIP-1"
set associated-interface "LAN"
set subnet 10.100.100.1 255.255.255.0
next
edit "LocalSubnet-RealIP-2"
set associated-interface "LAN"
set subnet 10.100.100.2 255.255.255.0
next
edit "RemoteSubnet"
set subnet 172.24.200.0 255.255.255.0
next
end

config vpn ipsec phase1
edit "Tunnel4Test"
set interface "WAN"
set nattraversal disable
set proposal aes128-sha1 3des-sha1
set dhgrp 5 2
set remote-gw 204.204.204.18
set psksecret ENC YHbmejTH3Doryywk/KkQZ+qWXBEOP1RScs+ewjBmhzXcTguEdmuKsW8g==
next
end

config vpn ipsec phase2
edit "Tunnel4TestP2"
set phase1name "Tunnel4Test"
set use-natip disable
set proposal aes128-sha1
set pfs disable
set keepalive enable
set auto-negotiate enable
set src-addr-type ip
set dst-addr-type ip
set src-subnet 10.153.153.0 255.255.255.0
set dst-subnet 172.24.200.0 255.255.255.0
next
end

config firewall policy
edit 1
set srcintf "LAN"
set dstintf "WAN"
set srcaddr "LocalSubnet-RealIP-1"
set dstaddr "RemoteSubnet"
set action ipsec
set schedule "always"
set service "ALL"
set utm-status enable
set natip 10.153.153.1 255.255.255.255
set av-profile "Default"
set webfilter-profile "Default"
set ips-sensor "Default"
set application-list "Default"
set profile-protocol-options "default"
set inbound enable
set outbound enable
set natoutbound enable
set vpntunnel "Tunnel4Test"
next
edit 2
set srcintf "LAN"
set dstintf "WAN"
set srcaddr "LocalSubnet-RealIP-2"
set dstaddr "RemoteSubnet"
set action ipsec
set schedule "always"
set service "ALL"
set utm-status enable
set natip 10.153.153.2 255.255.255.255
set av-profile "Default"
set webfilter-profile "Default"
set ips-sensor "Default"
set application-list "Default"
set profile-protocol-options "default"
set inbound enable
set outbound enable
set natoutbound enable
set vpntunnel "Tunnel4Test"
next
end

Once the initial configuration is done on the Fortigate, you can then modify the settings from the GUI.
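As an added illustration (my own Python, not FortiOS code and not from the original post), the following models what the two firewall policies above do: each real host is mapped to its natip before the phase2 selector check, and replies from the remote subnet come back untranslated and are reverse-mapped to the real host. It also shows why the phase2 src-subnet has to be the post-NAT 10.153.153.0/24 rather than the real LAN; all addresses are the ones from the configuration above.

```python
# Added example: walks the two firewall policies above through policy-based NAT
# and checks the post-NAT flow against the phase2 selectors.
from ipaddress import ip_address, ip_network

# Phase2 "Tunnel4TestP2" selectors: what the ASA expects to see inside the tunnel.
PHASE2_SRC = ip_network("10.153.153.0/24")
PHASE2_DST = ip_network("172.24.200.0/24")

# Policies 1 and 2: real host -> natip (natoutbound enable).
POLICIES = {
    ip_address("10.100.100.1"): ip_address("10.153.153.1"),
    ip_address("10.100.100.2"): ip_address("10.153.153.2"),
}
REMOTE = ip_network("172.24.200.0/24")   # "RemoteSubnet" address object


def outbound(src, dst):
    """LAN -> tunnel: apply natip, then check the phase2 selector.
    Returns the translated (src, dst) or None if the flow is not tunnelled."""
    src, dst = ip_address(src), ip_address(dst)
    if dst not in REMOTE or src not in POLICIES:
        return None                               # no policy matches this host
    nat_src = POLICIES[src]                       # requirement 2: translate source
    if nat_src in PHASE2_SRC and dst in PHASE2_DST:
        return str(nat_src), str(dst)
    return None                                   # selector mismatch: phase2 would not carry it


def inbound(src, dst):
    """Tunnel -> LAN: remote side stays untranslated (requirement 3);
    reverse-map the natip back to the real host."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in PHASE2_DST or dst not in PHASE2_SRC:
        return None
    for real, nat in POLICIES.items():
        if nat == dst:
            return str(src), str(real)
    return None                                   # no policy owns this natip


if __name__ == "__main__":
    print(outbound("10.100.100.1", "172.24.200.5"))   # ('10.153.153.1', '172.24.200.5')
    print(inbound("172.24.200.5", "10.153.153.2"))    # ('172.24.200.5', '10.100.100.2')
    print(outbound("10.100.100.3", "172.24.200.5"))   # None: no policy/natip for .3
```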

Did I configure the QoS Policy Wrong!!??

“The short answer is maybe.” This is what I gave to one of the customers when he asked me.

The story: he has Cisco 2960-S switches and configured policy-maps to prioritize voice traffic. But when he ran “show policy-map interface” on any of his switches, he got no matches…

There is indeed a known bug for the 2960 switch, but somehow Cisco only identifies it for IOS 12 while my customer is using IOS 15… Being lazy??…

Anyhow, “show mls qos interface statistics” does show the matches.

openSUSE as ICAP Server for Content Filtering

Components that need to be installed on openSUSE 13.2:

  • Squid
  • ClamAV
  • C-ICAP
  • SquidClamAV

They can all be found by searching on the openSUSE website. I used 1-Click Install to add the repository as well.

Once the components are installed, add the following to be started automatically during system boot:

  • squid
  • clamd
  • c-icap

You can restart any of those services by running rc<service-name> restart, e.g. rcsquid restart.

I did not put much customized configuration into squid and/or c-icap. Below is the configuration I added on top of the defaults.

For Squid (/etc/squid/squid.conf):

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User

icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all

icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all

For C-ICAP (/etc/c-icap/c-icap.conf): only updated the ServerAdmin and ServerName values and added the following line.

Service squidclamav squidclamav.so

For ClamAV (/etc/freshclam.conf): uncomment the lines below and change “XY” to your country code. I am in Canada, so I used CA.

DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.ca.clamav.net
DatabaseMirror database.clamav.net

Do not forget to add “TCP/1344” as an allowed service in the openSUSE firewall.

NOTE: if file scanning is needed, the maxsize value inside /etc/squidclamav.conf and the StreamMaxLength value in /etc/clamd.conf need to be adjusted accordingly.
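An added check (my own Python, not part of Squid, c-icap or the original post) for the ICAP service the squid.conf above points at: it builds an ICAP OPTIONS request for icap://127.0.0.1:1344/squidclamav and verifies that the answer is a 200 advertising both REQMOD and RESPMOD, which the reqmod_precache and respmod_precache services require. Worth having because of the bypass settings above: bypass=1 on service_req lets Squid carry on unscanned if the ICAP server is down, while bypass=0 on service_resp fails closed, so a dead c-icap shows up either as silent loss of request scanning or as a broken proxy.

```python
# Added example: ICAP OPTIONS liveness check for the squidclamav service.
import socket

ICAP_HOST, ICAP_PORT, ICAP_SERVICE = "127.0.0.1", 1344, "squidclamav"
# squid.conf uses reqmod_precache and respmod_precache on this service,
# so it must advertise both methods.
REQUIRED_METHODS = {"REQMOD", "RESPMOD"}


def build_options_request(host=ICAP_HOST, port=ICAP_PORT, service=ICAP_SERVICE):
    """ICAP/1.0 OPTIONS request; Encapsulated: null-body=0 means no HTTP payload."""
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\nEncapsulated: null-body=0\r\n\r\n").encode()


def parse_options_response(raw):
    """Return (status_code, headers) from an ICAP response; header names lower-cased."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    version, code, *_ = status_line.split()
    if version != "ICAP/1.0":
        raise ValueError(f"not an ICAP/1.0 response: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers


def service_ok(raw):
    """True if the service answered 200 and offers every method Squid is configured for."""
    code, headers = parse_options_response(raw)
    methods = {m.strip().upper() for m in headers.get("methods", "").split(",") if m.strip()}
    return code == 200 and REQUIRED_METHODS <= methods


def probe(host=ICAP_HOST, port=ICAP_PORT, service=ICAP_SERVICE, timeout=5):
    """Send OPTIONS to the live service (needs TCP/1344 reachable, as the post notes)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(host, port, service))
        return s.recv(4096)


# Constructed sample response, modelled on a c-icap OPTIONS reply (values are illustrative).
SAMPLE = (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD, REQMOD\r\n"
          b"Service: C-ICAP/0.3.4 server - SquidClamav\r\nISTag: CI0001-example\r\n"
          b"Preview: 1024\r\nAllow: 204\r\nEncapsulated: null-body=0\r\n\r\n")

if __name__ == "__main__":
    print("sample service ok:", service_ok(SAMPLE))   # True
```

Run `service_ok(probe())` on the openSUSE box itself to test the real service.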

L2TPv3 Tunnel

Recently I got the question: how can we provide a DR site solution for a medium-sized business customer? Top of my head is FabricPath or TRILL, but they are not likely to buy and upgrade their infrastructure, so we had to go cheap. I then started working on an L2TPv3 tunnel setup in GNS3.

[Figure: lab topology diagram]

Since it is a lab, why not go fancy: L2TPv3 “mesh” over IPsec!!!

I have already spent too much time on the configuration, so I have just attached the configuration below for your reference. If you think there is content from your publication, that is probably because I was reading yours during my troubleshooting, so please contact me if you prefer to have your name listed for credit 🙂

+++++++++++++++ISP++++++++++++++++++
hostname ISP
!
interface Loopback0
ip address 10.0.4.4 255.255.255.255
!
interface FastEthernet 0/0
ip address 4.1.1.4 255.255.255.0
speed 100
full-duplex
no shut
interface FastEthernet 0/1
ip address 4.2.2.4 255.255.255.0
speed 100
full-duplex
no shut
!
interface FastEthernet1/0
ip address 4.3.3.4 255.255.255.0
speed 100
full-duplex
no shut
!
router ospf 1
router-id 10.0.4.4
network 0.0.0.0 255.255.255.255 area 0
+++++++++++++++HQ++++++++++++++++++
hostname HQ
!
interface Loopback0
ip address 10.0.1.1 255.255.255.255
!
interface FastEthernet 0/0
ip address 4.1.1.1 255.255.255.0
speed 100
full-duplex
no shut
!
router ospf 1
router-id 10.0.1.1
network 0.0.0.0 255.255.255.255 area 0
!
l2tp-class L2TPV3class
authentication
password L2TPV3
!
pseudowire-class HQ2R2
encapsulation l2tpv3
protocol none
ip local interface Loopback0
!
interface FastEthernet0/1
description HQ_LAN_R2Branch
no ip address
no shut
no cdp enable
xconnect 10.0.2.2 100 encap l2tpv3 manual pw-class HQ2R2
l2tp id 100 200
l2tp hello L2TPV3class
!
pseudowire-class HQ2R3
encapsulation l2tpv3
protocol none
ip local interface Loopback0
!
interface FastEthernet1/0
description HQ_LAN_R3Branch
no ip address
no shut
no cdp enable
xconnect 10.0.3.3 101 encap l2tpv3 manual pw-class HQ2R3
l2tp id 103 301
l2tp hello L2TPV3class
+++++++++++++++Branch2++++++++++++++++++
hostname Branch2
!
interface Loopback0
ip address 10.0.2.2 255.255.255.255
!
default inter fa0/0
interface FastEthernet 0/0
speed 100
full-duplex
ip address 4.2.2.2 255.255.255.0
no shut
!
router ospf 1
router-id 10.0.2.2
network 0.0.0.0 255.255.255.255 area 0
!
l2tp-class L2TPV3class
authentication
password L2TPV3
!
pseudowire-class R22HQ
encapsulation l2tpv3
protocol none
ip local interface Loopback0
!
interface FastEthernet1/0
description R2Branch_LAN_HQ
no ip address
no shut
no cdp enable
xconnect 10.0.1.1 200 encap l2tpv3 manual pw-class R22HQ
l2tp id 200 100
l2tp hello L2TPV3class
!
+++++++++++++++Branch3++++++++++++++++++
hostname Branch3
!
interface Loopback0
ip address 10.0.3.3 255.255.255.255
!
interface FastEthernet 0/0
speed 100
full-duplex
ip address 4.3.3.3 255.255.255.0
no shut
!
router ospf 1
router-id 10.0.3.3
network 0.0.0.0 255.255.255.255 area 0
!
l2tp-class L2TPV3class
authentication
password L2TPV3
!
pseudowire-class R32HQ
encapsulation l2tpv3
protocol none
ip local interface Loopback0
default inter fa1/0
interface FastEthernet1/0
description R3Branch_LAN_HQ
no ip address
no shut
no cdp enable
xconnect 10.0.1.1 301 encap l2tpv3 manual pw-class R32HQ
l2tp id 301 103
l2tp hello L2TPV3class
!
++++++++++++HQ IPSec Configure+++++++++++++++
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key 1tunnel2connect address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set HQ-TRANSFORM esp-3des esp-sha-hmac
!
crypto map HQ2Others 100 ipsec-isakmp
set peer 4.3.3.3
set transform-set HQ-TRANSFORM
match address 110
crypto map HQ2Others 200 ipsec-isakmp
set peer 4.2.2.2
set transform-set HQ-TRANSFORM
match address 100
!
! mirror of Branch2's access-list 100 (HQ Fa0/0 is 4.1.1.1; 4.4.4.1 is not an address in this lab)
access-list 100 permit ip host 4.1.1.1 host 4.2.2.2
access-list 110 permit ip host 4.1.1.1 host 4.3.3.3
!
interface FastEthernet0/0
crypto map HQ2Others
!
++++++++++++Branch2 IPSec Configure+++++++++++++++
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key 1tunnel2connect address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set R2-TRANSFORM esp-3des esp-sha-hmac
!
crypto map R22HQ 100 ipsec-isakmp
set peer 4.1.1.1
set transform-set R2-TRANSFORM
match address 100
!
access-list 100 permit ip host 4.2.2.2 host 4.1.1.1
!
interface FastEthernet0/0
crypto map R22HQ
!
++++++++++++Branch3 IPSec Configure+++++++++++++++
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key 1tunnel2connect address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set R3-TRANSFORM esp-3des esp-sha-hmac
!
crypto map R32HQ 100 ipsec-isakmp
set peer 4.1.1.1
set transform-set R3-TRANSFORM
match address 100
!
access-list 100 permit ip host 4.3.3.3 host 4.1.1.1
!
interface FastEthernet0/0
crypto map R32HQ
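An added check (my own Python, not Cisco code and not from the post) for a pitfall in the pairing above: with `ip local interface Loopback0` the L2TPv3 packets travel from 10.0.1.1 to the branch loopbacks, while the crypto ACLs select only Fa0/0-to-Fa0/0 traffic (HQ's access-list 100 is read here as the mirror of Branch2's, host 4.1.1.1 to host 4.2.2.2). The function reports pseudowires that no crypto ACL would match; `show crypto ipsec sa` on the lab routers confirms one way or the other whether the pseudowire packets are being encapsulated.

```python
# Added example: does any crypto ACL above cover the L2TPv3 pseudowire traffic?
from ipaddress import ip_address, ip_network

# Pseudowire endpoints from the xconnect / ip local interface lines above.
PSEUDOWIRES = {
    "HQ<->Branch2": ("10.0.1.1", "10.0.2.2"),
    "HQ<->Branch3": ("10.0.1.1", "10.0.3.3"),
}
# Crypto ACLs as (src, dst) host entries; HQ-100 assumed to mirror Branch2-100.
CRYPTO_ACLS = {
    "HQ-100":      [("4.1.1.1", "4.2.2.2")],
    "HQ-110":      [("4.1.1.1", "4.3.3.3")],
    "Branch2-100": [("4.2.2.2", "4.1.1.1")],
    "Branch3-100": [("4.3.3.3", "4.1.1.1")],
}


def acl_permits(acl, src, dst):
    """True if any ACE in the crypto ACL matches the src->dst flow."""
    src, dst = ip_address(src), ip_address(dst)
    return any(src in ip_network(a) and dst in ip_network(b) for a, b in acl)


def uncovered_pseudowires(pseudowires=PSEUDOWIRES, acls=CRYPTO_ACLS):
    """Pseudowires whose L2TPv3 packets (either direction) match no crypto ACL,
    i.e. whose traffic would leave Fa0/0 outside the IPsec tunnel."""
    result = []
    for name, (local, peer) in pseudowires.items():
        covered = any(acl_permits(acl, local, peer) or acl_permits(acl, peer, local)
                      for acl in acls.values())
        if not covered:
            result.append(name)
    return result


def candidate_aces(pseudowires=PSEUDOWIRES):
    """Illustrative ACEs that would select the loopback-to-loopback traffic.
    L2TPv3 over IP is IP protocol 115; the ACL number is a placeholder to adapt."""
    return [f"access-list 100 permit 115 host {local} host {peer}"
            for local, peer in pseudowires.values()]


if __name__ == "__main__":
    print("pseudowires outside every crypto ACL:", uncovered_pseudowires())
    for ace in candidate_aces():
        print(ace)
```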