Tuesday, 30 November, 2010
IPv6 Routing Training arranged By APNIC
To find the soft copy of the training course, click here.
Thanks,
-----------------
Md. Hadiuzzaman (Rubel)
Cell: 01911355810
Wednesday, 6 October, 2010
How to Configure DHCP Server on CentOS:
Thursday, 23 September, 2010
Linux Server as a Gateway Server
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIhHscMjBcUlIWKEYmN_-MYfZE01lpgxvgZIoy9ouVFM2r1HHoRFFSLuo3Vf-ZRlu3_oZtD9M26uS_cPN-xDU6SreHWy51iv7nAubr12L-oXV8S4Jf8eJbtmsWx3hPKQSA1pF9yrJcRdDr/s400/NAT.jpg)
Network Diagram:
IP addresses of the NICs:
Eth1 [WAN]: IP 120.50.31.188, SM 255.255.255.192, GW 120.50.31.129
Eth0 [LAN]: IP 192.168.100.1, SM 255.255.255.0
Setup IP address:
#vi /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
NETMASK=255.255.255.192
IPADDR=120.50.31.188
GATEWAY=120.50.31.129
TYPE=Ethernet
#vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.100.1
TYPE=Ethernet
And /etc/sysconfig/network will show:
NETWORKING=yes
HOSTNAME=Rubel
Setup DNS address (in /etc/resolv.conf):
nameserver 116.212.104.81
nameserver 116.212.104.82
Enable IP Forwarding:
#vi /etc/sysctl.conf
change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1
Flush rules:
#iptables -F
#iptables -t nat -F
NAT enable:
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#iptables -A FORWARD -i eth0 -j ACCEPT
Edit the file /etc/sysconfig/iptables-config and set
IPTABLES_MODULES_UNLOAD, IPTABLES_SAVE_ON_STOP, and IPTABLES_SAVE_ON_RESTART all to "yes".
Save the rules to /etc/sysconfig/iptables:
#iptables-save > /etc/sysconfig/iptables
Restart iptables:
#service iptables restart
Restart Network:
#service network restart
Now set up the IP configuration on a client PC, ping the gateway 192.168.100.1, and then ping www.google.com.
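As an added check for the gateway procedure above (example code, not from the post), here is a small Python auditor that parses an `iptables-save` dump and reports whether the NAT gateway hygiene holds: a MASQUERADE rule on the WAN interface, a FORWARD default policy of DROP, and a stateful ESTABLISHED,RELATED return rule from WAN to LAN. Both dumps in the block are constructed: the first mirrors the post's rules as they stand after the flush (FORWARD policy left at ACCEPT, only the LAN-side ACCEPT rule), the second is a tightened variant; the interface names eth1/eth0 follow the post.

```python
"""Audit an iptables-save dump for the NAT gateway pattern described above.

Added example, not part of the original post. Both dumps below are constructed:
SAMPLE_DUMP mirrors the post's rules after `iptables -F` (FORWARD policy left at
ACCEPT, only the LAN-side ACCEPT rule), HARDENED_DUMP is a tightened variant.
WAN/LAN interface names follow the post's eth1/eth0.
"""
import re

WAN, LAN = "eth1", "eth0"

SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -j ACCEPT
COMMIT
"""

HARDENED_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""


def parse_dump(text):
    """Return {table: {"policy": {chain: policy}, "rules": [rule line, ...]}}."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                 # table header, e.g. *filter
            current = line[1:]
            tables[current] = {"policy": {}, "rules": []}
        elif line.startswith(":"):               # chain policy, e.g. :FORWARD DROP [0:0]
            chain, policy = line[1:].split()[:2]
            tables[current]["policy"][chain] = policy
        elif line.startswith("-A "):             # a rule appended to a chain
            tables[current]["rules"].append(line)
    return tables


def has_opt(rule, flag, value):
    """True if the rule carries e.g. `-o eth1` as a whole token pair (not `-o eth10`)."""
    pattern = rf"(?:^|\s){re.escape(flag)}\s+{re.escape(value)}(?:\s|$)"
    return re.search(pattern, rule) is not None


def audit_gateway(text, wan=WAN, lan=LAN):
    """Return a list of findings; an empty list means every check passed."""
    tables = parse_dump(text)
    nat_rules = tables.get("nat", {}).get("rules", [])
    filt = tables.get("filter", {"policy": {}, "rules": []})
    findings = []

    if not any(has_opt(r, "-o", wan) and "-j MASQUERADE" in r for r in nat_rules):
        findings.append(f"no MASQUERADE rule for outbound {wan}: LAN hosts will not be translated")

    if filt["policy"].get("FORWARD") != "DROP":
        findings.append("FORWARD policy is not DROP: traffic not matched by a rule is forwarded, "
                        f"including unsolicited {wan}->{lan} packets")

    stateful = any(has_opt(r, "-i", wan) and has_opt(r, "-o", lan)
                   and "ESTABLISHED" in r and "-j ACCEPT" in r for r in filt["rules"])
    if not stateful:
        findings.append(f"no stateful ESTABLISHED,RELATED rule for {wan}->{lan} replies")

    for r in filt["rules"]:
        if has_opt(r, "-i", wan) and "-j ACCEPT" in r and "ESTABLISHED" not in r:
            findings.append(f"unrestricted forward from {wan}: {r}")
    return findings


if __name__ == "__main__":
    for name, dump in (("post's rules", SAMPLE_DUMP), ("hardened", HARDENED_DUMP)):
        print(f"{name}: {audit_gateway(dump) or ['ok']}")
```

On a live box you would feed it the real dump (`iptables-save | python3 audit.py` with `sys.stdin.read()` in place of the constructed strings). The point of the two findings on the post's ruleset is that, after `iptables -F`, the FORWARD chain keeps its ACCEPT policy, so the single `-i eth0 -j ACCEPT` rule is not what lets LAN traffic through; the hardened variant makes the intent explicit and drops anything the WAN side originates.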
Saturday, 21 August, 2010
Site-to-Site IPsec VPN Configuration Example
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifblRDfr9L24TSSz1r9kX0W3oEIy6xEWBI6w_3hzGhz0xNWYJYPGsYpk1v6m597j0PWla1jTZfYOVxcEWXHZD62nzpNLmgNGf4scHocIxCUXZJgPQYQteMNSYIVdHPPcHqoDb2Cl7Qe-u8/s400/Site-to-Site.jpg)
Router PE1:
PE1(config)#ip route 172.16.2.0 255.255.255.252 192.168.1.2
PE1(config)#ip route 2.2.2.2 255.255.255.255 192.168.1.2
PE1(config)#ip route 4.4.4.4 255.255.255.255 192.168.1.2
PE1(config)#ip route 3.3.3.3 255.255.255.255 172.16.1.2
Router PE2:
PE2(config)#ip route 172.16.1.0 255.255.255.252 192.168.1.1
PE2(config)#ip route 1.1.1.1 255.255.255.255 192.168.1.1
PE2(config)#ip route 3.3.3.3 255.255.255.255 192.168.1.1
PE2(config)#ip route 4.4.4.4 255.255.255.255 172.16.2.2
Router CE1:
CE1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1
Step 1 :
CE1(config)# crypto isakmp policy 10
CE1(config-isakmp)# encryption 3des
CE1(config-isakmp)# group 2
CE1(config-isakmp)# hash sha
CE1(config-isakmp)# authentication pre-share
CE1(config-isakmp)# lifetime 3600
CE1(config-isakmp)# exit
CE1(config)# crypto isakmp key hadi address 172.16.2.2
Step 2 :
CE1(config)# crypto ipsec transform-set CE2 esp-3des esp-sha-hmac
CE1(cfg-crypto-trans)# mode tunnel
CE1(cfg-crypto-trans)# exit
CE1(config)# crypto ipsec security-association lifetime seconds 1200
Step 3 :
CE1(config)# ip access-list extended control
CE1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
CE1(config-ext-nacl)# exit
Step 4 :
CE1(config)# crypto map vpn70 10 ipsec-isakmp
CE1(config-crypto-map)# set peer 172.16.2.2
CE1(config-crypto-map)# set transform-set CE2
CE1(config-crypto-map)# match address control
CE1(config-crypto-map)# exit
Step 5 :
CE1(config)# interface fastethernet 0/0
CE1(config-if)# crypto map vpn70
CE1(config-if)# exit
Step 6 :
In this example I skipped this step. If you want, you can apply it.
Router CE2:
CE2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.1
Step 1 :
CE2(config)# crypto isakmp policy 10
CE2(config-isakmp)# encryption 3des
CE2(config-isakmp)# group 2
CE2(config-isakmp)# hash sha
CE2(config-isakmp)# authentication pre-share
CE2(config-isakmp)# lifetime 3600
CE2(config-isakmp)# exit
CE2(config)# crypto isakmp key hadi address 172.16.1.2
Step 2 :
CE2(config)# crypto ipsec transform-set CE1 esp-3des esp-sha-hmac
CE2(cfg-crypto-trans)# mode tunnel
CE2(cfg-crypto-trans)# exit
CE2(config)# crypto ipsec security-association lifetime seconds 1200
Step 3 :
CE2(config)# ip access-list extended controlA
CE2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
CE2(config-ext-nacl)# exit
Step 4 :
CE2(config)# crypto map vpn90 10 ipsec-isakmp
CE2(config-crypto-map)# set peer 172.16.1.2
CE2(config-crypto-map)# set transform-set CE1
CE2(config-crypto-map)# match address controlA
CE2(config-crypto-map)# exit
Step 5 :
CE2(config)# interface fastethernet 0/0
CE2(config-if)# crypto map vpn90
CE2(config-if)# exit
Step 6 :
In this example I skipped this step. If you want, you can apply it.
Verify the VPN Service :
To verify the VPN service, use the following commands on the CE1 or CE2 router.
show crypto ipsec sa
show crypto isakmp sa
show crypto session
show crypto map
debug crypto ipsec
debug crypto isakmp
Then ping from WKS-1 to WKS-2 and from WKS-2 to WKS-1.
Friday, 20 August, 2010
Site-to-Site IPSec VPN
The five steps in the life of an IPsec VPN are as follows:
Step 1 : Interesting traffic initiates the IPsec process.
Step 2 : IKE phase 1.
Step 3 : IKE phase 2.
Step 4 : Secure data transfer.
Step 5 : IPsec tunnel termination.
There are five parameters that must be coordinated during IKE phase 1:
i) IKE encryption algorithm (DES, 3DES, or AES)
ii) IKE authentication algorithm (MD5 or SHA-1)
iii) IKE key (preshare, RSA signatures, nonces)
iv) Diffie-Hellman version (1,2, or 5)
v) IKE tunnel lifetime (time and/or byte count)
Five parameters must be coordinated between IPsec peers during quick mode (IKE phase 2):
i) IPsec protocol (ESP or AH)
ii) IPsec encryption type (DES, 3DES, or AES)
iii) IPsec authentication (MD5 or SHA-1)
iv) IPsec mode (tunnel or transport)
v) IPsec SA lifetime (seconds or kilobytes)
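The configuration example in the previous post and the two parameter lists above come down to the same requirement: every algorithm in the ISAKMP policy and in the transform set has to agree on both peers, or phase 1 (or phase 2) never completes. The following Python model is an added example, not the post's code: it negotiates the post's CE1/CE2 values, shows what a mismatch looks like, and flags parameters a defender would want to migrate away from. The matching rule it applies (every algorithm identical, the shorter of the two lifetimes is used) is a simplification of IKEv1 negotiation and is stated as an assumption.

```python
"""Model of IKE phase 1 (ISAKMP policy) and phase 2 (transform set) agreement.

Added example, not from the post. Parameter values are the post's CE1/CE2
configuration. The matching rule (every algorithm identical, the shorter of the
two lifetimes is used) is a simplified model of IKEv1 negotiation, assumed here.
"""

# Parameters a defender should flag. DES, 3DES and MD5 are deprecated by NIST;
# DH groups 1 and 2 (768/1024-bit MODP) are below current key-size guidance.
WEAK = {
    "encryption": {"des", "3des"},
    "hash": {"md5"},
    "group": {1, 2},
}

PHASE1_KEYS = ("encryption", "hash", "authentication", "group")   # ISAKMP policy
PHASE2_KEYS = ("protocol", "encryption", "hash", "mode")           # transform set


def negotiate(local, remote, keys):
    """Return (agreed, mismatches); agreed is empty if any key differs."""
    mismatches = [f"{k}: local={local.get(k)!r} remote={remote.get(k)!r}"
                  for k in keys if local.get(k) != remote.get(k)]
    if mismatches:
        return {}, mismatches
    agreed = {k: local[k] for k in keys}
    agreed["lifetime"] = min(local["lifetime"], remote["lifetime"])  # assumption: shorter wins
    return agreed, []


def weak_params(params):
    """List the parameters that fall in the WEAK sets, e.g. ['encryption=3des', 'group=2']."""
    return [f"{k}={v}" for k, v in params.items() if v in WEAK.get(k, set())]


# Post's values: crypto isakmp policy 10 (3des / sha / pre-share / group 2 / lifetime 3600)
CE1_ISAKMP = {"encryption": "3des", "hash": "sha", "authentication": "pre-share",
              "group": 2, "lifetime": 3600}
CE2_ISAKMP = dict(CE1_ISAKMP)

# Post's values: transform-set esp-3des esp-sha-hmac, mode tunnel, SA lifetime 1200 seconds
CE1_IPSEC = {"protocol": "esp", "encryption": "3des", "hash": "sha",
             "mode": "tunnel", "lifetime": 1200}
CE2_IPSEC = dict(CE1_IPSEC)


def check_site_to_site(local_p1, remote_p1, local_p2, remote_p2):
    """Run both phases; phase 2 is attempted only if phase 1 agrees (as in the five-step flow)."""
    p1, p1_err = negotiate(local_p1, remote_p1, PHASE1_KEYS)
    if p1_err:
        return {"phase1": p1_err, "phase2": None, "weak": []}
    p2, p2_err = negotiate(local_p2, remote_p2, PHASE2_KEYS)
    return {
        "phase1": p1,
        "phase2": p2 if not p2_err else p2_err,
        "weak": sorted(set(weak_params(p1) + weak_params(p2))),
    }


if __name__ == "__main__":
    print(check_site_to_site(CE1_ISAKMP, CE2_ISAKMP, CE1_IPSEC, CE2_IPSEC))
    # Constructed mismatch: CE2 configured with DH group 5 instead of 2
    print(check_site_to_site(CE1_ISAKMP, dict(CE2_ISAKMP, group=5), CE1_IPSEC, CE2_IPSEC))
```

Run against the post's values the model agrees on both phases but reports `encryption=3des` and `group=2` as weak; when one side is changed to DH group 5, phase 1 fails and phase 2 is never attempted, which is exactly the symptom `show crypto isakmp sa` shows as an SA that never reaches QM_IDLE.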
Site-to-Site IPsec Configuration Steps :
Step 1 : Configure the ISAKMP policy (IKE phase 1).
Step 2 : Configure the IPsec transform sets (IKE phase 2, tunnel termination).
Step 3 : Configure the crypto ACL (interesting traffic, secure data transfer).
Step 4 : Configure the crypto map (IKE phase 2).
Step 5 : Apply the crypto map to interface (IKE phase 2).
Step 6 : Configure the interface ACL.
Virtual Private Network (VPN)
A VPN is a shared network where private data is segmented from other traffic so that only the intended recipient has access. The term VPN was originally used to describe a secure connection over the Internet. Today, however, VPN is also used to describe private networks, such as Frame Relay, Asynchronous Transfer Mode (ATM), and Multiprotocol Label Switching (MPLS).
A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.
It encapsulates data transfers between two or more networked devices not on the same private network so as to keep the transferred data private from other devices on one or more intervening local or wide area networks.
Types:
Types of VPNs are named based upon the role they play in a business. There are three different categories of VPNs.
- Remote Access VPNs
- Site-to-Site VPNs (or intranet VPNs)
- Extranet VPNs.
Remote Access VPNs : Allow Remote Users like telecommuters to securely access the corporate network wherever and whenever they need to.
Site-to-Site VPNs : Allow a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet instead of requiring more expensive WAN connections like Frame Relay.
Extranet VPNs : Allow an organization’s suppliers, partners and customers to be connected to the corporate network in a limited way for business-to-business (B2B) communications.
There are two approaches to creating a VPN. The first uses IPSec to provide authentication and encryption services between endpoints on an IP network. The second uses tunneling protocols, which let you establish a tunnel between endpoints on a network; a tunnel is simply a means of encapsulating data or protocols inside another protocol.
Here are some of the most common tunneling protocols:
- Layer 2 Forwarding (L2F)
- Point-to-Point Tunneling Protocol (PPTP)
- Layer 2 Tunneling Protocol (L2TP)
- Generic Routing Encapsulation (GRE)
IPSec (Internet Protocol Security) :
IPSec is an industry-wide standard suite of protocols and algorithms that allows for secure data transmission over an IP-based network that functions at the layer 3 network layer of the OSI Model. IPSec can protect only the IP layer and up (transport layer and user data). IPSec can’t be used to encrypt non-IP traffic. If you need to encrypt non-IP traffic, you’ll need to create a GRE tunnel for it and then use IPSec to encrypt that tunnel.
IPSec Features:
- Data Confidentiality
- Data Integrity
- Data origin authentication
- Anti-replay
IPSec Protocols :
The three main protocols that are used by IPSec are as follows:
- Internet Key Exchange (IKE)
- Encapsulating Security Payload (ESP)
  The following encryption methods are available to IPSec ESP:
  - Data Encryption Standard (DES)
  - Triple Data Encryption Standard (3DES)
  - Advanced Encryption Standard (AES)
- Authentication Header (AH)
Both AH and ESP use a Hash-based Message Authentication Code (HMAC) as the authentication and integrity check. HMAC hash algorithms in IPSec :
1. Message Digest 5 (MD5) [Input=variable, Output=128 bits, Used by IPsec=128 bits]
2. Secure Hash Algorithm (SHA-1) [Input=variable, Output=160 bits, Used by IPsec=First 96 bits].
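To make the two HMAC entries above concrete (SHA-1 produces 160 bits and IPsec keeps only the first 96) together with the anti-replay feature listed earlier, here is an added Python example, not code from the post: an ESP-style packet made of a 4-byte sequence number, a payload and a 12-byte truncated HMAC-SHA1 ICV, and a receiver that verifies the ICV in constant time and then applies a 64-packet sliding replay window. The framing and the window size are this example's own simplification of ESP (RFC 4303), not a wire-compatible implementation, and the key and payloads are constructed.

```python
"""ESP-style integrity check with HMAC-SHA1-96 and a sliding anti-replay window.

Added example, not from the post. The framing (4-byte sequence number || payload
|| 12-byte ICV) and the 64-packet window are a simplification of ESP (RFC 4303),
not a wire-compatible implementation. Key and payloads below are constructed.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12  # 96 bits = first 12 bytes of the 20-byte (160-bit) HMAC-SHA1 output


def icv(key, seq, payload):
    """HMAC-SHA1 over sequence number || payload, truncated to 96 bits."""
    mac = hmac.new(key, struct.pack("!I", seq) + payload, hashlib.sha1).digest()
    assert len(mac) == 20  # SHA-1 output is 160 bits; IPsec keeps the first 96
    return mac[:ICV_LEN]


def protect(key, seq, payload):
    """Build a packet: sequence number, payload, then the ICV."""
    return struct.pack("!I", seq) + payload + icv(key, seq, payload)


class Receiver:
    """Verifies the ICV, then applies a sliding replay window over sequence numbers.

    RFC 4303 does a preliminary window check before the (costlier) ICV check and
    only updates the window after the ICV passes; this simplified version checks
    the ICV first, which gives the same accept/reject decisions.
    """

    def __init__(self, key, window=64):
        self.key, self.window = key, window
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  =>  sequence number (top - i) already seen

    def accept(self, packet):
        """Return (True, payload) or (False, reason)."""
        if len(packet) < 4 + ICV_LEN:
            return False, "truncated"
        seq = struct.unpack("!I", packet[:4])[0]
        payload, tag = packet[4:-ICV_LEN], packet[-ICV_LEN:]
        # Constant-time comparison: integrity and data-origin check
        if not hmac.compare_digest(tag, icv(self.key, seq, payload)):
            return False, "bad ICV"
        if seq > self.top:
            # Newer than anything seen: slide the window forward and mark seq
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
            return True, payload
        offset = self.top - seq
        if offset >= self.window:
            return False, "too old"          # fell off the back of the window
        if (self.bitmap >> offset) & 1:
            return False, "replay"           # already accepted once
        self.bitmap |= 1 << offset           # late but unseen packet within the window
        return True, payload


if __name__ == "__main__":
    key = b"constructed-test-key"
    rx = Receiver(key)
    p1 = protect(key, 1, b"first")
    print(rx.accept(p1))        # accepted
    print(rx.accept(p1))        # (False, 'replay')
    print(rx.accept(p1[:4] + b"X" + p1[5:]))   # (False, 'bad ICV')
```

A replayed packet carries a valid ICV, so integrity alone does not catch it; that is why the window exists. Conversely a tampered packet is rejected on the ICV before the window is touched, so an attacker cannot use forged packets to advance the receiver's window.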
IPSec Modes :
- Tunnel Mode
- Transport Mode
IKE Protocols :
- ISAKMP (Internet Security Association Key Management Protocol)
- Oakley.
IKE Phases :
1. IKE Phase 1 [Mandatory] (two modes: (i) Main Mode, (ii) Aggressive Mode)
2. IKE Phase 1.5 [Optional]
3. IKE Phase 2 [Mandatory] (uses IKE Quick Mode)
Wednesday, 14 July, 2010
Definitions related to Name Servers
Domain Name :
This is the name that identifies a Web site. For example, "microsoft.com" is the domain name of Microsoft's Web site. A single Web server can serve Web sites for multiple domain names, but a single domain name can point to only one machine. For example, Apple Computer has Web sites at www.apple.com, www.info.apple.com, and store.apple.com. Each of these sites could be served on different machines.
Then there are domain names that have been registered, but are not connected to a Web server. The most common reason for this is to have e-mail addresses at a certain domain name without having to maintain a Web site. In these cases, the domain name must be connected to a machine that is running a mail server.
Name Server :
---------------------
A name server translates domain names into IP addresses. This makes it possible for a user to access a website by typing in the domain name instead of the website's actual IP address. For example, when you type in "www.microsoft.com," the request gets sent to Microsoft's name server which returns the IP address of the Microsoft website.
Each domain name must have at least two name servers listed when the domain is registered. These name servers are commonly named ns1.servername.com and ns2.servername.com, where "servername" is the name of the server. The first server listed is the primary server, while the second is used as a backup server if the first server is not responding.
Name servers are a fundamental part of the Domain Name System (DNS). They allow websites to use domain names instead of IP addresses, which would be much harder to remember.
Domain Name System
-------------------------
The Internet maintains two principal namespaces, the domain name hierarchy and the Internet Protocol (IP) address system. The Domain Name System maintains the domain namespace and provides translation services between these two namespaces. Internet name servers implement the Domain Name System. A DNS name server is a server that stores the DNS records, such as address (A) records, name server (NS) records, and mail exchanger (MX) records for a domain name and responds with answers to queries against its database.
The top of the Internet domain name hierarchy is served by the root name servers, which are maintained under delegation from the Internet Corporation for Assigned Names and Numbers (ICANN).
Top-level domain :
---------------------------
A top-level domain (TLD) is one of the domains at the highest level in the hierarchical Domain Name System of the Internet. The top-level domain names are installed in the root zone of the name space. For all domains in lower levels, it is the last part of the domain name, that is, the last label of a fully qualified domain name. For example, in the domain name www.example.com, the top-level domain is com, or COM (domain names are not case-sensitive). Management of most top-level domains is delegated to responsible organizations by the Internet Corporation for Assigned Names and Numbers (ICANN), which operates the Internet Assigned Numbers Authority (IANA) and is in charge of maintaining the DNS root zone. Originally, the top-level domain space was organized into three main groups: countries, categories, and multi-organizations. An additional temporary group consisted only of the initial DNS domain, arpa, intended for transitional purposes toward the stabilization of the domain name system.
Root domain
-------------------
The Domain Name System is a hierarchical naming system for computers, services, or any resource participating in the Internet. The top of that hierarchy is the root domain. The root domain does not have a formal name and its label in the DNS hierarchy is an empty string. All fully qualified domain names (FQDNs) on the Internet can be regarded as ending with this empty string for the root domain, and therefore ending in a full stop character (the label delimiter), e.g., www.example.com.. This is generally implied rather than explicit, as modern DNS software does not actually require that the terminating dot be included when attempting to translate a domain name to an IP address.
The root domain contains all top-level domains of the Internet.
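The definitions above (the last label is the TLD, the root label is the empty string after the trailing dot, names are not case-sensitive) can be exercised with a small label parser. This is an added Python example, not code from the post; the 63-octet label and 253-character name limits come from RFC 1035, and the function names and error messages are this example's own.

```python
"""Split a domain name into DNS labels as the definitions above describe.

Added example, not from the post. Shows the implied trailing dot (empty root
label), the TLD as the last non-root label, case-insensitive comparison and the
RFC 1035 length limits. Function names and error strings are this example's own.
"""

MAX_LABEL = 63   # octets per label (RFC 1035)
MAX_NAME = 253   # characters of a name in text form, without the trailing dot


def parse_fqdn(name):
    """Return labels, TLD and normalized forms of a name, or raise ValueError.

    'WWW.Example.COM.' -> labels ['www', 'example', 'com'], tld 'com',
    normalized 'www.example.com', fqdn 'www.example.com.'
    """
    if not name:
        raise ValueError("empty name")
    if name == ".":
        # The root itself: no labels, its own label is the empty string
        return {"labels": [], "tld": None, "normalized": ".", "fqdn": "."}
    # Drop the (usually implied) root dot and lower-case: names are not case-sensitive
    normalized = name.rstrip(".").lower()
    if len(normalized) > MAX_NAME:
        raise ValueError(f"name longer than {MAX_NAME} characters")
    labels = normalized.split(".")
    for label in labels:
        if not label:
            raise ValueError(f"empty label in {name!r}")
        if len(label.encode()) > MAX_LABEL:
            raise ValueError(f"label {label!r} longer than {MAX_LABEL} octets")
    return {
        "labels": labels,
        "tld": labels[-1],             # last label before the root
        "normalized": normalized,
        "fqdn": normalized + ".",      # explicit root label, as in www.example.com.
    }


def is_valid(name):
    """True if parse_fqdn accepts the name."""
    try:
        parse_fqdn(name)
        return True
    except ValueError:
        return False


def same_name(a, b):
    """Equal if the normalized forms match: case and the trailing dot are ignored."""
    return parse_fqdn(a)["normalized"] == parse_fqdn(b)["normalized"]


def is_subdomain(child, parent):
    """True if every label of parent is a suffix of child (store.apple.com under apple.com)."""
    c, p = parse_fqdn(child)["labels"], parse_fqdn(parent)["labels"]
    return len(c) > len(p) and c[-len(p):] == p


if __name__ == "__main__":
    for n in ("WWW.Example.COM.", "store.apple.com", "."):
        print(n, "->", parse_fqdn(n))
    print(same_name("www.microsoft.com", "WWW.MICROSOFT.COM."))
```

The `same_name` and `is_subdomain` helpers are the two comparisons that matter when you write DNS-based allow-lists: a match that is case-sensitive or that treats `example.com` and `example.com.` as different names will silently miss entries.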