IT Blog

Configuring the VPN IPSec / L2TP server on Mikrotik

Here is an example of setting up a VPN IPSec / L2TP server on Mikrotik so that you can connect to it from Windows, MacBook, iPhone, etc.

1) Add a range of IP addresses for DHCP by opening “IP” – “Pool” and indicating:
Name: vpn_pool
Addresses: 192.168.5.1-192.168.5.15
Next pool: none
From the terminal like this:

ip pool add name=vpn_pool ranges=192.168.5.1-192.168.5.15

2) Add a profile to “PPP” – “Profiles”
Name: l2tp_profile
Local address: vpn_pool (you can specify default 192.168.88.1)
Remote address: vpn_pool
Change TCP MSS: yes
The rest is not touched and left in default
From the terminal like this:

ppp profile add change-tcp-mss=yes local-address=vpn_pool name=l2tp_profile remote-address=vpn_pool

3) Add a user to “PPP” – “Secrets”
Name: LOGIN
Password: PASSWORD
Service: l2tp
Profile: l2tp_profile
From the terminal like this:

ppp secret add name=LOGIN password=PASSWORD profile=l2tp_profile service=l2tp

4) Enable the server in “PPP” – “Interface” – “L2TP Server”
Enabled: yes
MTU/MRU: 1450
Keepalive Timeout: 30
Default profile: l2tp_profile
Authentication: mschap2
Use IPSec: yes
IPSec Secret: ENCRYPTION_KEY (also indicated in the clients)
From the terminal like this:

interface l2tp-server server set authentication=mschap2 default-profile=l2tp_profile enabled=yes ipsec-secret=KEY use-ipsec=yes

5) “IP” – “IPSec” – “Peers”
Address: 0.0.0.0/0
Port: 500
Auth method: pre shared key
Exchange mode: main l2tp
Passive: yes (set)
Secret: ENCRYPTION_KEY (also indicated in the clients)
Policy template group: default
Send Initial Contact: yes
NAT Traversal: yes
My ID Type: auto
Generate policy: port override
Lifitime: 1d 00:00:00
DPD Interval: 120
DPD Maximum failures: 5
Proposal check: obey
Hash algorithm: sha1
Encryption Algorithm: 3des aes-128 aes-256
DH Group: modp 1024
From the terminal like this:

ip ipsec peer add address=0.0.0.0/0 enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=KEY

6) “IP” – “IPSec” – “Proposals”
Name: default
Auth algorithms: sha1
Enrc. algorithms: 3des, aes-256 cbc, aes-256 ctr
Life time: 00:30:00
PFS Group: mod 1024
From the terminal like this:

ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,3des

7) “Firewall” – “Add New”
Let’s add the first rule allowing incoming VPN connections:
Chain: Input
Protocol: udp
Any. Port: 1701,500,4500
Action: Accept
And the second:
Chain: Input
Protocol: ipsec-esp
Action: Accept
From the terminal like this:

ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500
ip firewall filter add chain=input action=accept protocol=ipsec-esp

The rules should be at the top of the list.

This completes the configuration, you can connect.

Installing and using trafshow

trafshow – a utility for displaying traffic statistics passing through network interfaces.

Since the utility is included in the Netdiag (Net-Diagnostics) set, everything is installed together.

You can install Netdiag and trafshow in Ubuntu / Debian using the following command:

sudo apt-get install netdiag

In CentOS/RedHat/Fedora:

sudo yum install netdiag

Command viewing guide:

man trafshow

Simple launch:

sudo trafshow

I’ll describe the possible startup options:
-v (view the version of the program)
-n (do not convert the addresses into DNS names, and port numbers for example 80 in http, etc., in the running program, you can toggle the option with the N key)
-a len (summarizing traffic flows using the IP prefix IP netmask len, in the program is switched by pressing the A key)
-с conf (using an alternative color configuration instead of the standard / etc / trafshow)
-i name (indication of the network interface)
-s str (search for an item in the list and go to it)
-u port (listening to the specified UDP port for Cisco Netflow, the default number is 9995, to disable use 0)
-R refresh (update interval, default 2 secs, in the program is changed with the R key)
-P purge (cleaning of obsolete records after the specified time, by default 10 seconds, in the program is changed by the key P)
-F file (using a file for filters)
expr (what packages will be displayed, if not specified, then all)

Installing and using softflowd

Softflowd – NetFlow network traffic analyzer.

You can install in Ubuntu/Debian using the command:

sudo apt-get install softflowd

After installation, you need to open its configuration file, for example, in the nano editor (Ctrl+X for exit, y/n for saving or canceling changes):

sudo nano /etc/default/softflowd

And specify the parameters, for example:

INTERFACE="any"
OPTIONS="-n 192.168.1.40:5556"

After the changes, perform a restart:

sudo /etc/init.d/softflowd restart

Let’s look at the statistics of softflowd:

softflowctl statistics

If it is not running, there will be an error:

ctl connect(“/var/run/softflowd.ctl”) error: Connection refused

Display information about all monitored threads:

sudo softflowctl dump-flows

Information about softflowctl can be viewed by the command:

man softflowctl

I’ll describe other startup options:
-n (specify the network node and port on which will work softflowd)
-i (interface on which will work softflowd)
-r pcap_file (reading information from a file, not a network interface)
-p pidfile (alternative location for storing the process identifier, standard /var/run/softflowd.pid)
-c ctlsock (alternative location for the socket, standard /var/run/softflowd.ctl)
-m max_flows (maximum number of threads for simultaneous tracking)
-6 (consider also IPv6 data)
-D (debug mode)
-T track_level (level of tracking, can be full, proto, ip)
-v netflow_version (netflow version)

Linux snmp OIDs

Example for check:

snmpget -v 1 -c "public" localhost .1.3.6.1.2.1.1.3.0

System load:
In 1 minute: .1.3.6.1.4.1.2021.10.1.3.1
In 5 minutes: .1.3.6.1.4.1.2021.10.1.3.2
In 15 minutes: .1.3.6.1.4.1.2021.10.1.3.3

CPU:
percentage of user CPU time: .1.3.6.1.4.1.2021.11.9.0
raw user cpu time: .1.3.6.1.4.1.2021.11.50.0
percentages of system CPU time: .1.3.6.1.4.1.2021.11.10.0
raw system cpu time: .1.3.6.1.4.1.2021.11.52.0
percentages of idle CPU time: .1.3.6.1.4.1.2021.11.11.0
raw idle cpu time: .1.3.6.1.4.1.2021.11.53.0
raw nice cpu time: .1.3.6.1.4.1.2021.11.51.0

Memory statistics:
Size of the Swap: .1.3.6.1.4.1.2021.4.3.0
Free Swap Space: .1.3.6.1.4.1.2021.4.4.0
Total RAM: .1.3.6.1.4.1.2021.4.5.0
Used RAM: .1.3.6.1.4.1.2021.4.6.0
Free RAM: .1.3.6.1.4.1.2021.4.11.0
Total RAM Shared: .1.3.6.1.4.1.2021.4.13.0
Total RAM Buffered: .1.3.6.1.4.1.2021.4.14.0
Total Cached Memory: .1.3.6.1.4.1.2021.4.15.0
Mount point: .1.3.6.1.4.1.2021.9.1.2.1
Mount the device for the partition: .1.3.6.1.4.1.2021.9.1.3.1
Total disk/partition size in kilobytes: .1.3.6.1.4.1.2021.9.1.6.1
Free disk space: .1.3.6.1.4.1.2021.9.1.7.1
Used disk space: .1.3.6.1.4.1.2021.9.1.8.1
Disk space used as a percentage: .1.3.6.1.4.1.2021.9.1.9.1

Uptime system: .1.3.6.1.2.1.25.1.1.0
SNMP uptime: .1.3.6.1.2.1.1.3.0

Installing and using Net-SNMP

You can install Net-SNMP in Centos with the command:

Blocking social networks on Cisco

On the test I use the Cisco Catalyst 6509-E switch.
Suppose we need to block access to users to a certain site, a network node, or for example a social network VKontakte.

First, we know the range of IP addresses on which the site is located, for example, we search VKontakte on bgp.he.net, here is for example the list of subnets for one of the AS belonging to VKontakte “http://bgp.he.net/AS47541#_prefixes”.

And create an extended ACL for example with the name BLOCKSOCIAL:

ip access-list extended BLOCKSOCIAL
deny ip any 87.240.128.0 0.0.63.255
deny ip any 93.186.224.0 0.0.7.255
deny ip any 93.186.232.0 0.0.7.255
deny ip any 95.142.192.0 0.0.15.255
deny ip any 95.213.0.0 0.0.63.255
deny ip any 185.29.130.0 0.0.0.255
deny ip any 185.32.248.0 0.0.3.255
permit ip any any
exit

The rule above indicates that you want to block traffic to the specified networks coming from all (any) sources.
You can specify as a source a specific network or for example one address to deny access to another address:

deny ip host 192.168.5.1 host 192.168.11.54

The line “permit ip any any” should be necessary at the end.

Instead of a subnet mask, you need to specify the Wildcard, for example, for the mask /24, specify 0.0.0.255, for /22 – 0.0.3.255, etc., you can look at and count on any IP calculator.
/17 – 0.0.127.255
/18 – 0.0.63.255
/19 – 0.0.31.255
/20 – 0.0.15.255
/21 – 0.0.7.255
/22 – 0.0.3.255
/23 – 0.0.1.255
/24 – 0.0.0.255

If you want to block more sites, we’ll add the addresses to the same ACL, since only one can be applied to the ACL interface.

Apply the created ACL to the port looking towards the clients:

interface GigabitEthernet1/1
ip access-group BLOCKSOCIAL in

Or, to write less only to the server’s server port on the Internet, if there is one:

interface TenGigabitEthernet3/2
ip access-group BLOCKSOCIAL in

You can cancel the ACL interface as follows:

no ip access-group BLOCKSOCIAL in

Delete the ACL like this:

no ip access-list extended BLOCKSOCIAL

If you block sites on the port from the server to the clients, then in the ACL rule we will change the addresses in the following places:

ip access-list extended BLOCKSOCIAL
deny ip 87.240.128.0 0.0.63.255 any
deny ip 93.186.224.0 0.0.7.255 any
deny ip 93.186.232.0 0.0.7.255 any
deny ip 95.142.192.0 0.0.15.255 any
deny ip 95.213.0.0 0.0.63.255 any
deny ip 185.29.130.0 0.0.0.255 any
deny ip 185.32.248.0 0.0.3.255 any
deny ip host 192.168.5.1 any
permit ip any any
exit

Configuring link aggregation on Huawei SmartAX MA5600

On the test, I will configure aggregation on two ports of Huawei SmartAX MA5683T and Cisco Catalyst 6509-E.

Configuring link aggregation on the Cisco Catalyst 6500

For the test, I will configure the aggregation on the Cisco Catalyst 6509-E.

How to convert audio files to ulaw, alaw, gsm, g722, etc. for Asterisk

After ordering the voice acting from a professional announcer and cutting in the sound editor, it was necessary to save the sounds in different formats, the original was in wav, so I’ll give an example of converting through sox (it already was in the system with Asterisk):

sox -V vm-intro.wav -r 8000 -c 1 -t ul vm-intro.ulaw
sox -V vm-intro.wav -r 8000 -c 1 -t al vm-intro.alaw
sox -V vm-intro.wav -r 8000 -c 1 -t gsm vm-intro.gsm

The codec g722 does not seem to support it, at least in man sox did not find it, so it installed ffmpeg (on the Ubuntu Server system):

sudo apt-get install ffmpeg

And performed the conversion:

ffmpeg -i vm-intro.wav -ar 16000 -acodec g722 vm-intro.g722

Standard directory with Asterisk sounds – /usr/share/asterisk/sounds

SNMP OID and MIB for interfaces

Below I list the standard OID and MIB with a description for obtaining SNMP different statistics for the network interfaces of switches, routers, access points, network cards in servers, etc.