JunOS Pulse on Ubuntu 15.04 using Openconnect

Basic recipe is:

sudo apt-get install libssl-dev libxml2-dev vpnc-scripts

wget ftp://ftp.infradead.org/pub/openconnect/openconnect-7.06.tar.gz
tar xzf openconnect-7.06.tar.gz
cd openconnect-7.06

./configure --with-vpnc-script=/usr/share/vpnc-scripts/vpnc-script
make

sudo make install

# libopenconnect is installed under /usr/local/lib by "make install", so that is the directory the loader needs
sudo LD_LIBRARY_PATH=/usr/local/lib openconnect --juniper https://myvpn.mycompany.com/customurl/

If you're getting something like "Failed to find or parse web form in login page" or "Failed to obtain WebVPN cookie", then Host Checker is enabled on the VPN server. Unfortunately I didn't find a way to connect reliably to JunOS Pulse with Host Checker.

Thu 30 July 2015

"Failed to start Switch Root" while booting CoreOS

To fix, assign at least 1024 MB of RAM to the VM; 512 MB is not enough.

Wed 29 July 2015

How to configure remote access VPN on Cisco ASA

This is just my version of the configuration, based on this guide.

Add VPN users:

username vpnuser1 password 123password123 privilege 0
username vpnuser2 password 123password123 privilege 0

Define IP pool and split routing subnets:

ip local pool VPN_USERS_POOL 10.10.252.0-10.10.252.255 mask 255.255.255.0

access-list VPN_SPLIT standard permit 10.10.8.0 255.255.255.0
access-list VPN_SPLIT standard permit 10.10.255.0 255.255.255.0

Remove NAT between VPN users and internal subnets:

object-group network NET_INTERNAL8
 network-object 10.10.8.0 255.255.255.0

object-group network NET_INTERNAL255
 network-object 10.10.255.0 255.255.255.0

object-group network NET_VPN_USERS
 network-object 10.10.252.0 255.255.255.0

nat (INTERNAL8,INTERNET) source static NET_INTERNAL8 NET_INTERNAL8 destination static NET_VPN_USERS NET_VPN_USERS
nat (INTERNAL255,INTERNET) source static NET_INTERNAL255 NET_INTERNAL255 destination static NET_VPN_USERS NET_VPN_USERS

Define transform sets and policies:

crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal ESP-AES-256-SHA-256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

crypto ikev1 policy 100
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto ikev1 policy 110
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 28800
crypto ikev1 policy 130
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 28800
crypto ikev1 policy 200
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 28800
crypto ikev1 policy 210
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 28800
crypto ikev1 policy 220
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 230
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800

Configure dynamic map and crypto map and assign to interface INTERNET:

crypto dynamic-map INTERNET_DMAP 1000 set ikev1 transform-set ESP-AES256-SHA ESP-AES256-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map INTERNET_DMAP 1000 set ikev2 ipsec-proposal ESP-AES-256-SHA-256
crypto dynamic-map INTERNET_DMAP 1000 set reverse-route
crypto map INTERNET_MAP 1000 ipsec-isakmp dynamic INTERNET_DMAP
crypto map INTERNET_MAP interface INTERNET

crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit set-df INTERNET
crypto ikev1 enable INTERNET

Finally, define the group policy and tunnel group:

group-policy VPN_USERS internal
group-policy VPN_USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_SPLIT
 address-pools value VPN_USERS_POOL

tunnel-group VPN_USERS type remote-access
tunnel-group VPN_USERS general-attributes
 default-group-policy VPN_USERS
tunnel-group VPN_USERS ipsec-attributes
 ikev1 pre-shared-key big-AND-fat-psk
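
The IKEv1 policy list above still accepts 3DES, MD5 and the small DH groups 2 and 5, so a peer proposing only those will be allowed in. As an added example (not code from the original post), here is a small Python audit that parses such "crypto ikev1 policy" blocks and reports the legacy choices; the weakness thresholds are this example's own assumptions and the sample config is constructed from two of the policies shown.

```python
# Weakness thresholds are this example's assumptions: DES/3DES and MD5 are
# deprecated, and DH groups below 14 (2048-bit MODP) miss 112-bit security.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
MIN_DH_GROUP = 14

# Constructed sample: two of the policies from the post above.
SAMPLE_CONFIG = """\
crypto ikev1 policy 100
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto ikev1 policy 230
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
"""

def parse_ikev1_policies(config):
    """Return {priority: {param: value}} for each 'crypto ikev1 policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        if line.startswith("crypto ikev1 policy "):
            current = policies.setdefault(int(line.split()[-1]), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other unindented line ends the block
    return policies

def find_weak_policies(config):
    """Return {priority: [reasons]} for policies that accept legacy algorithms."""
    findings = {}
    for prio, params in sorted(parse_ikev1_policies(config).items()):
        reasons = []
        if params.get("encryption") in WEAK_ENCRYPTION:
            reasons.append("encryption " + params["encryption"])
        if params.get("hash") in WEAK_HASH:
            reasons.append("hash " + params["hash"])
        if int(params.get("group", 0)) < MIN_DH_GROUP:
            reasons.append("group " + params.get("group", "missing"))
        if reasons:
            findings[prio] = reasons
    return findings
```

Feed the crypto section of a running config into find_weak_policies() to audit a live device; anything it reports is a proposal the ASA will still accept.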

Mon 02 February 2015

How to reset iLO passwords to defaults on all blades in chassis

To reset the iLO passwords to their defaults (printed on the blade chassis) on all blades in the bladecenter, SSH to the active OA and run:

hponcfg ALL << end_marker
<RIBCL VERSION="2.0">
  <LOGIN USER_LOGIN="adminname" PASSWORD="password">
    <RIB_INFO MODE="write">
      <FACTORY_DEFAULTS/>
    </RIB_INFO>
  </LOGIN>
</RIBCL>
end_marker

Sun 01 February 2015

How to create sftp-only user

To restrict a specific user (angry_infosec in this case) to SFTP only, confined to a specific directory (/LOG in this case), put this in /etc/ssh/sshd_config:

Subsystem sftp internal-sftp

Match user angry_infosec
    ChrootDirectory /LOG
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Tue 20 January 2015