Posts - tuxmartin

76
I just found a Dell K16A Thunderbolt Dock J00G9 on eBay for a lovely 1 000 Kc including shipping.

Quote
Supports up to three FHD displays or two 4K displays @ 60Hz
Single cable for power and data (up to 130w on supported computers only).

I assume it will work with almost any notebook with Thunderbolt3.

Does anyone have experience with it? It seems almost too cheap...

I even found it with a 130W power supply for 1 500 Kc including shipping. That looks really great.

77
It's not exactly in the "five crowns from AliExpress" category, but you probably won't find anything better. There's no point in skimping on this.

7 kKc is a lot. Especially since I'd like to buy 3 of them.

I'll try googling something cheaper for TB3.

And as for USB-C, is it pointless to try to have two monitors? Is it always only one, because of DisplayPort over USB-C?
I don't know much about this, which is why I'm asking.

78
Hi,


TL;DR:

  • Can two digital FullHD monitors be connected over USB-C, or do I need Thunderbolt3?
  • What is the cheapest docking station (from China is fine) that has 2x digital FullHD output, 1x Gb ethernet and a few USB ports?

I'm looking around for a new notebook to replace my old Lenovo ThinkPad X220.
For the X220 I have three docking stations, each with two 24" (in one place 2x 27") FullHD monitors. I can't praise it enough. I don't want a desktop, so that I don't have to deal with data synchronization. But Sandy Bridge is simply old by now...

Ideally the smallest and lightest notebook possible. Looks and resolution don't bother me; 95% of the time the notebook is in docking stations.

I'm wavering most between:
  • Lenovo ThinkPad L480
  • Dell XPS 13

but I need advice on a docking station, without which I don't want to/can't function.

I definitely want USB-C Power Delivery, so that I connect only one cable to the notebook, power included.

Both notebooks I'm considering have Thunderbolt 3, but I still don't know whether it's a necessity for me.

For 250 Kc you can buy an adapter from USB-C to 1x USB3, 1x HDMI and 1x USB-C.
That's an incredibly low price.
I assume it's enough that the notebook supports USB-C DisplayPort Alt Mode.
They often boast about 4k, but that's no use to me. I need 2x digital 1920x1080.
Or can two of these cheap adapters be put in series? I doubt that would work.

For USB-C I couldn't find an adapter for 2 digital monitors. Some more expensive ones have HDMI, DVI-D and VGA. However, mostly VGA and one digital output work at the same time. Never both digital.

So do I understand correctly that I need a Thunderbolt3 docking station for two digital video outputs?
None of my monitors support DisplayPort daisy-chain.

I did find cheap Thunderbolt3 docking stations, but again they have only one (4k, sure, but what for?) digital monitor output.

A station with support for 2 digital monitors comes to 4 400 Kc. Which is a lot when I want three docking stations...

  • Can two digital FullHD monitors be connected over USB-C, or do I need Thunderbolt3?
  • What is the cheapest docking station (from China is fine) that has 2x digital FullHD output, 1x Gb ethernet and a few USB ports?


Thanks for the advice.

79
Networks / Re: IPsec server on Linux for MikroTik clients
« on: 05. 11. 2018, 11:42:08 »
So I modified the config so that it has no XAUTH in it, but the error is still the same:

Code:
     # cat /etc/ipsec.secrets 
%any %any : PSK : "testABC"
%any %any : XAUTH : "testABC"

Code:
    # cat /etc/ipsec.conf 
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    uniqueids=no

conn wtf
type=transport
        pfs=no
        rekey=no
        keyingtries=1
        left=%any
        leftprotoport=udp/l2tp
        leftid=@88.86.113.219
        right=%any
        rightprotoport=udp/%any
        auto=add
keyexchange=ikev1
leftauth=psk
rightauth=psk

Any idea what else to change?

80
Networks / Re: IPsec server on Linux for MikroTik clients
« on: 05. 11. 2018, 10:26:26 »
I'm currently trying this ipsec server config https://forum.root.cz/index.php?topic=19874.msg294389#msg294389

and in the MikroTik I use ppp->interface->l2tp client and fill in that table. I haven't set anything else in the MikroTik and it's still the same error:

Code:
Nov  5 10:23:29 vpn charon: 03[NET] waiting for data on sockets
Nov  5 10:23:29 vpn charon: 06[NET] received packet: from 77.78.90.200[4500] to 88.86.113.219[4500] (76 bytes)
Nov  5 10:23:29 vpn charon: 06[ENC] invalid ID_V1 payload length, decryption failed?
Nov  5 10:23:29 vpn charon: 06[ENC] could not decrypt payloads
Nov  5 10:23:29 vpn charon: 06[IKE] message parsing failed

81
Networks / Re: IPsec server on Linux for MikroTik clients
« on: 05. 11. 2018, 00:09:29 »
So instead of plain IPsec I started trying L2TP/IPsec, still without success.

My configs:

Code:
root@vpn:/# cat /etc/ipsec.conf 
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    uniqueids=no

conn wtf
    type=transport
    pfs=no
    rekey=no
    keyingtries=1
    left=%any
    leftprotoport=udp/l2tp
    leftid=@88.86.113.219
    right=%any
    rightprotoport=udp/%any
    auto=add
    aggressive=yes
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    leftauth2=xauthpsk
    rightauth2=xauthpsk

Code:
root@vpn:/# cat /etc/xl2tpd/xl2tpd.conf

[global]
listen-addr = 88.86.113.219

[lns default]
ip range = 10.10.100.10-10.10.100.250
local ip = 10.10.100.1
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = yes
name = TEST_VPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Code:
root@vpn:/# cat /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

But I still see only this error:
Code:
Oct 31 15:27:41 vpn charon: 03[NET] waiting for data on sockets
Oct 31 15:27:41 vpn charon: 14[NET] received packet: from 77.78.90.200[500] to 88.86.113.219[500] (364 bytes)
Oct 31 15:27:41 vpn charon: 14[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 31 15:27:41 vpn charon: 14[IKE] remote host is behind NAT
Oct 31 15:27:41 vpn charon: 14[CFG]   candidate "wtf", match: 1/1/28 (me/other/ike)
Oct 31 15:27:41 vpn charon: 14[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Oct 31 15:27:41 vpn charon: 14[NET] sending packet: from 88.86.113.219[500] to 77.78.90.200[500] (372 bytes)
Oct 31 15:27:41 vpn charon: 04[NET] sending packet: from 88.86.113.219[500] to 77.78.90.200[500]
Oct 31 15:27:42 vpn charon: 03[NET] received packet: from 77.78.90.200[4500] to 88.86.113.219[4500]
Oct 31 15:27:42 vpn charon: 03[NET] waiting for data on sockets
Oct 31 15:27:42 vpn charon: 16[NET] received packet: from 77.78.90.200[4500] to 88.86.113.219[4500] (76 bytes)
Oct 31 15:27:42 vpn charon: 16[ENC] invalid ID_V1 payload length, decryption failed?
Oct 31 15:27:42 vpn charon: 16[ENC] could not decrypt payloads
Oct 31 15:27:42 vpn charon: 16[IKE] message parsing failed
Oct 31 15:27:42 vpn charon: 16[ENC] generating INFORMATIONAL_V1 request 3597591477 [ HASH N(PLD_MAL) ]

I've checked the passwords about 10 times.

The client is a Mikrotik hAp lite.

I'm completely at a loss now :-(

I'd welcome any tip on how to get a working combination of an L2TP/IPsec server on Linux and a Mikrotik client running.

I'd rather have certificate authentication, but I'll survive IPsec PSK (the VPN clicky thing in winbox offers nothing else) and usernames+passwords on L2TP.

82
Hi,
I have two printers here:
  • HP Color LaserJet Pro MFP M176n
  • HP Color LaserJet MFP M280nw
and I need to monitor the number of printed pages on them with Zabbix. I'm mainly interested in tracking the change over time.

Here are the complete snmpwalk outputs: https://gist.github.com/tuxmartin/494770920a3ae9ca6e5ef328c308c593

When I query iso.3.6.1.2.1.43.10.2, only the newer M280 printer returns anything. The old M176 returns nothing at all.

Code:
martin@martin:~$ snmpwalk -v 1 -mALL -c public 10.67.1.7 iso.3.6.1.2.1.43.10.2 # HP_M176n
martin@martin:~$

martin@martin:~$ snmpwalk -v 1 -mALL -c public 10.67.1.16 iso.3.6.1.2.1.43.10.2 # HP_M280nw
Printer-MIB::prtMarkerMarkTech.1.1 = INTEGER: electrophotographicLaser(4)
Printer-MIB::prtMarkerCounterUnit.1.1 = INTEGER: impressions(7)
Printer-MIB::prtMarkerLifeCount.1.1 = Counter32: 6
Printer-MIB::prtMarkerPowerOnCount.1.1 = Counter32: 1
Printer-MIB::prtMarkerProcessColorants.1.1 = INTEGER: 1
Printer-MIB::prtMarkerSpotColorants.1.1 = INTEGER: 0
Printer-MIB::prtMarkerAddressabilityUnit.1.1 = INTEGER: tenThousandthsOfInches(3)
Printer-MIB::prtMarkerAddressabilityFeedDir.1.1 = INTEGER: 600
Printer-MIB::prtMarkerAddressabilityXFeedDir.1.1 = INTEGER: 600
Printer-MIB::prtMarkerNorthMargin.1.1 = INTEGER: 1667
Printer-MIB::prtMarkerSouthMargin.1.1 = INTEGER: 1667
Printer-MIB::prtMarkerWestMargin.1.1 = INTEGER: 1667
Printer-MIB::prtMarkerEastMargin.1.1 = INTEGER: 1667
Printer-MIB::prtMarkerStatus.1.1 = INTEGER: 0
martin@martin:~$


Yet both printers show page counts in the web administration at http://IP.AD.RE.SA/info_configuration.html (picture attached).

Is there any way to configure the printer to provide this information over SNMP?
Or am I out of luck and have to try a curl+grep type of solution?

83
Networks / Re: IPsec server on Linux for MikroTik clients
« on: 23. 10. 2018, 13:05:11 »
in the config /etc/ipsec.conf I see a typo in the IKE proposal

    ike=aes128-saha256-ecp256,aes256-sha384

Thanks for the tip. Fixed, but it still didn't help :-(

84
Networks / Re: IPsec server on Linux for MikroTik clients
« on: 20. 10. 2018, 01:07:14 »
no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
skipped invalid proposal string: aes128-saha256-ecp256

I noticed that, I just don't know yet how to fix it.


1. You can happily use UDP in OpenVPN over TCP. Of course, it may feel slower/worse, because it will push all packets through the VPN, but I mostly have it that way on ADSL lines (Mikrotik at the client) and I haven't noticed a difference compared to a direct UDP link.

2. Even though you write that you want to avoid it, I recommend using L2TP/IPsec - it's simpler, it's L3, VoIP will go through it and it will work without problems on Android/iOS/ROS.

1)
Why TCP Over TCP Is A Bad Idea - http://sites.inka.de/bigred/devel/tcp-tcp.html
but SIP is just "modified html", so that wouldn't matter so much.
The problem is RTP. I can't use a TCP VPN. I also dealt with this on the odorik.cz forum and it's really not a good idea to tunnel the RTP stream of VoIP calls through a TCP tunnel. They strongly advised me not to do it.

2)
L2TP/IPsec - maybe that's how it will end up.
Do you have a proven config/guide for setting up what I need?

85
Networks / IPsec server on Linux for MikroTik clients
« on: 19. 10. 2018, 22:20:03 »
Hi,
I've been trying for the second day to get an IPsec server running on Linux. Until then I had never worked with IPsec.

I used strongSwan, which has packages in Debian and Ubuntu.
I have Ubuntu 18.04 and strongSwan 5.6.2.

It took me quite some work to get IKEv2 working with the user database and IP pool in FreeRADIUS, but in the end it worked (the "conn ikev2-vpn" section is functional).
For strongSwan I use a Let's Encrypt certificate.
Unfortunately, as I found out, the official strongSwan app on Android works, but MikroTik can't connect to this type of IPsec (nor can the integrated Android VPN client).

So I'm trying to get strongSwan working as an IPsec server for MikroTik (hAp lite) clients.
Ideally I'd like to avoid client certificates and use only username+password. It would be much easier for configuring the MikroTik.

My attempt is in the "conn xauth-ikev1-mikrotik" section. But the MikroTik can't connect and keeps pouring these errors into the log:

Code:
       #  tail -F /var/log/syslog | grep "ipsec\|charon"
Oct 19 18:13:51 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:13:51 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:13:51 vpn charon: 08[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:13:51 vpn charon: 08[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:13:51 vpn charon: 08[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:13:51 vpn charon: 08[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:13:51 vpn charon: 08[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:13:51 vpn charon: 08[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:13:51 vpn charon: 08[IKE] IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
Oct 19 18:13:51 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:02 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:02 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:14:02 vpn charon: 06[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:02 vpn charon: 06[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:02 vpn charon: 06[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:02 vpn charon: 06[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:02 vpn charon: 06[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:02 vpn charon: 06[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:02 vpn charon: 06[IKE] IKE_SA (unnamed)[2] state change: CREATED => DESTROYING
Oct 19 18:14:02 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:12 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:12 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:14:12 vpn charon: 13[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:12 vpn charon: 13[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:12 vpn charon: 13[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:12 vpn charon: 13[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:12 vpn charon: 13[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:12 vpn charon: 13[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:12 vpn charon: 13[IKE] IKE_SA (unnamed)[3] state change: CREATED => DESTROYING
Oct 19 18:14:12 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:23 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:23 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:14:23 vpn charon: 04[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:23 vpn charon: 04[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:23 vpn charon: 04[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:23 vpn charon: 04[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:23 vpn charon: 04[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:23 vpn charon: 04[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:23 vpn charon: 04[IKE] IKE_SA (unnamed)[4] state change: CREATED => DESTROYING
Oct 19 18:14:23 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:34 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:34 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG]   sha256_96=no
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG]   mediation=no
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG]   keyexchange=ikev2
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] algorithm 'saha256' not recognized
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] skipped invalid proposal string: aes128-saha256-ecp256
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 08[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 08[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 08[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn ipsec[30143]: 08[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn ipsec[30143]: 08[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:44 vpn ipsec[30143]: 08[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 08[IKE] IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
Oct 19 18:14:44 vpn ipsec[30143]: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 06[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 06[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 06[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn ipsec[30143]: 06[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn ipsec[30143]: 06[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:44 vpn ipsec[30143]: 06[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 06[IKE] IKE_SA (unnamed)[2] state change: CREATED => DESTROYING
Oct 19 18:14:44 vpn ipsec[30143]: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 13[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 13[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 13[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn ipsec[30143]: 13[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn charon: 14[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 13[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:44 vpn ipsec[30143]: 13[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 13[IKE] IKE_SA (unnamed)[3] state change: CREATED => DESTROYING
Oct 19 18:14:44 vpn ipsec[30143]: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 04[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 04[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn ipsec[30143]: 04[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn ipsec[30143]: 04[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:44 vpn ipsec[30143]: 04[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 04[IKE] IKE_SA (unnamed)[4] state change: CREATED => DESTROYING
Oct 19 18:14:44 vpn ipsec[30143]: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 04[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 04[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn ipsec[30143]: 04[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn ipsec[30143]: 04[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:44 vpn ipsec[30143]: 04[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 04[IKE] IKE_SA (unnamed)[5] state change: CREATED => DESTROYING
Oct 19 18:14:44 vpn ipsec[30143]: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 14[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 14[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 14[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn charon: 14[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 14[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn charon: 14[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn charon: 14[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn charon: 14[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:44 vpn charon: 14[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:44 vpn charon: 14[IKE] IKE_SA (unnamed)[6] state change: CREATED => DESTROYING
Oct 19 18:14:44 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:55 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:55 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:14:55 vpn charon: 05[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:55 vpn charon: 05[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:55 vpn charon: 05[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:55 vpn charon: 05[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:55 vpn charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:55 vpn charon: 05[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:55 vpn charon: 05[IKE] IKE_SA (unnamed)[7] state change: CREATED => DESTROYING
Oct 19 18:14:55 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:15:05 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:15:05 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:15:05 vpn charon: 12[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:15:05 vpn charon: 12[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:15:05 vpn charon: 12[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:15:05 vpn charon: 12[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:15:05 vpn charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:15:05 vpn charon: 12[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:15:05 vpn charon: 12[IKE] IKE_SA (unnamed)[8] state change: CREATED => DESTROYING
Oct 19 18:15:05 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]

I have strongSwan including all the radius plugins:
Code:
apt-get install strongswan libstrongswan-standard-plugins libstrongswan-extra-plugins

Here are my configs:

Code:
           # cat /etc/ipsec.conf

config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"

    uniqueids=no
    # allow multiple connections from a given user

conn xauth-ikev1-mikrotik
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev1

    rekey=no
    left=%any
    leftid=muj.vpn.server.cz
    leftauth=psk

    leftcert=/etc/strongswan_certs/cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
 
    rightauth=psk
    rightauth2=xauth-radius
    xauth=server
    authby=xauthpsk

    rightsourceip=%radius
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never

    eap_identity=%identity


    ike=aes128-saha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!


conn ikev2-vpn
    auto=add
    # On strongSwan startup, load this connection and then wait for clients to connect to it (auto=add)

    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes

    dpdaction=clear
    dpddelay=300s
    dpdtimeout=1800s
    # Enable Dead Peer Detection (DPD), which periodically checks that the
    # client is still responding and if it's not then the IKEv2 session and the IPsec tunnel are cleared.

    ike=aes256-aes192-aes128-sha384-sha256-sha1-modp3072-modp2048-modp1536-modp1024!
    # List our acceptable encryption and message-integrity algorithms, for the authentication and key exchange process.

    rekey=no
    left=%any
    leftid=muj.vpn.server.cz
    leftauth=pubkey

    leftcert=/etc/strongswan_certs/cert.pem
    # Must only contain our public key, not the complete certificate chain!

    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    rightsourceip=%radius
   
    #rightsourceip=10.10.10.1-10.10.10.150   
    # rightsourceip=192.0.2.0/25,2001:db8::/96
    # Assign each client dynamic addresses from an IPv4 and an IPv6 pool.
    # The first and last addresses in each subnet will not be use
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never

    eap_identity=%identity
    # Allow any defined user to connect (provided they're present in ipsec.secrets).


# static IPs are not excluded from the pool you configured in ikev2-vpn !!!!!!!!
#
#  And if this static config selection works will also depend on the client.
#  If the IKE identity is not the same as the EAP-Identity a match on rightid won't
#  be possible (our Android app sets both to the same value, but e.g. the Windows
#  IKEv2 client does not)
conn static_ip___staticuserX
    also=ikev2-vpn
    #the parameters of that section are inherited by the current section
    rightid=staticuserX
    rightsourceip=10.10.10.200/32
    auto=add


Code:
                  # cat /etc/ipsec.secrets 
: RSA "/etc/strongswan_certs/key.pem"
: PSK : "secret123"


Code:
        # cat /etc/strongswan.d/charon.conf 
charon {
  plugins {
    eap-radius {
      servers {
        primary {
          address = 127.0.0.1
          secret = testing123
          nas_identifer = ipsec-gateway
          sockets = 20
          preference = 99
        }
      }
    }
    xauth-eap {
      backend = radius
    }
  }
}

Code:
            # cat /etc/freeradius/3.0/users 
DEFAULT Pool-Name := main_pool
Fall-Through = Yes

"testuser" Cleartext-Password := "123456789"

"teststatic" Cleartext-Password := "123456789"
Framed-IP-Address := 10.10.10.199,
Framed-IP-Netmask := 255.255.255.0

On the MikroTik I tried to set up the VPN using:
Code:
/ip ipsec peer> add address=6.7.8.9/32 auth-method=pre-shared-key-xauth secret=secret123 xauth-login=testuser xauth-password=123456789

Could someone advise me how to configure strongSwan to work as an IPsec VPN server for MikroTik clients?
I'd like to avoid certificates, but I don't like just a shared PSK password for everyone.

Isn't there some compromise, like PSK + a username and password on top? In MikroTik maybe secret + xauth-login + xauth-password?
I saw something similar in the Android VPN client "IPsec Xauth PSK" - which by the way also won't connect.

An L3 VPN is enough for me, so it seems unnecessary to use L2TP/IPsec.
The VPN will serve primarily for VoIP (SIP), so every layer that isn't there is a good thing. VoIP will have additional security, so I wouldn't be entirely afraid even of Xauth IKEv1, which I was so strongly warned against.
And the VPN must be UDP because of VoIP - otherwise I'd use OpenVPN, with which I have excellent experience - but MikroTik only supports it in TCP mode :-(
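
Added example (not part of the posts and not strongSwan's own code): a small Python triage of charon syslog lines of the kind shown in the posts above. It attributes events to a peer through the worker-thread number and separates IKEv2 exchanges (IKE_SA_INIT) from IKEv1 ones (ID_PROT). The sample lines are constructed from the log format on this page with documentation addresses; the finding codes and function names are this example's own.

```python
import re
from collections import Counter

# Exchange names as charon prints them; IKE_SA_INIT and ID_PROT occur in the logs above.
IKEV2_EXCHANGES = {"IKE_SA_INIT", "IKE_AUTH", "CREATE_CHILD_SA"}
IKEV1_EXCHANGES = {"ID_PROT", "AGGRESSIVE", "QUICK_MODE", "INFORMATIONAL_V1"}

IP = r"\d+(?:\.\d+){3}"  # assumption: IPv4 peers only, as in the posts
ENTRY = re.compile(r"(?:charon|ipsec\[\d+\]): (?P<thread>\d+)\[[A-Z]+\]\s+(?P<msg>.*)$")
RECEIVED = re.compile(rf"received packet: from (?P<peer>{IP})\[\d+\] to {IP}\[\d+\] \(\d+ bytes\)")
PARSED = re.compile(r"parsed (?P<exchange>\w+) request")
NO_CONFIG = re.compile(rf"no IKE config found for (?P<local>{IP})\.\.\.(?P<peer>{IP})")
BAD_ALGO = re.compile(r"algorithm '(?P<algo>[^']+)' not recognized")
BAD_PROPOSAL = re.compile(r"skipped invalid proposal string: (?P<proposal>\S+)")
DECRYPT_FAIL = "invalid ID_V1 payload length, decryption failed?"

# What each finding code (hypothetical names) suggests checking.
HINTS = {
    "exchange": "compare the IKE version with keyexchange= of the conn meant for this peer",
    "no_ike_config": "charon found no loaded conn for this address pair",
    "unknown_algorithm": "unrecognised algorithm keyword in an ike=/esp= proposal",
    "proposal_dropped": "this proposal was skipped when the config was loaded",
    "ikev1_decrypt_failed": "encrypted IKEv1 ID payload unreadable; with PSK authentication "
                            "the keys derive from the PSK, so a differing secret is a common cause",
}


def triage(lines):
    """Count findings keyed by (code, subject, detail). Counts are per log line."""
    peer_of_thread = {}  # worker thread number -> peer whose packet it is processing
    findings = Counter()
    for line in lines:
        entry = ENTRY.search(line)
        if not entry:
            continue
        thread, msg = entry["thread"], entry["msg"]
        # The worker thread logs the packet with its size, then the parse result.
        if m := RECEIVED.search(msg):
            peer_of_thread[thread] = m["peer"]
            continue
        peer = peer_of_thread.get(thread, "unknown")
        if m := PARSED.search(msg):
            exchange = m["exchange"]
            if exchange in IKEV2_EXCHANGES:
                version = "IKEv2"
            elif exchange in IKEV1_EXCHANGES:
                version = "IKEv1"
            else:
                version = "IKE?"
            findings[("exchange", peer, f"{version} {exchange}")] += 1
        elif m := NO_CONFIG.search(msg):
            findings[("no_ike_config", m["peer"], m["local"])] += 1
        elif m := BAD_ALGO.search(msg):
            findings[("unknown_algorithm", "config", m["algo"])] += 1
        elif m := BAD_PROPOSAL.search(msg):
            findings[("proposal_dropped", "config", m["proposal"])] += 1
        elif DECRYPT_FAIL in msg:
            findings[("ikev1_decrypt_failed", peer, "")] += 1
    return findings


def report(findings):
    """One readable line per finding, sorted for stable output."""
    return [f"{count}x {code} [{subject}] {detail} -> {HINTS[code]}"
            for (code, subject, detail), count in sorted(findings.items())]


# Constructed sample in the format of the logs above (192.0.2.10 = client, 198.51.100.20 = server).
SAMPLE = """\
Oct 19 18:13:51 vpn charon: 02[NET] received packet: from 192.0.2.10[4500] to 198.51.100.20[4500]
Oct 19 18:13:51 vpn charon: 08[NET] received packet: from 192.0.2.10[4500] to 198.51.100.20[4500] (440 bytes)
Oct 19 18:13:51 vpn charon: 08[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:13:51 vpn charon: 08[IKE] no IKE config found for 198.51.100.20...192.0.2.10, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] algorithm 'saha256' not recognized
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] skipped invalid proposal string: aes128-saha256-ecp256
Oct 31 15:27:41 vpn charon: 14[NET] received packet: from 192.0.2.10[500] to 198.51.100.20[500] (364 bytes)
Oct 31 15:27:41 vpn charon: 14[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 31 15:27:42 vpn charon: 16[NET] received packet: from 192.0.2.10[4500] to 198.51.100.20[4500] (76 bytes)
Oct 31 15:27:42 vpn charon: 16[ENC] invalid ID_V1 payload length, decryption failed?
"""

if __name__ == "__main__":
    for row in report(triage(SAMPLE.splitlines())):
        print(row)
```
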




86
Hi,
I need to play 4x H.264 video streams simultaneously, in FullHD, or if that isn't possible, HD is enough.
The video will be displayed on a connected HDMI monitor.

Is it realistic that an Intel NUC with a Celeron N3060 or Celeron J4005 could play that?
https://www.czc.cz/intel-nuc-kit-7cjyh/237517/produkt
https://www.czc.cz/intel-nuc-5cpyh/175170/produkt

I'm a bit worried about the integrated graphics. It can hardware-decode H.264, but I don't know whether that only applies to one stream.

How do, for example, Chinese security camera players handle it? Do they have special hardware for it?
But I can't use anything like that anyway.

So is it realistic that an ordinary Intel NUC around 3 000 Kc will be enough? Or what reasonably cheap PC can handle it?

Thanks.

87
Software / Re: Recommend an email ticket system
« on: 31. 07. 2018, 00:21:45 »
Thanks for the tip on Request tracker - I'll try it.

I have everyday experience with TeamWork Desk, so I can't help comparing everything to it.

If you quickly skip through the video at http://support.teamwork.com/desk/inboxes/inboxes-an-overview, I like a system like that. On the left I see the individual email mailboxes (as in Thunderbird) and after clicking on each of them I see folders (new/resolved/closed/spam/...).
I'll hardly find anything like that in open source...

88
Software / Recommend an e-mail ticket system
« on: 30. 07. 2018, 15:28:30 »
Hi,
I'm looking for an application for managing a larger volume of emails. 99% of what arrives will be generated mails from servers and various services. I'll reply to mails minimally.

I'd like something like:
- TeamWork Desk (https://www.teamwork.com/desk)
- HelpScout (https://www.helpscout.net/)

It should support multiple users and assigning mails among them, plus some API.

Ideally so that I can run it on my own server. Price matters to me. I don't feel like paying monthly fees per number of users.
Above all it must be possible to connect a larger number of mailboxes and easily distinguish between them - not have all mails together.
Preferably a web interface. I don't want a desktop application.

So far I've tried osTicket (http://osticket.com/) and compared with TeamWork Desk and HelpScout it's unusable.
I'm just about to try OTRS (https://otrs.com/).

Do you know any good program that would meet my requirements?

89
Server / Re: Web interface for syslog-ng
« on: 17. 06. 2018, 12:24:52 »
Currently https://www.graylog.org/ makes the most sense to me.
We have it on a lot of servers and are completely satisfied.

90
Development / Re: GPG - verifying signatures of variables instead of files
« on: 13. 05. 2018, 01:17:36 »
So I worked around the problem a bit and hereby declare it done:

Code:
# -u/--local-user does not select keys for --export; name the key so that only it is exported
gpg --export 896F4A1D > public.gpg
gpg -u 896F4A1D -a --clearsign --output test.sh.asc test.sh

# run the script only if gpg verified the signature; a failing script is not reported as a gpg error
if cmd=$(curl -s http://localhost:8080/test.sh.asc | gpg --no-default-keyring --keyring ./public.gpg --decrypt 2> /dev/null); then echo "$cmd" | bash; else echo "gpg_verify_error"; fi
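
Added example (not the poster's code): the same verify-before-run check in Python, for signed data held in memory rather than in a file. It reads gpg's machine-readable status lines on a separate descriptor and accepts the payload only if every valid signature comes from one pinned full fingerprint, since short key IDs like the one in the post can collide. The function names, the fingerprint and the status text are constructed for this example.

```python
import os
import subprocess

# Status keywords that mean a signature must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def signer_is_pinned(status_text, pinned_fpr):
    """True only if gpg reported at least one VALIDSIG, all of them from
    pinned_fpr, and no failed, expired or revoked signature."""
    pinned = pinned_fpr.replace(" ", "").upper()
    valid = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in REJECT:
            return False
        if keyword == "VALIDSIG" and args:
            # args[0]: fingerprint of the signing (sub)key,
            # args[-1]: fingerprint of its primary key when gpg reports it
            valid.append({args[0].upper(), args[-1].upper()})
    return bool(valid) and all(pinned in fprs for fprs in valid)


def verified_payload(signed, keyring, pinned_fpr):
    """Return the signed text from clearsigned bytes, or raise ValueError.
    Requires gpg on PATH; keyring is a file such as ./public.gpg from the post."""
    status_r, status_w = os.pipe()
    try:
        proc = subprocess.Popen(
            ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
             "--status-fd", str(status_w), "--decrypt"],
            stdin=subprocess.PIPE, stdout=subprocess.PIPE,
            stderr=subprocess.DEVNULL, pass_fds=(status_w,))
    except OSError:
        os.close(status_r)
        raise
    finally:
        os.close(status_w)  # the child keeps its own copy
    payload, _ = proc.communicate(signed)
    with os.fdopen(status_r, encoding="utf-8", errors="replace") as fh:
        status = fh.read()
    if proc.returncode != 0 or not signer_is_pinned(status, pinned_fpr):
        raise ValueError("gpg_verify_error")
    return payload  # only now hand it to an interpreter, as the post does with bash


# Constructed fingerprint and status output, for illustration only.
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer\n"
    f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2018-05-13 1526166000 0 4 0 1 8 01 {SAMPLE_FPR}\n"
)

if __name__ == "__main__":
    print(signer_is_pinned(SAMPLE_STATUS, SAMPLE_FPR))
```
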
