Basically it provides a layer of security and privacy for most TCP based applications, like IM, web browsing, etc, even DNS requests are passed through Tor. Most importantly, it provides you with access to sites that are filtered off by your ISP transparent proxies.

Tor allows your traffic to be re-route all around the internet anonymously via a complex network of virtual tunnels. An overview of Tor can be found here and a detailed FAQ on Onion Routers here.

My blog entry today is: how to enable your JanusVM to work in a corporate network whereby your firewall blocks most of the outgoing ports except http and https.

You can tell Tor to only use the ports that your firewall permits by adding the following to your torrc configuration file.

FascistFirewall 1

ReachableDirAddresses *:80
ReachableORAddresses *:443

Update:

The latest beta version of Tor uses the following instead of the above

ReachableAddresses *:80

I was configuring a Lan-to-Lan VPN between 2 Cisco ASA5510. After going through the wizard, I actually changed the Group Tunnel Name to a more meaningful name rather than just ip address. Didn’t realise the impact till I can’t get the stupid tunnel up.

I did a debug crypto isakmp 255 and it starts throws out every damn low level stuff at me after i entered “terminal monitor”…
After going through the debug logs, I realised that isakmp fails as the group name is invalid. On that actual debug statement, it stated the group name is the ip address of my vpn peer.

Now that’s weird. I remembered in PIX 6.0, the syntax for creating the tunnel is crypto map tunnel-name, where the name doesn’t *MATTERS*. So I checked the configuration guide for ASA 7.0.

“Tunnel group name: Both remote access and LAN-to-LAN clients select a tunnel group by its
name, as follows:
- For IPSec clients that use preshared keys to authenticate, the tunnel group name is the same as
the group name that the IPSec client passes to the security appliance.”

So I configured tunnel-group type ipsec-l2l.

Viola… a wasted morning.

I have a server connecting to the PIX DMZ interface with the IP of 172.17.1.1. This server is translated to an Inside IP 10.1.1.1 and to an Outside internet routable IP.

When VPN users connect from outside, they want to access the DMZ server via the 10.1.1.1 IP not the 172 IP.

They are able to connect to any host on the inside but unable to connect to the translated IP.

This is the static statement.
static (dmz,inside) 10.1.1.1 172.17.1.1 netmask 255.255.255.255

My Networks
Inside : 10.1.1.0/24
DMZ : 172.17.1.0/24
VPN Pool : 192.168.0.0/24

I posted this question at Cisco NetPro forum, and I got this reply,

“static (dmz,inside) 10.1.1.1 172.17.1.1 netmask 255.255.255.255

as the command sugguested, the translation is between the dmz and the inside interfaces. it only works when the packet originated from the inside, not the vpn clinet from the outside.”

So I concluded that the VPN clients are connecting from the outside interface and the static command i used is only for host on the inside interface.

I still wondering is there a way of writing my ACL, traffic from outside to dmz have a different translation but I have already translated dmz to outside with another static command. So… help?

Guess what.. PDM won’t work with the above commands. The error I got was: “PDM do not support multiple uses of access list”

oohh.. man. I created the same ACL again but with another name and use it for the crypto.

Tricky things uncovered.
According to the documentation provided on how the L2TP is to be configured:

vpdn enable

!

vpdn-group 1
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname BB-GGSN1
local name CPE-L2TP-Router
l2tp tunnel password 0 secret
!

interface Virtual-Template1
ip unnumbered FastEthernet0
peer default ip address pool l2tp-pool01
ppp authentication pap
!

ip local pool l2tp-pool01 10.9.2.201 10.9.2.220

For the curious souls like me, how the hell the router knows who’s BB-GGSN1.. so I added:

ip host BB-GGSN2 202.x.x.x2
ip host BB-GGSN1 202.x.x.x1

So the router is done but I still wondering, who’s going to auth all PAP request ?

PIX as follows:

access-list 90 permit ip host 203.x.x.x host 202.x.x.x6
nat (inside) 0 access-list 90
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set transformset-strong esp-3des esp-sha-hmac
crypto ipsec transform-set transformset-strong mode transport
crypto dynamic-map dyna 20 match address 90
crypto dynamic-map dyna 20 set transform-set transformset-strong
crypto map site-map 10 ipsec-isakmp dynamic dyna
crypto map site-map interface outside
isakmp enable outside
isakmp key ******** address 202.x.x.x6 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

The tunnel just don’t get up.

I did a debug.
debug crypto ipsec
debug crypto isakmp

The debug shows proxy identities mis-matched, the error code is IKMP_ERR_NO_RETRANS
I poke around with the error and change my access-list address. So I realised I had a typo and it causes the SA negotiation to fail.

access-list 90 permit ip host 203.X.X.X host 202.X.X.X1
access-list 90 permit ip host 203.X.X.X host 202.X.X.X2

This ACL not only tells what traffic needed to be protected by IPSec but somehow it identify the peers on both side of the tunnel’s end point. I have to read up on this as this is kind of new to me. Usually site to site configuration always have both network address for the ACL.

So far, the tunnel seems to be up. I have yet to test the VPN tunnels as the user can’t seems to access the provider’s network at this moment.

Both the show statement shows positive results.
show crypto ipsec sa
show crypto isakmp sa

I’m still curious, I didn’t configured any radius server to auth the PAP users.

This is my first post for documentation.
Lengthy.

Useful Links
Cisco Explaination on L2TP

Cisco Guide to Configuring Site to Site IPSec for PIX