- By default strongswan enumerates all available transforms in the first IKE_SA_INIT. That can be too many, and some of them are not recognized by the Cisco SeGW, which then silently drops the message and never responds.
ike=aes128-sha1-prfsha1-modp1024,aes256-sha1-prfsha1-modp1024,3des-md5-prfmd5-modp1024,3des-sha1-prfsha1-modp1024,des-sha1-prfsha1-modp1
Cisco SeGW reports:
Too Many Transforms: 110
And dumping the packet at the Cisco side shows something like:
(........a lot of transforms.........)
Transform Header #39
Last (U08): Yes/0 (0x00)
Reserved (U08): 0
Transform Length (U16): 8 (0x8) bytes
Transform Type (U08): DHGROUP/4 (0x04)
Reserved (U08): 0
Transform ID (U16): UNKNOWN/30 (0x001E)
- By default MOBIKE is enabled in strongswan, but the Cisco SeGW does not support it. The tunnel comes up without any problem, but every ESP-encrypted packet that reaches the SeGW is "somehow" not recognized: for example, an encrypted ping request arrives at the SeGW but is dropped instead of being decrypted.
And on the strongswan PC, none of the encrypted pings from the SeGW are received.
FIX: Disabling MOBIKE fixes this issue.
3GPP specification: 32.593
LTE; Telecommunication management; Home enhanced Node B (HeNB) Operations, Administration, Maintenance and Provisioning (OAM&P); Procedure flows for Type 1 interface HeNB to HeNB Management System (HeMS) (3GPP TS 32.593 version 11.0.0 Release 11)
Atayal song of joy (泰雅族歡樂歌): Rimuy Sola Rimuy Yo
Ri muy so la ri muy yo
ri muy so la ri muy yo
ri muy so la ri muy yo
ya ba ya ya ya ki
p q(k)a sun(saw) ta ryax soni
p g(t)a sun(saw) ta
p q(k)a sun(saw) ta
(g)u tux ryan so ni
Freezing Your Code — The Hitchhiker's Guide to Python
How can I create a stand-alone binary from a Python script?
What is the Python freeze process? - Stack Overflow
30.1. imp — Access the import internals — Python 2.7.8 documentation
Freeze - Python Wiki
python/freeze.py at master · python-git/python · GitHub
[projects] Index of /python/trunk/Tools/freeze
ubuntu - Error in using Python freeze.py - Stack Overflow
- sudo apt-get install python2.7-examples
The one marked in red is the freeze.py we need.
dpkg -S freeze.py
- sudo ln -s /usr/lib/python2.7/config-x86_64-linux-gnu/ /usr/lib/python2.7/config
- python /usr/share/doc/python2.7/examples/Tools/freeze/freeze.py test.py
- If make finishes successfully, the executable binary is available at ./test.
cxfreeze script — cx_Freeze 5.0 documentation
Disk encryption - ArchWiki
dm-crypt/Encrypting an entire system - ArchWiki
Comparison of disk encryption software - Wikipedia, the free encyclopedia
3.2.4. LUKS Disk Encryption
How To Use DM-Crypt to Create an Encrypted Volume on an Ubuntu VPS | DigitalOcean
Busybox uses softlimit to set RLIMIT_CORE.
sysctl -w "kernel.core_pattern=/var/cores/%h-%e-%p.core"; mkdir /var/cores -p;
sysctl -w "kernel.core_pattern=/core";
sysctl -w "kernel.core_pattern=/tmp/core-%e-%s-%u-%g-%p-%t";
sysctl -w "kernel.core_uses_pid=1";
sysctl -w "fs.suid_dumpable=2";
mount -t tmpfs tmpfs /tmp;
softlimit -c 1048576 /mnt/app/test &
killall -11 test
kill -s SIGSEGV 8257
ls -al /var/cores
ls -al /tmp
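The sysctl lines above decide where a dump lands, and the three core_pattern variants behave differently (absolute path, relative path, %p or not, core_uses_pid). The following is an added example, not code from the page: it re-implements the core(5) template rules in Python so the effect of a pattern can be checked without crashing anything. The crash facts are constructed sample values (pid 8257 and signal 11 match the kill commands above), and the piped helper program is hypothetical.

```python
"""Work out where a core dump lands for a given kernel.core_pattern.

Added example, not code from the page: it re-implements the core(5)
template rules so the sysctl lines above can be checked offline.
The crash facts are constructed sample values.
"""
import os

# Constructed description of a crash. %e is the kernel's comm name, which is
# at most 15 characters, so the program name is truncated as the kernel does.
CRASH = {
    "pid": 8257, "global_pid": 8257, "tid": 8257, "global_tid": 8257,
    "uid": 1000, "gid": 1000, "signal": 11, "time": 1400000000,
    "hostname": "lab-box", "exe": "test", "exe_path": "/mnt/app/test",
    "core_limit": 1048576, "cwd": "/mnt/app",
}


def expand_core_pattern(pattern, crash, core_uses_pid=0):
    """Return ("pipe", command) or ("file", absolute_path) per core(5)."""
    if pattern.startswith("|"):
        # The dump is fed to a user-space helper; the helper, not the kernel,
        # decides where (or whether) it is stored. core_uses_pid is ignored.
        return "pipe", pattern[1:]
    subst = {
        "%": "%",
        "p": str(crash["pid"]),            # pid in the dumping process's namespace
        "P": str(crash["global_pid"]),     # pid in the initial namespace
        "i": str(crash["tid"]),
        "I": str(crash["global_tid"]),
        "u": str(crash["uid"]),
        "g": str(crash["gid"]),
        "s": str(crash["signal"]),
        "t": str(crash["time"]),           # seconds since the epoch
        "h": crash["hostname"],
        "e": crash["exe"][:15],            # comm, truncated to TASK_COMM_LEN-1
        "E": crash["exe_path"].replace("/", "!"),
        "c": str(crash["core_limit"]),     # RLIMIT_CORE soft limit
    }
    out, i, pid_used = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(pattern):
            break                                # trailing '%' is dropped
        spec = pattern[i + 1]
        if spec in subst:
            out.append(subst[spec])
            pid_used = pid_used or spec == "p"
        # '%' followed by an unknown character: both characters are dropped
        i += 2
    name = "".join(out)
    if core_uses_pid and not pid_used:
        name += "." + str(crash["pid"])          # kernel.core_uses_pid=1 rule
    if not name.startswith("/"):
        name = os.path.join(crash["cwd"], name)  # relative: crashing process's cwd
    return "file", name


def where_do_cores_go(core_uses_pid=1):
    """Evaluate the patterns used in the notes above plus a pipe pattern."""
    patterns = (
        "/var/cores/%h-%e-%p.core",
        "/core",
        "/tmp/core-%e-%s-%u-%g-%p-%t",
        "core",
        "|/usr/local/bin/core-helper %p %e",     # hypothetical helper program
    )
    return {p: expand_core_pattern(p, CRASH, core_uses_pid) for p in patterns}


if __name__ == "__main__":
    for pat, (kind, target) in where_do_cores_go().items():
        print("%-40s -> %s %s" % (pat, kind, target))
```

Two things worth noticing from the output: a bare "/core" with core_uses_pid=0 is overwritten by every crash on the box, and a relative pattern ends up in whatever directory the crashing process happened to be in, which is why the notes pair an absolute directory with mkdir -p.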
Linux Applications Debugging Techniques/Core files - Wikibooks, open books for an open world
HowTo: Debug Crashed Linux Application Core Files Like A Pro - nixCraft
core(5) - Linux manual page
How to: Enable/Generate/Debug Core Dump In Linux? » IT Sprite
linux - Who generate a core dump file? Kernel or glibc? - Stack Overflow
Linux: Understanding how much is malloc'ed in a coredump (Kevin Grigorenko's IBM WebSphere SWAT Blog)
kernel/git/torvalds/linux.git - Linux kernel source tree
coredump: make core dump functionality optional
How to handle SIGSEGV, but also generate a core dump - Alex on Linux
echo 1 > /proc/sys/kernel/sysrq #enable SysRq
echo c > /proc/sysrq-trigger #trigger Crash
Magic SysRq key - Wikipedia, the free encyclopedia
linux - core dump not generated - Stack Overflow
google-coredumper - A neat tool for creating GDB readable coredumps from multithreaded applications - Google Project Hosting
eCrash: Debugging without Core Dumps | Linux Journal
Embedded Crash Handler | Free software downloads at SourceForge.net
Documentation for Kdump - The kexec-based Crash Dumping Solution
[Ubuntu] Kernel Crash Dump
[Fedora] How to use kdump to debug kernel crashes - FedoraProject
[Red Hat] A quick overview of Linux kernel crash dump analysis
[Red Hat] Crash
Linux Kernel Crash Book
It's solved for me by setting it to non-zero:
sshd:"PASSWORD":1:0:99999:7:::
Or run the following every time after useradd or passwd:
sed -e 's/^\([^:]*:[^:]*:\)0:/\11:/' /etc/shadow -i
Is it because busybox passwd always updates the "last changed" field to 0?
No, it's because the system time is not set correctly.
/* "name:" + "new_passwd" + ":" + "change date" + ":rest of line" */
fprintf(new_fp, "%s%s:%u%s\n", name_colon, new_passwd,
        (unsigned)(time(NULL)) / (24*60*60), cp);
So if the system time is not set correctly, the "last changed" field is always 0 on the first day, and SSH keeps asking to change the password.
Using date to set the system time should fix this issue:
date -s 201401010000.00
This is not even busybox related. It can happen on any PC; it is just that a PC has a battery-backed RTC and rarely loses the time.
lib.uclibc.buildroot - Re: sshd always wants to change password - msg#00125 - Recent Discussion OSDir.com
> >Here is the entry from my shadow file:
> set the last changed field to non-null
Linux Password & Shadow File Formats
smithj:Ep6mckrOLChF.:10063:0:99999:7:::
As with the passwd file, each field in the shadow file is also separated with ":" colon characters, and are as follows:
- Username, up to 8 characters. Case-sensitive, usually all lowercase. A direct match to the username in the /etc/passwd file.
- Password, 13 character encrypted. A blank entry (eg. ::) indicates a password is not required to log in (usually a bad idea), and a ``*'' entry (eg. :*:) indicates the account has been disabled.
- The number of days (since January 1, 1970) since the password was last changed.
- The number of days before password may be changed (0 indicates it may be changed at any time)
- The number of days after which password must be changed (99999 indicates user can keep his or her password unchanged for many, many years)
- The number of days to warn user of an expiring password (7 for a full week)
- The number of days after password expires that account is disabled
- The number of days since January 1, 1970 that an account has been disabled
- A reserved field for possible future use
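A parser for the nine shadow fields listed above, together with the arithmetic behind the busybox passwd note earlier on this page (time(NULL) / 86400 is 0 for any clock still inside 1970-01-01) and the same repair the sed one-liner performs. This is an added example, not code from the page or from busybox; the shadow entries are constructed (the smithj line is the one quoted above) and the clock values are assumptions.

```python
"""Parse /etc/shadow lines and show how a wrong system clock makes busybox
passwd write 0 into the "last changed" field, how to spot it, and how to
repair it.

Added example, not code from the page or from busybox. The shadow entries
are constructed; the clock values are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

SECONDS_PER_DAY = 24 * 60 * 60


@dataclass
class ShadowEntry:
    """One /etc/shadow record; the nine fields in file order."""
    name: str
    password: str                 # hash, "" (no password), or "*"/"!" (locked)
    lastchg: Optional[int]        # days since 1970-01-01; 0 forces a change at next login
    mindays: Optional[int]
    maxdays: Optional[int]
    warndays: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]         # days since 1970-01-01 when the account expires
    reserved: str


def _days(field: str) -> Optional[int]:
    return int(field) if field != "" else None      # empty = aging field unset


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields: %r" % line)
    return ShadowEntry(fields[0], fields[1], _days(fields[2]), _days(fields[3]),
                       _days(fields[4]), _days(fields[5]), _days(fields[6]),
                       _days(fields[7]), fields[8])


def lastchg_for_clock(epoch_seconds: int) -> int:
    """What busybox passwd stores: time(NULL) / (24*60*60), truncated.
    Any clock still inside 1970-01-01 yields 0."""
    return epoch_seconds // SECONDS_PER_DAY


def forced_change_accounts(lines: List[str]) -> List[str]:
    """Names whose lastchg is 0, i.e. login/sshd will demand a new password."""
    return [e.name for e in map(parse_shadow_line, lines) if e.lastchg == 0]


def fix_zero_lastchg(line: str) -> str:
    """Same edit as the sed one-liner in the notes: a lastchg of 0 becomes 1."""
    fields = line.rstrip("\n").split(":")
    if len(fields) == 9 and fields[2] == "0":
        fields[2] = "1"
    return ":".join(fields)


# Constructed sample file: root's password was set while the clock was at the epoch.
SAMPLE_SHADOW = [
    "root:$1$constructed$hashvalue:0:0:99999:7:::",
    "sshd:$1$constructed$hashvalue:16071:0:99999:7:::",
    "smithj:Ep6mckrOLChF.:10063:0:99999:7:::",
]

if __name__ == "__main__":
    print("clock 1970-01-01 01:00 UTC ->", lastchg_for_clock(3600))
    print("clock 2014-01-01 00:00 UTC ->", lastchg_for_clock(1388534400))
    print("forced to change:", forced_change_accounts(SAMPLE_SHADOW))
    for line in SAMPLE_SHADOW:
        print(fix_zero_lastchg(line))
```

Setting the field to 1 only silences the forced change; the real fix is a correct clock (date -s, or NTP) before accounts are created, otherwise every later password change on that box inherits the same wrong value.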
Overnight stay at the aquarium (夜宿海生館): event introduction
[wiki] Certificate Management Protocol (CMP)
CMP patch for OpenSSL by Martin Peylo
(2008.02.26)Re: CMPV2 - ReadList.com
CMP patch for OpenSSL | Free Security & Utilities software downloads at SourceForge.net
An implementation of the Certificate Management Protocol (CMP) version 2, defined in RFC 4210, as a patch for OpenSSL. Long term goal is to provide an RFC compliant implementation and proof of concept client - and then offer it to the OpenSSL project
[wiki] Abstract Syntax Notation One (ASN.1)
compiler - what does it mean "compile asn.1"? - Stack Overflow
An ASN.1 specification describes messages that you would like to exchange with other machines. It does this in a manner that is independent of programming language or computer architecture. This means that to use the ASN.1 specification, a tool is needed to "compile" that ASN.1 specification, checking for syntax errors and some kinds of semantic errors before generating code for your target machine architecture in your target programming language to encode and decode the messages from the ASN.1 specification. Note that ASN.1 compilers generate C structures, Java classes, or C++ classes in addition to generating code for encoding and decoding messages based on the generated structures.
ASN.1 Playground: free online compiler, encoder/decoder
There is an excellent place to see and play with this process without dealing with actual generated code. There is an online ASN.1 compiler and runtime engine at http://asn1-playground.oss.com where you can compile ASN.1 specifications and encode/decode messages without writing any code in a target programming language.
asn1c: Lev Walkin → ASN.1 Exposed
OSS Nokalva, Inc. — ASN.1 - Download Free Trial
Sources for Time Zone and Daylight Saving Time Data
Olson database of timezones in posix.1 format
Zoneinfo contains historic and future timezone information and is not limited to two offset values each year, or to algorithmic rules for deciding when to change, which is why you can only substitute Posix format code over limited time periods where those assumptions are valid. If you want to enumerate all the possible timezone codes used by the Olson package, you should look at the source code for the rules. Even if you don't have the source of the tables (which is free to download), you can use zdump to enumerate all the changes for a particular file.
POSIX and Olson time zone formats
AIX Health Check - Olson time zone support
One of the biggest advantages is that Olson database maintains a historical record of what the time zone rules were at given points in time, so that if the rules change in a particular location, dates and times can be interpreted correctly both in the present and past. A good example of this is the US state of Indiana, which just began using daylight saving time in the year 2006. Under the POSIX implementation, Indiana would have to set its time zone value to EST5EDT, which would format current dates correctly using daylight saving time, but would also format times from previous years as though they were on daylight saving time, which is incorrect. Use of the ICU API set for time zones also allows for localized display names for time zones. For example, Central Daylight Saving Time would have an abbreviation of CDT for all locales under a POSIX implementation, but under ICU/Olson, it displays properly as HAC (Heure Avancée du Centre) in a French locale.
tz database - Wikipedia, the free encyclopedia
time - organization of zoneinfo folder - Ask Ubuntu
dpkg - How do I change my timezone to UTC/GMT? - Ask Ubuntu
If you install the tzdata source package, you will find all your answers:
sudo apt-get install apt-src
mkdir tzdata && cd tzdata
apt-src install tzdata
posix and right:
Two different versions are provided:
- The "posix" version is based on the Coordinated Universal Time (UTC).
- The "right" version is based on the International Atomic Time (TAI), and it includes the leap seconds.
Etc:
These entries are mostly present for historical reasons, so that people in areas not otherwise covered by the tz files could "zic -l" to a time zone that was right for their area. These days, the tz files cover almost all the inhabited world, and the only practical need now for the entries that are not on UTC are for ships at sea that cannot use POSIX TZ settings.
EST5EDT, ...:
GB, GB-Eire, GMT, GMT+0, GMT-0, GMT0, NZ, NZ-CHAT, PRC, ROC, ROK, UCT, UTC are there because the time zone names changed:
This file provides links between current names for time zones and their old names. Many names changed in late 1993.
CET, CST6CDT, EET, EST, EST5EDT, HST, MET, MST, MST7MDT, PST8PDT, WET are there for backwards compatibility.
From Arthur David Olson, 2005-12-19 We generate the files specified below to guard against old files with obsolete information being left in the time zone binary directory. We limit the list to names that have appeared in previous versions of this time zone package. We do these as separate Zones rather than as Links to avoid problems if a particular place changes whether it observes DST. We put these specifications here in the northamerica file both to increase the chances that they'll actually get compiled and to avoid the need to duplicate the US rules in another file.
How to change timezone on Linux server? | Linux cPanel WebHosting Blog
$ date
Wed Jul 16 22:52:47 EDT 2014
$ cat /etc/timezone
America/New_York
$ sudo dpkg-reconfigure tzdata
$ service cron stop && service cron start
UbuntuTime - Changing the Time Zone
root@admin[~]#date
Wed Nov 11 19:30:29 EST 2009
For example we are changing time zone from EST to GMT.
root@admin[~]#ln -sf /usr/share/zoneinfo/GMT /etc/localtime
linux - Does NTP daemon set the host timezone? - Server Fault
NTP does not handle time zones. All time data handled by NTP is in UTC; your local time zone setting determines the offset from there.
How time zones are handled with NTP?
NTP does not recognize time zones; instead it manages all time information based on UTC. In general the handling of time zones is a job of a computer's operating system. Under Windows, Linux and FreeBSD the system clock is based on UTC; the configured local time zone is only applied when a time information has to be displayed somewhere. Example: If you configure Windows to use your local time zone, the system clock continues using UTC time. Only when the date/time is shown (e.g. in a clock application) will it be transformed from UTC into the locally configured timezone.
Install | ownCloud.org
Manual Installation — ownCloud Administrators Manual 7.0 documentation
How QoS is managed in LTE system | beyond3g
Quality of Service Overview - Technical Documentation - Support - Juniper Networks
- On the radio interface
- Radio bearer control
- Admission control
- Congestion control
- On the transport (backhaul)
- Mapping DSCP with P-bit in VLAN
Quality of Service (QoS) and Policy Management in Mobile Data Networks
3GPP TR 29.839: Home (e)Node B - security gateway interface (Release 11)
QCI | 4G University
5.2 H(e)NB procedures
5.2.1 General
The H(e)NB shall support DSCP marking on the IPsec header when forwarding the UE uplink traffic. Based on H(e)NB configuration either the QCI mapping or the Reflective QoS may be used.
5.2.2 QCI mapping
The QCI mapping table contains a one-to-one mapping from QCI value to DSCP marking value. The QCI mapping table is configured in the H(e)NB by the operator.
Do we have DSCP marking on the outer IP header (the one above GTP) and how do they look? What specifications relate to this topic?
how QCI map to the DSCP ??? And DSCP mapping table will be made in router ?? | LinkedIn
Specifications that relate to the S1 interface (also touching the QoS aspects) are TS 36.410, TS 36.411, TS 36.412, TS 36.413 and TS 36.414.
The technical specification TS 36.414 section 5.4 Diffserv code point marking says:
“IP Differentiated Services code point marking  shall be supported. The mapping between traffic categories and Diffserv code points shall be configurable by O&M based on QoS Class Identifier (QCI) Characteristics and others E-UTRAN traffic parameters. Traffic categories are implementation-specific and may be determined from the application parameters”
which means, that there is DSCP marking, but it is defined by a specific implementation.
The SGW, PGW, and eNB all contain QCI to DSCP markings. During bearer setup, the QCI values are communicated from the HSS/PCRF to the PGW, SGW, & eNB. The adjacent routers need only to enforce the DSCP markings set by the EPC elements.
QCI-to-DSCP mapping cannot be fixed by the 3GPP standard as it depends on transmission network design. Transmission equipment must prioritize the IP packets according to the service they are carrying, so the mapping must be configured according to the TX network.
| QCI | DSCP | Example 3GPP service |
|-----|------|----------------------|
| 1 | EF | conversational voice |
| 2 | EF | conversational video |
| 3 | EF | real-time gaming |
| 4 | AF41 | buffered streaming |
| 5 | AF31 | IMS signaling |
| 6 | AF31 | buffered streaming |
| 7 | AF21 | interactive gaming |
| 8 | AF11 | web access |
| 9 | BE | e-mail |
DSCP is a field in the IP header; QCI is an end-to-end parameter mapped in each part of the network to different parameters or groups of parameters (in the radio interface, transmission network, ...). DSCP value mapping to QCI is a mapping for prioritizing bearers in the transmission network and can be (and will be) done on P-GW, S-GW and eNB: the mapping which you configure on the eNB will take place in the up-link: when the eNodeB has to transmit an IP packet which carries a GTP packet corresponding to a bearer with QCI 7, the eNB will add the DSCP value which (according to what you have configured on the eNB) corresponds to QCI 7 in the IP header of that IP packet. It is important to emphasize that the eNB itself, when it receives a down-link packet, does not care about the received DSCP in the IP header (placed by the S-GW); the eNB does not compare the received DSCP with the DSCP configured on the eNB for that QCI - moreover, those 2 DSCP values (for UL and DL) can be different, depending on the transmission network. What you configure on the S-GW for S1 will take place on the S1 down-link in the same way as described for the eNB... And analogously for other cases...
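The example table above names PHBs (EF, AF41, ...), but what an eNB or S-GW actually writes into the outer IP header is a 6-bit code point in the top of the TOS/Traffic Class byte. The following is an added example, not code from the page: it turns the quoted QCI table into those numeric values using the RFC 2474/2597/3246 naming rules (EF = 46, AFxy = 8x + 2y, CSx = 8x, BE = 0) and classifies received markings back to PHB names, which is what you need when checking on the S1/X2 wire whether the up-link and down-link markings really are what the two ends were configured with. The QCI table itself is one operator's choice, as the thread notes, not a 3GPP mandate.

```python
"""Turn a QCI-to-DSCP table into the numeric code points and TOS/Traffic
Class bytes written into the outer IP header, and classify received
markings back to PHB names.

Added example, not code from the page. QCI_TO_PHB is the example table
quoted above; the PHB-to-codepoint rules are RFC 2474/2597/3246.
"""
import re

QCI_TO_PHB = {1: "EF", 2: "EF", 3: "EF", 4: "AF41", 5: "AF31",
              6: "AF31", 7: "AF21", 8: "AF11", 9: "BE"}

_AF_RE = re.compile(r"^AF([1-4])([1-3])$")
_CS_RE = re.compile(r"^CS([0-7])$")


def phb_to_dscp(phb: str) -> int:
    """PHB name -> 6-bit DSCP value."""
    if phb in ("BE", "DF", "CS0"):
        return 0
    if phb == "EF":
        return 46
    m = _AF_RE.match(phb)
    if m:                                   # AFxy: class x, drop precedence y
        return 8 * int(m.group(1)) + 2 * int(m.group(2))
    m = _CS_RE.match(phb)
    if m:                                   # class selector, IP-precedence compatible
        return 8 * int(m.group(1))
    raise ValueError("unknown PHB name: %s" % phb)


def dscp_to_phb(dscp: int) -> str:
    """6-bit DSCP value -> PHB name (to check what a peer actually marked)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    if dscp == 46:
        return "EF"
    cls, rem = divmod(dscp, 8)
    if rem == 0:
        return "BE" if cls == 0 else "CS%d" % cls
    if 1 <= cls <= 4 and rem in (2, 4, 6):
        return "AF%d%d" % (cls, rem // 2)
    return "unassigned(%d)" % dscp


def dscp_to_tos(dscp: int) -> int:
    """DSCP sits in the top 6 bits of the TOS / Traffic Class byte; the low
    two bits are ECN and are left at 0 here."""
    return dscp << 2


def tos_to_dscp(tos: int) -> int:
    """Strip the ECN bits off a received TOS / Traffic Class byte."""
    return (tos >> 2) & 0x3F


def qci_marking(qci: int, table=QCI_TO_PHB) -> dict:
    """Everything a node needs to mark one bearer's outer header."""
    phb = table[qci]
    dscp = phb_to_dscp(phb)
    return {"qci": qci, "phb": phb, "dscp": dscp, "tos": dscp_to_tos(dscp)}


def marking_table(table=QCI_TO_PHB) -> list:
    return [qci_marking(q, table) for q in sorted(table)]


if __name__ == "__main__":
    for row in marking_table():
        print("QCI %d -> %-4s DSCP %2d  TOS byte 0x%02x"
              % (row["qci"], row["phb"], row["dscp"], row["tos"]))
    # A captured packet with TOS byte 0xB8 was marked EF by its sender.
    print(dscp_to_phb(tos_to_dscp(0xB8)))
```

The inner GTP/IP header and the outer IPsec or GTP transport header carry separate DSCP fields; when comparing a capture against the configured table, read the outer one, since that is the only marking the transport routers act on.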
QoS and IPSec interactions | CCIE, the beginning!
Enterprise QoS Solution Reference Network Design Guide - IPSec VPN QoS Design [Design Zone for IPv6] - Cisco
Feature #166: DSCP config in StrongSwan
strongSwan does not provide DSCP specific functionality but the DSCP example in our test suite might give you an idea how to configure it using iptables and XFRM marks.
Test ikev2/net2net-psk-dscp
[strongSwan] DSCP support in new version of strongswan
Check the left/right subnet and proto settings.
Check ike=XXX and esp=XXX.
libopenikev2: openikev2::Payload_NOTIFY Class Reference
- UNSUPPORTED_CRITICAL_PAYLOAD: Unsupported critical payload.
- INVALID_IKE_SPI: Invalid IKE SPI.
- INVALID_MAJOR_VERSION: Invalid Major Version.
- INVALID_SYNTAX: Invalid syntax.
- INVALID_MESSAGE_ID: Invalid message ID.
- INVALID_SPI: Invalid SPI.
- NO_PROPOSAL_CHOSEN: No proposal chosen.
- INVALID_KE_PAYLOAD: Invalid KE payload.
- AUTHENTICATION_FAILED: Authentication failed.
- SINGLE_PAIR_REQUIRED: Single pair required.
- NO_ADDITIONAL_SAS: No additional SAs.
- INTERNAL_ADDRESS_FAILURE: Internal address failure.
- FAILED_CP_REQUIRED: Failed Configuration Payload required.
- TS_UNACCEPTABLE: Traffic selector unacceptable.
- INVALID_SELECTORS: Invalid selectors.
- INITIAL_CONTACT: Initial contact.
- SET_WINDOW_SIZE: Set window size.
- ADDITIONAL_TS_POSSIBLE: Additional Traffic selector possible.
- IPCOMP_SUPPORTED: IPcomp supported.
- NAT_DETECTION_SOURCE_IP: NAT detection source ip.
- NAT_DETECTION_DESTINATION_IP: NAT detection destination ip.
- COOKIE: Cookie.
- USE_TRANSPORT_MODE: Use transport mode.
- HTTP_CERT_LOOKUP_SUPPORTED: HTTP certificate lookup supported.
- REKEY_SA: Rekey SA.
- ESP_TFC_PADDING_NOT_SUPPORTED: ESP TFC padding not supported.
- NON_FIRST_FRAGMENT_ALSO: Non first fragment also.
Stuff: GRE over IPSec tunnels between Cisco and Linux (openswan)
leftprotoport=47 #match the GRE traffic, this line is very important
rightprotoport=47 #match the GRE traffic
11 Network Domain Control Plane protection
The protection of IP based control plane signalling for EPS and E-UTRAN shall be done according to TS 33.210.
NOTE 1: In case control plane interfaces are trusted (e.g. physically protected), there is no need to use protection according to TS 33.210.
In order to protect the S1 and X2 control plane, it is required to implement IPSec ESP according to RFC 4303 as specified by TS 33.210. For both S1-MME and X2-C, IKEv2 certificates based authentication according to TS 33.310 shall be implemented. For S1-MME and X2-C, tunnel mode IPSec is mandatory to implement on the eNB. On the core network side a SEG may be used to terminate the IPSec tunnel.
Transport mode IPSec is optional for implementation on the X2-C and S1-MME.
NOTE 2: Transport mode can be used for reducing the protocol overhead added by IPSec.
12 Backhaul link user plane protection
The protection of user plane data between the eNB and the UE by user specific security associations is covered by clause 5.1.3 and 5.1.4.
In order to protect the S1 and X2 user plane as required by clause 5.3.4, it is required to implement IPSec ESP according to RFC 4303 as profiled by TS 33.210, with confidentiality, integrity and replay protection.
On the X2-U and S1-U, transport mode IPSec is optional for implementation.
Tunnel mode IPSec is mandatory to implement on the eNB for X2-U and S1-U. On the core network side a SEG may be used to terminate the IPSec tunnel.
For both S1 and X2 user plane, IKEv2 with certificates based authentication shall be implemented. The certificates shall be implemented according to the profile described by TS 33.310. IKEv2 shall be implemented conforming to the IKEv2 profile described in TS 33.310.
NOTE 2: In case S1 and X2 user plane interfaces are trusted (e.g. physically protected), the use of IPSec/IKEv2 based protection is not needed.
For the X2 interface, we could:
- Set up an eNB-to-eNB IPSec transport link
- Send eNB-to-eNB traffic via the SecGW
The following suggest method 2:
LTE transport network security
Radio-to-core protection in LTE
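An added ipsec.conf sketch (not from the page and not the strongSwan project's own example) that ties the Cisco SeGW interop notes at the top of this page (send one explicit proposal instead of the whole default list, turn MOBIKE off) to the two X2 options just listed: one conn protects X2 traffic directly between two eNBs in transport mode, the other sends it through the SEG in tunnel mode. Addresses, subnets, certificate names, identities and the chosen proposals are assumptions; the '!' suffix on ike=/esp= is strongSwan's strict marker, which makes it offer only that proposal.

```ini
# Added example ipsec.conf for an eNB; all addresses, subnets, IDs and
# certificate names below are assumptions.
config setup

conn %default
    keyexchange=ikev2
    # One explicit proposal, strict ('!'): the peer never sees the long
    # default list that the Cisco SeGW in the notes above rejected with
    # "Too Many Transforms", and unknown DH groups are never offered.
    ike=aes128-sha256-modp2048!
    esp=aes128-sha256!
    # The SeGW in the notes does not support MOBIKE; with it left on the
    # tunnel came up but ESP was silently dropped.
    mobike=no
    # Certificate-based IKEv2 authentication as TS 33.310 requires.
    leftauth=pubkey
    rightauth=pubkey
    leftcert=enb1Cert.pem
    leftid="C=XX, O=Operator, CN=enb1.example"

# Option 1: X2 directly eNB-to-eNB in transport mode (optional to implement
# per TS 33.401 clause 11/12); only the IP payload is protected, no extra
# outer header. Policy is installed immediately, SA comes up on first packet.
conn x2-enb2-transport
    type=transport
    left=192.0.2.10
    right=192.0.2.20
    rightid="C=XX, O=Operator, CN=enb2.example"
    auto=route

# Option 2: X2 traffic hairpinned through the SEG in tunnel mode (mandatory
# to implement on the eNB). The SEG's selector covers the other eNBs it
# fronts; keep it disjoint from any peer handled by a transport conn, or the
# two policies will overlap.
conn x2-via-seg
    type=tunnel
    left=192.0.2.10
    leftsubnet=192.0.2.10/32
    right=198.51.100.1
    rightid="C=XX, O=Operator, CN=seg.example"
    rightsubnet=10.10.0.0/16
    auto=start
```

With these settings, a NO_PROPOSAL_CHOSEN from the peer points at the ike=/esp= lines, and TS_UNACCEPTABLE at the leftsubnet/rightsubnet selectors, which is the check the two one-line notes above ("check ike=XXX and esp=XXX", "check left/right subnet") refer to.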