Missing sounds in Asterisk

Written late in the afternoon in English

The latest odd fix for Asterisk after an upgrade (11.13.0~dfsg-1~bpo70+1):

cd /usr/share/asterisk/sounds && ln -s en_US_f_Allison en

I don’t know when this broke. I found out because calling voicemail would fail (due to a missing password prompt sound file).

No VRF-awareness for NAT with DHCP interfaces?

Written in the mid-afternoon in English

I would like to forward SSH from my cable modem interface to an internal box in a different VRF, but this for some reason is only possible using static IP addresses. The global IP address in the NAT statement must be a static one to be able to also include a VRF reference.

This is what I would like to add:

ip nat source static tcp 10.0.0.11 22 interface Vlan6 22 vrf private extendable

However, neither “vrf” nor “extendable” is allowed after “interface” has been entered.

Yet, if Vlan6 has the IP address 192.0.2.123 from DHCP, I can add the following static NAT entry and it works as one would expect:

ip nat source static tcp 10.0.0.11 22 192.0.2.123 22 vrf private extendable

I don’t see why it wouldn’t be possible to add the VRF to an entry that uses an interface reference for the global IP address. (more…)

L2TP over IPsec on Cisco IOS

Written in the mid-afternoon in English

I wanted to use the OS X VPN client to connect to my home network while on the road. I guess using an OS X server would be the easiest way to get a Mac-compatible VPN server up and running. Using a Cisco running IOS required quite a few lines of configuration.

The OS X VPN client provides terrible feedback. It will happily tell you that there was “no response from the VPN server” when in reality the server responds with a rejection of all the ISAKMP or IPsec transforms proposed by the client. Fortunately both the Cisco debugging messages and verbose output from tcpdump were quite helpful.

In about 3 hours I got it all working, including routing with other VRFs and DMVPN sites. (more…)

»
I was blaming the hotel Wi-Fi for FaceTime getting stuck on “Connecting” and never completing calls. Now I’m guessing FaceTime just doesn’t handle changing phone numbers gracefully. It is the only “change” I can think of that has happened recently. Curiously I’ve only had trouble on iOS. Turning FaceTime off and back on (in Settings > FaceTime) fixed it for me.
»
Make window washing easier: wipe off most of the dirt with paper towels first. (more…)
»
Nginx version 1.6.2 is now available in pkgsrc as www/nginx. Addresses an SSL session reuse vulnerability (CVE-2014-3616). Enjoy!

SHA-256 SSL certificates

Written late in the morning in English

The technical details of an SSL certificate are up to the issuing CA, which is understandable. I was still surprised when my SHA-256 CSR resulted in a SHA-1 certificate back in April, when reissuing it due to Heartbleed. But I didn’t pursue it at the time.

Now that Google announced sunsetting SHA-1-signed certificates by the end of the year, the issue became more pressing. Fortunately instructions for reissuing GeoTrust-based certificates — such as the RapidSSLonline ones — were already available. (more…)

»
Net::INET6Glue version 0.6.2 is now available in pkgsrc as net/p5-Net-INET6Glue. Patched to avoid warnings with the default Perl version 5.20. Enjoy!
»
WordPress 4.0 “Benny” is out!
»
Moving a photo library to a new computer is easy with Picasa. It even does the right thing with the folder naming in Windows 7 vs. Vista (“Pictures” vs. “My Pictures”).