Goodnight Kodak… 

Filed under: General, Photography on Sunday, February 19th, 2012 by Brian | No Comments

It has been widely reported that Kodak is going to exit the camera, camcorder and digital frame business.  I’ve long ago moved to my Nikon DSLR and have not used a Kodak brand camera for a number of years.  I didn’t think much of Kodak’s demise because it was just another example of a thriving company unable to adapt to the changing world of technology.  (See also RIM, newspapers and the recording industry.)

It wasn’t until I was brushing my teeth the other day that I was reminded of that quality product Kodak made, especially in the digital world.  I was once the proud owner of a Kodak DC290 digital camera.  This thing was a hulk and at 2.1 megapixels, my camera phone has a higher resolution.  But, that didn’t stop it from taking some damn good pictures.  It is a shame such a grand company is going down in flames in such a spectacular way.  I was never much of a film photographer.  I owned my share of the cameras, but my skills could never justify the cost of developing and I quickly lost interest.  With digital, the devices were able to make my mediocre shots look great and throwing away the hundreds of junk shots for the nice ones was cheap and easy.  The Kodak DC290 did an excellent job of this.

Why was I reminded of this while brushing my teeth?  Because two of my favorite pictures ever taken, shown below, were taken with the DC290.  They currently hang in my bathroom and I get to look at them every day.  I took them while on a trip to San Francisco, driving north on the Pacific Coast Highway.  I stopped to stretch my legs on the side of the road and this is the beauty that awaited me.

It is likely that Kodak will become a bankrupt patent holding company, suing other companies that were able to survive and prosper in this digital age, into oblivion.  I’ll still browse through my old shots taken with my DC290 and remember with fondness the pictures it took.

Cisco Router to Checkpoint FW-1 — IPSEC VPN Headaches with Supernetting 

Filed under: Checkpoint on Wednesday, February 1st, 2012 by Brian | No Comments

I set up quite a few IPSEC site-to-site VPNs.  Hundreds maybe.  Most go fine.  10 minutes on the line, bing, bam boom, we have a working IPSEC tunnel.

My company uses Cisco router/ASRs for our termination points for IPSEC VPNs.  We also have Checkpoint firewalls doing the filtering.  Why the separation?  Because we love a good headache.

My biggest headache comes from when a third party is using a Checkpoint firewall as the VPN termination point and I am using my Cisco router.  Checkpoint firewalls, often by default, will super-net the encryption domain.  So, while I might be using a /32 host ACL on my Cisco, the Checkpoint is sending a /24 or larger ACL.  This does not play well in Cisco land and Phase 2 usually fails.

The hard part with this is figuring out this is happening, because it’s not obvious.  What I have found is turning on a single debug command makes all the difference in the world.

debug crypto ipsec

This shows all kinds of nasty IPSEC messages when a tunnel is negotiating.  You try finding the error on a box that has 75 tunnels terminating on it.  It is not easy! But, as the debug messages are scrolling by, one little entry can give you all the help you need:

Feb 1 17:20:39: Crypto mapdb : proxy_match
src addr : 142.184.211.75
dst addr : 121.98.112.0/25
protocol : 0
src port : 0
dst port : 0

On this particular tunnel (IPs changed to protect the innocent) the third party was supposed to be NATing behind a /32 address on the 121.98.112.0 network.  But, his Checkpoint box was super-netting behind the /25 network.  Bad Checkpoint.

I was able to pick it up from that debug message and let him know to change his config.  Five minutes later, IPSEC tunnel was up, Phase 1 and Phase 2 setup and communication was clean.
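The check described in this post can be run over captured debug output instead of watching it scroll by. The following is an added example, not code from the original post: it parses `proxy_match` entries in the format shown above and flags any peer proposal that is wider than the expected selector. The expected /32 host `121.98.112.10` and the second sample entry are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in the format shown in the post (the post's already
# anonymised addresses); the second entry is an invented matching case.
SAMPLE_DEBUG = """\
Feb 1 17:20:39: Crypto mapdb : proxy_match
src addr : 142.184.211.75
dst addr : 121.98.112.0/25
protocol : 0
src port : 0
dst port : 0
Feb 1 17:20:41: Crypto mapdb : proxy_match
src addr : 142.184.211.75
dst addr : 121.98.112.10
protocol : 0
src port : 0
dst port : 0
"""

# Assumed crypto ACL on the router: (src selector, dst selector) pairs.
EXPECTED = [("142.184.211.75/32", "121.98.112.10/32")]

ENTRY = re.compile(r"proxy_match\s+src addr\s*:\s*(\S+)\s+dst addr\s*:\s*(\S+)")

def net(text):
    # A bare address in the debug output is treated as a /32 host selector.
    return ipaddress.ip_network(text, strict=False)

def audit(debug_text, expected=EXPECTED):
    """Classify each proxy_match entry as 'match', 'supernet' or 'unknown'."""
    results = []
    for src, dst in ENTRY.findall(debug_text):
        offered = (net(src), net(dst))
        verdict = "unknown"
        for want_src, want_dst in expected:
            want = (net(want_src), net(want_dst))
            if offered == want:
                verdict = "match"
                break
            # Peer proposes a wider network that contains our selector.
            if all(w.subnet_of(o) for w, o in zip(want, offered)):
                verdict = "supernet"
        results.append((str(offered[0]), str(offered[1]), verdict))
    return results

if __name__ == "__main__":
    for src, dst, verdict in audit(SAMPLE_DEBUG):
        print(f"{src} -> {dst}: {verdict}")
```

A `supernet` verdict is the case from the post: the peer's encryption domain covers the configured host but does not equal it, so Phase 2 will not match the crypto ACL.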

 

Porsche Boxster Alternator Replacement 

Filed under: Boxster, Technical on Tuesday, October 11th, 2011 by Brian | No Comments

The alternator died on the Boxster so I decided to tackle this project myself.  I have never done a major repair to any of my cars, but figured I’d give the alternator replacement a try.  All of the articles on the internet and in my tech manual made it look pretty easy, so what the hell?

I decided to document the project via a video, so here it is:

Here are the links to the references:
http://bit.ly/oUWGHp
http://amzn.to/nfNmtg

PTY allocation request failed 

Filed under: Technical on Friday, July 29th, 2011 by Brian | 1 Comment

My hosting provider, Razor Servers, recently moved hosting centers from the 401 North Broad St location in Philadelphia to a building right next door.  As part of my VM move to the new location, I was no longer able to SSH into the device.  I got this strange error about PTY allocation request failed.  In addition, the SPAMD process was not running on the box.  I tried to re-install SpamAssassin, I tried to re-install Exim and I even tried a complete upgrade of cPanel.  No go.  I thought the two might be related so a Googling I went…

After a good long while of Googling the problem, I found this site with my exact error message.  Via the web console, I checked to see if /dev/ptmx existed, it didn’t.  I ran the command as noted on the page:

/sbin/MAKEDEV -d /dev ptmx

Restarted the ssh daemon:

service sshd restart

And, presto, I was able to SSH back into my box.  No idea why that file would disappear after a VM move, but it is all fixed now.

How to configure a Checkpoint UTM device without using the GUI 

Filed under: Checkpoint, Technical on Friday, March 18th, 2011 by Brian | No Comments

There is an annoying aspect of configuring a Checkpoint UTM appliance: you are forced to enter the web-based GUI to do some basic config before using the command line interface (CLI) to complete the install.  If you try to use the CLI before using the GUI, you receive the following message:

Welcome to VPN-1 UTM Appliance

You can not use the ‘sysconfig’ and ‘cpconfig’ utilities until you successfully complete the First Time Wizard in the Administration web GUI.

Press Enter to continue…

If you run the following command, this message is not displayed and you can use the CLI for the full config:

touch /opt/spwm/conf/wizard_accepted