XEN and W2K3

We needed a virtual machine running Windows... So as not to multiply entities, we decided to build it under XEN.

Create the config:

root@node0001:/home# ee /etc/xen/1win2k3.cfg
kernel = "/usr/lib/xen/boot/hvmloader"
builder='hvm'
memory = 128
name = "test-win01"
vcpus=1
pae=0
acpi=0
apic=0
vif = [ 'bridge=xenbr0', 'mac=00:16:3E:a8:73:d2' ]
disk = [ 'tap:aio:/home/xen/node001-win2k3-disk.img,xvda,w', 'phy:/dev/loop0,xvdb:cdrom,r' ]
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'
device_model = '/usr/lib/xen/bin/qemu-dm'
boot='d'
sdl=0
vnc=1
vncconsole=0
stdvga=0
serial='pty'


Attach the installation disc image to a loop device:

root@node0001:/etc/xen# losetup /dev/loop0 /home/xen/w2k3r.iso
root@node0001:/etc/xen# losetup -a
/dev/loop0: [0801]:245781 (/home/xen/w2k3r.iso)


Create a disk image for the virtual machine:

root@node0001:/etc/xen# dd if=/dev/zero of=/home/xen/node001-win2k3-disk.img bs=1M count=4096
4096+0 records in
4096+0 records out
4294967296 bytes (4.3 GB) copied, 63.3392 s, 67.8 MB/s


Start it:

root@node0001:/etc/xen# xm create /etc/xen/1win2k3.cfg
Using config file "/etc/xen/1win2k3.cfg".
Started domain node001-win2k3


Check which port the VNC server built into Xen is listening on:

root@node0001:/etc/xen# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 20071/qemu-dm


Connect via VNC to dom0 on that port and "enjoy" the Windows installation ;)

P.S. In /etc/xen/xend-config.sxp you have to change (vnc-listen '127.0.0.1') to (vnc-listen '0.0.0.0'), otherwise VNC will not let you in. There are also rumours of poor IO performance for Windows under XEN; it is said to be cured by installing paravirtual drivers. More details here:
http://xgu.ru/wiki/Xen/winpvdrivers
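The config above turns on the guest's VNC console (vnc=1) without a password, and the P.S. binds xend's VNC listener to 0.0.0.0, so the console becomes reachable from any host that can reach dom0. The following is an added example, not code from the original post: it reads a domain config and xend-config.sxp and reports that exposure. The file contents are constructed copies, and the per-domain vnclisten/vncpasswd keys are assumed from the xm config format.

```python
import ast
import re

# Constructed copies of the two files the post edits, not taken from a live host.
DOMAIN_CFG = """\
kernel = "/usr/lib/xen/boot/hvmloader"
builder='hvm'
name = "test-win01"
vif = [ 'bridge=xenbr0', 'mac=00:16:3E:a8:73:d2' ]
vnc=1
vncconsole=0
"""
XEND_CFG = "(vnc-listen '0.0.0.0')\n"

def parse_xm_cfg(text):
    """xm domain configs are Python assignments; read them with
    ast.literal_eval rather than exec so a tampered file cannot run code."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*(.+?)\s*$', line)
        if m:
            try:
                cfg[m.group(1)] = ast.literal_eval(m.group(2))
            except (ValueError, SyntaxError):
                cfg[m.group(1)] = m.group(2)  # keep unparsable values raw
    return cfg

def vnc_listen_address(xend_text):
    """Address from an active (vnc-listen '...') line in xend-config.sxp;
    when the line is commented out xend falls back to 127.0.0.1."""
    m = re.search(r"^\s*\(vnc-listen\s+'([^']+)'\)", xend_text, re.M)
    return m.group(1) if m else '127.0.0.1'

def audit_vnc(domain_cfg_text, xend_text):
    """List exposure findings for a guest's built-in qemu-dm VNC console.
    A per-domain vnclisten key (assumed xm option) overrides the global one."""
    cfg = parse_xm_cfg(domain_cfg_text)
    if cfg.get('vnc') != 1:
        return []  # no VNC console configured for this guest
    name = cfg.get('name', '?')
    listen = cfg.get('vnclisten', vnc_listen_address(xend_text))
    findings = []
    if listen not in ('127.0.0.1', 'localhost'):
        findings.append(f'{name}: VNC listens on {listen}, reachable from outside dom0')
    if not cfg.get('vncpasswd'):
        findings.append(f'{name}: VNC console has no vncpasswd set')
    return findings
```

Run against the post's files as written, it reports both the 0.0.0.0 listener and the missing password; an SSH tunnel to dom0 with vnc-listen left at 127.0.0.1 clears the first finding.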

Cisco Easy VPN without cryptomap

We needed to provide remote access to the company network over PPTP and with the Cisco VPN Client.
For that we deployed a RADIUS server based on FreeRadius+Abills and configured the Cisco.
The config:

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login user_auth group radius local
aaa authentication ppp default group radius
aaa authorization exec default local none
aaa authorization network default group radius local
aaa authorization network group_author local
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network default start-stop group radius
!
aaa server radius dynamic-author
 client 192.168.100.242 server-key TESTKEY
 auth-type any
!
aaa session-id unique
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
!
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 local name Cisco_VPN_PPTP_server
 l2tp tunnel receive-window 1024
 ip mtu adjust
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ******** address *.*.*.26 no-xauth
crypto isakmp key ******** address *.*.*.137 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp xauth timeout 90

!
crypto isakmp client configuration group mobile
 key *******
 dns 192.168.100.254 *.*.*.18
 max-users 250
 netmask 255.255.255.0
crypto isakmp profile mobile_users
   match identity group mobile
   client authentication list user_auth
   isakmp authorization list group_author
   client configuration address respond
   client configuration group mobile
   accounting default
   virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA0 esp-3des esp-sha-hmac
crypto ipsec transform-set T2 esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile P2
 set transform-set T2
!
crypto ipsec profile mobile_users_ipsec
 set transform-set ESP-3DES-SHA0
 set isakmp-profile mobile_users
!
!
crypto map temp local-address Vlan60
crypto map temp client configuration address respond
crypto map temp 1 ipsec-isakmp
 description to_Archangelsk
 set peer *.*.*.137
 set transform-set ESP-3DES-SHA0
 match address 101
!
!
interface Loopback10
 ip address 192.168.111.1 255.255.255.255
!
interface Tunnel0
 ip address 192.168.7.1 255.255.255.0
 ip mtu 1250
 ip tcp adjust-mss 1100
 tunnel source *.*.*.190
 tunnel destination *.*.*.26
 tunnel protection ipsec profile P2
!
interface GigabitEthernet0/0
 description LAN
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/0.40
 description Data_LAN
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
 ip helper-address 192.168.100.254
 ip wccp web-cache redirect in
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.100
 description Servers
 encapsulation dot1Q 100
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
!
interface Virtual-Template1
 ip unnumbered Loopback10
 ip verify unicast reverse-path
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 autodetect encapsulation ppp
 no snmp trap link-status
 no peer default ip address
 compress mppc
 ppp mtu adaptive
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
 ppp ipcp dns 192.168.100.254 *.*.*.18
 ppp ipcp wins 192.168.100.254
!
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback10
 ip nat inside
 ip virtual-reassembly
 load-interval 30
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile mobile_users_ipsec
!
interface Vlan1
 no ip address
!
interface Vlan50
 description ISP2
 ip address *.*.*.190 255.255.255.252
 ip access-group From-INTERNET in
 ip mtu 1490
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
!
interface Vlan60
 description ISP1
 ip address *.*.*.13 255.255.255.248
 ip access-group From-INTERNET in
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 crypto map temp
!
!
ip local pool PPTP_VPN 192.168.111.100 192.168.111.254
!
ip radius source-interface GigabitEthernet0/0.100
!
!
radius-server attribute 44 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server configure-nas
radius-server host 192.168.100.242 auth-port 1812 acct-port 1813
radius-server timeout 30
radius-server key *********
!
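What makes this "Easy VPN without cryptomap" is the chain crypto isakmp profile mobile_users -> crypto ipsec profile mobile_users_ipsec -> interface Virtual-Template2 type tunnel, with the isakmp profile pointing back at virtual-template 2: remote-access tunnels land on a dynamic VTI, and only the site-to-site peer still uses crypto map temp on Vlan60. Below is an added example, not code from the original post, that parses a constructed excerpt of this config and resolves that chain so a reviewer can confirm it is closed.

```python
# Constructed excerpt of the post's running-config (IOS indents sub-mode commands with leading spaces).
CONFIG = """\
crypto isakmp profile mobile_users
   match identity group mobile
   client authentication list user_auth
   virtual-template 2
!
crypto ipsec profile mobile_users_ipsec
 set transform-set ESP-3DES-SHA0
 set isakmp-profile mobile_users
!
interface Virtual-Template2 type tunnel
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile mobile_users_ipsec
"""

def parse_blocks(text):
    """Group the config into {top-level command: [sub-commands]}."""
    blocks, head = {}, None
    for line in (l.rstrip() for l in text.splitlines()):
        if line.startswith(' ') and head:
            blocks[head].append(line.strip())
        elif line and not line.startswith('!'):
            head = line
            blocks.setdefault(head, [])
        else:
            head = None
    return blocks

def arg(blocks, head, prefix):
    """Value following `prefix` inside block `head`, or None if absent."""
    for line in blocks.get(head, []):
        if line.startswith(prefix + ' '):
            return line[len(prefix) + 1:]
    return None

def resolve_dvti_chain(text, vt_number):
    """Walk Virtual-Template -> ipsec profile -> isakmp profile -> client group,
    and check that the isakmp profile points back at this same template."""
    b = parse_blocks(text)
    ipsec = arg(b, f'interface Virtual-Template{vt_number} type tunnel',
                'tunnel protection ipsec profile')
    if ipsec is None:
        return None  # no IPsec profile on the template, so not a DVTI
    isakmp = arg(b, f'crypto ipsec profile {ipsec}', 'set isakmp-profile')
    prof = f'crypto isakmp profile {isakmp}'
    return {'ipsec_profile': ipsec, 'isakmp_profile': isakmp,
            'transform_set': arg(b, f'crypto ipsec profile {ipsec}', 'set transform-set'),
            'group': arg(b, prof, 'match identity group'),
            'auth_list': arg(b, prof, 'client authentication list'),
            'consistent': arg(b, prof, 'virtual-template') == str(vt_number)}
```

Feeding it the full running-config (with the IOS indentation intact) works the same way; a `consistent` of False means clients matching the group would be cloned onto a different template than the one carrying the IPsec profile.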


P.S. There is one small problem: POD (Packet of Disconnect) does not work for Cisco VPN clients... No idea why... Otherwise everything works great.