Using the Git Stash command

The git stash command is used to store the changes in a dirty git working tree, for example when pulling changes (see http://man.github.com/git/git-stash.html).

For example, if you are working on a repository but are not ready to commit your changes, you may run:

git stash

This will store the changes you have made since the last revision and allow you to start back fresh at the point of your last commit.

Once you are done, you may run

git stash pop

That will restore your repository back to where you were when you ran git stash.

Custom 404 error pages in Nginx

Here’s a quick how-to on creating a custom 404 error page on an Nginx server.

To display a single page for a site, add the below to your server’s config. The below config assumes /404.html is in the root of the current site.

server {
    ...
    error_page 404 /404.html;
    ...
}

The error page itself doesn’t have to be anything special, just a clear message that lets the user know the page does not exist.

Setting up a VPN Tunnel between Two Linksys RV042

This article is one in a series to assist in the setup, troubleshooting, and maintenance of Cisco Small Business products (formerly Linksys Business Series).

  • Q. How do I set up a VPN Tunnel on Two Linksys Routers?
  • A. A Virtual Private Network (VPN) is a connection between two endpoints – VPN Routers, for instance – in different networks that allows private data to be sent securely over a shared or public network, such as the Internet. A private network, that sends data securely between these two locations or networks, is established by creating a tunnel. A VPN tunnel connects two PCs or networks and allows data to be transmitted over the Internet as if the endpoints were within a network. Not a literal tunnel, it is a connection secured by encrypting the data sent between the two networks.

This article explains the four steps required to set up a VPN tunnel using two Linksys routers and also contains a VPN overview. Select a link below to go directly to a section:

  • VPN Overview
  • Verify the VPN Settings on Both Routers
  • Configure VPN Tunnel Settings on Router A
  • Configure VPN Tunnel Settings on Router B

VPN Overview

The IPSec protocol suite itself is designed to support multiple modes of operation for securing communications over an Internet Protocol network. A VPN tunnel between two routers interconnected via the Internet is just one of the supported modes. A VPN tunnel of this type provides the following services to the network:

  • Privacy – Encryption of the traffic (both the Protocol Headers and the Payload) such that it can not be read by entities other than those for which it is intended.
  • Integrity – Validation that the traffic is not modified along the transport path between the tunneling devices.
  • Authentication – Ensuring that the end point devices (the routers) are the correct trusted sources.
  • Anti-replay – Ensuring that the sessions are secure from replay attacks by intermediary devices.

These services are enabled by the administrator at initial configuration time by specific parameter selections from among the available cryptographic protocols which ensure secure packet flows and mutual device authentication. The means by which IPSec creates a secure tunnel is by the creation of a Security Association (SA) between the two devices being configured. The SA is nominally the list of selections that define the parameters for Encryption and Authentication that the administrator has chosen for this particular tunnel configuration.

The SA defines the encryption algorithms and cryptographic keys which are used to encode and decode the traffic, and which capabilities of Internet Key Exchange (IKE – the protocol used to set up the SA) are used to manage those keys. As there are many options, both sides of the communication must agree on the parameters used to set up the SA (meaning that both routers must have the same configuration parameters selected). IKE happens in 2 phases. In Phase 1 a secure, authenticated communication channel (called an IKE SA) between the two devices is created so that the key exchange required to set up IPSec (and the IPSec SA) can be executed in Phase 2.

Parameters to be selected include:

  • Keying Mode – Whether the actual encryption keys are to be entered manually by the administrator (Manual) or automatically defined (and periodically changed) by the devices, in which case the administrator enters a pre-shared “initialization” key which must be entered on both devices (IKE with Pre-Shared Key). IKE with Preshared Key is more secure and is recommended if supported by both end devices (both routers).
  • Phase 1 (or 2) DH Group – What key exchange protocol Group and corresponding key length are to be used in each Phase:
    o Group 1 (768 bits)
    o Group 2 (1024 bits)
    o Group 5 (1536 bits).

    Shorter lengths should be faster, but longer lengths are more secure. Select a Group according to your administrative preference.

  • Phase 1 (or 2) Encryption – Which of the available standard encryption methods are to be used in each Phase. Typical options include:
    o Data Encryption Standard (DES) – 56 bit keys, proven to be susceptible to brute force attacks and replaced by 3DES
    o Triple Data Encryption Standard (3DES) – 192 bits, subsequently replaced by AES
    o Advanced Encryption Standard (AES)

    In general, AES is faster in software and should be selected if available. Otherwise 3DES is recommended (if supported by both devices).

  • Phase 1 (or 2) Authentication – Which Authentication method is going to be used to ensure that the traffic has not been altered. Typically available options include:
    o Message Digest 5 (MD5)
    o Security Hash Algorithm (SHA)

    SHA is more secure and should be used if available.

  • Phase 1 (or 2) SA Life Time – The length of time (seconds) that the SA can remain active in each phase. The default is 28,800 seconds (eight hours).
  • Perfect Forward Secrecy – PFS nominally means that encryption keys are single use, such that if one key is broken, that key cannot be used to break subsequent or previous keys in the stream.
  • Preshared Key – The character-based or hexadecimal-based value which is defined by the administrator and which is used as the pre-shared initialization key for IKE.

Note: This type of tunnel configuration between two network devices (routers) creates a Routed IP subnetwork, meaning that the packets that cross the tunnel between the sites must be IP routed (at layer-3, not bridged at layer-2) across the network.

Fundamentally, this means that it is required that:

  • Each site must have its own unique IP subnetwork address on its LAN interface(s) (i.e. 192.168.1.x for site 1, 192.168.2.x for site 2, …). Specifically the same subnetwork address (such as 192.168.1.x) may NOT be used in more than one site.
  • Each device must be configured not only with its local LAN subnetwork address, but also with knowledge of the LAN addressing used in the remote site.
  • Each device must be configured with information that allows the device to determine the WAN IP address of the remote site:
    • WAN IP addresses may be manually determined by the administrator when setting up the remote site by noting the WAN address that is either statically configured by the administrator (the address is actually assigned by the ITSP) or dynamically learned by the device from the ITSP’s DHCP service.
      Note: In this scenario, if the remote device’s IP address changes (for example a reboot and new DHCP assignment) then the IPSec configuration on the local device will no longer work (as the remote device’s address has been changed and is currently unknown).
    • Alternatively, WAN IP addresses for remote devices may be dynamically determined by having the remote device report any update to its configured WAN IP address by use of Dynamic-DNS. By enabling D-DNS on a device, when it learns its WAN IP address (either manually configured or DHCP assigned) it causes the Internet’s DNS system to be updated with its new IP address. D-DNS enables a Domain Name to IP address mapping so that any device (such as the local router) may determine the current IP address for a remote device by doing a DNS query based upon the Name of the remote device (for example ‘www.abc.com’). Therefore, the remote device must be enabled for D-DNS and the local device must be configured to resolve the WAN IP address for the remote device by use of the DNS system.

Verify Internet Connection

Before connecting to a VPN tunnel, be sure you have an active Internet connection allowing the two routers to communicate. When you’ve verified your Internet connection, follow the instructions below to verify the VPN settings on the routers.

Verify the VPN Settings on Both Routers

Successfully configuring a VPN tunnel requires specific settings. Here’s how.

Step 1:
Access the router’s web-based setup page.

Step 2:
Select the System Summary tab and review the Network Setting Status.

On Router A Network Setting Status:

  • WAN1 IP address is Router B’s Remote Security Gateway IP
  • LAN IP address is Router A’s Local Security Group
  • LAN IP address is also Router B’s Remote Security Group IP


On Router B Network Setting Status:

  • WAN1 IP address is Router A’s Remote Security Gateway IP
  • LAN IP address is Router B’s Local Security Group
  • LAN IP address is also Router A’s Remote Security Group IP

Step 3:
Make sure the Local IP Addresses of the two routers are different. Remember the Local IP Address of Router A will be Router B’s Remote Security Group.

In this example, we will use the following

Step 4:
After verifying the VPN settings on both routers, configure the VPN Tunnel settings on Router A.

Configure VPN Tunnel Settings on Router A

Step 1:
Access the router’s web-based setup page.

Step 2:
When the router’s web-based setup page appears, select the VPN tab, and then select the Gateway to Gateway sub tab.

Step 3:
In the Tunnel Name field, enter a name for this tunnel. (In this example “TestTunnel” was used.)

Step 4:
In the Local Group Setup section:

  • Select a Local Security Group Type (Subnet, IP Addr, or IP Range) from the drop down menu.
  • In the IP address field, enter the Local IP address of your router. (In this example 192.168.1.0 was used.)
  • In the Subnet Mask field, enter the Subnet Mask of your router. (In this example 255.255.255.0 was used.)
  • Local Security Gateway IP address will be generated automatically. (In this example, it is 22.15.160.53.)

Step 5:
In the Remote Group Setup section:

  • Select a Remote Security Group Type (Subnet, IP Addr, or IP Range) from the drop down menu.
  • Enter the appropriate values of the remote router in the IP Address and Subnet Mask fields. (In this example, we selected Subnet, and entered 192.168.2.0 for the IP address and 255.255.255.0 for the Subnet Mask.)
  • Select a Remote Security Gateway Type (IP Addr, FQDN, or Any) from the drop down menu.
  • Enter the WAN/Internet IP address of the remote router in the Remote Group Setup IP Address field. (In this example 10.100.16.60 was used.)

Step 6:
In the IPSec Setup section:

  • Select IKE with PreShared key from the Keying Mode drop down menu.
  • Select the encryption level you wish to enable from the Phase1 Encryption and Phase2 Encryption drop down menus. (In this example we used DES.)
  • Select the authentication mode you wish to enable from the Phase1 Authentication and Phase2 Authentication drop down menus. (In this example we used MD5.)
  • Check the box next to Perfect Forward Secrecy (PFS) to enable. This will ensure that the initial key exchange and IKE proposals are secured.
  • Enter the key you want to enable in the Preshared Key field. (In this example “MyKey” was used.)
  • Enter the key expiration period in the Phase1 SA Life Time and Phase2 SA Life Time fields. (In this example “28800” was used for Phase1, “3600” was used for Phase2.)

Note: The following fields must be the same on both routers:

  • Phase1 Encryption
  • Phase2 Encryption
  • Phase1 Authentication
  • Phase2 Authentication
  • Preshared Key
  • Phase1 SA Life Time
  • Phase2 SA Life Time

Step 7:
Select Save Settings and then configure the settings on Router B.

Configure VPN Tunnel Settings on Router B

Step 1:
Access the router’s web-based setup page.

Step 2:
When the router’s web-based setup page appears, select the VPN tab, and then select the Gateway to Gateway sub tab.

Step 3:
In the Tunnel Name field, enter a name for this tunnel. (In this example “TestTunnel” was used.)

Step 4:
In the Local Group Setup section:

  • Select a Local Security Group Type (Subnet, IP Addr, or IP Range) from the drop down menu.
  • In the IP address field, enter the Local IP address of your router. (In this example 192.168.2.0 was used.)
  • In the Subnet Mask field, enter the Subnet Mask of your router. (In this example 255.255.255.0 was used.)
  • Local Security Gateway IP address will be generated automatically. (In this example, it is 10.100.16.60.)

Step 5:
In the Remote Group Setup section:

  • Select a Remote Security Group Type (Subnet, IP Addr, or IP Range) from the drop down menu.
  • Enter the appropriate values of the remote router in the IP Address and Subnet Mask fields. (In this example, we selected Subnet, and entered 192.168.1.0 for the IP address and 255.255.255.0 for the Subnet Mask.)
  • Select a Remote Security Gateway Type (IP Addr, FQDN, or Any) from the drop down menu.
  • Enter the WAN/Internet IP address of the remote router in the Remote Group Setup IP Address field. (In this example 22.15.160.53 was used.)

Step 6:
In the IPSec Setup section:

  • Select IKE with PreShared key from the Keying Mode drop down menu.
  • Select the encryption level you wish to enable from the Phase1 Encryption and Phase2 Encryption drop down menus. (In this example we used DES.)
  • Select the authentication mode you wish to enable from the Phase1 Authentication and Phase2 Authentication drop down menus. (In this example we used MD5.)
  • Check the box next to Perfect Forward Secrecy (PFS) to enable. This will ensure that the initial key exchange and IKE proposals are secured.
  • Enter the key you want to enable in the Preshared Key field. (In this example “MyKey” was used.)
  • Enter the key expiration period in the Phase1 SA Life Time and Phase2 SA Life Time fields. (In this example “28800” was used for Phase1, “3600” was used for Phase2.)

Note: The following fields must be the same on both routers:

  • Phase1 Encryption
  • Phase2 Encryption
  • Phase1 Authentication
  • Phase2 Authentication
  • Preshared Key
  • Phase1 SA Life Time
  • Phase2 SA Life Time

Step 7:
Select Save Settings.

Step 8:
Select the Summary sub tab under the VPN tab and then select the Connect button to establish the tunnel.
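
Before selecting Connect, the two configurations can be cross-checked offline. The script below is an added example, not part of the original article or of any Cisco/Linksys tool: it verifies the fields that must match, that each router's remote group and gateway mirror the peer's local ones, that the LAN subnets do not overlap, and it flags the options the VPN Overview above ranks as the weaker choice (DES, MD5). The dictionary key names are hypothetical; the values are the ones used in this article's example.

```python
import ipaddress

# Fields the article says must be the same on both routers.
MUST_MATCH = ("p1_enc", "p2_enc", "p1_auth", "p2_auth", "psk", "p1_life", "p2_life")
# Options the article's overview itself ranks below an available alternative.
WEAK = {"DES", "MD5"}

# Constructed from the article's example values; key names are hypothetical.
ROUTER_A = {
    "local_ip": "192.168.1.0", "local_mask": "255.255.255.0", "local_gw": "22.15.160.53",
    "remote_ip": "192.168.2.0", "remote_mask": "255.255.255.0", "remote_gw": "10.100.16.60",
    "p1_enc": "DES", "p2_enc": "DES", "p1_auth": "MD5", "p2_auth": "MD5",
    "psk": "MyKey", "p1_life": 28800, "p2_life": 3600,
}
ROUTER_B = dict(ROUTER_A,
                local_ip="192.168.2.0", local_gw="10.100.16.60",
                remote_ip="192.168.1.0", remote_gw="22.15.160.53")

def group(cfg, side):
    """Local or remote security group as an ip_network (Subnet type only)."""
    return ipaddress.ip_network(f"{cfg[side + '_ip']}/{cfg[side + '_mask']}")

def audit(a, b):
    """Return a list of findings for a pair of gateway-to-gateway configs."""
    findings = [f"mismatch:{f}" for f in MUST_MATCH if a[f] != b[f]]
    # Each router's remote group and gateway must be the peer's local ones.
    if group(a, "remote") != group(b, "local") or group(b, "remote") != group(a, "local"):
        findings.append("groups-not-mirrored")
    if a["remote_gw"] != b["local_gw"] or b["remote_gw"] != a["local_gw"]:
        findings.append("gateways-not-mirrored")
    # The same LAN subnet may not be used at more than one site.
    if group(a, "local").overlaps(group(b, "local")):
        findings.append("lan-overlap")
    # Encryption and authentication choices in use on either router.
    used = {cfg[f] for cfg in (a, b) for f in MUST_MATCH[:4]}
    findings += [f"weak:{alg}" for alg in sorted(used & WEAK)]
    return findings

if __name__ == "__main__":
    for finding in audit(ROUTER_A, ROUTER_B):
        print(finding)
```

Run against the article's example values, the structural checks pass and the only findings are the DES and MD5 selections from Step 6.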