Thursday, November 20, 2014

Raspberry Pi panics on boot with no HDMI

One of the Pis started playing up and it's got some odd symptoms.

Initially it would boot and and then reboot just after the login prompt appeared.  I think that was a process not seeing the hardware it expected and trying to recover but diagnosing this I hooked it up to the monitor to see what was going on.

The odd thing that is since then it won't restart without a monitor attached.  If there is no monitor it kernel panics and says it can't it can't mount the root file system.  I tried hooking up a cable with nothing on the end but that fails as well so it needs to get the information from a monitor to start.

the /boot/cmdline.txt file is

dwc_otg.lpm_enable=0 console=ttyAMA0,115200 console=tty1 root=/dev/mmcblk0p6 rootfstype=ext4 elevator=deadline root-wait

I think the problem is root-wait.  This might have got auto corrected when I loaded the file onto the Mac to add init=/bin/sh to do some trouble shooting. It looks like it should be root-wait no hyphen.

Looks to be sorted now.  So be careful editing that file on machines that want to auto correct things.

Wednesday, November 12, 2014

IPSEC VPN Fortigate to ISA 2006

We had to set one of these up today and it was a bit odd.

The easiest way is to say what settings worked :-)

Stick with SHA and 3DES.  Group2 for DH, supposedly 14 will work but it didn't for us.

Use proxies, this was our final stumbling block.  ISA wanted proxies in phase 2 or came up with INVALID-ID-INFORMATION in the Fortigate debugs.

Otherwise it's defaults for times, DPD etc.

Edit later:

ISA summarises multiple networks rather than creating a second phase 2. dumb..

ie we had at the remote site and at the head office end.  They want to add so debugging (you can't set this or see it in ISA by the looks of it) the HO end proxy goes from to So what happens when you add a second network to the remote office end?

Sunday, August 24, 2014

My first raspberry Pi and dabble into crypto currency ASICs

This will be a combination of a few things.

I bought my first Pi to play with.  It now does mail for our home domain, DNS and a nice gui for the dabble into crypto currency.

I bought a nice combo that had a B+ board, power supply, case, heatsinks and on top of that a wireless dongle as I want it to run in the garage which has no cabling.

Unpacked it and put it in it's case and put the heatsinks on.  Easy.  Plugged into the TV and booted NOOBs.  Told it to install raspian and it was away. All nice and easy.

Raspian boots up with LXDE but you can, in theory, install just about anything.  Set up the wifi network and a few test reboots all looked good. I played with overclocking but it just made it less stable. We'll revisit that one.

Things to do on a new RPi I now know: firmware update (sudo rpi-update) and full dist upgrade(sudo apt-get dist-upgrade) of raspian. Both seemed to help stability as I had some USB issues to start with. Go through the raspi-config settings carefully and go to advanced update rapi-config before anything else. I've dropped the GPU memory to 16MB as it'll barely ever use the display. I had to turn off overscan as well to see the whole desktop.  Seems odd that's on by default.

I have a mail server running postfix, dovecot and roundcube.  All these just installed on the RPi and worked.  Copied the config files from the old server and merged them.  Copy certs from the old server to RPi.

The next step was to test a Gridseed (scrypt hasher) and it picked it up fine.  Install a system named minera ( which can be a full SD image or install on a running system.

The surprising thing is the RPi just keeps taking this. It seems to have more than enough grunt to handle all this.  It didn't do so well when I tried a minecraft server as well.  Might need another one for that :-)

So it sits in the garage with 6 gridseeds hashing away (it'll never make money but it's fun) and doing DNS for the home network and our mail server all over a wireless link.  Seems plenty stable.  I like it a lot! The idea was to stop leaving a full computer on 24/7 when something tiny and way less power hungry will do the job. So that's my bit to saving the environment :-)

My list of gripes are small and not really RPi related. The Gridseeds won't do SHA256d on the Pi, I have to go to a special windows build to do that but looking at it the gridseeds should be restricted to scrypt.  They use 6 to 8 watts (4 apparently if you chop the fan) each and hash about as much as a reasonable graphics card (360 to 390 kH/s currently similar to R9 270). If you so SHA256d they use 5 or 10 times as much power.

Thursday, April 17, 2014

Gentoo Linux and 802.11ac

I have an Intel 7260ac PCI card that never seem to go all that fast under Linux.

The NetworkManager widget said it was on channel 149 and doing about 130Mb but in Windows it gets 650 to 780 Mb in ac mode.

Turns out the NM widget was lying it was on 2.4 (so not channel 149) and was capped about 130Mb. I tried forcing it to 5GHz but it just roamed back to 2.4.

Hmm.. found a simple solution block the MAC on the 2.4GHz radio. Now it connects at the same speed as Windows on 5GHz.  Simple really and not an issue if you have separate SSIDs.

Saturday, January 25, 2014

30 second guide to setting up an interface mode VPN on Cisco IOS

This is like one of those recipe book type 1 page cheat sheets. This relies on you knowing IOS well enough to just need a jog.

So to set up an interface mode (Virtual tunnel interface in Cisco speak) vpn you need these commands:

crypto isakmp policy
crypto isakmp key
crypto ipsec transform set
crypto ipsec profile

policy-map maybe
class class-default
shape average 128000

int tun
ip address maybe or ip unnumbered vlan1 to tie to vlan1
tun source outsideIP
tun destin otherend
tunnel mode ipsec ipv4
tunnel protection ipsec profile
service-policy maybe?

ip route tun0 perm?
or use Ip and dynamic routing rip v2?

If you're switching from proxy style VPN then remove the crypto map unless you still have dynamic client vpns and remove the IPSec policy for the connection.

The tunnel ones are just so much nicer.  No NAT hassles, easy policy QoS etc. 

Also help diag commands:

sh crypto session detail 

Thursday, January 16, 2014

Certificates on Windows, AD CA etc

This relates mainly to older servers since CAs now require 2048 bit keys and I kept running into a default of 1024 I couldn't change.

This is ripped from another blog (thanks


cretate a file called c:\cert.inf with the following content:

Subject = ", O=MyCompany, OU=IT, L=London, S=SE1, C=GB"
KeyLength = 2048

Now run the following:

certreq -new cert.inf outfile.req

Now just cut and paste the contents of outfile.req into the geotrust QuickSSL Premium Enrollment page and away you go.


But that only goes half way.

To complete things for me loading a certificate into IIS I had to change the cert.inf file..

Subject = ", O=MyCompany, OU=IT, L=London, S=SE1, C=GB"
KeyLength = 2048

Exportable = TRUE

The certificate is created under the current user and you need to export it and import to the machine account to access it in IIS.

Import the cert from the provider into your current user. Now you should be able to export it with it's private key and import it into the local machine account where IIS etc can see it.