четверг, 29 мая 2014 г.

Cisco 1131: VLANs + MultiSSID

To support this, add the following lines to the config:

! SSID "guests": clients are placed in VLAN 254 and gated by WPA2 key management with a pre-shared key.
dot11 ssid guests
   ! Wireless clients of this SSID land in VLAN 254 (see the dot1Q subinterfaces below).
   vlan 254
   ! 802.11 open-system authentication; actual access control comes from the WPA2 key management below.
   authentication open
   authentication key-management wpa version 2
   ! Multiple-BSSID mode for this SSID; pairs with "mbssid" on the radio interface.
   mbssid guests-mode dtim-period 75
   ! PSK redacted on this page; treat the key as a secret whenever the config is shared or backed up.
   wpa-psk ascii *************

! Radio: per-VLAN encryption (AES-CCM for VLAN 254), attach the guests SSID, enable multiple BSSIDs.
interface Dot11Radio0
   ! AES-CCM (CCMP) is the WPA2 cipher; the P.S. below notes that mixing cipher suites produced errors.
   encryption vlan 254 mode ciphers aes-ccm
   ssid guests
   ! Lets the radio advertise this SSID under its own BSSID alongside the others (see "mbssid guests-mode").
   mbssid
interface Dot11Radio0.254
   ! 802.1Q subinterface for VLAN 254; bridge-group 254 bridges it to the wired FastEthernet0.254 subinterface.
   encapsulation dot1Q 254
   bridge-group 254
interface FastEthernet0.254
  ! Wired side of VLAN 254, bridged to Dot11Radio0.254 through bridge-group 254.
  encapsulation dot1Q 254
  no ip route-cache
  bridge-group 254
  ! No MAC source-learning on the wired side of this bridge group.
  no bridge-group 254 source-learning
  ! NOTE(review): this line names bridge-group 1 while every other line on this subinterface uses 254 —
  ! confirm it is intended and not a typo for "bridge-group 254 spanning-disabled".
  bridge-group 1 spanning-disabled

P.S.: If you are getting errors like "Sending station has left the BSS", try using only WPA2 + AES or WPA + TKIP.

понедельник, 26 мая 2014 г.

openssh + Cisco

After an update, OpenSSH could not connect to Cisco routers (1841, 3550). After some searching on the Web I found a similar bug, #1026430, on Red Hat Bugzilla. The solution was to add the KexAlgorithms=diffie-hellman-group1-sha1 option to the ssh command when connecting to the routers.
Another method is to create a ~/.ssh/config with a couple of lines:

# Per-host override: only this entry re-enables the legacy diffie-hellman-group1-sha1 key exchange
# (1024-bit MODP group, SHA-1) that the router needs; every other host keeps OpenSSH's default KEX list.
Host bigrouter
        HostName        192.168.0.1
        # Keep the weak KEX scoped to this Host rather than setting it globally.
        KexAlgorithms   diffie-hellman-group1-sha1

понедельник, 19 мая 2014 г.

Linux-to-cisco: IPIP

Cisco global IP - xxx.xxx.xxx.xxx
Cisco ipinip IP - 10.1.252.5/30
Linux global IP - yyy.yyy.yyy.yyy
Linux ipinip IP - 10.1.252.6/30

IPIP

host

# Plain IPIP tunnel to the router: tun0 carries IP-in-IP (protocol 4) with no confidentiality or
# integrity of its own; the IPSec section below wraps exactly this traffic in ESP.
sudo ip tunnel add tun0 mode ipip remote xxx.xxx.xxx.xxx local yyy.yyy.yyy.yyy
# Inner tunnel address on the host; the router's end is 10.1.252.5/30.
sudo ip addr add 10.1.252.6/30 dev tun0
sudo ip link set up dev tun0

router

! Router end of the IPIP tunnel; the tunnel itself is unencrypted, protection comes from the crypto map below.
interface Tunnel173
 ip address 10.1.252.5 255.255.255.252
 tunnel source xxx.xxx.xxx.xxx
 tunnel destination yyy.yyy.yyy.yyy
 tunnel mode ipip
 ! Tunnel keepalives every 15 seconds so the interface goes down when the far end stops answering.
 keepalive 15
exit

IPSec

host

/etc/racoon/racoon.conf:
# racoon (IKEv1) configuration for the host side of the tunnel.
# NOTE(review): "log debug" is very verbose and may record negotiation details — lower it once the tunnel works.
log debug;
# PSK file; keep it readable by root only, since the key authenticates both peers.
path pre_shared_key "/etc/racoon/psk.txt";
listen {
        # Control socket restricted to root and the "operator" group, mode 0660.
        adminsock "/var/run/racoon/racoon.sock" "root" "operator" 0660;
}
# Phase 1 (ISAKMP) with the router: main mode, pre-shared-key authentication.
remote xxx.xxx.xxx.xxx {
        exchange_mode main;
        initial_contact on;
        proposal_check obey;
        # 3DES / MD5 / modp1024 (DH group 2) are legacy choices, presumably the strongest the router
        # accepts; they must match the router's isakmp policy, which is not shown on this page.
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}
# Phase 2 (IPsec SA) for IP-in-IP (protocol 4) between the two public addresses only.
sainfo address yyy.yyy.yyy.yyy/32 4 address xxx.xxx.xxx.xxx/32 4 {
        # Re-key every 30 minutes.
        lifetime time 1800 seconds;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
        # PFS with DH group 2, matching "set pfs group2" on the router.
        pfs_group 2;
}


/etc/ipsec-tools.conf:
#!/usr/sbin/setkey -f
# Kernel SPD: force ESP (transport mode) onto the IP-in-IP traffic between the two public addresses.
# flush/spdflush wipe every existing SA and policy on the host first, not only these two entries.
flush;
spdflush;
# "require" makes matching packets fail closed: they are dropped unless ESP is applied,
# so the tunnel never silently falls back to unencrypted IPIP.
spdadd yyy.yyy.yyy.yyy/32 xxx.xxx.xxx.xxx/32 ipencap -P out ipsec
        esp/transport/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
spdadd xxx.xxx.xxx.xxx/32 yyy.yyy.yyy.yyy/32 ipencap -P in ipsec
        esp/transport/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;

router

! Router side of the IPsec policy. "keymaster" is the ISAKMP pre-shared key exactly as written on this page:
! it is a secret that appears in plaintext in the config and should be replaced with a strong random value.
crypto isakmp key keymaster address yyy.yyy.yyy.yyy
! NOTE(review): the isakmp policy (3DES/MD5/group 2 to match racoon), transform-set VPN, and applying the
! crypto map to the outside interface are not shown on this page.
crypto map VPN-CM 173 ipsec-isakmp
 set peer yyy.yyy.yyy.yyy
 set transform-set VPN
 ! PFS group 2 matches "pfs_group 2" in the racoon sainfo.
 set pfs group2
 ! Only traffic matched by IPSEC-173 is protected; everything else stays unencrypted.
 match address IPSEC-173
exit
! Encrypt only the IP-in-IP tunnel packets between the two public addresses.
ip access-list extended IPSEC-173
 permit ipinip host xxx.xxx.xxx.xxx host yyy.yyy.yyy.yyy
end