
fogo de chao == yum yum yum

Tiff and I took her brother out to dinner at Fogo de Chao in Minneapolis this weekend. It was great! None of us had been to a churrasco-style restaurant before, so we didn’t really know what to expect.

The meal starts with a serve-yourself salad bar, which was filled with most excellent selections. You could grab a wedge of asiago and carpachio, go with a pasta salad, or anything you desire. Of course, we were warned by our waiter not to fill up on the salad bar – just try it out, and then get down to the meats!

Meats are served by Gauchos (chefs for this style of cooking) who walk around with a variety of meats on skewers. When you arrive, you’re given a card that has a red side and a green side. Red side? The Gauchos leave you alone. Green side? You’re immediately flooded with a variety of meats on skewers, with very helpful Gauchos asking how rare you want your beef, etc. All the meats I tried were delicious! My favorite was the Picanha.

Of course, we saved some room (well, technically we didn’t, but we managed to pack some more in) for dessert. We tried the flan (best flan I’ve had in ages!), and the Papaya Cream (which is great for soothing the stomach.)

I’d highly recommend trying this place out some time – I’ve heard reviews of their other locations that are just as positive. The service simply can’t be beat – you don’t have a dedicated waiter/waitress who you need to find, you just look up and someone will come help you.

{ 0 comments }

changing with the times..

As many of you know, I’ve recently moved positions at work, and am now the primary systems administrator for an extremely smart group of people who are working on rolling out some new products.

Nifty technologies we’ve been working with:

Other cool technologies we’ve looked at, but are not using quite yet:

If you are investigating Ruby on Rails, and don’t want to build a hosting infrastructure yourself, I can’t recommend the guys at Engine Yard highly enough. They certainly aren’t the least expensive provider out there, but their service just plain can’t be beat. And no, they aren’t paying me to say that. ;)

{ 0 comments }

AT&T (ex-Cingular) has now turned 3g on in the Minneapolis/St. Paul area! What a pleasant surprise after getting the WM6 treatment yesterday. ;)

They’ve made me a happy customer.

{ 0 comments }

at&t finally releases wm6 for their 8525

Windows Mobile 6 is *finally* available for the (HTC-built) AT&T 8525! Yeehaw!

It’s available from here:
http://www.america.htc.com/support/8525/software-downloads.html

First impressions:

  • It’s fast
  • The GPS sharing feature works nicely
  • Looks about the same. Menus are very similar.

Upgrade was easy [just back your stuff up!]; highly recommended so far!

{ 0 comments }

bandwidth.com outage

Bandwidth.com had an outage last night, from around 4:10pm central to around 6:30 central. It affected all of their SIP trunks. Interesting! Apparently, it was attributed to a Level3 outage, but it doesn’t appear that other VoIP trunks with other L3 resellers went down. We’ll see…

{ 14 comments }

This document describes how to get Openswan working with various other IPSec stacks, including Openswan and Windows 2000/XP. If you have any difficulties with this process, please e-mail the Openswan mailing list, or if you can’t get help from there, e-mail me at: ipsec@natecarlson.com. If you are using clients which benefit from receiving an IP address on the remote network (Windows, PocketPC, etc), you may want to consider L2TP over IPSec instead of the method described below. Jacco de Leeuw’s pages cover this in a good amount of detail; I also have a basic walkthrough available at my L2TP-over-IPsec page.

If you’re not sure if IPSec is right for you, I have written a quick document about some of the various types of VPN available under Linux. It is available at: http://www.natecarlson.com/linux/linux-vpn.php. I hope this helps clear up some questions.

IMPORTANT NOTE: On March 1, 2004, the FreeS/WAN maintainers announced that the FreeS/WAN project is ending, for many reasons. The Openswan project is going to be taking over development. Openswan is based on Super FreeS/WAN, and already includes most of the patches that people wanted. I’ve updated these directions to use examples for Openswan 2.1.2; they should still run as-is on FreeS/WAN 2.0 with the X.509 patches, and will work with FreeS/WAN 1.99+X.509 and Openswan 1 with some minor modifications. They should also work as-is with Strongswan. I no longer cover patching FreeS/WAN with X.509; if you are going to start with a base FreeS/WAN installation, you will need to follow the directions at http://www.strongsec.com/freeswan on how to patch it.

IMPORTANT NOTE #2: As of June 17 2004, this document has been updated to reflect Openswan configuration instead of FreeS/WAN. I’ve also reorganized a few things; hopefully it will flow better now. Please let me know if you run into any problems with the new configuration. If you need it, the old page is available at: http://www.natecarlson.com/linux/ipsec-x509-fs1.php.

NOTE #3: Not nearly as important as above, but just wanted to note that I do occasionally post notes about new VPN options and such on my blog; see the VPN category at: http://www.natecarlson.com/category/geek-stuff/vpn. Also, if you are interested in consulting services to help you set things up, I am available on a very limited basis – please see my consulting page.

Contents:
Setting up a Certificate Authority
Generating a Certificate
Installing Openswan
Installing the Certificate on your Gateway
Configuring Openswan on the Gateway Machine
Client Setup: Openswan
Client Setup: Windows 2000/XP with ipsec.exe
Some common errors, and resolutions for them
References used to write this document


Setting up your Certificate Authority

For the sake of this document, I’m assuming you want to use X.509 certificates for authentication. It is possible to use RSA keys or pre-shared keys, but I find the X.509 method to be the most scalable and easiest to maintain for a decent-sized user base. I am also assuming that you will need your own Certificate Authority dedicated to VPN usage – if you already have access to a CA, you may just want to generate certificates from there (if that’s the case, you can just skim this section.) If you need more details than I am going into here, please read the OpenSSL documentation — it’s fairly detailed. For CA certificate management, my examples use the utilities included with OpenSSL itself – there are third-party tools out there that make this a bit simpler, but I want to keep dependencies low. Note that you do not necessarily need to use your Openswan gateway as the Certificate Authority – it can be any box with OpenSSL installed. In fact, it may be better to use a different box, so if an attacker gains access to your Openswan gateway they don’t have access to your CA, too. If you have any suggestions on how to make this process simpler, please let me know!

Now, on to the good stuff – let’s start setting up our own CA.

1) Find your openssl.cnf file. This file has default values for OpenSSL certificate generation. Here’s a few locations for various distributions:

Debian: /etc/ssl/openssl.cnf
RedHat 7.x+: /usr/share/ssl/openssl.cnf

Open this file in your favorite editor. We will need to change the following options:

‘default_days’: This is the length of time, in days, that your certificates will be valid for, and defaults to 365 days, or 1 year. I recommend setting this to ‘3650’, as that will give you 10 years of validity on your certificates. Since this is for internal use, I am ok with the security ramifications of having a certificate valid for a long time – if you lose it or whatnot, you can revoke it without a problem.

‘[ req_distinguished_name ]’ section: You don’t really *need* to change the options below req_distinguished_name; they just set the default options (such as location, company name, etc) for certificate generation. I find it’s easier to set them here than re-type them for every certificate.

2) Create a directory to house your CA. I generally use something like /var/sslca; you can really use whatever you want. Change the permissions of the directory to 700, so that people who aren’t supposed to access the private keys can’t.

3) Find the command ‘CA.sh’ (some distributions rename it to just ‘CA’; don’t ask me why.) Locations on various distributions:

Debian: /usr/lib/ssl/misc/CA.sh
RedHat 7.x+: /usr/share/ssl/misc/CA

Edit this file, and change the line that says 'DAYS="-days 365"' to a very high number (this sets how long the certificate authority’s certificate is valid.) Be sure that this number is higher than the number in Step 1, or else Windows may not accept your certificates. Note that if this number is too high, it can cause problems – I generally set it for 15-20 years.

4) Run the command ‘CA.sh -newca’. Follow the prompts, as below. In the transcript, the input you type and my comments are shown in parentheses. Be sure not to use any non-alphanumeric characters, such as dashes, commas, plus signs, etc. in the fields you enter; these characters may make things more difficult for you.

nate@example:~/sslca$ /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create) (enter)
Making CA certificate ...
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.............................................................................+++
........................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:(enter password --this is the password you will need to create any other certificates.)
Verifying password - Enter PEM pass phrase: (repeat password)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: (Enter your country code here)
State or Province Name (full name) [Some-State]: (Enter your state/province here)
Locality Name (eg, city) []: (Enter your city here)
Organization Name (eg, company) [Internet Widgits Pty Ltd]: (Enter your company name here, or leave blank)
Organizational Unit Name (eg, section) []: (OU, if you like. I usually leave it blank.)
Common Name (eg, YOUR name) []: (The name of your Certificate Authority)
Email Address []:(E-Mail Address)
nate@example:~/sslca$

Let’s also generate a crl file, which you’ll need on your gateway boxes:


nate@example:~/sslca$ openssl ca -gencrl -out crl.pem

You’ll need to update this CRL file any time you revoke a certificate.

That’s it, you now have your own certificate authority that you can use to generate certificates.

Generating a Certificate

You will need to generate a certificate for every machine that will be making an IPSec connection. This includes the gateway host, and each of your client machines. This section details how to create the certificate, and convert it to formats needed for Windows and such.

Again, we’ll be using the CA.sh script. Except this time, instead of telling it to create a new Certificate Authority, we’re telling it to request, then sign a certificate:


nate@example:~/sslca$ /usr/lib/ssl/misc/CA.sh -newreq
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 1024 bit RSA private key
......................................+++
....................................+++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:(enter password -- this is the password that encrypts the new cert's private key; you'll need it!)
Verifying password - Enter PEM pass phrase:(repeat password)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US(enter)
State or Province Name (full name) [Some-State]:State(enter)
Locality Name (eg, city) []:City(enter)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ExampleCo(enter)
Organizational Unit Name (eg, section) []:(enter)
Common Name (eg, YOUR name) []:host.example.com(enter) (This can be a hostname, a real name, an e-mail address, or whatever)
Email Address []:user@example.com(enter) (optional)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(enter)
An optional company name []:(enter)
Request (and private key) is in newreq.pem

What we just did is generate a Certificate Request – this is the same type of request that you would send to Thawte or Verisign to get a generally-accepted SSL certificate. For our uses, however, we’ll sign it with our own CA:


nate@example:~/sslca$ /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter PEM pass phrase:(password you entered when creating the CA)
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'State'
localityName          :PRINTABLE:'City'
organizationName      :PRINTABLE:'ExampleCo'
commonName            :PRINTABLE:'host.example.com'
emailAddress          :IA5STRING:'user@example.com'
Certificate is to be certified until Feb 13 16:28:40 2012 GMT (3650 days)
Sign the certificate? [y/n]:y(enter)
1 out of 1 certificate requests certified, commit? [y/n]y(enter)
Write out database with 1 new entries
Data Base Updated
(certificate snipped)
Signed certificate is in newcert.pem

Next, move the output files to names that make a bit more sense for future reference.


nate@example:~/sslca$ mv newcert.pem host.example.com.pem
nate@example:~/sslca$ mv newreq.pem host.example.com.key

That’s all that’s required for Openswan boxes – you’ll need these two files, along with the file ‘cacert.pem’ from the ‘demoCA’ directory, and the ‘crl.pem’ file you generated earlier.

If this certificate is needed for a Windows box, you’ll need to convert it to a p12 format:

$ openssl pkcs12 -export -in winhost.example.com.pem -inkey winhost.example.com.key -certfile demoCA/cacert.pem -out winhost.example.com.p12
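The whole procedure of the last two sections (the CA from steps 1-4 plus the CRL, then request, sign, rename and .p12 export) as an added example that is not part of the original page: a POSIX shell script doing the same work with bare openssl commands instead of CA.sh, under a minimal openssl.cnf it writes itself, which then checks step 3’s rule that the CA certificate must outlive the certificates it signs, and shows that a revoked certificate only stops verifying once crl.pem is regenerated. The directory, the names, the passphrases and the 2048-bit key size are constructed choices of mine, not the guide’s.

```shell
#!/bin/sh
# Added example, not from the guide: what CA.sh -newca / -newreq / -sign do, written
# out as bare openssl commands, plus two checks the guide relies on. Directory, names,
# passphrases and the 2048-bit key size are constructed choices.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"        # the guide uses /var/sslca, mode 700
CA_DAYS=7300                            # CA lifetime; must exceed CERT_DAYS (step 3)
CERT_DAYS=3650                          # the guide's default_days setting
CA_PASS="constructed-ca-passphrase"     # constructed; protects cakey.pem
KEY_PASS="constructed-key-passphrase"   # constructed; protects each host key
DN_BASE="/C=US/ST=State/L=City/O=ExampleCo"

# Minimal openssl.cnf: the [ca] database files, a policy that keeps every DN field we
# use, and explicit extensions so the CA certificate is a real CA (CA:TRUE, keyCertSign).
write_ca_config() {
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = $CERT_DAYS
default_crl_days = 30
policy = keep_dn
[ keep_dn ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_host ]
basicConstraints = CA:FALSE
EOF
}

ca_cmd() { openssl ca -batch -config "$CA_DIR/openssl.cnf" -passin "pass:$CA_PASS" "$@"; }

build_ca() {
  mkdir -p "$CA_DIR/newcerts" && chmod 700 "$CA_DIR"
  : > "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"
  write_ca_config
  openssl req -new -x509 -newkey rsa:2048 -days "$CA_DAYS" -extensions v3_ca \
    -config "$CA_DIR/openssl.cnf" -subj "$DN_BASE/CN=Example VPN CA" \
    -passout "pass:$CA_PASS" -keyout "$CA_DIR/cakey.pem" -out "$CA_DIR/cacert.pem"
  ca_cmd -gencrl -out "$CA_DIR/crl.pem"   # gateways need crl.pem even while it is empty
}

# Request, sign, export: NAME.key and NAME.pem for Openswan, NAME.p12 for Windows.
issue_host_cert() {
  openssl req -new -newkey rsa:2048 -config "$CA_DIR/openssl.cnf" -subj "$DN_BASE/CN=$1" \
    -passout "pass:$KEY_PASS" -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.req"
  ca_cmd -extensions v3_host -in "$CA_DIR/$1.req" -out "$CA_DIR/$1.pem"
  openssl pkcs12 -export -in "$CA_DIR/$1.pem" -inkey "$CA_DIR/$1.key" \
    -certfile "$CA_DIR/cacert.pem" -passin "pass:$KEY_PASS" \
    -passout "pass:$KEY_PASS" -out "$CA_DIR/$1.p12"
}

# Revoking alone changes nothing on the gateways; they only see a regenerated crl.pem.
revoke_host_cert() {
  ca_cmd -revoke "$CA_DIR/$1.pem"
  ca_cmd -gencrl -out "$CA_DIR/crl.pem"
}

# Exit 0 when NAME.pem chains to cacert.pem and is not listed in the current CRL.
cert_is_valid() {
  openssl verify -CAfile "$CA_DIR/cacert.pem" -crl_check -CRLfile "$CA_DIR/crl.pem" \
    "$CA_DIR/$1.pem" >/dev/null 2>&1
}

# Step 3's rule: the CA certificate must still be valid when the certificates it signs
# expire. -checkend exits 0 only if cacert.pem is still valid CERT_DAYS days from now.
ca_outlives_certs() {
  openssl x509 -in "$CA_DIR/cacert.pem" -noout -checkend $((CERT_DAYS * 86400))
}

main() {
  build_ca
  issue_host_cert host.example.com
  cert_is_valid host.example.com && echo "host.example.com: valid; files in $CA_DIR"
  ca_outlives_certs && echo "CA certificate outlives the host certificates"
  revoke_host_cert host.example.com
  cert_is_valid host.example.com || echo "host.example.com: revoked by the new CRL"
}
main
```

Copy the resulting cacert.pem, crl.pem, NAME.key and NAME.pem to the locations the next sections describe; the .p12 goes to the Windows box.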


Installing Openswan

You’ll need to install Openswan on each Linux box you want to speak IPSec.

Openswan now integrates all of the important patches, including X.509 and NAT Traversal. If you want to build it from scratch, you can download it from http://www.openswan.org/code, and follow the installation directions included with the package.

You now have two options for which IPSec stack you want to install in the kernel – you can either use Openswan’s IPSec stack (Klips), or use the built-in IPSec stack in the 2.6 kernel (26sec). If you are running on a stock 2.4 kernel, the only option is Klips. You’ll need to patch NAT Traversal support into your kernel (if you intend to use it), and build the ipsec.o kernel module. Otherwise, if you are using a 2.6 kernel or a 2.4 kernel with backported 26sec support (such as the kernel Debian provides), you don’t need to touch the kernel-land at all – you can just install the Openswan user-land utilities and go. Note that there isn’t as of yet an option to use Klips on the 2.6 kernel; it is on the Openswan developer’s to-do list, but isn’t a real high priority.

You’ll also need the user-land utilities. If you are installing from source, ‘make programs ; make install’ should get you what you need. Otherwise, if you are running Debian testing or unstable, you can just run ‘apt-get install openswan’ to get the user level utilities. ATrpms provides an Openswan package for recent versions of RedHat and Fedora Core; for more information on that, see http://atrpms.net.

Once you’ve selected and set up your IPSec stack and installed the user-land programs, you’re ready to move on to configuring Openswan.

Installing the Certificate on your Gateway

This section discusses how to install the certificate on your gateway machine. These same steps apply for installing the cert on Openswan clients, too. I’m assuming you’ve already created a certificate for each machine (see the “Generating a Certificate” section) – if that’s not the case, please go back and do that now.

1) Install the files in their proper locations (if installing to a remote machine, please be sure to copy the files in a secure manner):

$ cp /var/sslca/host.example.com.key /etc/ipsec.d/private
$ cp /var/sslca/host.example.com.pem /etc/ipsec.d/certs
$ cp /var/sslca/demoCA/cacert.pem /etc/ipsec.d/cacerts
$ cp /var/sslca/crl.pem /etc/ipsec.d/crls/crl.pem

Configuring Openswan on the Gateway Machine

1) Configure ipsec.secrets:

/etc/ipsec.secrets should contain the following:

: RSA host.example.com.key "password"

The password above should be the PEM passphrase that you entered while generating the certificate (it protects the private key in host.example.com.key).

2) Configuring ipsec.conf

/etc/ipsec.conf should look something like the configuration below (note that the indentation is important; without it, Openswan will fail):

version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-net
    leftsubnet=(your_subnet)/(your_netmask)
    also=roadwarrior

conn roadwarrior
    left=%defaultroute
    leftcert=host.example.com.pem
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
    pfs=yes

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

This configuration will set things up so anyone with a valid certificate signed by your CA will be able to connect to your host. There are two connection profiles: one for a connection directly to the gateway, and one for the client to connect to the network behind the gateway. This configuration also includes NAT Traversal configuration that will allow a host behind a NAT gateway using RFC1918 private addresses (defined in the ‘virtual_private’ line) to connect. All of the ‘auto=ignore’ entries are used to disable Opportunistic Encryption (OE), as it can cause problems if not configured properly.

If you are planning on having Windows boxes connect to your host using L2TP over IPSec, you’ll also need the following connections, somewhere above the ‘roadwarrior’ definition:


conn roadwarrior-l2tp
    pfs=no
    leftprotoport=17/0
    rightprotoport=17/1701
    also=roadwarrior

conn roadwarrior-l2tp-updatedwin
    pfs=no
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior

In addition, if you want to have clients tunnel all traffic via IPSec, you’ll need a connection that allows that. The following is what I recommend (again, add above roadwarrior):


conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior

Client Setup: Openswan

1) Follow the steps under ‘Generating a Certificate’ to create a new certificate for the client machine, modifying file names and such as needed. (We will refer to the files for this client as ‘clienthost.example.com’.)

2) Copy the following files (in a secure fashion) over to your client:

  • host.example.com.pem (your gateway’s certificate file)
  • clienthost.example.com.key
  • clienthost.example.com.pem
  • cacert.pem
  • crl.pem

3) Copy the files into their proper locations:


$ cp clienthost.example.com.key /etc/ipsec.d/private
$ cp clienthost.example.com.pem /etc/ipsec.d/certs
$ cp host.example.com.pem /etc/ipsec.d/certs
$ cp crl.pem /etc/ipsec.d/crls
$ cp cacert.pem /etc/ipsec.d/cacerts/cacert.pem

4) Configure ipsec:

ipsec.secrets:

: RSA clienthost.example.com.key "password"

ipsec.conf:


version 2

config setup
    interfaces=%defaultroute
    nat_traversal=yes

conn %default
    keyingtries=1
    compress=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-net
    leftsubnet=(your_subnet)/(your_netmask)
    also=roadwarrior

conn roadwarrior
    left=(ip.of.host)
    leftcert=host.example.com.pem
    right=%defaultroute
    rightcert=clienthost.example.com.pem
    auto=add
    pfs=yes

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

5) Start the VPN link, and make sure everything works:


# /etc/init.d/ipsec restart
$ ipsec auto --up roadwarrior
$ ipsec auto --up roadwarrior-net

6) If you would like to have the links start automatically, change ‘auto=add’ to ‘auto=start’.

Client Setup: Windows 2000/XP

NOTE: If you have previously installed SSH Sentinel, and want to use the built-in Windows IPSec stack, you will need to uninstall (or disable) SSH Sentinel, and enable the ‘ipsec’ service. I know this has tripped a few people up. This also applies for any other IPSec client you may have installed – you *need* to make sure it’s disabled before trying to use the built in IPSec service.

NOTE #2: The HTML guy at my previous employer went through and made screenshots of the process of importing a certificate. These screenshots are available at http://support.real-time.com/open-source/ipsec/index.html. Please do NOT e-mail Real Time with any questions related to this; I no longer work there, and don’t want them to get a flood of questions about this.

1) Create the certificate, again following the steps under ‘Generating a Certificate’. We’ll assume that you call the Windows 2000 certificate ‘winhost.example.com’. You’ll need to follow the directions to output a .p12 file.

Also run the following, and make a note of its output:

$ openssl x509 -in demoCA/cacert.pem -noout -subject

You will need this for your VPN configuration.

2) Copy the .p12 file over to the Windows machine in a secure fashion, such as with ‘scp’ or a floppy disk. Don’t use FTP!

3) Download Marcus Müller’s ipsec.exe utility from http://vpn.ebootis.de and unzip it to some directory on your Windows machine (I generally use c:\ipsec).

4) Create an IPSec + Certificates MMC

  • Start/Run/MMC
  • File (or Console) - Add/Remove Snap-in
  • Click on ‘Add’
  • Click on ‘Certificates’, then ‘Add’
  • Select ‘Computer Account’, and ‘Next’.
  • Select ‘Local computer’, and ‘Finish’.
  • Click on ‘IP Security Policy Management’, and ‘Add’.
  • Select ‘Local Computer’, and ‘Finish’
  • Click ‘Close’ then ‘OK’

5) Add the certificate

  • Click the plus arrow by ‘Certificates (Local Computer)’
  • Right-click ‘Personal’, and click ‘All Tasks’ then ‘Import’
  • Click Next
  • Type in the path to the .p12 file (or browse and select the file), and click ‘Next’
  • Type the export password, and click Next
  • Select ‘Automatically select the certificate store based on the type of certificate’, and click Next
  • Click Finish, and say yes to any prompts that pop up
  • Exit the MMC, and save it as a file so you don’t have to re-add the Snap Ins each time

6) Set up the IPSec utility

Install ipsecpol.exe (Windows 2000) or ipseccmd.exe (Windows XP) as described in the documentation for the ipsec utility. Note that for Windows XP SP2, you’ll need a new version of ipseccmd.exe – it can be downloaded from http://support.microsoft.com/default.aspx?scid=kb;en-us;838079.

Edit your ipsec.conf (on the Windows machine), replacing the “RightCA” value with the output of ‘openssl x509 -in demoCA/cacert.pem -noout -subject’, reformatted as below (you need to change the /’s to commas, and change the name of some of the fields; just follow the example below):

conn roadwarrior
    left=%any
    right=(ip_of_remote_system)
    rightca="C=US,S=State,L=City,O=ExampleCo,CN=CA,Email=host@example.com"
    network=auto
    auto=start
    pfs=yes

conn roadwarrior-net
    left=%any
    right=(ip_of_remote_system)
    rightsubnet=(your_subnet)/(your_netmask)
    rightca="C=US,S=State,L=City,O=ExampleCo,CN=CA,Email=host@example.com"
    network=auto
    auto=start
    pfs=yes
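The reformatting step described above, as an added example that is not part of the original page: a POSIX shell function (awk underneath) that turns the output of ‘openssl x509 -in demoCA/cacert.pem -noout -subject’ into the rightca= line, renaming ST to S and emailAddress to Email exactly as the example above does. It goes a little beyond the guide in also accepting the comma-separated subject format that OpenSSL 1.1.0 and later print; to_rightca and rightca_from_cacert are names I chose, and the sample subject at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the guide: turn the subject line openssl prints for cacert.pem
# into the rightca= string the Windows ipsec.conf expects ("/" becomes ",", ST becomes
# S, emailAddress becomes Email). Handles the slash form the guide shows and the
# "C = US, ST = State" form OpenSSL 1.1.0 and later print. Function names are my own.
set -eu

to_rightca() {
  printf '%s\n' "$1" | awk '
    {
      sub(/^subject= */, "")
      if (substr($0, 1, 1) == "/") { n = split(substr($0, 2), f, "/") }   # OpenSSL 1.0.x and older
      else { n = split($0, f, /, /) }                                    # OpenSSL 1.1.0 and later
      out = ""
      for (i = 1; i <= n; i++) {
        key = f[i]; sub(/ *=.*$/, "", key)                               # attribute type, left of "="
        val = substr(f[i], index(f[i], "=") + 1); sub(/^ */, "", val)    # value, right of "="
        if (key == "ST") key = "S"                                       # Windows spells the state field "S"
        if (key == "emailAddress") key = "Email"
        out = out (i > 1 ? "," : "") key "=" val
      }
      # Caveat: a value that itself contains "/" or ", " (e.g. O = Foo, Inc.) would be split
      # here; compare the result with the grayed-out box in the MMC (see the errors section).
      print "rightca=\"" out "\""
    }'
}

# Convenience wrapper for a CA certificate file, as in step 1 of the Windows setup.
rightca_from_cacert() { to_rightca "$(openssl x509 -in "$1" -noout -subject)"; }

# Constructed sample: the DN the guide uses for its CA, in the older slash form.
to_rightca 'subject= /C=US/ST=State/L=City/O=ExampleCo/CN=CA/emailAddress=host@example.com'
```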

If you would like to encrypt all data over the tunnel, the following should work (if you have set up the Linux side properly):


conn roadwarrior-all
    left=%any
    right=(ip_of_remote_system)
    rightsubnet=*
    rightca="C=US,S=State,L=City,O=ExampleCo,CN=CA,Email=host@example.com"
    network=auto
    auto=start
    pfs=yes

7) Start the link

Run the command ‘ipsec.exe’. Here’s example output:


C:\ipsec>ipsec
IPSec Version 2.1.4 (c) 2001,2002 Marcus Mueller
Getting running Config ...
Microsoft's Windows XP identified
Host name is: (local_hostname)
No RAS connections found.
LAN IP address: (local_ip_address)
Setting up IPSec ...
    Deactivating old policy...
    Removing old policy...
Connection roadwarrior:
    MyTunnel     : (local_ip_address)
    MyNet        : (local_ip_address)/255.255.255.255
    PartnerTunnel: (ip_of_remote_system)
    PartnerNet   : (ip_of_remote_system)/255.255.255.255
    CA (ID)      : C=US,S=State,L=City,O=ExampleCo,...
    PFS          : y
    Auto         : start
    Auth.Mode    : MD5
    Rekeying     : 3600S/50000K
Activating policy...
Connection roadwarrior-net:
    MyTunnel     : (local_ip_address)
    MyNet        : (local_ip_address)/255.255.255.255
    PartnerTunnel: (ip_of_remote_system)
    PartnerNet   : (remote_subnet)/(remote_netmask)
    CA (ID)      : C=US,S=State,L=City,O=ExampleCo,...
    PFS          : y
    Auto         : start
    Auth.Mode    : MD5
    Rekeying     : 3600S/50000K
Activating policy...

C:\ipsec>

Now, ping your gateway host. It should say ‘Negotiating IP Security’ a few times, and then give you ping responses. Note that this may take a few tries; from a T1 hitting a VPN server on a cable modem, it usually takes 3-4 pings. Do the same for the internal network on the remote end, and you should be up!


Some common errors, and resolutions for them

I’ve tried to make it as simple as possible to follow the above instructions, but sometimes it just doesn’t quite work right. :) If you have trouble, feel free to e-mail me, or join the FreeS/WAN mailing list and ask your questions there (many times, you will get a quicker response there, as there are more people listening at any given time, and most of them are smarter than me!). But, just in case you’ve got one of the really common problems, here’s a few problems and solutions:

1) Logging on the Windows side (helps troubleshoot certificate errors, etc)

Yes, it is actually possible to enable logging on the Windows box! To do this, follow the directions at Microsoft’s Basic IPSec Troubleshooting in Windows 2000 page — look for the section entitled ‘Obtaining an Oakley Log’.

2) Pinging from the Windows side shows ‘Negotiating IP Security’, but the tunnel never comes up!

This is one of the most common problems people have, and is usually caused by problems with rightca= on the Windows side. To verify that you have that set properly, follow these instructions:

  • Load the IPSec MMC you created earlier
  • Click IP Security Policies; double-click on the FreeSwan tunnel
  • Double-click the roadwarrior-Host filter
  • Click on the ‘Authentication Methods’ tab
  • Click ‘Add’, then ‘Use a certificate from this CA’
  • Click Browse, find your CA
  • Copy/paste the text in the grayed-out box into your ipsec.conf

In many cases, that’ll clear up the issues – if it doesn’t, check your log for errors.

More troubleshooting tips to come soon, assuming I get time to write them. :)

Let me know if the above doesn’t make sense, and I’ll try to help you out. :)

References

FreeS/WAN Documentation: http://www.freeswan.org

X.509 Patch Documentation: http://www.strongsec.com/freeswan

The Windows 2000 VPN Tool Documentation: http://vpn.ebootis.de

Microsoft’s Basic IPSec Troubleshooting page: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q257225

{ 5 comments }

This one is purely for the geeks, and I’m just posting it because I couldn’t find a definitive answer on the web: if you have a Cisco 2801 and want to add more memory (there is 128mb soldered on the board), standard pc133 sodimm memory (ie, the same kind you use in older laptops) will work just fine! Yippie!

Cisco 2801 (revision 5.0) with 356352K/36864K bytes of memory.

{ 1 comment }

If you try to compile the nvidia kernel module on 2.6.20 or higher kernels that have paravirt_ops enabled (like the Debian kernels), you will run into a problem – it’ll complain that a non-GPL compatible license is using the GPL-only code paravirt_ops. I finally found a workaround (other than building the kernel without paravirt ops) – thanks to this page, you can just modify your kbuild source to get things to work. Here’s a quote from that site:

Delete the following two lines (1197-1198) in file modpost.c:

if (!mod->gpl_compatible)
check_for_gpl_usage(exp->export, basename, exp->name);

I rebuilt the 2.6.21 linux-kbuild package for Debian with the above changes, and lo and behold, it works! Thanks!

{ 0 comments }

new resume format

I’ve gotten tired of my custom-written MySQL app to handle my resume, so I decided to scrap it and try out xml-resume-library to maintain it. It’s quite interesting, and I think the results are pretty good.. my resume page has been converted over to it, check it out!

One of the really cool things that this library lets you do is have a single XML file that you can transform (with stylesheets) into plain-text, pdf, html, etc. Right now, the page is static; however, in the future, I plan to try out PHP5’s XSL library to do the transformation for me. That way, I should just be able to update a XML file, copy it to my web server, and have the resume auto-update – including links to download a pdf or text version. Cool, eh?

[Edit 2007/04/07] OK, I went and made everything dynamic now – there’s just an XML file sitting on disk that all the pages get generated from. Hurrah! Check it out.

{ 0 comments }

tomtom pocketpc rocks!

Tiff and I are taking a trip to Texas in March for a family reunion thingy, and I really wanted to get some sort of navigation system for while we are down there. On a whim, I tried out TomTom’s PDA edition, with a QStarz bluetooth GPS. I’ve been really shocked at how well it works – it’s actually better than many in-car navigation systems I’ve tried. In any case, I highly recommend the combo!

{ 0 comments }

google calendar is fun!

Tiff and I recently decided to start using Google Calendar to start organizing our lives.. it’s been going pretty good so far. I’m currently using a Cingular 8125 Pocket PC for my cell phone, and wanted to be able to sync the Google calendars down to the phone. After experimenting with many programs, I finally ran across OggSync, which is payware ($30/year), but it’s worth it – it’s a seamless way to sync my phone’s calendar to all of our Google Calendars directly over the phone’s internet connection.

The one thing I haven’t been able to find yet is a sync program for Outlook (yeh, I have to use it at work) that works properly.. does anyone have any suggestions?

{ 1 comment }

yeah.. i’m a little busy.

OK, like most fledgling bloggers out on the ‘net, I’m becoming an utter failure when it comes to updating this bad boy on a regular basis. Sorry ’bout that. Just a few random notes:

  • I’m extremely busy. Work. Work. Work.
  • I’m now the official NBC Sports sysadmin at my company. That means work. Lots of it.. sometimes.
  • We’re ditching T-Mobile. Their customer service and quality of phone service has been going way downhill for us over the last couple years, and the last straw was when my 4-month old phone died, and they wanted to charge me $10 to ship a replacement, and the rep’s supervisor couldn’t reverse the charge. Uh, I’ve been a customer for ~12 years (well, of various companies that got swallowed up by T-Mobile, at least) — the least they could do is swallow ten stinkin’ bucks. Ah well, I got in touch with the CEO’s office, got that charge reversed, and they agreed to cancel my contracts. We’re going to give Cingular a shot, since Tiff gets a discount with them through her work.. I’m sure they suck too, but hopefully it’ll at least be in some different way. On a side note, I’m also going to try out a PDA phone, to see if that’ll help get me organized a bit.
  • As far as the burglary of my neighbor’s house, I’m not sure if the guy’s been caught yet, but my neighbor did get the nice ring she was upset about back. Woohoo!

Well, that’s it for a mini-update for now – I’ll do my best to post something geeky here soon.

Oh, yeah, by the way, some youth pastor decided that blogging is a sin.. heh! Silly!

{ 0 comments }

I’ve seen a wide gamut of those “control panel” things for hosting providers, and most of the ones I’ve looked at, I haven’t liked. They usually cost tons of money, use software I hate (i.e., qmail), and do not integrate well with my preferred distribution (Debian). I ran across one today that seems to work pretty darn well — SysCP.

Advantages:

  • Designed for Debian
  • Open-source
  • Uses “good” software (Apache, Postfix, Courier’s pop3 daemon, etc)
  • Stores users in MySQL, so they are entirely virtualized
  • Fairly easy-to-use web interface

Things I don’t like about it (right now):

  • Only supports woody/sarge
  • Only supports Apache version 1, and PHP version 4 (probably easily worked around)

So far, so good.. I will probably move my virtual hosting over to this platform eventually, with redundant MySQL servers and mail servers and such. Because it uses postfix and virtual MySQL mailboxes, it should also tie in very well with Maia Mailguard.

{ 0 comments }

something i’ve learned today..

Original Post: August 14, 2006 @ 20:18
This morning, around 9:00, I took my dog out on a walk, and there was a strange car across the street from my house. When I walked across the street, a guy I didn’t know walked up from behind the house with what I thought was a towel draped over his arm. I said hey, he said “how’ya doin?”, and I noticed that he had really bad teeth. Then, he got into his car and drove away. Something was bothering me about him, so I took a look at the license plate, and walked back behind the townhouses (it’s backing up against a nature area), and took a look around.. I didn’t see anything unusual, so I assumed he must’ve been there for a reason, and wrote it off.

Then, tonight we were walking Chimo again, and noticed a police car by the neighbor’s house. I asked our neighbor what was up, and it turned out that someone had gotten into their house through the back porch door, which was unlocked, and stolen some items, including a ring and a pillowcase. The timing was perfect – they had been gone from ~8:30-10:00 this morning. I gave the police officer all the information I could remember (make/model/color of the car, a general description of the guy, and that the license plate had sequential numbers in it), but I am really kicking myself for not going with my instincts and calling the cops right away, or at least writing the license plate down. If the police do find the guy, at least I will be able to pick him up out of a lineup — he had fairly distinctive features.

Ah well.. next time. I guess it’s better to be paranoid about something and be wrong than to dismiss something but have been right. Our house is gonna be locked up tight for the near term.. hopefully the police will catch the guy.

Update: August 22, 2006 @ 13:35
Well, the detective just called me back on this.. it turns out that the guy has robbed 14-15 other houses, and the car I saw him in was stolen out of a house in July. LOVELY! They are having me come in to look over some mug shots and such.

{ 0 comments }

nbcsports.com goes live

Well, my pet project (from an infrastructure perspective) for the last couple months is finally up and live — check it out. Note I can’t take any credit for the coolness of the site — that’s the excellent design team down the hall from me.

In any case, I was fortunate(?) enough to miss the blood, sweat, and tears of launch week.. it’s a good thing that Tiff and I picked August 16th for our wedding date, so I had the launch week off work long before the launch was scheduled! My coworkers did an excellent job getting everything up.

{ 0 comments }

let there be grass!

Well, I know this is meaningless for many of my regular readers.. but Tiff and I *finally* have grass in our yard! WOOHOO! Only three months late..

I’ll post pictures once the sod’s rooted a bit.. :)

{ 0 comments }

More pictures from Vancouver, BC

Thought I’d post some more pictures on my last full day here in Vancouver.. this is following up on this post. :)

Yesterday afternoon, after the talks, I decided to wander the waterfront a bit.. here’s a few pictures from down there:

Vancouver, BC waterfront
Just a shot of the waterfront.

Vancouver, BC waterfront T-Shirt - 'Vancouver's Sexiest Staff'
Concession staff wearing a shirt saying “Vancouver’s Sexiest Staff” — does it really matter? Really, I just want food!

Buildings off Vancouver, BC's waterfront
Even the new buildings here are cool.

Then, after the lights went out, I decided to wander and take some shots.

Granville Street Bridge at night
My attempt at the Granville Street Bridge. Mostly failed, but still kind of cool!

First shot of the Lion's Gate Bridge
First angle of the Lion’s Gate Bridge.

Lion's Gate Bridge and Vancouver from Cypress Mountain at night
The Lion’s Gate Bridge and the city of Vancouver BC from Cypress Mountain at night


I think I’ll have to go practice some more late-night photography tonight.. it’s fun!

{ 3 comments }

Trip to Vancouver, BC

I am currently in Vancouver for the USENIX Security ’06 conference. The trip and conference have been pretty good so far.. here’s a basic summary:

Day 1 – Saturday, July 29, 2006:

Tiff dropped me off at the airport; I dropped my luggage off and got through security without any snags. Since I upgraded my ticket to first class, I got to hang out at the Worldclubs lounge before the flight.. very nice; free drinks, free internet, comfortable chairs, and most importantly, quiet. About 15 minutes before my flight was supposed to board, I wandered down to the gate, and boarded soon after. I was sitting by a guy who’s working in Taiwan right now, and had some interesting pre-flight conversations.. then we pretty much stayed to ourselves during the actual flight. I gotta say, I much prefer first class.. there’s actually enough room to feel comfortable, and you get pretty good service. When I arrived in Vancouver, I went through customs (pain-free again; just a 15-minute wait.. not bad), and then waited another half hour or so for my luggage to show up. Then, I headed down to the parking ramp to pick up my car.. ended up with a Chrysler 300; I’d never driven one of the recent models before, and I’m actually quite impressed! Here’s a shot of the car:

My rental car

I drove through the nasty Vancouver traffic to the hotel.. and didn’t know where I was supposed to turn to get into it, and ended up driving by it. I had to go up about 4 blocks before I could turn around, and it took me another 15-20 minutes to find the silly hotel ramp.. that wasn’t much fun. After I got to the hotel, I ended up crashing for the rest of the day.. I guess I was tired!

Day 2 – Sunday, July 30, 2006:

On Sunday, I decided to head over to the Capilano Suspension Bridge, since I had heard impressive things about it. I was rather disappointed.. it was an interesting experience, but you really couldn’t do much “nature”-ish stuff.. you were basically limited to a small set of trails they had set up for you. Ah well, it was still fun.

After that, I thought I’d head up to Whistler, and try to go on a Gondola ride to the peak of a mountain. Unfortunately, there was construction all the way up Highway 99, so I arrived too late to do that, so I just wandered the city for awhile – looks like a nice town! Then, I headed back to the hotel to crash again.

Day 3 – Monday, July 31, 2006:

Monday was the first day of the conference. I attended the “DDoS for Fun and Profit” session; it was interesting, but nothing I didn’t already know. I didn’t really do anything afterwards.. just hung out in the hotel room, watched some TV, and did some work.

Day 4 – Tuesday, August 1, 2006:

Tuesday was my “Security Without Firewalls” session. Much more interesting; they basically reinforced a bunch of stuff I already knew. One thing they did is a basic tutorial on cfengine, which is a configuration management utility. I’ve always meant to dig into it, but hadn’t had the time.. they boiled it down enough that I’m gonna have to play with it when I get back home. Once again, after the sessions were done, I went to my room and crashed.

Day 5 – Wednesday, August 2, 2006:

Wednesday was the first day of talks and such instead of sessions. I went to a few talks in the morning and afternoon; a bunch of interesting stuff, but nothing that really applied to what I’m doing at work. It was still fun to hear about what people really in the security research field are up to, however. After the talks, I decided to head out to the Lynn Headwaters Regional Park. I was much more impressed with this park than with Capilano – even the suspension bridge was cooler. :) Here are few pictures of the park and bridge:

Lynn Suspension Bridge
Lynn Creek

I was going to hike down to the falls, but my ankle started giving me trouble, so I decided to head back to the hotel. I hung out for a couple hours, had dinner in my room (it actually ends up costing less than going down to the restaurant, interestingly.. I still haven’t found any inexpensive restaurants in the area – bummer), and then decided to go explore Vancouver at night (around midnight), looking for interesting picture opportunities. I didn’t find anything really interesting, except for a park full of kids making out in cars – I guess every city’s gotta have one. Maybe I’ll go exploring some more tonight – I’ll have to see. I was inspired by this shot — I will have to head over to that area.

Oh, and the hotel’s good at presentation for dinner, even if you order room service:
Dinner
Dessert

Day 6 – Thursday, August 3, 2006:

This is today, which obviously isn’t done yet. :) I’ve gone to two talks so far — one regarding software’s security improving with age, and then another regarding how wiretaps are done, and vulnerabilities in the system. Both were quite interesting, and worth going to. I haven’t yet decided which other sessions I want to go to today.

Well, I’ll post more later!

{ 1 comment }

finally, a decent pair of earbuds..

I’ve always hated earbud headphones because the sound just wasn’t that great on them, and they always fell out of my ears. At the same time, I loved them because they were small and didn’t get in the way. The other day, I noticed a deal that Amazon was offering on the Shure E2c isolating earphones. Basically, they are a pair of earbuds with integrated earplugs. I’ve always liked the Shure brand for professional mic’s and such, so figured I’d give these a shot. They just showed up on my desk, and sound really good so far.. I still need to work on the fit a little bit to get bass response, but my initial impression is “wow — I didn’t realize those instruments were in this song!”. I’d highly recommend them on my experience so far.. I’ll try to remember to post a follow-up to this after I’ve used them more, including on a plane ride in a couple weeks.

I’m sure my coworkers will hate these things, since they will actually have to walk over and slap me over the back of my head instead of just yelling at me. Ah well..

Oh, yeah, you can also see what I’m listening to over on the sidebar. Yeah, I’m a geek.

{ 0 comments }

I purchased a 50″ Samsung DLP TV at Sam’s Club in Sep ’04. When I purchased it, the guy who was helping me with it asked me if I’d like to purchase an extended warranty. I had previously read that Sam’s will let you return items after any period if they break, as long as there’s no physical damage, so I asked about that.. he basically said that yeah, if the TV ever broke, I could return it — all the extended warranty would do is have someone come out to my house to fix it, so I didn’t have to hassle with it. So, I just purchased the TV alone, for $2800 + tax.

A couple months after the purchase, I had been holding onto the box, and was wondering if I could get rid of it.. I called Sam’s 800#, and asked if I needed to keep the box to return the TV. The guy said “well, technically we’re supposed to say yes, but they will probably accept the return without the box.” Since we didn’t have much storage space, and we didn’t expect problems with the TV (so we wouldn’t need to return it), I went ahead and trashed the box.

Over the last couple months, the TV’s been having problems where if we turn it off and try to turn it back on within an hour or so, it’ll just click a couple times and not turn on. We were living with it, but over the last week, it’s been refusing to turn on almost all the time; it seemed like it was a bad ballast, since when it would fire up, it’d stay on without any problems, and the ballast is not really a “user-replaceable” part. So, I finally got fed up, and decided to give the return policy a shot. I grabbed the TV, the remote, and my receipt, and wheeled it up to the customer service desk at my local Sam’s Club. I explained what was going on, and that I’d like to exchange the TV. The lady said “oh, ok”, then she looked at the date on the receipt, and said she’d have to call a manager over to approve it. The manager walked over, and said “no problem! Go find the TV you want.” I went over, and picked out a 50″ Sony LCD Projection TV, priced at $1950. Brought the tag back to the desk, and the next thing I knew, they had handed me a receipt for the new TV, complete with a $905 credit back to my Discover card.

So, basically, I got to use a TV for 1yr 10mo, and when it died, got a brand new TV with better features, and $905 to boot. The most I was expecting is that they’d do an even exchange for the TV, or at the absolute most, give me a store credit for the difference.

How’s that for customer service?

{ 3 comments }

This document describes how to set up a VPN with Openswan combined with L2TPD. This provides for a more user-friendly experience than a standard IPSec VPN on many client operating systems. Note that for most site<->site VPN’s, you will still want straight IPSec.

If you’re not sure if IPSec is right for you, I have written a quick document about some of the various types of VPN available under Linux. It is available at: http://www.natecarlson.com/linux/linux-vpn.php. I hope this helps clear up some questions.

This page is heavily based on my basic IPSec configuration page, located at http://www.natecarlson.com/linux/ipsec-x509.php. The l2tpd configuration side is based on Jacco de Leeuw’s page, which is the definitive source for anything related to Openswan and L2TP. I’m just trying to simplify things for the average Linux geek — if you need more detailed information, or information about any clients other than Windows, check out his page. If you have any difficulties with this process, please e-mail the Openswan mailing list, or if you can’t get help from there, e-mail me at: ipsec@natecarlson.com.

All of my examples on this page are based on a Debian Sarge system, since all the packages required are readily available. Most examples are readily portable to other distributions; you will just need to get the required software for that distribution.

NOTE: I do occasionally post notes about new VPN options and such on my blog; see the VPN category at: http://www.natecarlson.com/category/geek-stuff/vpn. Also, if you are interested in consulting services to help you set things up, I am available on a very limited basis – please see my consulting page.


Contents:
Setting up a Certificate Authority
Generating a Certificate
Installing Openswan
Installing the Certificate on your Gateway
Configuring Openswan on the Gateway Machine
Configuring l2tpd on the Gateway Machine

Client Setup: Windows XP
Client Setup: Real IPSec Clients
Some common errors, and resolutions for them
References used to write this document

Setting up your Certificate Authority
I’m assuming you want to use X.509 certificates for authentication. It may be possible to get this working with pre-shared keys, but I haven’t tried it. I am also assuming that you will need your own Certificate Authority dedicated to VPN usage – if you already have access to a CA, you may just want to generate certificates from there (if that’s the case, you can just skim this section.) If you need more details that I am going into here, please read the OpenSSL documentation — it’s fairly detailed. For CA certificate management, my examples use the utilities included with OpenSSL itself – there are third-party tools out there that make this a bit simpler, but I want to keep dependencies low. Note that you do not necessarily need to use your Openswan gateway as the Certificate Authority – it can be any box with OpenSSL installed. In fact, it may be better to use a different box, so if an attacker gains access to your Openswan gateway they don’t have access to your CA, too. If you have any suggestions on how to make this process simpler, please let me know!

Now, on to the good stuff – let’s start setting up our own CA.


1) Install openssl. On Debian, ‘apt-get install openssl’ will take care of this.
2) Find your openssl.cnf file. This file has default values for OpenSSL certificate generation. Here’s a few locations for various distributions:

Debian: /etc/ssl/openssl.cnf
RedHat 7.x+: /usr/share/ssl/openssl.cnf

Open this file in your favorite editor. We will need to change the following options:

‘default_days’: This is the length of time, in days, that your certificates will be valid for, and defaults to 365 days, or 1 year. I recommend setting this to ‘3650’, as that will give you 10 years of validity on your certificates. Since this is for internal use, I am ok with the security ramifications of having a certificate valid for a long time – if you lose it or whatnot, you can revoke it without a problem.

‘[ req_distinguished_name ]’ section: You don’t really *need* to change the options below req_distinguished_name; they just set the default options (such as location, company name, etc) for certificate generation. I find it’s easier to set them here than re-type them for every certificate.

3) Create a directory to house your CA. I generally use something like /var/sslca; you can really use whatever you want. Change the permissions of the directory to 700, so that people who aren’t supposed to have access to the private keys can’t read them.

4) Find the command ‘CA.sh’ (some distributions rename it to just ‘CA’; don’t ask me why.) Locations on various distributions:

Debian: /usr/lib/ssl/misc/CA.sh
RedHat 7.x+: /usr/share/ssl/misc/CA

Edit this file, and change the line that says ‘DAYS=”days 365″‘ to a very high number (this sets how long the certificate authority’s certificate is valid.) Be sure that this number is higher than the ‘default_days’ value you set above, or else Windows may not accept your certificates. Note that if this number is too high, it can cause problems – I generally set it for 15-20 years.

5) Run the command ‘CA.sh -newca’. Follow the prompts, as below. Example input and my comments are shown in parentheses after each prompt. Be sure to not use any non-alphanumeric characters, such as dashes, commas, plus signs, etc. These characters may make things more difficult for you.

nate@example:~/sslca$ /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create) (press enter)
Making CA certificate ...
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.............................................................................+++
........................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: (enter password -- This is the password you will need to create any other certificates.)
Verifying password - Enter PEM pass phrase:(repeat password)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: (country -- enter your two-letter country code here)
State or Province Name (full name) [Some-State]: (Enter your state/province here)
Locality Name (eg, city) []: (Enter your city here)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []: (OU, if you like. I usually leave it blank)
Common Name (eg, YOUR name) []: (The name of your Certificate Authority)
Email Address []: (E-Mail Address)
nate@example:~/sslca$

Let’s also generate a crl file, which you’ll need on your gateway boxes:

nate@example:~/sslca$ openssl ca -gencrl -out crl.pem

You’ll need to update this CRL file any time you revoke a certificate.

That’s it, you now have your own certificate authority that you can use to generate certificates.

Generating a Certificate
You will need to generate a certificate for every machine that will be making an IPSec connection. This includes the gateway host, and each of your client machines. This section details how to create the certificate, and convert it to formats needed for Windows and such.

Again, we’ll be using the CA.sh script. Except this time, instead of telling it to create a new Certificate Authority, we’re telling it to request, then sign a certificate:

nate@example:~/sslca$ /usr/lib/ssl/misc/CA.sh -newreq
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 1024 bit RSA private key
...................................+++
...............................+++
writing new private key to 'newreq.pem'
Enter PEM pass phrase: (Enter password to encrypt the new cert's private key with - you'll need this!)
Verifying password - Enter PEM pass phrase: (repeat password)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: (Country)
State or Province Name (full name) [Some-State]: (State)
Locality Name (eg, city) []: (City)
Organization Name (eg, company) [Internet Widgits Pty Ltd]: (Company)
Organizational Unit Name (eg, section) []: (Blank)
Common Name (eg, YOUR name) []: ("Common Name" -- hostname, username, whatever)
Email Address []: (User's email address)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (Leave blank)
An optional company name []: (Leave blank)
Request (and private key) is in newreq.pem

What we just did is generate a Certificate Request – this is the same type of request that you would send to Thawte or Verisign to get a generally-accepted SSL certificate. For our uses, however, we’ll sign it with our own CA:


nate@example:~/sslca$ /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter PEM pass phrase:(password you entered when creating the ca)
Check that the request matches the signature

Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'State'
localityName :PRINTABLE:'City'
organizationName :PRINTABLE:'ExampleCo'
commonName :PRINTABLE:'host.example.com'
emailAddress :IA5STRING:'user@example.com'
Certificate is to be certified until Feb 13 16:28:40 2012 GMT (3650 days)
Sign the certificate? [y/n]:(Press 'y', then enter)

1 out of 1 certificate requests certified, commit? [y/n] (Press 'y', then enter)
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

Next, move the output files to names that make a bit more sense for future reference.

nate@example:~/sslca$ mv newcert.pem host.example.com.pem
nate@example:~/sslca$ mv newreq.pem host.example.com.key

That’s all that’s required for Openswan boxes – you’ll need these two files, along with the file ‘cacert.pem’ from the ‘demoCA’ directory, and the ‘crl.pem’ file you generated earlier.

If this certificate is needed for a Windows box, you’ll need to convert it to a p12 format:

$ openssl pkcs12 -export -in winhost.example.com.pem -inkey winhost.example.com.key -certfile demoCA/cacert.pem -out winhost.example.com.p12
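The CA setup and certificate-generation steps above, collected into a set of non-interactive shell functions. This is an added example, not the page’s own CA.sh transcript: it drives the same ‘openssl req’ / ‘openssl ca’ workflow (a demoCA-style directory with index.txt, serial and a small config file), adds the CRL check a gateway admin wants after revoking a certificate, and exports the .p12 bundle a Windows client needs. It assumes the openssl binary is installed; the directory path, the passphrases, the CA name “Example VPN CA” and the vpn_ca_* function names are placeholders chosen for this example, not Openswan’s or OpenSSL’s.

```shell
#!/bin/sh
# Added example: the CA.sh workflow from this page as non-interactive shell
# functions around "openssl req" and "openssl ca".  Assumes openssl is on
# PATH.  Directory, passphrases and the CA name are placeholders supplied by
# the caller; the vpn_ca_* names are this example's own.
set -eu

# Minimal openssl.cnf for "openssl ca"; $dir is expanded by OpenSSL itself.
vpn_ca_write_config() {   # $1 = CA directory (absolute path)
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_days     = 3650
default_crl_days = 30
default_md       = sha256
policy           = policy_any
x509_extensions  = v3_host
unique_subject   = no

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ v3_host ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# 1) Create the CA: 700 directory, serial/index files, self-signed cert valid
#    ~20 years (the page suggests 15-20), CA key encrypted with passphrase $2.
vpn_ca_init() {   # $1 = CA directory, $2 = CA key passphrase
    mkdir -p "$1/private" "$1/newcerts"
    chmod 700 "$1" "$1/private"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    echo 01 > "$1/crlnumber"
    vpn_ca_write_config "$1"
    openssl req -x509 -newkey rsa:2048 -days 7300 -config "$1/openssl.cnf" \
        -extensions v3_ca -subj "/CN=Example VPN CA" \
        -keyout "$1/private/cakey.pem" -passout "pass:$2" -out "$1/cacert.pem"
    vpn_ca_gencrl "$1" "$2"
}

# Regenerate crl.pem; as the page notes, do this after every revocation.
vpn_ca_gencrl() {   # $1 = CA directory, $2 = CA key passphrase
    openssl ca -batch -config "$1/openssl.cnf" -passin "pass:$2" \
        -gencrl -out "$1/crl.pem"
}

# 2) Request and sign a host/user certificate, then export the .p12 bundle
#    (cert + encrypted key + CA cert) a Windows client imports.
vpn_ca_issue() {   # $1 = CA dir, $2 = CA passphrase, $3 = name, $4 = key passphrase
    openssl req -new -newkey rsa:2048 -config "$1/openssl.cnf" -subj "/CN=$3" \
        -keyout "$1/$3.key" -passout "pass:$4" -out "$1/$3.csr"
    openssl ca -batch -notext -config "$1/openssl.cnf" -passin "pass:$2" \
        -in "$1/$3.csr" -out "$1/$3.pem"
    openssl pkcs12 -export -in "$1/$3.pem" -inkey "$1/$3.key" -passin "pass:$4" \
        -certfile "$1/cacert.pem" -out "$1/$3.p12" -passout "pass:$4"
}

# 3) Revoke a certificate and publish a fresh CRL for the gateway.
vpn_ca_revoke() {   # $1 = CA dir, $2 = CA passphrase, $3 = name
    openssl ca -batch -config "$1/openssl.cnf" -passin "pass:$2" -revoke "$1/$3.pem"
    vpn_ca_gencrl "$1" "$2"
}

# The check a gateway admin wants: does the cert chain to our CA and is it
# absent from the current CRL?  Exit status 0 = usable, non-zero = reject.
vpn_cert_status() {   # $1 = CA dir, $2 = name
    openssl verify -CAfile "$1/cacert.pem" -CRLfile "$1/crl.pem" -crl_check \
        "$1/$2.pem" >/dev/null 2>&1
}
```

The CRL-aware verify at the end is the same test your gateway performs once crl.pem is installed under /etc/ipsec.d/crls, so running it locally before and after a revocation confirms that the CRL you are about to copy out actually blocks the certificate.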

Installing Openswan
You’ll need to install Openswan on each Linux box you want to speak IPSec. This section covers installing the actual software..

If you are running Debian, there are binary packages available in Sarge and above. For RedHat or Fedora, ATrpms provides binary packages. I can’t vouch for the quality of these packages, but I do know many people have used them with good success. See http://atrpms.net. If you want to build it from scratch, you can download it from http://www.openswan.org/code, and follow the installation directions included with the package. I recommend the most recent version in the 2.2 series, until 2.3.1 is available – 2.3.0 has some critical bugs.

You now have two options for which IPSec stack you want to install in the kernel – you can either use Openswan’s IPSec stack (KLIPS), or use the built-in IPSec stack in the 2.6 kernel (26sec). If you are running on a stock 2.4 kernel, the only option is KLIPS. You’ll need to patch NAT Traversal support into your kernel (if you intend to use it), and build the ipsec.o kernel module. Otherwise, if you are using a 2.6 kernel or a 2.4 kernel with backported 26sec support (such as the kernel Debian provides), you don’t need to touch the kernel-land at all – you can just install the Openswan user-land utilities and go. With Openswan 2.3.1, we will also have support for KLIPS on 2.6, but without NAT Traversal support (until someone gets around to fixing it!) My current recommendation (and my only tested configuration) is to use a stock kernel, patched with NAT Traversal and with KLIPS added. If you bug me, I’ll probably provide patched up Debian packages. :) I have heard stories about l2tpd not working with the kernel stack.

Once you’ve selected and set up your IPSec stack and installed the user-land programs, you’re ready to move on to configuring Openswan.


Installing the Certificate on your Gateway
This discusses how to install the certificate on your gateway machine. These same steps apply for installing the cert on Openswan clients, too. I’m assuming you’ve already created a certificate for each machine (see the “Generating a Certificate” section) – if that’s not the case, please go back and do that now.

1) Install the files in their proper locations (if installing to a remote machine, please be sure to copy the files in a secure manner):

$ cp /var/sslca/host.example.com.key /etc/ipsec.d/private
$ cp /var/sslca/host.example.com.pem /etc/ipsec.d/certs
$ cp /var/sslca/demoCA/cacert.pem /etc/ipsec.d/cacerts
$ cp /var/sslca/crl.pem /etc/ipsec.d/crls/crl.pem


Configuring Openswan on the Gateway Machine

1) Configure ipsec.secrets:
/etc/ipsec.secrets should contain the following:

: RSA host.example.com.key "password"

The password above should be the passphrase you entered while generating the host’s certificate and key. Since this file holds that passphrase in clear text, keep it owned by root and readable only by root (mode 600).

2) Configuring ipsec.conf
/etc/ipsec.conf should look something like the configuration below (note that the indentation is important; without it, openswan will fail):

version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-net
        leftsubnet=(your_subnet)/(your_netmask)
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior
        left=%defaultroute
        leftcert=host.example.com.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes

conn roadwarrior-l2tp
        type=transport
        left=%defaultroute
        leftcert=host.example.com.pem
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        pfs=no
        auto=add

conn roadwarrior-l2tp-oldwin
        left=%defaultroute
        leftcert=host.example.com.pem
        leftprotoport=17/0
        right=%any
        rightprotoport=17/1701
        rightsubnet=vhost:%no,%priv
        pfs=no
        auto=add

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

The ‘roadwarrior-*’ entries allow roadwarriors (i.e., regular IPSec clients) to connect to your IPSec gateway itself, to the network behind it, and to tunnel all of their traffic to the ‘net at large through it. The roadwarrior-l2tp entries allow both older and newer versions of Windows to connect to an l2tpd daemon running on the same host as your Openswan gateway. Anyone with a valid certificate signed by your CA will be able to connect to your gateway. This configuration also includes NAT Traversal configuration that allows a host behind a NAT gateway using RFC1918 private addresses (defined in the ‘virtual_private’ line) to connect. The ‘auto=ignore’ lines are there to disable Opportunistic Encryption, which can cause problems if not configured properly.

Configuring l2tpd on the Gateway Machine

1) Install l2tpd. On Debian (assuming you have ‘unstable’ in your sources.list), you can just ‘apt-get install l2tpd’; on other distributions, you can find a binary distribution, or grab the source from http://www.l2tpd.org. If building from source, you probably want to build from the CVS version.

2) Configure l2tpd. On Debian, you’ll need to edit the file ‘/etc/l2tpd/l2tpd.conf’. Here’s an example:

[global]
auth file = /etc/l2tpd/l2tp-secrets
[lns default]
ip range = 192.168.100.240-192.168.100.250
local ip = 192.168.100.254
require chap = yes
refuse pap = yes
require authentication = yes
name = MyVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.lns
length bit = yes

You’ll need to change the IP range to a block of unused addresses on your internal network that you would like to hand out to L2TP clients. The ‘Local IP’ should be the local IP address of your box. The ‘pppoptfile’ specifies which options file to use.

3) Configure your PPP options. From the example above, this is located at /etc/ppp/options.l2tpd.lns.

ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.100.1
ms-wins 192.168.100.1
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
nologfd

You’ll need to change ms-dns and ms-wins to match your internal DNS and WINS servers. I’ve got the MTU set rather low so that packets won’t be fragmented – if you leave the MTU at 1500, you may find that things like SMB shares don’t work properly.

4) Set up your authentication file. This is at /etc/ppp/chap-secrets.

# Secrets for authentication using CHAP
# client server secret IP addresses
username * password *

You can define multiple users with this method. If it’s not obvious, ‘username’ is the username that will be used for authentication, and ‘password’ is the password. If you’d like to give a user a static IP, you can specify it in the fourth column, ‘IP Addresses’.

That’s it for the server side! Just start l2tpd with ‘/etc/init.d/l2tpd start’, and you’re set to go on to the clients.
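Both /etc/ipsec.secrets (the gateway key’s passphrase) and /etc/ppp/chap-secrets (every L2TP user’s password) are clear-text credential stores, so a quick permission audit is worth running once the server side is set up. The audit below is an added example, not part of the original page or of the Openswan or l2tpd projects: the vpn_* function names are this example’s own, the default file list mirrors the paths used on this page, and the files in the usage are constructed so it can be tried against a scratch directory first.

```shell
#!/bin/sh
# Added example (not from the original page): audit the files that hold VPN
# secrets.  ipsec.secrets carries the passphrase of the gateway's private key
# and chap-secrets / l2tp-secrets carry user passwords, so none of them
# should be readable by anyone but root.  Function names are this example's
# own; the default paths are the ones this page writes to.

# Report on one file.  Returns 0 if group and other have no permission bits,
# 1 if the file is missing or any group/other bit is set.
vpn_check_secret_file() {   # $1 = path
    f=$1
    if [ ! -f "$f" ]; then
        echo "MISSING $f"
        return 1
    fi
    # Characters 5-10 of the ls mode string ("-rw-r--r--") are the group and
    # other bits; for a properly locked-down file they are all dashes.
    go=$(ls -ld "$f" | cut -c5-10)
    if [ "$go" = "------" ]; then
        echo "ok   $f"
        return 0
    fi
    echo "LEAK $f (group/other bits: $go)"
    return 1
}

# Check every path given; the exit status is the number of failing files, so
# 0 means the whole set is clean.
vpn_audit_secrets() {   # $@ = paths to check
    bad=0
    for f in "$@"; do
        vpn_check_secret_file "$f" || bad=$((bad + 1))
    done
    return "$bad"
}

# Remediation for a flagged file: strip group/other bits.  On the real
# gateway also run "chown root:root" on it; omitted here so the function works
# in an unprivileged scratch directory.
vpn_lock_secret_file() {   # $1 = path
    chmod go-rwx "$1"
}

# Audit the files this page's setup creates (the .key glob covers the
# certificates copied into /etc/ipsec.d/private).
vpn_audit_default() {
    vpn_audit_secrets /etc/ipsec.secrets /etc/ppp/chap-secrets \
        /etc/l2tpd/l2tp-secrets /etc/ipsec.d/private/*.key
}
```

Run vpn_audit_default on the gateway after the steps above; a non-zero exit means at least one credential file is readable by a non-root user, and vpn_lock_secret_file on the reported path fixes the mode without touching its contents.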

Client Setup: Windows XP

This section covers configuring your Windows XP client to connect to the server with L2TP over IPsec.

First of all, please ensure that Windows XP SP2, or the NAT-Traversal patches are installed. This will help your ability to connect while behind a NAT gateway and such. Also, be sure to be logged in as a user with administrator privileges.

1) The first step is to import a certificate on your Windows box. For sake of simplicity, I’ll have you import the certificate using Xelerance’s ‘certimport.exe’ tool.

– Download certimport from ftp://ftp.openswan.org/openswan/windows/certimport/, extract it, and install certimport.exe somewhere easy to get at.
– Generate a certificate (as described above) for the box, and save the .p12 format file. Copy this file over to your Windows box in a temporary folder somewhere.
– Import the certificate with:

certimport.exe -p password certificate.p12

2) Set up your L2TP over IPSec connection, as follows.

– Start->Settings->Network Connections
– Create a New Connection
– Connect to the network at my workplace
– Virtual Private Connection
– Company Name: Your VPN Name
– Dial Connection: Yes or no, depending on your needs
– Host Name or IP: Hostname or IP to connect to
– Finish the connection, and go to the properties for it.
– Load the Networking tab
– Change the ‘Type’ to ‘L2TP IPSec VPN’
– Save your settings.
– Enter the username and password.

3) Connect! The VPN should come up nicely – if not, check the Linux side for errors.

Client Setup: Real IPSec Clients

I’m just covering setting up L2TP over IPSec connections on this page, but if you would like to set up Openswan or Windows IPSec clients, please see my other page at http://www.natecarlson.com/linux/ipsec-x509.php. Note that the server configuration above is already set up to accept normal IPSec connections along with the L2TP connections.

Some common errors, and resolutions for them

I’ll add some common errors as I come by them.

References
Openswan Documentation: http://www.openswan.org
Jacco de Leeuw’s Page: http://www.jacco2.dds.nl/networking/freeswan-l2tp.html

{ 7 comments }