Update of /cvsroot/leaf/devel/ccarr/old_doc
In directory usw-pr-cvs1:/tmp/cvs-serv14767/old_doc

Added Files:
        bering_serial_ipsec.txt ipsec_conf.txt net4501_cf.txt 
Log Message:
Initial import of old docs to get them off of my web server.


--- NEW FILE: bering_serial_ipsec.txt ---
This document has been created to describe and document two modifications to
the default Bering beta4 LEAF distribution:

1) Booting on a serial port console from compact flash media (specifically
   pertaining to the Soekris net4501 - www.soekris.com)
2) Installing and configuring ipsec support using preshared secrets, RSA keys
   or x509 certificates for peer authentication

Also, there is a sizeable portion of this document that covers the
configuration of the Windows 2000 IP Security Policy Utility.  Please do not
let this part slow you down if you are not interested in interoperating with
Windows 2000 clients.  It is extremely long, and I only wrote it down because
most of what I found on the internet about it was pure "click here - click
there" stuff and didn't really explain what was going on or the ramifications
of "clicking there."  I spent a lot of time trying to figure out the dark
mysteries of their user interface, so hopefully, no one else will have to wear
out their mouse finger trying to do so.

This document assumes access to a linux workstation that can compile the 2.4
series of the linux kernel (Debian Woody was used for these examples), as well
as familiarity with the linux command line (including understanding how to
compile and patch the kernel).  It also assumes direct access from this
workstation to the compact flash boot media itself, though with a little
thought, it is possible to conduct the interim operations on the linux machine
and then copy files to the boot media via some other means (Windows machine,
tftp, etc.).  Those means are outside the scope of this document, and I don't
know how to do it, so it probably won't help to ask me.

You can email me directly with questions about this document at
[EMAIL PROTECTED], but I also monitor the leaf-users and soekris-tech
mailing lists, and for the sake of people who will one day be searching those
mailing list archives, I recommend posting your questions there.

The best resources for working with Bering are located at
http://leaf.sourceforge.net/devel/jnilo.  Most recent releases are at
http://leaf.sourceforge.net/devel/jnilo/bering/latest.  Also, portions of this
document use resources found at http://leaf.sourceforge.net/devel/cstein.  I
always recommend starting with the latest release of something, and scripting
your changes, so they may be applied easily to later releases.  Perl and/or
bash are your friend!

In order to prepare for the various mounting operations that are necessary for
getting Bering into serial console/compact flash/ipsec harmony, use the
following commands to make mount points for the various operations below.  It
just helps to keep things straight:

        mkdir -p /mnt/image  # where the floppy image is mounted
        mkdir -p /mnt/cf     # mount your compact flash card here
        mkdir -p /mnt/initrd # mount uncompressed initrd image here

Also, a scratch directory comes in handy for decompressing packages, making
modifications, then recompressing them.

        mkdir ~/scratch




Well, let's get right to it:

SECTION 1 - GETTING BERING ONTO A HEADLESS, COMPACT FLASH BOOTING BOX

1) Download the Bering floppy image and mount it using

        mount -t msdos bering-1680-b4.bin /mnt/image -o loop
        
2) Make an msdos filesystem on your compact flash card

        mkdosfs /dev/hde1  # Mine is at hde, yours may be different.  Use
                           # "dmesg" on the linux workstation to find out.
        
3) Mount the new filesystem on the compact flash card

        mount -t msdos /dev/hde1 /mnt/cf
        
4) Copy all files from the mounted floppy image to the mounted compact flash
   filesystem, umount and use syslinux to make it bootable.

        a) cp /mnt/image/* /mnt/cf
        b) umount /mnt/cf
        c) syslinux /dev/hde1
        
5) Delete the unneeded package files and remove their references from
   syslinux.cfg (the card was unmounted in step 4, so mount it again first)

        a) mount -t msdos /dev/hde1 /mnt/cf; cd /mnt/cf
        b) rm keyboard.lrp ppp.lrp pppoe.lrp bridge.lrp pump.lrp syslinux.dpy

                keyboard.lrp       - not needed for english keyboards
                ppp.lrp, pppoe.lrp - not needed for ethernet router
                bridge.lrp         - not needed for ethernet router
                pump.lrp           - not needed for static addressed router
                syslinux.dpy       - cannot be seen on serial boot

        c) edit syslinux.cfg
        d) remove "display syslinux.dpy" (if you removed the file above)
        e) remove modules from "LRP=" line that were removed above
        
6) Compile the kernel with built-in serial support (serial console requires
   non-modular serial support)

        a) get config file from http://leaf.sf.net/devel/jnilo/bering/latest/
           and copy it to /your/linux/kernel/source/tree/.config
        b) cd /your/linux/kernel/source/tree/; make menuconfig; change serial
           support from M to *, exit and save changes
        c) make bzImage modules
        d) cp arch/i386/boot/bzImage /mnt/cf/linux

        Keep in mind that by compiling a new kernel, it is possible that you
        have destroyed the existing modules that come with Bering.  If you
        have a desire to have those modules working, skip forward to step 11
        and follow the instructions there to copy the following default modules
        to your boot media to be backed up to modules.lrp:

                3c59x.o
                8390.o
                eepro100.o
                ip_conntrack_ftp.o
                ip_conntrack_irc.o
                ip_nat_ftp.o
                ip_nat_irc.o
                n_hdlc.o
                ne.o
                ne2k-pci.o
                ppp_async.o
                ppp_deflate.o
                ppp_generic.o
                ppp_synctty.o
                pppoe.o
                pppox.o
                serial.o (you won't need this since it is inside your kernel now)
                slhc.o

7) Copy the ide disk modules to the initrd.lrp package.  This must be done so
   that syslinux can find the rest of the packages during boot.

        a) cd /mnt/cf
        b) gunzip -S .lrp initrd.lrp
        c) mount -t minix initrd /mnt/initrd -o loop
        d) edit /mnt/initrd/boot/etc/modules to load the following modules (see
           /mnt/initrd/boot/etc/README):

                ide-mod
                ide-disk
                ide-probe-mod

        e) copy the ide modules from your kernel compile directory to the
           mounted initrd image

                cp /your/linux/kernel/source/tree/drivers/ide/ide-mod.o \
                   /mnt/initrd/boot/lib/modules
                cp /your/linux/kernel/source/tree/drivers/ide/ide-disk.o \
                   /mnt/initrd/boot/lib/modules
                cp /your/linux/kernel/source/tree/drivers/ide/ide-probe-mod.o \
                   /mnt/initrd/boot/lib/modules

        f) umount /mnt/initrd
        g) gzip -S .lrp -n initrd
        h) modify syslinux.cfg and change device in boot= and PKGPATH= to hda1
           (or whatever your ide boot device will be; hda1 is the first
           partition on the master drive on the primary controller)

8) Make modifications to files in etc.lrp to support login console on serial
   terminal

        a) cd ~/scratch; tar xzvf /mnt/cf/etc.lrp
        b) modify etc/inittab; comment out gettys on tty1 and tty2 (unless you
           also have a monitor; I didn't so leaving them in made annoying
           messages every five minutes or so)
        c) uncomment getty on ttyS1, change this to the device name of your
           serial device that you want to use as a console (mine was ttyS0)
        d) edit etc/securetty to add the serial device above so that root can
           log into it
        e) tar czvf /mnt/cf/etc.lrp etc var

9) Make the modifications to syslinux.cfg to support boot messages on serial
   console and ide boot device

        a) add the following line

                append console=ttyS0,19200
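
Since the author recommends scripting these changes, here is an added example (not part of the original document or of the Bering release) that replays the syslinux.cfg edits from steps 5, 7 and 9 with awk so they can be re-applied to a later floppy image. The syslinux.cfg it edits is a constructed sample, and the ":msdos" suffix on boot= is an assumption about the file's layout.

```shell
#!/bin/sh
# Added example, not part of the original document or of the Bering release:
# replay the syslinux.cfg edits from steps 5, 7 and 9 so they can be re-applied
# to a fresh floppy image without hand-editing.

# Constructed sample in the shape of a Bering beta4 syslinux.cfg (assumed layout,
# not copied from the release); the script is written for a file like this one.
SAMPLE_CFG='display syslinux.dpy
timeout 0
default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0 boot=/dev/fd0u1680:msdos PKGPATH=/dev/fd0u1680 LRP=root,etc,local,modules,iptables,keyboard,shorwall,ppp,pppoe,bridge,pump,dnscache'

# patch_syslinux_cfg FILE DEVICE CONSOLE PKG...
#   FILE    - syslinux.cfg to edit in place
#   DEVICE  - ide boot device without /dev/, e.g. hda1 (step 7)
#   CONSOLE - kernel console argument, e.g. ttyS0,19200 (step 9)
#   PKG...  - package names without .lrp to drop from the LRP= list (step 5)
patch_syslinux_cfg() {
    file=$1; dev=$2; console=$3; shift 3
    awk -v dev="$dev" -v console="$console" -v drop="$*" '
    BEGIN { n = split(drop, d, " "); for (i = 1; i <= n; i++) skip[d[i]] = 1 }
    # step 5: the splash screen cannot be seen on a serial console
    /^display syslinux\.dpy$/ { next }
    /^default / {
        for (i = 1; i <= NF; i++) {
            # step 7: boot= and PKGPATH= point at the ide device; any :fstype suffix is kept
            if ($i ~ /^boot=/)    sub("^boot=/dev/[^: ]*", "boot=/dev/" dev, $i)
            if ($i ~ /^PKGPATH=/) sub("^PKGPATH=/dev/[^: ]*", "PKGPATH=/dev/" dev, $i)
            # step 5: rebuild the LRP= list without the packages that were deleted
            if ($i ~ /^LRP=/) {
                m = split(substr($i, 5), p, ","); out = ""
                for (j = 1; j <= m; j++)
                    if (!(p[j] in skip)) out = out (out == "" ? "" : ",") p[j]
                $i = "LRP=" out
            }
        }
        print
        # step 9: boot messages go to the serial port
        print "append console=" console
        next
    }
    { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# demo: patch a copy of the sample the way Section 1 does and print the result
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CFG" > "$tmp"
    patch_syslinux_cfg "$tmp" hda1 ttyS0,19200 keyboard ppp pppoe bridge pump
    cat "$tmp"
    rm -f "$tmp"
}

demo
```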


SYSTEM SHOULD NOW BOOT, SHOWING MESSAGES ON SERIAL CONSOLE! TEST THIS BEFORE
CONTINUING.

When you first login to Bering as root, you will not be prompted for a
password.  You will then see the lrcfg menu.  Generally, the first steps
involve leaving this menu screen by pressing "q", then issuing commands on the
linux command line.  To return to the lrcfg menu (for instance to back up
packages that you have modified), just use the lrcfg command.  It will be
like you never left!

The following step is optional, but recommended, just in case.  The default
size of the / tmpfs (the root filesystem that Bering uses while it is running)
is a little small.  Especially if you decide to add ssh and its utilities like
I did for development.  It is not strictly necessary for what we are doing here,
but if you do something that fills up the root filesystem, then backup a
package that was not put on the tmpfs correctly because the filesystem was
full, then you will lose that package.  I lost initrd.lrp a couple of times,
then decided that I had the couple of extra megs to spare to make sure it
didn't happen again.  I haven't had any problems on a 64 MB box (yet).

10) Change the root tmpfs size to 8 MB (from 6 MB)

        a) boot Bering from compact flash
        b) edit /linuxrc; change value of SYSTSIZE variable to 8M (default 6M)
        c) backup initrd package to compact flash using lrcfg



Next you must add your network device drivers.  This is basically the same
process as doing it on the floppy distribution, but you _must_ (at least for the
natsemi.o drivers) copy the network drivers from the kernel source you just
compiled yourself!  Otherwise, you will get weird, undesirable errors that will
make you bug the people on both the leaf-user and soekris-tech lists, and I
would be responsible for it ;-)

11) Copy network drivers to the compact flash card and backup modules.lrp
    (example: natsemi.o)

        a) on linux workstation: mount -t msdos /dev/hde1 /mnt/cf
        b) mkdir -p /mnt/cf/lib/modules
        c) cp /your/linux/kernel/source/tree/drivers/net/natsemi.o
           /mnt/cf/lib/modules
        d) boot Bering from compact flash
        e) mount -t msdos /dev/hda1 /mnt
        f) cp /mnt/lib/modules/natsemi.o /lib/modules
        g) edit /etc/modules; uncomment natsemi line
        h) backup modules package to compact flash using lrcfg
        i) rm /mnt/lib/modules/natsemi.o (it is no longer needed)



You must really verify network operation before continuing.  Those who do not
are bound to lose some hair in the next few steps from scratching their heads
trying to figure out why ping won't work.  Also, I recommend removing the
shorwall package (or renaming it temporarily while you mess with ipsec). There
are some extra steps if you do, but what you save in sanity is worth a few
extra keystrokes.  After removing the shorwall package, if you need to test
routing functionality, you will have to turn on ip forwarding yourself with the
following command:

        echo 1 > /proc/sys/net/ipv4/ip_forward

Now you should be able to route freely.  If you need to do more than plain ip
forwarding to test network functionality, go ahead and keep the shorwall
package where it is, but don't say I didn't warn you.


SECTION 2 - ADDING IPSEC SUPPORT

12) Add the ipsec packages to the compact flash card

        a) copy the following dachstein packages to /mnt/cf

                ipsec.lrp
                ipsec509.lrp
                certools.tgz
                ifconfig.lrp
                mawk.lrp

        b) repeat steps 1, 3 and 4 with a dachstein floppy image, substituting
           the /path/to/dachstein/packages for /mnt/cf

        c) steal the netstat binary from the dachstein root.lrp (I haven't
           investigated why I did this, but it stopped a boot error message
           later, so you might as well do it now).  Use a subdirectory of
           ~/scratch so the etc and var trees from step 8 don't end up inside
           root.lrp:

                i)   cd /path/to/dachstein/packages; tar xzvf root.lrp bin/netstat
                ii)  mkdir -p ~/scratch/root; cd ~/scratch/root; tar xzvf /mnt/cf/root.lrp
                iii) cp /path/to/dachstein/packages/bin/netstat bin/
                iv)  tar czvf /mnt/cf/root.lrp *

13) Compile your kernel again to get FreeS/WAN IPSec support with x.509
    certificates (I used version 1.96 of FreeS/WAN and 0.9.9 of the x.509
    patches).  Incidentally, to make your life easier, you might want to make
    sure your kernel source tree resides in /usr/src/linux or that there is a
    symbolic link from there to wherever you have put it, since FreeS/WAN
    _really_ likes it to be there.  If you don't have a desire to use x.509
    certificates, just skip steps "d", "e" and "f"

        a) get freeswan tarball from ftp://ftp.xs4all.nl/pub/crypto/freeswan
        b) get x.509 freeswan patch from http://www.strongsec.com/freeswan
        c) tar xzvf freeswan-1.96.tar.gz
        d) tar xzvf x509patch-0.9.9-freeswan-1.96.tar.gz
        e) cp x509patch-0.9.9-freeswan-1.96/freeswan.diff freeswan-1.96/
        f) cd freeswan-1.96; patch -p1 < freeswan.diff
        g) compile against kernel above using make oldgo
        h) cd /path/to/linux/source/tree/; cp arch/i386/boot/bzImage /mnt/cf/linux
        i) cp net/ipsec/ipsec.o /mnt/cf/lib/modules

        You should, at this point, replicate the copies you made in steps 6 and
        11, to make sure that your modules are in sync with your kernel.  You
        do want to keep your hair, now don't you?

        j) boot Bering from compact flash
        k) mount -t msdos /dev/hda1 /mnt
        l) cp /mnt/lib/modules/* /lib/modules
        m) backup modules package to compact flash using lrcfg
        n) rm /mnt/lib/modules/*

14) Configure FreeS/WAN to negotiate encrypted connections with Win2000 clients
    using preshared keys

        a) modify /etc/ipsec.secrets to add the following line
                
                %any <router ip address>: PSK "<your preshared key>"

        b) modify /etc/ipsec.conf to contain something resembling the following

                config setup
                        interfaces="ipsec0=eth0"
                        klipsdebug=none
                        plutodebug=none
                        plutoload=%search
                        plutostart=%search
                        uniqueids=yes

                conn %default
                        keyingtries=0
                        authby=secret
                        left=<router ip address>
                        leftsubnet=<internal subnet>
                        pfs=yes
                        auto=add

                conn w2k-road-warriors
                        right=%any

SECTION 3 - WINDOWS 2000 IPSEC CONFIGURATION

Configuring Windows to do this same thing is much harder.  I would say that
until you have done it properly once, it borders on black magic.  Even if you
have done it properly once, if the configuration is even slightly different and
you didn't take the time to really understand it the first time, you are in for
another rough ride.  The way your mouse finger feels after clicking your way
through the dialogs for this configuration is just another symbol of how most
complicated things are easier and more user friendly in Linux.

It helps to have a custom "management console" when you're dealing with ipsec.
You can put this on the desktop or someplace else convenient, and save your
mouse finger from exhaustion clicking through menus to find things.  Use the
following steps:

        Start - Run - mmc
        Console - Add/Remove Snap-in
        Add - Certificates
        Add - Computer Account - Local Computer - Finish
        Add - IP Security Policy Management
        Add - Local Computer - Finish - Close - OK
        Console - Save - <wherever you want to put it>

You can just double click on the icon this creates to open the custom console
from now on.
        
In order to configure Windows 2000, there are several basic entities that you
must understand.  It is easy to get lost in all the clicky-clicky:

        IP Security Rules                - the highest level of granularity.
                                           IP Security Rules are composed of:
                an IP Filter List        - which packets match the rule?  An
                                           IP Filter list is composed of:
                        Filters          - traditional ip address, subnet mask,
                                           protocol or port filtering, like
                                           ipchains
                a Filter Action          - what do we want to do with those
                                           packets? Encrypt? Sign?  A Filter
                                           Action is composed of:
                        Security Methods - Different negotiable combinations of
                                           signing and encrypting.  FreeS/WAN
                                           works in ESP mode with 3DES
                                           encryption and MD5 signing.  This is
                                           a custom setting in Windows.
                Authentication Methods   - how do we authenticate the players?
                                           Windows can do Kerberos, x.509
                                           certificates from a CA (that can be
                                           you!) or preshared keys
                a Tunnel Setting         - is this a tunnel?  what is the
                                           endpoint IP Address?
                a Connection Type        - does this IP Security Rule apply to
                                           all network connections, or just lan
                                           or dialup connections?

Also, for Windows 2000, you must have Service Pack 2.  It will not do the
required 3DES encryption without it.  You can get it from:

        http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/sp2lang.asp

I think you can make FreeS/WAN do DES, maybe by setting some compile-time
options, but it didn't seem worth figuring that out since DES is insecure by
itself.

Pretty hairy.  For what I wanted to do (tunnel mode ESP with MD5 signing and
preshared key authentication) I had to set up two rules, one for inbound
traffic specifying the Windows client IP address as the endpoint of the tunnel,
and one for outbound traffic specifying the router as the endpoint of the
tunnel.  I did not want to have to know the IP address of the client, since I
want to use DHCP to deliver these addresses, but I haven't worked a way around
it yet.  Maybe if some Windows people are reading this they can drop a line...


15) Configure the Windows 2000 client

        a) run the custom mmc console you just made
        b) click on ipsec security policies in left pane
        c) action - create IP security policy
        d) next, choose name (Win2k to FreeS/WAN), uncheck default response
           rule, check edit properties, finish
        e) add IP security rule to grab outbound traffic and tunnel it to
           FreeS/WAN using 3DES and MD5
        f) next, enter tunnel endpoint (<router IP Address>), lan connection,
           preshared key(<your preshared key>)
        g) add both ip filter lists for inbound and outbound traffic, then you
           can just click on inbound traffic when you're defining that security
           rule
        h) add ip filter list, name: "outbound traffic", add filter
        i) next, src: my ip address, dest: any ip address, any proto, finish
                note: My setup is made to tunnel ALL ip traffic through my
                router.  If you are just tunneling traffic to one subnet, you
                should specify that here with the network address and subnet
                mask
        j) add another filter list, name "inbound traffic", add filter
        k) next, src: any ip address, dest: my ip address, any proto, finish, close
                note: see note above
        l) select the "outbound traffic" filter list, next
        m) add filter action to encrypt and authenticate with freeswan (3DES and MD5)
        n) next, name "freeswan compatible", negotiate, do not communicate
           non-ipsec, custom (ESP, MD5, 3DES), edit properties, finish
        o) uncheck allow unsecured but always respond..., check perfect forward
           security, OK
        p) select the "freeswan compatible" filter action
        q) uncheck edit properties, finish

        The next one is easier, because you have already defined the filter
        lists and filter action during the previous wizards, so you can just
        select them to apply them to the inbound traffic IP Security Rule.
        I'll go through this quickly, but just hit next or okay if I've skipped
        a step.

        r) add another IP security rule
        s) next, tunnel endpoint (<client IP Address>) lan connection,
           preshared key (<your preshared key>), inbound traffic, freeswan
           compatible, finish
        t) general tab, advanced, check master key perfect forward security,
           close, close

        You should be done.  Right click the "Win2k to FreeS/WAN" IP Security
        Policy and click assign in the context menu.  Bring up a DOS window.
        Ping your router.  If everything is correct, you will get "Negotiating
        IP Security." as the response to the first four pings, then should be
        pinging clear after that.  

        If not, double click on the "Win2k to FreeS/WAN" IP Security Policy to
        reenter configuration dialogs.  You will see the two IP Security Rules
        you just created.  Double click on one of them to check the
        configuration.

        You will see five tabs at the top of the dialog corresponding to the
        items described at the beginning of this section.  First check the
        "outbound traffic" filter list, then the "inbound traffic" filter list.
        Double click on them to enter the configuration dialog, then double
        click the Filter.  Do they have the right source and destination
        addresses?  Remember, this will match packets similar to the way
        ipchains rules do, so if the rule doesn't match properly, then you
        will not "forward" the packet to the Filter Action, and it will not get
        encrypted properly.

        If the Filter Lists are both okay, move on to the Filter Action. We
        have the same Filter Action for both IP Security Rules, so we just have
        to make sure that it says to negotiate security with ESP, 3DES and MD5.
        We should also ensure again that "Accept unsecured communication..."
        and "Allow unsecured communication..." are unchecked, 'cause those are
        not going to accomplish what we are trying to get, and that "Session
        key Perfect Forward Secrecy" is checked.

        Check the Authentication Method to make sure that the shared key is
        exactly the same as the one in the router's /etc/ipsec.secrets file
        and that there is not a carriage return at the end.
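
The checks just described (the key in /etc/ipsec.secrets from step 14 must match what was typed into the Windows dialog exactly, with no stray carriage return or whitespace) can be scripted on the router side; this is an added example, not from the original document or from FreeS/WAN, and the secrets files it reads are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original document: lint the PSK lines of an
# ipsec.secrets file for the mistakes the troubleshooting text warns about
# (a stray carriage return, stray whitespace, a placeholder-length key).

# lint_ipsec_secrets FILE MINLEN
#   Prints one finding per problem; exit status 0 only when every PSK line is
#   clean.  Lines that are not PSK lines (comments, the RSA key block that
#   fswcert appends) are ignored.
lint_ipsec_secrets() {
    awk -v minlen="$2" '
    BEGIN { bad = 0 }
    {
        line = $0
        # a CR left by a Windows editor would become part of the key Pluto uses
        if (sub(/\r$/, "", line)) { print NR ": carriage return at end of line"; bad = 1 }
        if (line ~ /^[ \t]*(#|$)/) next
        if (line !~ /:[ \t]*PSK[ \t]+"/) next
        key = line
        sub(/^.*PSK[ \t]+"/, "", key)
        if (key !~ /"[ \t]*$/) { print NR ": PSK value has no closing quote"; bad = 1; next }
        sub(/"[ \t]*$/, "", key)
        if (key ~ /^[ \t]/ || key ~ /[ \t]$/) { print NR ": PSK has leading or trailing whitespace"; bad = 1 }
        if (length(key) < minlen) { print NR ": PSK is only " length(key) " characters"; bad = 1 }
    }
    END { exit bad }' "$1"
}

# demo: constructed sample secrets (not from any real router).  The first file
# is fine; the second was saved with a Windows line ending and uses the
# placeholder key "unsecure" from the older instructions, so it fails twice.
demo() {
    tmp=$(mktemp)
    printf '# road warriors\n%%any 192.168.3.1: PSK "a-long-random-preshared-key-2002"\n' > "$tmp"
    lint_ipsec_secrets "$tmp" 20 && echo "first file: clean"
    printf '%%any 192.168.3.1: PSK "unsecure"\r\n' > "$tmp"
    lint_ipsec_secrets "$tmp" 20 || echo "second file: problems found"
    rm -f "$tmp"
}

demo
```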

        Check the tunnel setting and make sure that the tunnel endpoint is the
        router ip address for the "outbound traffic" Filter List and the ip
        address of the Windows 2000 Client for the "inbound traffic" list.

        The Connection Type should be LAN only.  We don't want to inadvertently
        try to encrypt our dialup sessions, do we?

        If any of these things was wrong, you will have to restart the IPSEC
        Policy Agent service by clicking Start - Control Panel - Services,
        right clicking on the service and clicking Restart.




SECTION 4 - TURNING BERING INTO A CERTIFICATE AUTHORITY (BROKEN)

Using x.509 certificates - this doesn't quite work yet.  I will get this
document up to date when it works.

The outcome of this whole process:
        root certificate authority certificate in /etc/ipsec.d/cacerts/RootCA.der
        root CA certificate revocation list in /etc/ipsec.d/crls/crl.pem
        binary gateway certificate in /etc/x509cert.der           ?
        ascii private key for gateway in /etc/ipsec.secrets       ?
        ascii gateway certificate in /etc/ipsec.d                 ?
        ascii private key for gateway in /etc/ipsec.d/private     ?

But we must start at the beginning, which is getting openssl onto your system.
I did this by doing "apt-get install openssl" on Debian Woody and then waiting
for it to install properly, but if you use Red Hat or one of the other
distributions out there, use your way instead.  I recommend going with the
package way whenever possible.  You will have to adjust the paths below to
correspond to where your distribution puts things.

If you have to install from source, so be it, but there are other better
documents for you to learn that from.  Try
http://www.bayour.com/LDAPv3-HOWTO.html#3.1.OpenSSL|outline.  If that doesn't
work, search for "openssl howto" on www.yahoo.com and see where life takes you.

We want our keys to be longer than the default 1024 bits, and we want the
certificates to last longer than the default 365 days, so we go into the
/etc/ssl/openssl.cnf file and change default_bits to 2048 and default_days to
3650.  Do all of the rest of the operations in your ~/scratch directory.


1) Create a new Trusted Root CA on your compact flash

        a) generate root certificate

                i)  /usr/lib/ssl/misc/CA.sh -newca (choose a good passphrase)
                ii) openssl x509 -in demoCA/cacert.pem -outform der -out \
                        /mnt/cf/etc/ipsec.d/cacerts/RootCA.der

        b) generate a certificate revocation list

                openssl ca -gencrl -out /mnt/cf/etc/ipsec.d/crls/crl.pem

2) Create and sign a new certificate for your router on your compact flash

        a) generate certificate request
        
                /usr/lib/ssl/misc/CA.sh -newreq
                
        b) sign it with the root certificate
        
                /usr/lib/ssl/misc/CA.sh -sign
                (when prompted, enter the password of the root certificate)
                
        c) extract the private part of the signed certificate

                fswcert -k newreq.pem >> /mnt/cf/etc/ipsec.secrets

        d) install the binary form of the certificate

                openssl x509 -in newcert.pem -outform der -out /mnt/cf/etc/x509cert.der

        e) move newcert.pem and newreq.pem out of the way

                i)  mkdir gateway
                ii) mv newcert.pem newreq.pem gateway/

3) Configure FreeS/WAN to respond to client properly

        a) /etc/ipsec.secrets

                remove old PSK line ???

        b) /etc/ipsec.conf

                config setup
                        interfaces="ipsec0=eth0"
                        klipsdebug=none
                        plutodebug=none
                        plutoload=%search
                        plutostart=%search
                        uniqueids=yes

                conn %default
                        keyingtries=0
                        authby=rsasig
                        leftrsasigkey=%cert
                        rightrsasigkey=%cert
                        left=192.168.3.1
                        leftsubnet=0.0.0.0/0
                        leftid="/C=US/ST=California/L=Orange/O=Chad's IPSec Firewall/CN=Chad [EMAIL PROTECTED]"
                        pfs=yes
                        auto=add

                conn w2k-road-warriors
                        right=%any

        c) restart ipsec

                /etc/init.d/ipsec restart

4) Create and sign a new certificate for the Windows 2000 client

        a) generate certificate request

                /usr/lib/ssl/misc/CA.sh -newreq

        b) sign it with the root certificate

                /usr/lib/ssl/misc/CA.sh -sign
                (when prompted, enter the password of the root certificate)

        c) create pkcs#12 certificate for export to Windows 2000 client
           (including RootCA certificate)

                openssl pkcs12 -export -in newcert.pem -inkey newreq.pem \
                        -certfile demoCA/cacert.pem -out w2kclient.p12

        d) use MMC to import this certificate in the Windows 2000 client
        e) apply certificate to IPSec Security Policy on both IP Security Rules
           (in place of preshared key)
        f) restart IPSec Policy Agent service.

5) Pingy, pingy.

--- NEW FILE: ipsec_conf.txt ---
IPSec Configuration instructions for Win2K to Bering/Dachstein FreeS/WAN


1) download and install win2k service pack 2 (you MUST have this to get Triple
DES encryption; FreeS/WAN will apparently not negotiate Single DES).
http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/sp2lang.asp

2) configure win2k client as follows:
        a) load ipsec admin applet - add new Security Policy - control panel -
           administrative tools - local security policy
        b) click on ipsec security policies in left pane
        c) action - create IP security policy
        d) next, choose name (Win2k to FreeS/WAN), uncheck default response
           rule, check edit properties, finish
        e) add IP security rule
        f) next, tunnel endpoint (192.168.3.1), lan connection, preshared
           key (unsecure)
        g) add both ip filter lists for inbound and outbound traffic
        h) add ip filter list, name: "outbound traffic", add filter
        i) next, src: my ip address, dest: any ip address, any proto, finish
        j) add another filter list, name "inbound traffic", add filter
        k) next, src: any ip address, dest: my ip address, any proto, finish
        l) select the outbound traffic filter list
        m) add filter action to encrypt and authenticate with freeswan
        n) next, name "freeswan compatible", negotiate, do not communicate
           non-ipsec, custom (MD5, 3DES), edit properties
        o) uncheck allow unsecured but always respond..., check perfect forward
           security
        p) select the freeswan compatible filter action
        q) uncheck edit properties, finish
        r) add another IP security rule
        s) next, tunnel endpoint (192.168.3.10), lan connection, preshared key
           (unsecure), inbound traffic, freeswan compatible, finish
        t) general tab, advanced, check master key perfect forward security
        u) you are ipsec-ing on win2k
3) configure FreeS/WAN to respond to client properly
        a) ipsec.secrets
                %any 192.168.3.1: PSK "unsecure"
        b) ipsec.conf
                config setup
                        interfaces="ipsec0=eth0"
                conn win2k
                        left=192.168.3.1
                        leftsubnet=0.0.0.0/0
                        right=%any
                        authby=secret
                        pfs=yes
                        auto=add
4) ping from 192.168.3.10 to 192.168.3.1, second ping should succeed


Using x.509 certificates

1) create new Trusted RootCA on wlanfw
        a) generate root certificate
--- NEW FILE: net4501_cf.txt ---
Installing Bering LEAF on compact flash for the Soekris net4501 router platform

1) download floppy image and mount using
        mount -t msdos bering-1680-b4.bin /mnt/image -o loop
2) make msdos filesystem on compact flash
        mkdosfs /dev/hde1
3) mount compact flash
        mount -t msdos /dev/hde1 /mnt/cf
4) copy all files from floppy image to mounted compact flash
5) delete unneeded files and remove references from syslinux.cfg ("LRP=" line)
        keyboard.lrp - not needed for english keyboards
        ppp.lrp, pppoe.lrp - not needed for ethernet router
        bridge.lrp - not needed for ethernet router
        pump.lrp - not needed for static addressed router
        syslinux.dpy - not needed for serial boot
6) copy ide disk modules to initrd.lrp
        a) gunzip -S .lrp initrd.lrp
        b) mount -t minix initrd /mnt/initrd -o loop
        c) edit boot/etc/modules to load the following modules:
                ide-mod
                ide-disk
                ide-probe-mod
        d) download the modules from leaf.sf.net/devel/jnilo/bering/latest/
        e) copy to boot/lib/modules
        f) umount /mnt/initrd
        g) gzip -S .lrp -n initrd
7) compile kernel with serial support (serial console requires non-modular)
        a) get config file from leaf.sf.net/devel/jnilo/bering/latest/
        b) make menuconfig; change serial support from M to *
        c) make bzImage modules
        d) cp arch/i386/boot/bzImage /mnt/cf/linux
8) make modifications to etc.lrp to support console on serial terminal
        a) cd /scratch; tar xzvf /mnt/cf/etc.lrp
        b) modify etc/inittab; comment out gettys on tty1 and tty2
        c) uncomment getty on ttyS0
        d) copy terminfo dir from dachstein (for vim)
        e) edit etc/securetty to add ttyS0
        f) tar czvf /mnt/cf/etc.lrp etc var
9) make modifications to syslinux.cfg to support serial console
        a) change device in boot= and PKGPATH= to hda1
        b) add the following line
                append console=ttyS0,19200
        c) remove "display syslinux.dpy" if you removed the file above
        d) remove modules from lrp line that were removed above

SYSTEM SHOULD NOW BOOT, SHOWING MESSAGES ON SERIAL CONSOLE!
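Steps 5 and 9 above come down to a few textual edits of syslinux.cfg. The following Python helper is an added example, not part of the original document, that makes those edits repeatable and checkable before the card is booted; the sample syslinux.cfg and its package list are constructed, so compare against the real file from the floppy image.

```python
import re

# Constructed sample of a Bering floppy syslinux.cfg; the real file's package
# list may differ, but the boot=, PKGPATH= and LRP= fields have this shape.
SAMPLE_CFG = """\
display syslinux.dpy
timeout 0
default linux initrd=initrd.lrp init=/linuxrc rw root=/dev/ram0 boot=/dev/fd0u1680:msdos PKGPATH=/dev/fd0u1680 LRP=root,etc,local,modules,keyboard,ppp,pppoe,bridge,pump,iptables
"""
# packages deleted in step 5 (keyboard.lrp, ppp.lrp, pppoe.lrp, bridge.lrp, pump.lrp)
UNNEEDED = ["keyboard", "ppp", "pppoe", "bridge", "pump"]

def lrp_packages(text):
    """Return the package list from the LRP= field, or [] if there is none."""
    m = re.search(r"LRP=(\S+)", text)
    return m.group(1).split(",") if m else []

def rewrite_syslinux_cfg(text, drop_pkgs, device="hda1", console="ttyS0,19200"):
    """Apply steps 5 and 9: strip deleted packages from LRP=, point boot= and
    PKGPATH= at the CF partition, drop the syslinux.dpy display line and add
    the serial console append line.  Safe to run twice on the same file."""
    def strip_pkgs(m):
        keep = [p for p in m.group(1).split(",") if p not in drop_pkgs]
        return "LRP=" + ",".join(keep)
    out = []
    for line in text.splitlines():
        if line.strip().lower().startswith("display "):
            continue                                  # step 9c: syslinux.dpy removed
        if "LRP=" in line:
            line = re.sub(r"(boot=/dev/)[^:\s]+", r"\g<1>" + device, line)   # step 9a
            line = re.sub(r"(PKGPATH=/dev/)\S+", r"\g<1>" + device, line)
            line = re.sub(r"LRP=(\S+)", strip_pkgs, line)                      # step 9d
        out.append(line)
    if not any(l.startswith("append") and "console=" in l for l in out):
        out.append("append console=" + console)                                # step 9b
    return "\n".join(out) + "\n"
```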

10) change root ramdisk to 8 megs (from 6 megs) before continuing
        a) boot bering
        b) edit /linuxrc; change value of SYSTSIZE variable to 8M (default 6M)
        c) backup initrd package to compact flash
11) add bash, lncurses, lrdline2, vim packages from dachstein; add relevant
    items to syslinux.cfg file
12) add network driver (natsemi.o)
        a) copy natsemi.o module from leaf.sf.net/devel/jnilo/bering/latest to
           /mnt/cf/lib/modules
        b) boot onto compact flash
        c) mount -t msdos /dev/hda1 /mnt
        d) cp /mnt/lib/modules/natsemi.o /lib/modules
        e) edit /etc/modules; uncomment natsemi line
        f) backup modules package to compact flash
        g) rm /mnt/lib/modules/natsemi.o
13) set editor to vim
        a) modify /bin/edit as follows:
                #!/bin/sh
                . /etc/profile
                EDITOR=${EDITOR:=/bin/e3}
                eval $EDITOR "$@"
        b) add line to /etc/profile
                export EDITOR=vi
        c) backup root and etc packages to compact flash
14) add ipsec support
        a) copy the following dachstein packages to /mnt/cf
                ipsec.lrp
                ipsec509.lrp
                certools.tgx (change name to .lrp)
                ifconfig.lrp
                mawk.lrp
        b) steal netstat binary from dachstein root.lrp
                i) cd /dachstein; tar xzvf root.lrp bin/netstat
                ii) cd /scratch; tar xzvf /mnt/cf/root.lrp
                iii) cp /dachstein/bin/netstat /scratch/bin/
                iv) tar czvf /mnt/cf/root.lrp *
        c) get freeswan tarball from ftp://ftp.xs4all.nl/pub/crypto/freeswan
        d) get x.509 freeswan patch from http://www.strongsec.com/freeswan
        e) tar xzvf freeswan-<version>.tar.gz
        f) tar xzvf x509patch-<version>-freeswan-<version>.tar.gz
        g) cp x509patch-<version>-freeswan-<version>/freeswan.diff freeswan-<version>/
        h) cd freeswan-<version>; patch -p1 < freeswan.diff
        i) compile against kernel above using make oldgo
#       j) strip pluto/pluto; strip pluto/whack
#       k) tar xzvf /mnt/cf/ipsec509.lrp -C /scratch
#       l) cp pluto/pluto pluto/whack utils/auto /scratch/usr/local/lib/ipsec
#       m) cd /scratch; tar czvf /mnt/cf/ipsec509.lrp *
        n) cd /usr/src/linux/; cp arch/i386/boot/bzImage /mnt/cf/linux
        o) cp net/ipsec/ipsec.o /mnt/cf/lib/modules
        p) boot onto compact flash
        q) mount -t msdos /dev/hda1 /mnt
        r) cp /mnt/lib/modules/ipsec.o /lib/modules
        s) backup modules package to compact flash
        t) rm /mnt/lib/modules/ipsec.o
        now I know my ABCs...
15)