On 09/02/2011 09:03 AM, Michael Rash wrote:
> On Sep 01, 2011, Ele Asurareo wrote:
>> Hello fwknop list,
>
> Hello Ele,

Thanks for the reply Michael,

>> I'm a new user of fwknop with GPG authentication on Debian. I first
>> heard about it during Michael's presentation at The Last HOPE and kept
>> the idea in the reptile brain for the right time.
>>
>> I've put together a Xen virtual hosting environment based on the
>> packages in Debian Stable (Squeeze). It works great! Except for one
>> mysterious problem.
>>
>> I'm connecting to the host OS, which is supported by an ethernet bridge
>> (xenbr1) between the physical interface (eth1) and the domU virtual
>> interfaces (vif1.n). xenbr1 is assigned an IP address. fwknopd listens
>> on xenbr1 in pcap mode.
>>
>> I configured fwknopd successfully and sent a successful SPA packet to
>> the IP of xenbr1. The firewall rule was added to allow access and I
>> could SSH properly as expected. I went home and tried to connect from
>> there, which was successful. Two days have passed and I've verified the
>> server hasn't been rebooted nor has anyone else used SPA to connect to
>> the SSH port. Strangely, I can no longer get the SPA packet to open the
>> SSH port. I've confirmed this with nmap. Despite authenticating as
>> before, I cannot connect.
>>
>> I have a few hypotheses I will test tomorrow when I'm in front of a
>> local console but I would appreciate any special advice to operate
>> fwknopd reliably on a Linux ethernet bridge.
>
> Are you running the perl version or the more updated C version? In
> virtual environments I've sometimes seen odd behavior with sniffers not
> seeing the expected traffic, but I don't really have specifics. I think
> it would be a good idea to see if fwknopd is seeing the traffic at all.
> You could run "tcpdump -i <intf> -l -nn udp port 62201 -w 62201.pcap" and
> see if tcpdump is able to log the SPA packets too as an additional check
> to ensure that sniffers can see the traffic.

I'm running the Perl version 1.9.12 packaged by the Debian maintainer for
the stable distribution.

I'd like to hold off on a packet dump since I get such wildly different
results on my home network versus a LAN on the same CIDR block as the
server in question. I swapped out some old network hardware that was known
to be "sort of broken" sitting on the subnet in question. I can connect to
the server from my home network as expected. I'll wait it out over the
weekend and check again in a couple days.

Regards.
Ele

> Another thing to check is whether the system clocks between the fwknopd
> server system and your client system are relatively in-sync. By default,
> fwknopd requires the time stamp on any incoming SPA packet to not be
> older than 120 seconds - this is required in order to prevent a certain
> type of MITM attack (as discovered by Sebastien). If you really want
> to disable this (such as if you aren't using NTP and time sync is
> otherwise difficult), then you can set ENABLE_SPA_PACKET_AGING to "N",
> but I wouldn't recommend it.
>
> fwknopd does supply some log information via syslog that may be helpful
> too - usually in /var/log/messages.
>
> Thanks,
>
> --Mike
>
>> Thanks for your help,
>> Ele

_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
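The 120-second aging window Mike describes, modelled as an added example (this is not fwknopd's own code): a validator that applies the age check together with a digest cache for replayed packets, and constructed scenarios showing why a client/server clock skew larger than the window rejects every otherwise valid SPA packet. The treatment of future-dated packets and the cache-pruning rule are assumptions of this model, not something the thread states.

```python
import hashlib

MAX_AGE_SECONDS = 120  # fwknopd default when ENABLE_SPA_PACKET_AGING is "Y"


class SpaValidator:
    """Models fwknopd's aging window plus a replay (digest) cache; not fwknopd's code."""

    def __init__(self, enable_aging=True, max_age=MAX_AGE_SECONDS):
        self.enable_aging = enable_aging
        self.max_age = max_age
        self.seen = {}  # sha256 digest of raw packet -> server time when first seen

    def check(self, raw_packet: bytes, packet_ts: int, now: int) -> str:
        """Return 'accept' or a short reason for rejecting the packet."""
        digest = hashlib.sha256(raw_packet).hexdigest()
        if digest in self.seen:
            return "replay"  # identical ciphertext was already honoured once
        if self.enable_aging:
            skew = now - packet_ts  # positive: packet is older than the server clock
            # Assumption: future-dated packets are refused too; the thread only
            # mentions packets older than the window.
            if abs(skew) > self.max_age:
                return f"stale: skew {skew:+d}s exceeds {self.max_age}s"
            # A packet outside the window can never be accepted again, so its
            # digest is safe to forget. With aging off the cache must grow forever.
            self.seen = {d: t for d, t in self.seen.items() if now - t <= self.max_age}
        self.seen[digest] = now
        return "accept"


def scenarios():
    """Constructed packets (not real SPA data) covering the cases raised on the list."""
    v = SpaValidator()
    pkt = b"constructed-spa-ciphertext-1"
    server_now = 1_000_000  # constructed server clock, seconds
    return {
        "in_sync": v.check(pkt, server_now - 5, server_now),
        "replay": v.check(pkt, server_now - 5, server_now + 1),
        "client_clock_behind": v.check(b"pkt-2", server_now - 300, server_now),
        "client_clock_ahead": v.check(b"pkt-3", server_now + 300, server_now),
        "aging_disabled": SpaValidator(enable_aging=False).check(
            b"pkt-4", server_now - 3600, server_now),
    }
```

The two skew scenarios are the failure mode to rule out when a server that accepted SPA packets on day one silently stops doing so: an unsynchronised clock on either side drifts the packets out of the window with no change to keys or configuration.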
