[Leaf-user] upgrading lrp box
I tried to upgrade my lrp box from the little 486DLC to my HP Pavilion, which has a PII 400 MHz CPU. So I took the NICs, which are 3Com 3c509b ISA bus, and the Eigerstein2beta pppoe v.0.4 disk from the 486 and put them into the HP.

After the system boots up I checked to see if it found the cards, and it did. Eth0 = 00:20:AF:40:77:E2 and Eth1 = 00:60:8C:E9:F3:5E, which is what is printed on the NICs, and the cables are plugged in correctly (eth0 is the DSL modem and the 5-port switch is on Eth1). What I did notice is that the lrp is not getting an IP address from Covad. "Extern IP" is blank; it does not show an IP address.

When I put everything back into the 486, guess what, it connects up just fine. The 486 machine gets an IP address from Covad. When I had the 3Com NICs in the HP I ran the 3c5x9cfg config program to see if the cards were configured correctly.

Any suggestions?

Robert Chambers

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] upgrading lrp box
The two NICs that I used were from the 486. Eth0 in the HP is the same Eth0 (with the same MAC address) that was in the 486.

guitarlynn wrote:
> On Tuesday 18 December 2001 02:27, you wrote:
> > Any suggestions?
>
> Some ISPs map the MAC on the connected NIC. Cycle the modem, have the ISP update the MAC info, or use the external NIC out of the 486 machine.
>
> Guitarlynn
Re: [Leaf-user] upgrading lrp box
Sorry, I forgot to mention that I did cycle the modem.

guitarlynn wrote:
> On Tuesday 18 December 2001 02:27, you wrote:
> > Any suggestions?
>
> Some ISPs map the MAC on the connected NIC. Cycle the modem, have the ISP update the MAC info, or use the external NIC out of the 486 machine.
>
> Guitarlynn
Re: [Leaf-user] VPN Architecture Options
> Having read some about FreeS/WAN, I am still confused on what it takes to connect from a roaming laptop with a varying IP. Most of the instructions tend to be focused on gateway-to-gateway connections, not laptop-to-gateway, and almost all doc uses non-routable IPs in the examples. Any pointers to configuring a single-address client to FreeS/WAN on LRP would be helpful.

This is really simple, especially if you're using RSA keying.

On the VPN gateway, simply create a connection with the ID and RSA sig. of your roadwarrior (roaming laptop) system. Set the IP address to %any.

On the roadwarrior, set interfaces=%defaultroute and [left|right]=%defaultroute (as appropriate).

Make sure you enter consistent IDs for [left|right]id... I like to use 'non-resolving' domain names (put an @ in front of the name so FreeS/WAN doesn't do a DNS lookup and turn the ID into an IP address) such as @cruzin.core.newtek.com

I actually set up subnet-subnet tunnels this way, but you do it exactly the same way for a host-host or host-subnet connection. Just include or exclude the [left|right]subnet parameter(s), as required.

The main thing to verify is that your ids, rsasigkeys, and connection details (ie [left|right]subnet) match on both ends. If not, you won't connect, and your logs will list something like "no valid connection description for ..."

To make my semi-mesh network a bit easier to maintain, I have also somewhat standardized my ipsec.conf files. The local system is always 'left', with the remote end being 'right'. I create a conn %default section with all the left parameters, and have an /etc/ipsec directory with individual files for each of my VPN gateways. To create a link from the local system to the remote gateway, I simply add an include ipsec/filename to the ipsec.conf file, and the link gets created. This allows me to rsync my /etc/ipsec directory between all my remote systems as gateways are added or connection details change.

There are many other (and probably better) ways to manage your VPN links... this is just what works OK for me.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
RE: [Leaf-user] VPN Architecture Options
> This is really simple, especially if you're using RSA keying.
>
> On the VPN gateway, simply create a connection with the ID and RSA sig. of your roadwarrior (roaming laptop) system. Set the IP address to %any.
>
> On the roadwarrior, set interfaces=%defaultroute and [left|right]=%defaultroute (as appropriate).
>
> Make sure you enter consistent IDs for [left|right]id... I like to use 'non-resolving' domain names (put an @ in front of the name so FreeS/WAN doesn't do a DNS lookup and turn the ID into an IP address) such as @cruzin.core.newtek.com
>
> I actually set up subnet-subnet tunnels this way, but you do it exactly the same way for a host-host or host-subnet connection. Just include or exclude the [left|right]subnet parameter(s), as required.

Did I understand right that you use the IDs with %any IPs for your gateway-to-gateway connections? I currently have 2 users with home LANs that are on dynamic IPs. Since the IPs change rarely I treat them as static, but when they change I need to update the ipsec.conf file. Currently one of my configs looks like this (left is remote dynamic treated as static, right is local static):

    # VPN Between TSPHouse and BWI Office
    conn TSPhouse-BWI
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        authby=rsasig
        # Left security gateway, subnet behind it, next hop toward right.
        left=24.180.130.196
        leftsubnet=192.168.1.0/24
        leftnexthop=24.180.130.1
        leftid=@TSPHouse
        leftrsasigkey=0sAQN3BOhhNkqJZB...
        leftfirewall=yes
        # Right security gateway, subnet behind it, next hop toward left.
        right=65.120.71.240
        rightsubnet=172.30.85.0/24
        rightnexthop=65.120.71.253
        rightid=@BWI
        rightrsasigkey=0x01037792d45de...
        rightfirewall=yes
        auto=start

Are you saying I could do something like this (left is remote dynamic, right is local static):

    # VPN Between TSPHouse and BWI Office
    conn TSPhouse-BWI
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        authby=rsasig
        # Left security gateway, subnet behind it, next hop toward right.
        left=%any
        leftsubnet=192.168.1.0/24
        #leftnexthop=24.180.130.1
        leftid=@TSPHouse
        leftrsasigkey=0sAQN3BOhhNkqJZB...
        leftfirewall=yes
        # Right security gateway, subnet behind it, next hop toward left.
        right=65.120.71.240
        rightsubnet=172.30.85.0/24
        rightnexthop=65.120.71.253
        rightid=@BWI
        rightrsasigkey=0x01037792d45de...
        rightfirewall=yes
        auto=start

That would be a great solution to my dynamic gateways.

Also, do you have any experience with Windoze VPN clients? I did some testing with several and SSH Sentinel seemed to be the easiest, but an Open Source and/or free solution would be better.

Thanks,
Todd
Re: [Leaf-user] VPN Architecture Options
> Did I understand right that you use the IDs with %any IPs for your gateway-to-gateway connections? I currently have 2 users with home LANs that are on dynamic IPs. Since the IPs change rarely I treat them as static, but when they change I need to update the ipsec.conf file.

Yes... this is possible, and how I have configured the couple of systems in our VPN mesh that have dynamic connections.

> Currently one of my configs looks like this (left is remote dynamic treated as static, right is local static):
> <snip>
>
> Are you saying I could do something like this (left is remote dynamic, right is local static):
> <snip>

Yes. Some details of one of my configs (just the connection specifications)... works with my IPSec V1.91 package kernels.

Dynamic system:

ipsec.conf

    conn %default
        type=tunnel
        auto=start
        [EMAIL PROTECTED]
        left=%defaultroute
        leftsubnet=10.31.32.0/24
        leftfirewall=yes
        keyexchange=ike
        authby=rsasig
        leftrsasigkey=0x0103b...
        keylife=8h
        keyingtries=0
    include ipsec/SanAntonio.conf

SanAntonio.conf

    conn SanAntonio
        [EMAIL PROTECTED]
        right=207.235.86.252
        rightnexthop=207.235.86.1
        rightsubnet=10.28.0.0/19
        rightrsasigkey=0x0103c...

Static system:

ipsec.conf

    conn %default
        type=tunnel
        auto=start
        [EMAIL PROTECTED]
        left=207.235.86.252
        leftnexthop=207.235.86.254
        leftsubnet=10.28.0.0/19
        leftfirewall=yes
        keyexchange=ike
        authby=rsasig
        leftrsasigkey=0x0103c...
        keylife=8h
        keyingtries=1
    include ipsec/Aptos.conf

Aptos.conf

    conn Aptos
        [EMAIL PROTECTED]
        right=%any
        rightsubnet=10.31.32.0/24
        rightrsasigkey=0x0103b...

Remote dynamic connections are identified initially by their ID, then authenticated using their RSA key. AFAIK, the same can be done with pre-shared secrets, but I'm not sure...

NOTE: Reading over this, I should probably have auto=load instead of auto=start on the static side... it's impossible to start a connection from the static side, since the peer IP is unknown.

> That would be a great solution to my dynamic gateways.
>
> Also, do you have any experience with Windoze VPN clients? I did some testing with several and SSH Sentinel seemed to be the easiest, but an Open Source and/or free solution would be better.

Sorry, I haven't used any windows VPN clients.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
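The cross-check Charles describes (ids, rsasigkeys and subnets matching crosswise on both ends, the static side accepting %any and not trying to initiate), as an added Python example that is not code from the thread or from FreeS/WAN. It parses two ipsec.conf files laid out like his (a conn %default plus include ipsec/... files) and reports every mismatch; the host names, the rsasigkey placeholders and the in-memory INCLUDES dictionary are constructed, and auto=add is the FreeS/WAN setting that loads a conn without initiating it.

```python
# Cross-check both ends of a FreeS/WAN roadwarrior link (added example, not code from the
# thread or FreeS/WAN). Local system is 'left' on both ends, so left* must mirror right*.
def _collect(text, includes, conns):
    """Read conn sections into conns; includes maps 'include' paths to file text."""
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        if line.startswith("include "):               # inline the /etc/ipsec file
            _collect(includes[line.split(None, 1)[1]], includes, conns)
        elif line.startswith("conn "):                # unindented section header
            current = conns.setdefault(line.split()[1], {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()

def parse_ipsec_conf(text, includes=None):
    """Return {conn_name: params} with 'conn %default' folded into every conn."""
    conns = {}
    _collect(text, includes or {}, conns)
    default = conns.pop("%default", {})
    return {name: {**default, **params} for name, params in conns.items()}

def mirror_problems(dynamic, static):
    """List mismatches between the two ends' conn for one link ([] = consistent)."""
    problems = []
    for side, peer in (("left", "right"), ("right", "left")):
        for key in ("id", "rsasigkey", "subnet"):     # must match crosswise
            a, b = dynamic.get(side + key), static.get(peer + key)
            if a != b:
                problems.append(f"{side}{key}={a} (dynamic) vs {peer}{key}={b} (static)")
            if key == "id" and not str(a).startswith("@"):  # bare name gets DNS-resolved
                problems.append(f"dynamic {side}id={a} lacks the leading '@'")
    if static.get("right") != "%any" or static.get("auto") == "start":
        problems.append("static end must use right=%any and not auto=start (peer IP unknown)")
    return problems

# Constructed sample in the thread's layout; rsasigkey values are placeholders, not keys.
INCLUDES = {"ipsec/SanAntonio.conf": """conn SanAntonio
    rightid=@sanantonio.example
    right=207.235.86.252
    rightsubnet=10.28.0.0/19
    rightrsasigkey=0x0103PLACEHOLDER_C
""", "ipsec/Aptos.conf": """conn Aptos
    rightid=@aptos.example
    right=%any
    rightsubnet=10.31.32.0/24
    rightrsasigkey=0x0103PLACEHOLDER_B
"""}
DYNAMIC_END = """conn %default
    leftid=@aptos.example
    left=%defaultroute
    leftsubnet=10.31.32.0/24
    leftrsasigkey=0x0103PLACEHOLDER_B
include ipsec/SanAntonio.conf
"""
STATIC_END = """conn %default
    leftid=@sanantonio.example
    left=207.235.86.252
    leftsubnet=10.28.0.0/19
    leftrsasigkey=0x0103PLACEHOLDER_C
include ipsec/Aptos.conf
"""

def check_link():
    dyn = parse_ipsec_conf(DYNAMIC_END, INCLUDES)["SanAntonio"]
    sta = parse_ipsec_conf(STATIC_END, INCLUDES)["Aptos"]
    return mirror_problems(dyn, sta)                  # [] when both ends agree
```

The same INCLUDES dictionary serves both ends, which is the rsynced /etc/ipsec directory in Charles' layout; run check_link() on the two real files before bringing the tunnel up.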
Re: [Leaf-user] Telnet Client
Nevermind. I found a version that works on David's latest Oxygen ISO.

> Does anybody have a working Telnet for LEAF? I know, I know, it's not secure, but I'm SSHing into my LEAF box, then I want to Telnet into another Linux box on my internal network. Yes, I will try later to forward an SSHD port to that box, but for now, how about Telnet?
>
> I tried the one in the Oxygen (March 2001) packages archive. Didn't work. Looks like it's actually busybox telnet, but without telnet actually linked in (?).
>
> Thanks,
> Sean
Re: [Leaf-user] upgrading lrp box
Charles:

I also tried Dachstein 1.0.2 with PPPoE from Ken and it also would not get an IP address from Covad. "starting ADSL" would come back with "timed out". I was able to connect to the weblet in both Eigerstein2beta and Dachstein and look at the firewall status, so I know that I had the cables hooked up right.

Charles Steinkuehler wrote:
> > Any suggestions?
>
> Make sure you're using the latest dhcp client. The EigerStein disk images have an older script that has problems connecting to some DHCP servers under varying circumstances. Since the problem can manifest itself in some instances as a race condition, it could be affected by your local CPU speed...
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] upgrading lrp box
Good idea. I'll try it with the Netgear FA311 and one 3c509b card.

Kenneth Hadley wrote:
> Have you tried using two PCI NICs, or just one ISA card and one PCI card? I've run into problems with P2/P3/Athlon systems that have two ISA slots but the first ISA slot is shared with the last PCI slot, so they conflict even if nothing is in the last PCI slot.
>
> - Original Message -
> From: "Robert Chambers" [EMAIL PROTECTED]
> To: "Charles Steinkuehler" [EMAIL PROTECTED]; "leaf" [EMAIL PROTECTED]
> Sent: Tuesday, December 18, 2001 11:27 AM
> Subject: Re: [Leaf-user] upgrading lrp box
[Leaf-user] CPU loading monitor
Is anyone aware of a CPU monitor for LRP that I could use to see what my box is doing?

Thanks.
Kevin
Re: [Leaf-user] CPU loading monitor
On Tuesday, 18 December 2001 21:58, Kevin Kropf wrote:
> Is anyone aware of a CPU monitor for LRP that I could use to see what my box is doing?

lrpStat from http://leaf.sourceforge.net/devel/hejl

Read there about using the C program lrpStat instead of stat.sh, which is used in weblet from Dachstein.

kp
RE: [Leaf-user] CPU loading monitor
Has anyone made an lrpStat.lrp?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of KP Kirchdörfer
Sent: Tuesday, December 18, 2001 3:31 PM
To: [EMAIL PROTECTED]; Leaf-User (E-mail)
Subject: Re: [Leaf-user] CPU loading monitor

On Tuesday, 18 December 2001 21:58, Kevin Kropf wrote:
> Is anyone aware of a CPU monitor for LRP that I could use to see what my box is doing?

lrpStat from http://leaf.sourceforge.net/devel/hejl

Read there about using the C program lrpStat instead of stat.sh, which is used in weblet from Dachstein.

kp
[Leaf-user] Re: Dachstein CD v1.0.2 w/PPPoE
Unfortunately, at this time I know of no workaround, and I believe Charles Steinkuehler (Dachstein's creator) is looking for ways to integrate PPPoE into the network scripts, which would take care of this problem; unfortunately firewall scripts are out of my league in terms of understanding.

- Original Message -
From: David B. Cook [EMAIL PROTECTED]
To: Kenneth Hadley [EMAIL PROTECTED]
Sent: Tuesday, December 18, 2001 7:38 PM
Subject: Dachstein CD v1.0.2 w/PPPoE

Kenneth,

I'm new to pppoe and am using your implementation on a Dachstein CD v.0.2. I notice from my provider (Bell Sympatico) that they appear to change my IP frequently. The logs appear to be telling me that it was renegotiated twice within 24 hours the other day. Outbound MASQ traffic appears to be OK, but port forwards get lost. I am probably not the first person to have found this. Am I looking for something that is already there, or should there be an /etc/init.d/network restart in the /etc/ppp/ip-up.d or something similar?
RE: [Leaf-user] CPU loading monitor
I get the following error:

    # top
    top: error in loading shared libraries
    libncurses.so.4: cannot open shared object file: No such file or directory

Help...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kenneth Hadley
Sent: Tuesday, December 18, 2001 8:49 PM
To: [LEAF-user]
Subject: Re: [Leaf-user] CPU loading monitor

Not that I'm aware of, though I do know that I have a top (which can watch CPU usage among other things) package on my site under the packages section ( http://leaf.sourceforge.net/devel/khadley/ ) and yes, I am doing shameless advertising ;-)

-Kenneth Hadley
[Leaf-user] Puzzled about Port Forwarding
There seem to be so many different ways of doing port forwarding, I confess to being totally stumped. I am running an E2B firewall which has been working quite nicely for several months now. I am now adding a new machine behind the firewall and need to open a few ports. The only option I seem to have available is either ipmasqadm autofw or ipmasqadm portfw.

I have tried using

    ipmasqadm portfw -a -P tcp -L InternetIP port -R ServerIP port

which didn't give any errors, yet when I do a

    ipmasqadm portfw -l

I get...

    Could not open /proc/net/ip_masq/portfw
    Could not open /proc/net/ip_portfw
    Check if you have enabled portforwarding
    #

Neither of the two portfw files exist, nor do I seem to be able to create them.

I have also tried

    ipfwadm -F -i accept -P udp -S InternetIP -D ServerIP 2074

which gives me the error

    ipfwadm: setsockopt failed: Invalid argument.

I think I have port forwarding enabled; at least I have these two entries in my network.conf:

    IPFWDING_KERNEL=YES
    IPFWDING_FW=YES

Can someone clue me into what I am doing wrong?

Thanks
-Rob-
Re: [Leaf-user] Puzzled about Port Forwarding
Rob Dover wrote:
> There seem to be so many different ways of doing port forwarding, I confess to being totally stumped. I am running an E2B firewall which has been working quite nicely for several months now. I am now adding a new machine behind the firewall and need to open a few ports. The only option I seem to have available is either ipmasqadm autofw or ipmasqadm portfw.
>
> I have tried using
>
>     ipmasqadm portfw -a -P tcp -L InternetIP port -R ServerIP port
>
> which didn't give any errors, yet when I do a
>
>     ipmasqadm portfw -l
>
> I get...
>
>     Could not open /proc/net/ip_masq/portfw
>     Could not open /proc/net/ip_portfw
>     Check if you have enabled portforwarding
>     #
>
> Neither of the two portfw files exist, nor do I seem to be able to create them.
>
> I have also tried
>
>     ipfwadm -F -i accept -P udp -S InternetIP -D ServerIP 2074
>
> which gives me the error
>
>     ipfwadm: setsockopt failed: Invalid argument.
>
> I think I have port forwarding enabled; at least I have these two entries in my network.conf:
>
>     IPFWDING_KERNEL=YES
>     IPFWDING_FW=YES
>
> Can someone clue me into what I am doing wrong?
>
> Thanks

It might be helpful if you give some more particulars about what you are trying to forward and where. There are values in /etc/network.conf that, if configured, open the firewall and forward to internal machines.
[Leaf-user] Starting from scratch to build a high capacity VPN tunnel appliance
Good evening, folks!

I have a new customer with two (soon to be four) offices; and when I got there their Internet access on both ends (Cherry Hill NJ and Manila) was a DSL mess. In fact, it's so bad they send 1 to 2 DVDs per day via DHL to Manila. I'm finalizing the design and costing for the MAN links to the ISPs, using either multiple T-1 frame relay links or fractional DS-3, in order to get sustained throughputs of 3 to 6 megabits.

I'm in need of some advice on the OS software for the two to four appliances I'll be building for them. I started out on Charles Steinkuehler's site, as well as the linked article at http://www.linuxjournal.com/article.php?sid=4772; but it doesn't quite cut the cheese for what I need. Here's my preliminary list of design goals:

* No moving parts: Loading from a floppy or CD is a no-no; and if I can avoid a hard drive I'll be quite pleased. Having worked extensively with Apple and DEC RISC machines, I know a floppy is a worthless POS;
* Since the price of Compact Flash cards is dirt cheap, and since they conform to the IDE standard, I'm thinking of using these. This way, I can easily deploy upgrades by mailing out replacement cards... No big shake, as Pee Wee would say;
* The throughput (encryption rate) needs to be plenty, with room for expansion. Fortunately, hardware is cheap, so a 1.4 GHz Athlon package is no problem whatsoever;
* I was going to purchase Intel 31xx VPN appliances (http://www.intel.com/network/idc/products/vpn_gateway.htm), until I saw the prices. Oh, and they just EOL'd these boxes, instead giving the reference design to H-P;
* Along the NIC lines, how well do the Pro/100 S (i82550-based) adapters (http://www.intel.com/network/connectivity/products/server_adapters.htm) work with LEAF? This looks like a nice way to gain throughput IF there are Linux drivers.

Thanks in advance for any tips!

Cheers!

Dan Schwartz
Cherry Hill, NJ

When the chips are down, the buffalo is empty...