[Leaf-user] Compiling modules for Bering
Hi all,

I have a Bewan ADSL PCI card arriving in the next few days, and in preparation, I want to get its driver compiled for Bering (I'm pretty sure it doesn't already exist in the modules list). Is someone happy to do that, or could someone point me in the right direction for compiling it? Is it as simple as just compiling it in a 2.4.18 tree, or are there glib-type issues etc. that I have to watch out for?

Many thanks

Dave

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
[Leaf-user] Bering v1.0-rc2 available
This new release includes, among other things, ipsec and pptp support. Also updated with the latest 1.2.12 Shorewall and iptables 1.2.6a. The documentation has been considerably extended.

Thanks to all the folks who helped us on this release!

The details are here: http://leaf.sourceforge.net/article.php?sid=37

Jacques & Eric
http://leaf.sourceforge.net/devel/jnilo
[Leaf-user] Dynamic VPN Gateway..... Almost
Hello,

I have two Dachstein IPsec gateways in place. One is a static IP, the other is dynamic. I cannot get the VPN up. When I change the ipsec.secrets file to reflect the IP assigned to the dynamic connection it works! But as soon as I specify it as dynamic it doesn't. When this happens /var/log/auth.log says that no preshared key could be found for 68.87.38.109 (the dynamically assigned address) and 216.29.35.154 (the remote static address).

Anyone have any suggestions?

Thanks,
Jason Massey
Re: [Leaf-user] Dynamic VPN Gateway..... Almost
> I have two Dachstein IPsec gateways in place. One is a static IP, the other is dynamic. I cannot get the VPN up. When I change the ipsec.secrets file to reflect the IP assigned to the dynamic connection it works! But as soon as I specify it as dynamic it doesn't. When this happens /var/log/auth.log says that no preshared key could be found for 68.87.38.109 (the dynamically assigned address) and 216.29.35.154 (the remote static address).
>
> Anyone have any suggestions?

It sounds like IPSec isn't finding the proper secret to use unless the secret is tagged with the remote IP. Are you assigning connection IDs in ipsec.conf? IPSec will use the IP as a default ID if you don't assign one manually. I typically use unresolved names as a connection ID, rather than IP addresses...they are easier for me to remember (and make sense of).

IIRC, there may also be some limitations on using pre-shared secrets vs. RSA signature keys...which are you trying to use?

Try something like:

  [EMAIL PROTECTED]
  [EMAIL PROTECTED]

in your connection description at both ends...

If that doesn't help, you'll probably have to provide your ipsec.conf and ipsec.secrets file for inspection (remove/alter any private info from ipsec.secrets before posting, but keep it otherwise intact).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] Dynamic VPN Gateway..... Almost
Charles,

> It sounds like IPSec isn't finding the proper secret to use unless the secret is tagged with the remote IP. Are you assigning connection IDs in ipsec.conf? IPSec will use the IP as a default ID if you don't assign one manually. I typically use unresolved names as a connection ID, rather than IP addresses...they are easier for me to remember (and make sense of).
>
> IIRC, there may also be some limitations on using pre-shared secrets vs. RSA signature keys...which are you trying to use?
>
> Try something like:
>
>   [EMAIL PROTECTED]
>   [EMAIL PROTECTED]
>
> in your connection description at both ends...
>
> If that doesn't help, you'll probably have to provide your ipsec.conf and ipsec.secrets file for inspection (remove/alter any private info from ipsec.secrets before posting, but keep it otherwise intact).

I am using shared secrets. I will at one point want to try the RSA encryption, but I have experience with shared secrets and figured to start there and then go to RSA.

In my previous experience with FreeS/WAN (v. 1.34 I believe) I would specify 0.0.0.0 for anyone in the ipsec.secrets file on the static gateway and 127.0.0.1 for local IP on the dynamic gateway. I have not seen this instructed at all for the v1.91 with which I am working.

What should the ipsec.secrets file be for the static and dynamic gateways? I currently have this for both:

  216.29.35.154 0.0.0.0:PSK secretgoeshere

If you like I will provide the files.

Jason Massey
Re: [Leaf-user] Dynamic VPN Gateway..... Almost
I have had similar problems. Love to know what ipsec version you are using. It seems that using 0.0.0.0 as an identifier in ipsec.secrets is key, but I haven't got dynamic to work yet.

[EMAIL PROTECTED] on 04/25/2002 08:28:33 AM
To: [EMAIL PROTECTED]
cc: (bcc: Phillip Watts/austin/Nlynx)
Subject: [Leaf-user] Dynamic VPN Gateway..... Almost

> Hello,
>
> I have two Dachstein IPsec gateways in place. One is a static IP, the other is dynamic. I cannot get the VPN up. [...]
Re: [Leaf-user] Dynamic VPN Gateway..... Almost
Charles,

One other thing. The /var/log/auth.log is from the dynamic gateway, as this is the one starting the tunnel. I must not be specifying for IPsec to use the local IP the right way in ipsec.secrets. In ipsec.conf you use %defaultroute. What about in ipsec.secrets?

Jason Massey
Re: [Leaf-user] Dynamic VPN Gateway..... Almost
Phillip,

Version 1.91. I think I may scrap using the PSK and go to RSA. As Charles pointed out, RSA does not use IPs as identifiers but rather uses the keys.

Jason Massey
Re: [Leaf-user] VPN error, please help
> From: MLU [EMAIL PROTECTED]
>
> I strongly hope that's my mistake somewhere and not the ISP's. If the ISP blocks the IPSEC, could I connect to my office's VPN server? I still can do that before this experiment (removing ipsec module...). The bad (and probably good -:)) news is that I do not see anything logged into /var/log/messages on my site after I ping the other site. Lynn mentioned that "But more likely, the route to the correct local subnet on each machine is missing". How can I detect that and how to fix it?

Look at your local routing setup (ip route or netstat -nr). Make sure there is a route directing packets destined for the far end of the VPN to the ipsec device.

> From: Jonathan French [EMAIL PROTECTED]
>
> I'm having similar problems, and have found this thread helpful. I've been wondering, do we have to declare the routing on the gateways, or shouldn't ipsec handle this?

FreeS/WAN handles setting up routes for the VPN link (ie traffic to the far end of the VPN gets routed to ipsec0), but you still have to set up basic networking (including routing) on the VPN gateway, as well as duplicate some routing information in FreeS/WAN's configuration file (due to limitations with the 2.0 series kernel, initial versions of FreeS/WAN were unable to use the kernel's routing information, so this had to be duplicated in the FreeS/WAN configs...this will be fixed in the next major re-write of KLIPS, the kernel IPSec code).

> Also, what if the ipsec router is not the default gateway for a machine that you are trying to ping from elsewhere? Do the pings try to return through the wrong router?

If the VPN gateway is *NOT* the default router for the subnet, EACH AND EVERY HOST that wants to talk to the remote end of the VPN needs a static route directing those packets to the VPN gateway. Your life will be *MUCH* easier if the VPN gateway is also the default gateway for your subnet.

If you are required to use an alternate firewall for some reason, you may find a series configuration might work better than trying to parallel the VPN gateway and your existing firewall, ie:

      internet
         |
      firewall
         |
     VPN Gateway
         |
   internal network

Rather than:

      internet
         |
      +--\
      |  |
 firewall  VPN Gateway
      |  |
      +--/
         |
   internal network

If your firewall is fancy enough, you may also be able to set up something like:

      internet
         |
      firewall --- VPN Gateway
         |
   internal network

Where you add a static route to the firewall (forwarding internal network -> VPN traffic to the VPN gateway), and port-forward, NAT, or otherwise route inbound IPSec traffic to the VPN gateway box, as well.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
RE: [Leaf-user] VPN error, please help
Below are my routes on both left and right sides. Charles, if you can confirm them correct, I think there must be some rule on my left side denying packets destined for 192.168.1 from even reaching left-side eth0. I accidentally found this in one old log:

  Apr 23 19:14:06 router kernel: Packet log: input DENY eth0 PROTO=1 192.168.1.2:3 24.83.28.213:3 L=56 S=0x00 I=36609 F=0x T=109 (#10)

But I must say that I do not know if ipsec was running at that time. And rule 10 in the input chain is:

  10 0 0 DENY all l- 0xFF 0x00 eth0 192.168.0.0/16 0.0.0.0/0 n/

On left side (internal 192.168.9, wants to talk to 192.168.1 via ipsec):

  # ip route
  192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.254
  192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
  192.168.1.0/24 via 24.83.28.1 dev ipsec0
  192.168.9.0/24 dev eth1 proto kernel scope link src 192.168.9.254
  24.83.28.0/22 dev eth0 proto kernel scope link src 24.83.28.213
  24.83.28.0/22 dev ipsec0 proto kernel scope link src 24.83.28.213
  default via 24.83.28.1 dev eth0

  router: -root-
  # netstat -r
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags MSS Window irtt Iface
  192.168.3.0     *               255.255.255.0   U     0   0      0    eth3
  192.168.2.0     *               255.255.255.0   U     0   0      0    eth2
  192.168.1.0     24.83.28.1      255.255.255.0   UG    0   0      0    ipsec0
  192.168.9.0     *               255.255.255.0   U     0   0      0    eth1
  24.83.28.0      *               255.255.252.0   U     0   0      0    eth0
  24.83.28.0      *               255.255.252.0   U     0   0      0    ipsec0
  default         24.83.28.1      0.0.0.0         UG    0   0      0    eth0

and right side (internal 192.168.1, wants to talk to 192.168.9 via ipsec):

  # ip route
  192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
  192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
  192.168.9.0/24 via 24.76.92.1 dev ipsec0
  24.76.92.0/22 dev eth0 proto kernel scope link src 24.76.93.9
  24.76.92.0/22 dev ipsec0 proto kernel scope link src 24.76.93.9
  default via 24.76.92.1 dev eth0

  router: -root-
  # netstat -r
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags MSS Window irtt Iface
  192.168.2.0     *               255.255.255.0   U     0   0      0    eth2
  192.168.1.0     *               255.255.255.0   U     0   0      0    eth1
  192.168.9.0     24.76.92.1      255.255.255.0   UG    0   0      0    ipsec0
  24.76.92.0      *               255.255.252.0   U     0   0      0    eth0
  24.76.92.0      *               255.255.252.0   U     0   0      0    ipsec0
  default         24.76.92.1      0.0.0.0         UG    0   0      0    eth0

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles Steinkuehler
Sent: Thursday, April 25, 2002 7:46 AM
To: Jonathan French
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] VPN error, please help

> Look at your local routing setup (ip route or netstat -nr). Make sure there is a route directing packets destined for the far end of the VPN to the ipsec device.
> [...]
Re: [Leaf-user] VPN error, please help
> Below are my routes on both left and right sides. Charles, if you can confirm them correct, I think there must be some rule on my left side denying packets destined for 192.168.1 from even reaching left-side eth0. I accidentally found this in one old log:
>
>   Apr 23 19:14:06 router kernel: Packet log: input DENY eth0 PROTO=1 192.168.1.2:3 24.83.28.213:3 L=56 S=0x00 I=36609 F=0x T=109 (#10)
>
> But I must say that I do not know if ipsec was running at that time. And rule 10 in the input chain is:
>
>   10 0 0 DENY all l- 0xFF 0x00 eth0 192.168.0.0/16 0.0.0.0/0 n/

The error is probably due to trying to ping without IPSec running, but with some ipchains rules left over (like the forward rule that allows traffic between your two private networks) preventing your private source IP from being masqueraded on the way out.

> On left side (internal 192.168.9, wants to talk to 192.168.1 via ipsec):
>
>   # ip route
>   192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.254
>   192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
>   192.168.1.0/24 via 24.83.28.1 dev ipsec0
>   192.168.9.0/24 dev eth1 proto kernel scope link src 192.168.9.254
>   24.83.28.0/22 dev eth0 proto kernel scope link src 24.83.28.213
>   24.83.28.0/22 dev ipsec0 proto kernel scope link src 24.83.28.213
>   default via 24.83.28.1 dev eth0
>
> and right side (internal 192.168.1, wants to talk to 192.168.9 via ipsec):
>
>   # ip route
>   192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
>   192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
>   192.168.9.0/24 via 24.76.92.1 dev ipsec0
>   24.76.92.0/22 dev eth0 proto kernel scope link src 24.76.93.9
>   24.76.92.0/22 dev ipsec0 proto kernel scope link src 24.76.93.9
>   default via 24.76.92.1 dev eth0

Well, both of these look OK. Packets destined for the remote end of the VPN are being routed to ipsec0, where they should be encrypted and sent along their merry way.

Did you try inserting the logging rules for protocol 50 ESP traffic? What (if any) results did you get?

I suspect something is filtering traffic between your two firewalls...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
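The routing check Charles asks for above ("is the far end of the VPN routed to the ipsec device?") can be automated against `ip route` output. The following is an added example written for this digest; it is not code from the list thread or from FreeS/WAN. It parses the left-side table posted above (embedded here as a constructed copy), does a longest-prefix lookup the way the kernel does, and reports whether the whole remote subnet would leave through `ipsec0`. A second, constructed table with the ipsec0 route removed shows the failure mode: the traffic silently falls through to the default route and would go out unencrypted.

```python
"""Check that a VPN gateway's routing table sends the remote subnet to the IPsec device.

Added example (not code from the list thread or from FreeS/WAN): parses
'ip route' output and applies the check described in the thread.
"""
import ipaddress

# Constructed sample input: the left-side 'ip route' output posted in the thread.
LEFT_IP_ROUTE = """\
192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.254
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
192.168.1.0/24 via 24.83.28.1 dev ipsec0
192.168.9.0/24 dev eth1 proto kernel scope link src 192.168.9.254
24.83.28.0/22 dev eth0 proto kernel scope link src 24.83.28.213
24.83.28.0/22 dev ipsec0 proto kernel scope link src 24.83.28.213
default via 24.83.28.1 dev eth0
"""

# Constructed counter-example: the same table with the ipsec0 route for the
# far end missing, which is the failure mode the thread is hunting for.
LEFT_IP_ROUTE_BROKEN = "\n".join(
    line for line in LEFT_IP_ROUTE.splitlines() if not line.startswith("192.168.1.0/24")
)


def parse_ip_route(text):
    """Turn 'ip route' lines into (network, dev, via) tuples; other keys are ignored."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        dev = via = None
        for key, value in zip(fields[1:], fields[2:]):
            if key == "dev":
                dev = value
            elif key == "via":
                via = value
        routes.append((net, dev, via))
    return routes


def lookup(routes, dest):
    """Longest-prefix match; on equal prefix length the earlier entry wins,
    which is how the two 24.83.28.0/22 routes above are ordered."""
    addr = ipaddress.ip_address(dest)
    best = None
    for route in routes:
        net = route[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def vpn_route_check(routes, remote_subnet, ipsec_dev="ipsec0"):
    """Return (ok, explanation): does the whole remote subnet go out via ipsec_dev?"""
    net = ipaddress.ip_network(remote_subnet)
    hit = lookup(routes, str(net.network_address))
    if hit is None:
        return False, f"no route covers {remote_subnet}"
    matched, dev, via = hit
    if dev != ipsec_dev:
        # Typical symptom: only the default route matches, so VPN traffic would
        # leave through the plain interface instead of being encrypted.
        return False, f"{remote_subnet} would leave via {dev} (route {matched}), not {ipsec_dev}"
    if not net.subnet_of(matched):
        return False, f"route {matched} only covers part of {remote_subnet}"
    return True, f"{remote_subnet} -> {dev} via {via} (route {matched})"


if __name__ == "__main__":
    for label, table in (("posted table", LEFT_IP_ROUTE), ("route removed", LEFT_IP_ROUTE_BROKEN)):
        ok, why = vpn_route_check(parse_ip_route(table), "192.168.1.0/24")
        print(f"{label}: {'OK' if ok else 'PROBLEM'}: {why}")
```

Run it on a live gateway by feeding it the output of `ip route` and the subnet of the far end; the same check applies to the right-side table in the thread with `192.168.9.0/24`.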
Re: [Leaf-user] Dynamic VPN Gateway..... Almost
If I recall correctly, ipsec.secrets will NOT allow a catch-all entry if you are using preshared secrets. That's the reason you want to go to RSA keys if you have a dynamic end to the tunnel - they will allow this, if you set a name as Charles suggested. If you want to stay with the preshared secrets, I'd suggest adding a dynamic DNS daemon on the dynamic end so that you can find the gateway with ssh - you'll need to edit ipsec.secrets every time the IP changes!

Once you get your head around RSA, you'll wonder why you wasted any time with the shared secrets ;-)

Brock

To: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] Dynamic VPN Gateway..... Almost
From: [EMAIL PROTECTED]
Date: Thu, 25 Apr 2002 10:05:26 -0400

> Charles,
> [...]
> I am using shared secrets. I will at one point want to try the RSA encryption, but I have experience with shared secrets and figured to start there and then go to RSA.
>
> In my previous experience with FreeS/WAN (v. 1.34 I believe) I would specify 0.0.0.0 for anyone in the ipsec.secrets file on the static gateway and 127.0.0.1 for local IP on the dynamic gateway. I have not seen this instructed at all for the v1.91 with which I am working.
>
> What should the ipsec.secrets file be for the static and dynamic gateways? I currently have this for both:
>
>   216.29.35.154 0.0.0.0:PSK secretgoeshere
>
> If you like I will provide the files.
>
> Jason Massey
Re: [Leaf-user] VPN error, please help
Hi Charles, MLu,

> Look at your local routing setup (ip route or netstat -nr). Make sure there is a route directing packets destined for the far end of the VPN to the ipsec device.

Ok, so what you are saying is that on the ipsec router, I should associate the external private subnet with device ipsec0, ie

  route add -net 172.168.44.0 netmask 255.255.0.0 dev ipsec0

That is, don't forward the external private subnet to the external IP or the external device, but ipsec0. I think from this I also need to turn on bidirectional IP forwarding (ipchains) between masq'ed subnets. I had turned this on before, but I don't think the previous route add statement is set. Doing this from 30 miles away makes it a bit harder.

Thanks for your help,
Jon

> From: Jonathan French [EMAIL PROTECTED]
>
> I'm having similar problems, and have found this thread helpful. I've been wondering, do we have to declare the routing on the gateways, or shouldn't ipsec handle this?
> [...]
[Leaf-user] passwd problem ???
I have to save certain configuration files separate from the .lrp files for various reasons. When I change a password:

  passwd

I copy /etc/passwd and /etc/shadow- to a hard disk. After booting I copy those files back to ramdisk and my old passwd is back. Am I saving the wrong files?

Thanx
Re: [Leaf-user] passwd problem ???
> I have to save certain configuration files separate from the .lrp files for various reasons. When I change a password:
>
>   passwd
>
> I copy /etc/passwd and /etc/shadow- to a hard disk. After booting I copy those files back to ramdisk and my old passwd is back. Am I saving the wrong files?

Maybe...passwords are in /etc/shadow, not /etc/shadow- (a backup version of /etc/shadow).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] RSA VPN w/Dynamic IP
> 1) Am I correct in understanding that the private key for each gateway goes in ipsec.secrets, while the public key goes in ipsec.conf left/right respectively?

You need at least one private key in ipsec.secrets (the RSA key for the local machine). You need two public RSA keys in ipsec.conf (the public portion of the key used on each end of the connection).

> 2) How does IPsec know the FQDN of each gateway, and do I just set it in network.conf? For example: leftid=office.company.com and rightid=home.company.com. Do I set the host name of the office machine to office and the domain as company.com in the network.conf, or is there more to it than that?

For the complete answer, see the FreeS/WAN documentation. The short answer from memory is that IDs on both ends need to match. To prevent any IP renumbering and/or DNS problems from breaking VPN links, I always assign non-resolved IDs to both ends. In other words:

  leftid=office.company.com

will use name resolution to come up with an IP address, which will be used as left ID.

  [EMAIL PROTECTED]

will use office.company.com as the left ID, which (in my networks at least) tends to be less prone to change than the IP address...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] Dynamic VPN Gateway..... Almost
On Thu, 25 Apr 2002 08:54:02 -0700 Brock Nanson [EMAIL PROTECTED] wrote:

> If I recall correctly, ipsec.secrets will NOT allow a catch-all entry if you are using preshared secrets. That's the reason you want to go to RSA keys if you have a dynamic end to the tunnel - they will allow this, if you set a name as Charles suggested.

You can have only one catch-all (and therefore one preshared secret) if you are using preshared secrets. The identifier to use is %any in the ipsec.secrets file. Like so:

  %any 192.168.3.1: PSK unsecure

HTH
Chad
Re: [Leaf-user] Dynamic VPN Gateway..... Almost
> You can have only one catch-all (and therefore one preshared secret) if you are using preshared secrets. The identifier to use is %any in the ipsec.secrets file. Like so:
>
>   %any 192.168.3.1: PSK unsecure
>
> HTH
> Chad

Yes, but that would be the ipsec.secrets entry on the static side. What about the dynamic gateway? Would it be the same?

Jason Massey
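The "no preshared key could be found for 68.87.38.109 and 216.29.35.154" message from Jason's auth.log and Chad's %any suggestion describe the same lookup from two sides. The following is an added example written for this digest, not code from the thread or from FreeS/WAN. It assumes a deliberately simplified model of the ipsec.secrets selection rule: a PSK entry is usable only if its index list covers both the local ID and the remote ID, with %any as the only wildcard (so a literal 0.0.0.0 index matches nothing, which is consistent with the behaviour reported in the thread; pluto's real matching has more cases than this). The two secrets files are constructed from the entries quoted in the thread.

```python
"""Model of how a preshared-secret lookup in ipsec.secrets fails for a dynamic peer.

Added example, not code from the thread or from FreeS/WAN. Assumed, simplified
rule: an entry is usable only if its index list covers BOTH the local ID and
the remote ID, and %any is the only wildcard. Pluto's exact behaviour
(partial matches, non-IP ID types) is outside this model.
"""

# Constructed sample: the entry Jason reports using on both gateways.
JASON_SECRETS = '216.29.35.154 0.0.0.0: PSK "secretgoeshere"\n'

# Constructed sample: the %any form Chad suggests, here for the static side.
ANY_SECRETS = '%any 216.29.35.154: PSK "secretgoeshere"\n'

STATIC_GW = "216.29.35.154"   # static gateway address from the thread
DYNAMIC_GW = "68.87.38.109"   # dynamically assigned address from the auth.log message


def parse_secrets(text):
    """Parse '<index> <index>...: PSK "secret"' lines into (indices, secret) pairs.
    Comments and non-PSK entries (e.g. RSA keys) are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        indices_part, sep, rest = line.partition(":")
        rest = rest.strip()
        if not sep or not rest.upper().startswith("PSK"):
            continue
        secret = rest[3:].strip().strip('"')   # quotes are optional in the thread's entries
        entries.append((indices_part.split(), secret))
    return entries


def index_matches(index, identity):
    """%any is the only wildcard in this model; everything else must match exactly."""
    return index == "%any" or index == identity


def find_psk(entries, local_id, remote_id):
    """First entry whose index list covers both IDs, or None when no key fits
    (the situation the auth.log message in the thread reports)."""
    for indices, secret in entries:
        local_ok = any(index_matches(i, local_id) for i in indices)
        remote_ok = any(index_matches(i, remote_id) for i in indices)
        if local_ok and remote_ok:
            return secret
    return None


def explain(secrets_text, local_id, remote_id):
    """Human-readable verdict for one (secrets file, ID pair) combination."""
    secret = find_psk(parse_secrets(secrets_text), local_id, remote_id)
    if secret is None:
        return f"no preshared key for {local_id} <-> {remote_id}"
    return f"key found for {local_id} <-> {remote_id}"


if __name__ == "__main__":
    # On the static gateway, with the dynamic peer at its current address:
    print(explain(JASON_SECRETS, STATIC_GW, DYNAMIC_GW))   # 0.0.0.0 is not a wildcard here
    print(explain(ANY_SECRETS, STATIC_GW, DYNAMIC_GW))     # %any covers the dynamic peer
    # The same %any entry keeps working after the dynamic address changes:
    print(explain(ANY_SECRETS, STATIC_GW, "68.87.40.2"))
```

The third call is the property that matters operationally: an entry indexed by a concrete dynamic address has to be edited every time the address changes (Brock's point above), while the %any entry does not, at the cost that only one such catch-all secret can exist.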
[Leaf-user] Re: Hi
> Hi,
>
> I need a module for a Proxim wireless card. I tried to compile my own on a RedHat 7.2 system with a 2.4.18 kernel, but when loading on a Bering I got a number of "insmod: unresolved symbol..." errors. How can I build this module? I am using a driver from Comacke. On a RedHat system all is ok. Please help me. If all is OK for Bering I will send the module and supporting software for this wireless card. Thanks in advance.

Could you give the link to the network card support site? And the one to the driver source code?

Jacques
[Leaf-user] Re: CDRom modules
> First of all I'd like to send you my admiration for creating such a wonderful project. I have been running the Bering router for over a month and it is awesome. Especially, since I did not have to go out and buy a $150 router. I was able to create a 1.722MB diskette instead in order to add sshd. That way I can have a headless router PC with no keyboard, mouse, monitor, etc...
>
> But now I want to add further modules, especially IPSec stuff. I cannot fit all that into a floppy diskette so I'll need a CDROM burned copy of Bering. I know the Stei.. version is for CDROM but I like Bering better. I tried loading cdrom.o but it does not work. I suspect the kernel does not have cdrom support compiled in. I tried compiling a new kernel with cdrom support but it returns:
>
>   Kernel panic: VFS: Unable to mount root fs on 01:00.
>
> Can you guys help me out and tell me how to add CDROM support to the Bering LRP?

1/ Update to v1.0-rc2
2/ RTFM:
   http://leaf.sourceforge.net/devel/jnilo/bubooting.html
   http://leaf.sourceforge.net/devel/jnilo/bucdrom.html

Jacques
[Leaf-user] RE: [Leaf-devel] Bering v1.0-rc2 available
We got serial support in the kernel!!! All right!

Thanks Guys,
Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacques Nilo
Sent: Thursday, April 25, 2002 9:06 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: shorewall-users
Subject: [Leaf-devel] Bering v1.0-rc2 available

> This new release includes, among other things, ipsec and pptp support. [...]
>
> ___
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-devel
Re: [Leaf-user] VPN error, please help
> > Look at your local routing setup (ip route or netstat -nr). Make sure there is a route directing packets destined for the far end of the VPN to the ipsec device.
>
> Ok, so what you are saying is that on the ipsec router, I should associate the external private subnet with device ipsec0, ie
>
>   route add -net 172.168.44.0 netmask 255.255.0.0 dev ipsec0
>
> That is, don't forward the external private subnet to the external IP or the external device, but ipsec0. I think from this I also need to turn on bidirectional IP forwarding (ipchains) between masq'ed subnets. I had turned this on before, but I don't think the previous route add statement is set. Doing this from 30 miles away makes it a bit harder.

You *DO* have to add firewall rules to allow the packets to be forwarded, and the IPSec traffic to get in/out of the box. You should *NOT* have to directly play with any routing...the FreeS/WAN scripts should set all the routing up when the connections get built.

NOTE: If you have [left|right]firewall=yes, you shouldn't have to worry about the firewall rules either...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] VPN error, please help
Hi Charles,

Thanks, leftfirewall=yes lets me ping a machine on the other subnet now. I think I added a few too many extra ipchains rules, but now that it is working I can back off on them.

- Jon

Charles Steinkuehler wrote:

> You *DO* have to add firewall rules to allow the packets to be forwarded, and the IPSec traffic to get in/out of the box. You should *NOT* have to directly play with any routing...the FreeS/WAN scripts should set all the routing up when the connections get built.
>
> NOTE: If you have [left|right]firewall=yes, you shouldn't have to worry about the firewall rules either...
[Leaf-user] Interrupts
I'm working on a LEAF Bering machine. It appears that it loads the 3c509 module properly, and assigns it io port addresses, but not an interrupt (cat /proc/ioports and cat /proc/interrupts). On the same machine using tomsrtbt, the nic comes up with an interrupt. PNP has been disabled and the card configured with known address and IRQ. Both Bering and tomsrtbt come up with the expected io ports.

I'm using Bering 2.4.18 #3 Mar 15.

--
Sincerely,
David Smead
http://www.amplepower.com
Re: [Leaf-user] VPN behind Dachstein
Scott,

A quick follow-up question regarding allowing protocol 47 packets through. I attempted to manually set the IPCHAINS rules just to do a quick test, and this is what I got:

  firewall: -root-
  # ipchains -A input -s 0/0 -d 0/0 1723 -p tcp -l -j ACCEPT
  firewall: -root-
  # ipchains -A input -s 0/0 -d 0/0 1723 -p 47 -j ACCEPT
  ipchains: can only specify ports for icmp, tcp or udp
  Try `ipchains -h' or 'ipchains --help' for more information.

I am not trying to port forward anything at this point; I want to be able to allow any machine on my home network to connect to a VPN machine at a client. So no ipmasqadm portfw.

I uncommented the PPTP module and this is reflected in my log:

  Apr 25 10:55:35 firewall kernel: ip_masq_gre(): creating GRE masq for 192.168.1.3 - 205.158.144.234 CID=43E6 MCID=10EA
  Apr 25 10:55:35 firewall kernel: Packet log: input DENY eth0 PROTO=47 205.158.144.234:65535 68.49.250.48:65535 L=93 S=0x00 I=62911 F=0x T=116 (#41)
  [snipped more of the same]

But clearly it is viewing protocol 47 packets as junk and denying them. What step(s) am I missing?
Re: [Leaf-user] VPN behind Dachstein
On Thu, 25 Apr 2002 23:09:38 -0400 Morgan Reed [EMAIL PROTECTED] wrote:
> Scott,
>
> A quick follow-up question regarding allowing protocol 47 packets through. I attempted to manually set the IPCHAINS rules just to do a quick test, and this is what I got:
>
> firewall: -root- # ipchains -A input -s 0/0 -d 0/0 1723 -p tcp -l -j ACCEPT
> firewall: -root- # ipchains -A input -s 0/0 -d 0/0 1723 -p 47 -j ACCEPT
> ipchains: can only specify ports for icmp, tcp or udp
> Try `ipchains -h' or 'ipchains --help' for more information.

This ipchains rule should not specify port 1723. Ports are not a part of the GRE header, so they cannot be specified as targets for ipchains. The rule should read:

ipchains -A input -p 47 -j ACCEPT

to be absolutely minimal about it. If no source or destination address is given, the default is everything.

HTH,
Chad

p.s. Take a look at http://www.protocols.com/pbook/tcpip3-1.htm and http://www.protocols.com/pbook/tcpip.htm#TCP for more details on this. This is pretty heavy stuff if you're not used to it, but it tells you what is in the headers of the packets you are trying to filter. It is invaluable if you want to really know what you can do with ipchains.
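Chad's point is that the GRE header has no port numbers, so the only thing ipchains can match on for protocol 47 is the protocol itself. The following is an added example, not code from the LEAF list or from any of the posters: a small parser for the ipchains "Packet log:" lines quoted above that picks out the denied PPTP packets (GRE, or the TCP 1723 control channel) and derives the minimal ACCEPT rule for each. The first sample line is the DENY from Morgan's log; the other two lines are constructed for the example. That ipchains prints 65535 in the port positions for protocols without ports is taken from that same quoted line.

```python
"""Parse ipchains 'Packet log:' lines and pick out denied PPTP traffic.

Added example for the LEAF thread above, not the project's own code. It
reads the log format quoted in the thread, decides whether a denied packet
belongs to a PPTP session (GRE, IP protocol 47, or the TCP 1723 control
channel) and derives the minimal ipchains ACCEPT rule. GRE carries no port
numbers, so the GRE rule names only the protocol, which is why the rule that
named port 1723 with -p 47 was rejected.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47
PPTP_CTRL_PORT = 1723

# Only these protocols carry something in the "port" positions of the log:
# TCP/UDP ports, or ICMP type:code. For anything else ipchains prints 65535,
# as in the PROTO=47 line quoted in the thread.
PROTOS_WITH_PORTS = {IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP}

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: the first line is the DENY quoted in the thread; the
# other two are made up for this example (an accepted PPTP control packet
# and an unrelated NetBIOS datagram).
SAMPLE_LOG = [
    "Apr 25 10:55:35 firewall kernel: Packet log: input DENY eth0 PROTO=47 "
    "205.158.144.234:65535 68.49.250.48:65535 L=93 S=0x00 I=62911 F=0x T=116 (#41)",
    "Apr 25 10:55:35 firewall kernel: Packet log: input ACCEPT eth0 PROTO=6 "
    "205.158.144.234:1723 68.49.250.48:1039 L=60 S=0x00 I=62910 F=0x4000 T=116 (#3)",
    "Apr 25 10:55:40 firewall kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.0.2.77:137 68.49.250.48:137 L=78 S=0x00 I=4410 F=0x0000 T=64 (#41)",
]


@dataclass
class PacketLog:
    chain: str
    verdict: str
    iface: str
    proto: int
    src: str
    sport: Optional[int]  # None when the protocol has no ports
    dst: str
    dport: Optional[int]


def parse_packet_log(line: str) -> Optional[PacketLog]:
    """Return the parsed record, or None for lines that are not packet logs."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = int(m["proto"])
    has_ports = proto in PROTOS_WITH_PORTS
    return PacketLog(
        chain=m["chain"], verdict=m["verdict"], iface=m["iface"], proto=proto,
        src=m["src"], sport=int(m["sport"]) if has_ports else None,
        dst=m["dst"], dport=int(m["dport"]) if has_ports else None,
    )


def is_pptp(p: PacketLog) -> bool:
    """GRE data channel, or the TCP control channel on port 1723 at either end."""
    if p.proto == IPPROTO_GRE:
        return True
    return p.proto == IPPROTO_TCP and PPTP_CTRL_PORT in (p.sport, p.dport)


def accept_rule(p: PacketLog) -> str:
    """Minimal ipchains ACCEPT rule for the packet's protocol. Port qualifiers
    are only legal for icmp/tcp/udp, so a GRE rule names the protocol alone."""
    if p.proto == IPPROTO_GRE:
        return f"ipchains -A {p.chain} -p 47 -j ACCEPT"
    if p.proto == IPPROTO_TCP:
        return f"ipchains -A {p.chain} -p tcp -s 0/0 -d 0/0 {PPTP_CTRL_PORT} -j ACCEPT"
    return f"ipchains -A {p.chain} -p {p.proto} -j ACCEPT"


def denied_pptp(lines: List[str]) -> List[PacketLog]:
    """Packet-log records that were dropped and belong to a PPTP session."""
    parsed = (parse_packet_log(line) for line in lines)
    return [p for p in parsed if p and p.verdict == "DENY" and is_pptp(p)]


def rules_to_add(lines: List[str]) -> List[str]:
    """Unique ACCEPT rules, in first-seen order, for the denied PPTP packets."""
    seen: List[str] = []
    for p in denied_pptp(lines):
        rule = accept_rule(p)
        if rule not in seen:
            seen.append(rule)
    return seen


if __name__ == "__main__":
    for rule in rules_to_add(SAMPLE_LOG):
        print(rule)
```

Run against the sample, the only rule it derives is the one Chad gives, `ipchains -A input -p 47 -j ACCEPT`; the NetBIOS DENY is ignored because it is neither GRE nor PPTP control traffic.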
RE: [Leaf-user] VPN error, please help
I think you are probably right. I do have forward rules to allow traffic between both my private 192.168.9 and 192.168.3. And those rules are added by myself in /etc/ipfilter.conf (based on what you did for DMZ; your DMZ is one-way, mine is 2-way). I will try to disable it asap, but my question is if I can still have traffic between my private networks and at the same time ipsec to remote private?

Also I think I should use your scripts /etc/ipchains.input, /etc/ipchains.forward, /etc/ipchains.output for those rules rather than inventing my own (and messing up things -:() but I cannot find them as examples. Could you help in this regard?

And yes, I tried to log protocol 50 and even 51 but nothing showed in my log. Again something is wrong here too.

Thanks.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles Steinkuehler
Sent: Thursday, April 25, 2002 8:47 AM
To: MLU
Cc: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] VPN error, please help

The error is probably due to trying to ping without IPSec running, but with some ipchains rules left over (like the forward rule that allows traffic between your two private networks) preventing your private source IP from being masqueraded on the way out.

> On left side (internal 192.168.9, wants to talk to 192.168.1 via ipsec)
>
> # ip route
> 192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.254
> 192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
> 192.168.1.0/24 via 24.83.28.1 dev ipsec0
> 192.168.9.0/24 dev eth1 proto kernel scope link src 192.168.9.254
> 24.83.28.0/22 dev eth0 proto kernel scope link src 24.83.28.213
> 24.83.28.0/22 dev ipsec0 proto kernel scope link src 24.83.28.213
> default via 24.83.28.1 dev eth0
>
> and right side (internal 192.168.1, wants to talk to 192.168.9 via ipsec):
>
> # ip route
> 192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
> 192.168.9.0/24 via 24.76.92.1 dev ipsec0
> 24.76.92.0/22 dev eth0 proto kernel scope link src 24.76.93.9
> 24.76.92.0/22 dev ipsec0 proto kernel scope link src 24.76.93.9
> default via 24.76.92.1 dev eth0

Well, both of these look OK. Packets destined for the remote end of the VPN are being routed to ipsec0, where they should be encrypted and sent along their merry way.

Did you try inserting the logging rules for protocol 50 ESP traffic? What (if any) results did you get? I suspect something is filtering traffic between your two firewalls...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
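The check Charles performs by eye on the two route tables, "is the remote VPN subnet routed to ipsec0?", can be automated. The following is an added example, not code from the LEAF list or from FreeS/WAN: it parses the `ip route` output quoted in the message above and does a longest-prefix lookup for an address in the remote subnet, reporting the device the packet would leave on. Ties between equal-length prefixes (the two 24.83.28.0/22 entries on eth0 and ipsec0) go to the first listed entry, which is a simplification of the kernel's selection and is labelled as such in the code.

```python
"""Confirm that traffic for a VPN peer's subnet leaves via the ipsec device.

Added example for the LEAF thread above, not the project's own code. It
parses `ip route` output (the two tables quoted in the message) and does a
longest-prefix lookup for a destination, which is the check Charles asks the
poster to make by hand. Only the "default", "via" and "dev" fields matter for
that question; "proto", "scope" and "src" are parsed but not used.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Route tables quoted in the thread (left and right IPsec gateways).
LEFT_TABLE = """
# ip route
192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.254
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
192.168.1.0/24 via 24.83.28.1 dev ipsec0
192.168.9.0/24 dev eth1 proto kernel scope link src 192.168.9.254
24.83.28.0/22 dev eth0 proto kernel scope link src 24.83.28.213
24.83.28.0/22 dev ipsec0 proto kernel scope link src 24.83.28.213
default via 24.83.28.1 dev eth0
"""

RIGHT_TABLE = """
# ip route
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
192.168.9.0/24 via 24.76.92.1 dev ipsec0
24.76.92.0/22 dev eth0 proto kernel scope link src 24.76.93.9
24.76.92.0/22 dev ipsec0 proto kernel scope link src 24.76.93.9
default via 24.76.92.1 dev eth0
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: Optional[str]
    via: Optional[str]


def parse_ip_route(text: str) -> List[Route]:
    """Parse `ip route` output. The "# ip route" prompt line is skipped."""
    routes: List[Route] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        first, rest = tokens[0], tokens[1:]
        prefix = ipaddress.ip_network("0.0.0.0/0" if first == "default" else first,
                                      strict=False)
        # Everything after the prefix is "key value" pairs: via X dev Y proto Z ...
        attrs: Dict[str, str] = dict(zip(rest[0::2], rest[1::2]))
        routes.append(Route(prefix=prefix, dev=attrs.get("dev"), via=attrs.get("via")))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match. On equal prefix length the first listed route
    wins; this is a simplification of how the kernel breaks such ties."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def vpn_route_ok(text: str, remote_subnet: str, vpn_dev: str = "ipsec0") -> bool:
    """True if a host inside remote_subnet would be sent out through vpn_dev."""
    net = ipaddress.ip_network(remote_subnet)
    probe = next(net.hosts())  # any address in the subnet will do for the lookup
    r = lookup(parse_ip_route(text), str(probe))
    return r is not None and r.dev == vpn_dev


if __name__ == "__main__":
    print("left  -> 192.168.1.0/24 via ipsec0:", vpn_route_ok(LEFT_TABLE, "192.168.1.0/24"))
    print("right -> 192.168.9.0/24 via ipsec0:", vpn_route_ok(RIGHT_TABLE, "192.168.9.0/24"))
```

Both tables pass, which matches Charles's reading: routing is fine, so the next thing to check is whether ESP (protocol 50) is being filtered between the two firewalls, not the routes.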
Re: [Leaf-user] Compiling modules for Bering
I am by no means an expert on the matter, but since no one responded I'll share my views. I have compiled my own Bering kernel so I should be able to tell you a thing or two. When I compiled my own kernel I had some problems, so I asked the list if it could be glibc based; I was told (I believe by Jacques) that kernel modules do not depend on the libc library, so that this couldn't be the problem. I'll save you the rest of my problems, but this should answer your question. For the module to compile it is probably as simple as compiling it to a stock kernel, although your original kernel probably has to be compiled with the option or hook (or whatever it is called) to accept your module. Bottom line: you will probably have to change your kernel too if you want to use your own compiled module. Consequence is that your kernel will have to be patched for LRP. Check Jacques Nilo's developer page on http://leaf.sourceforge.net for the patches.

Jacques or anyone else, if I am goofing please correct. Thanks.

Kim

Quoting Dave Anderson [EMAIL PROTECTED]:
> Hi all,
>
> I have a Bewan ADSL PCI card arriving in the next few days, and in preparation, I want to get its driver compiled for Bering (I'm pretty sure it doesn't already exist in the modules list). Is someone happy to do that, or could someone point me in the right direction for compiling it - is it as simple as just compiling it in a 2.4.18 tree, or are there glib type issues etc that I have to watch out for.
>
> Many thanks
> Dave
[Leaf-user] Hotmail (and others) don't work with Bering?
I have been having trouble using Hotmail since I got DSL and installed my Bering firewall, and today I realized I was having the same trouble using some of the Yahoo Groups pages. Many of the links will time out when loading, but if I then hit reload they will load up right away. Unfortunately, submit buttons can't be reloaded, so I can't use them at all. Is this something my Bering firewall would be causing? What could I do to diagnose or fix the problem?

Thanks!
-Mark Ivey-