Re: [leaf-user] Bering vs. Bering-Uclib

2003-02-09 Thread Eric Spakman
> I've recently tried switching from Bering 1.0 (stable) to Bering-Uclib
> in order to have room on my single floppy for sshd.  However, it seems
> that my router running the Uclib version works much less well.  I
> can't be very specific about what much less well means: the network
> connection feels slower, so I assume packets are getting dropped or
> something along those lines.  Since I have the two versions on two
> floppies it's trivial to reboot into one or the other.  And if I
> choose the Uclib version everybody on the LAN notices the degradation.
>
> As far as I know they're configured identically: ATT cable modem with
> dhcp on eth0, NATed internal net on eth1.  The only difference is that
> the Uclib floppy has lsh.lrp on it.
>
> Has anybody else had this experience?  Is it to be expected?  Or is it
> possible I can fix it by tweaking the Uclib configuration?
>
> Thanks,
>
> --Eric House

Eric,

I don't have this experience myself, but you can check drops and
errors with ip -s link

Regards,
Eric Spakman
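The check Eric suggests, as a small script that is added here and is not part of his reply: it parses the per-interface counters from `ip -s link` output (the sample below is constructed, not captured from a real box) and flags interfaces whose error or drop counters are non-zero. On the router, take two snapshots a minute apart and diff them; counters that grow while the LAN feels slow are the ones worth chasing.

```shell
#!/bin/sh
# Summarise per-interface error/drop counters from `ip -s link` output.
# Added example (not from the list post): reads the text from stdin, so it
# can be run on the constructed sample below or fed from the live command.

# Constructed sample of `ip -s link` output (not captured from a real box).
SAMPLE='1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    1200       12       0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    1200       12       0       0       0       0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    9876543    45678    3       17      0       0
    TX: bytes  packets  errors  dropped carrier collsns
    1234567    23456    0       0       0       0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    5555555    33333    0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    7777777    44444    0       2       5       0'

# link_counters: stdin = `ip -s link` text; stdout = one line per interface:
#   <iface> rx_err=<n> rx_drop=<n> tx_err=<n> tx_drop=<n>
# The "RX:"/"TX:" header lines are followed by one line of numbers each;
# errors is the 3rd field and dropped the 4th on both.
link_counters() {
    awk '
        /^[0-9]+: / { sub(/:$/, "", $2); iface = $2; next }
        /^ *RX: /   { want = "rx"; next }
        /^ *TX: /   { want = "tx"; next }
        want == "rx" { rxe[iface] = $3; rxd[iface] = $4; want = ""; next }
        want == "tx" { txe[iface] = $3; txd[iface] = $4; want = ""
                       order[++n] = iface; next }
        END {
            for (i = 1; i <= n; i++) {
                f = order[i]
                printf "%s rx_err=%s rx_drop=%s tx_err=%s tx_drop=%s\n",
                       f, rxe[f], rxd[f], txe[f], txd[f]
            }
        }'
}

# unhealthy: stdin = `ip -s link` text; prints only the interfaces with a
# non-zero error or drop counter and returns 1 when there is at least one.
unhealthy() {
    link_counters | awk '
        { bad = 0
          for (i = 2; i <= NF; i++) { split($i, kv, "="); if (kv[2] + 0 > 0) bad = 1 }
          if (bad) { print; found = 1 } }
        END { exit found ? 1 : 0 }'
}

# Live usage on the router (two snapshots, then diff the counters):
#   ip -s link | link_counters > /tmp/before
#   sleep 60
#   ip -s link | link_counters > /tmp/after
#   diff /tmp/before /tmp/after

printf '%s\n' "$SAMPLE" | unhealthy || echo "one or more interfaces report errors or drops"
```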


---
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



RE: [leaf-user] Win2K and LEAF

2003-02-09 Thread John Mullan
OK Charles.  I understand.  As you know by now, I only really do this stuff
at home.  I have helped a buddy by putting a LEAF router at his office.

So, not being the guru and not having a great amount of time, I will
eventually read bits and pieces.

I only ended up with Win2K server because my drive crapped out on Tuesday
and I figured that, what the heck.  It would give me the ability to keep
user profiles in one location.

On this scale, it really comes down to what I'm willing to live with and for
how long.  Right now I timed it and I spend about 1 minute 'Preparing
Network Connections'.  That's really not too bad.  Also, since this is only
my home network, I run all servers on one box.  Its name is WWW but has FTP
and POP3/SMTP.  I thought it great to define ftp.mullan.ca, mail.mullan.ca
and www.mullan.ca and have them all point to the same box but thanks to M$
that doesn't work anymore as it seems to override my TinyDNS in this
respect. (a little of my ranting too :)

So really, would it be better to let my M$ box handle internal DNS and let
LEAF handle dnscache for internet queries?  Is there a package other than
TinyDNS that is dynamic and will let the M$ box register hosts?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Charles
Steinkuehler
Sent: February 8, 2003 10:26 PM
To: John Mullan
Cc: Leaf-User
Subject: Re: [leaf-user] Win2K and LEAF


John Mullan wrote:
> OK.  I did my research and found that Win2K Server 'Active Directory'
> requires a DNS server with active/dynamic record keeping.  My DNS is
> TinyDNS on my LEAF box.  TinyDNS does not register computer names (ie;
> mullan2 = mullan2.mullan.ca).  When the Win2K box boots up, it takes 5-10
> minutes to figure this out.
>
> Can anyone share with me a good way to make these two boxes co-exist
> peacefully?  IE; Make my private TinyDNS dynamic (probably not) or to make
> the Win2K box forget about the DNS problem?

Reinstall Win2K server without AD, or spend the time and effort to come
up to speed on how M$ expects you to do networking (be prepared to buy
about 3X more server licenses than you ever thought you'd need, as well
as upgrade every box on your network to 2K or XP...or just live with the
broken-ness Microsoft forces on you to try and get you to upgrade).

It might help to go through some online references as well...a google
search for microsoft co-opting internet standards should turn up some
good reading material.

BTW:  Can you tell I just had a junior network admin replace a failed NT
domain controller with 2KServer (with Active Directory installed)
because it has to be better than NT, and we'll have to upgrade someday
anyway, right?!?.  sigh

...sorry about the rant :-/

--
Charles Steinkuehler
[EMAIL PROTECTED]







[leaf-user] Wireless IPSec network ideas

2003-02-09 Thread Henry Psenicka


Chris..

What you propose is likely do-able: some of it fairly straightforward, other parts more complex.  Trying to support a wireless client as well as a router/firewall from the same wireless interface could be troublesome. Note that we used Orinoco 802.11b adapters, which would not be suitable if you intend to configure the Bering box as a wireless bridge.

For a discussion on building a point-to-point (Ad-hoc mode) wireless link with routing and IPSEC encryption on a Bering platform, you may wish to read an article that I co-authored at http://wireless.psenicka.ca

Also, check out the WISP-Dist variant of Bering for details on how to do wireless bridging.


As for cautionary notes and comments...

1.  Be wary of the hidden-node phenomenon: Ad-hoc mode devices should all be visible to each other, else you will have problems.

2.  Hardware selection will also be a key factor... especially if you need to implement an AP style bridge. Not all wireless NICs will work in AP mode.

3.  Consider using WEP ... with or without IPSEC. It is not totally secure, but it does offer an extra layer of protection.



-- original note attached below -

Hi everyone,

   I'm posting this to all these lists because each set of readers can no
doubt give excellent advice concerning areas of the project.

Here goes...

   I decided to get off of DSL at home, lose my landline in favor of just
my cell, and get my broadband via cable. My cable comes in down in the
living room, but my home office is on the other end of the house,
upstairs. I don't want to run either cable or ethernet all that way, but
I'm a little concerned about the insecurity of wireless networks. 

   I'm building a new Shorewall firewalled LEAF router from a
shoebox-sized SBC that I ended up buying from a guy who posted here on
Shorewall-Users last week. That will reside down at the cable
entry-point down in the living room. 

   My current router, an old Micron P-133 running LEAF Bering lives in my
home office, and currently gets it's Internet from DSL. I'm thinking I
can put a wireless NIC in both the new SBC router, and another in the
Micron and use IPSec to encrypt the trasnsfer of wireless packets from
the living room to the office. Also, I would like to be able to access
the Internet from a laptop with a wireless card from within the house
while not on the switch. 

   I would do NAT on the SBC and simply route on the Micron. I'm
experienced with LEAF, Shorewall, and FreeS/WAN, but am a wireless
ethernet newbie. Has anyone out there done this type of thing, and if so
is there any info/documentation/advice you can throw my way? Is it as
straightforward as I think it is?


Here's the obligatory ASCII art...

[Diagram (the drawing itself did not survive; the topology it showed, top to bottom):
  various Office Boxen --- switch --- (wired NIC) Micron LEAF Router
  Micron LEAF Router (wireless NIC) <== IPSec encrypted traffic ==> (wireless NIC) shoebox SBC
  shoebox SBC also provides wireless laptop access
  shoebox SBC (wired NIC) --- cable modem --- cable entry-point]



Thanks Everyone,

Christopher











[leaf-user] Ping Crashes bering with 2.4.20 Kernel

2003-02-09 Thread Steve Bihari
Hi all,

Just to follow up on a previous post of mine, RE: Bering1.0-stable
Problem with 2.4.20 on net4501.  I managed to duplicate the problem
every time by just pinging any interface on the box.

...Steve







[leaf-user] Bering/Shorewall vs. Dachstein

2003-02-09 Thread Sean
I have been using Dachstein for a few years.  I recently decided to give
Bering a try.  I use an app, EyeBall chat, to video chat to relatives.
It worked just fine under Dachstein.  It is NOT working under Bering.
It appears the app uses a number of dynamic UDP and TCP connections for
the audio/video portions of the chat.  I didn't see anything in the
shorewall logs that was helpful.  Anyone got any thoughts?
 
Thanks,
 
Sean
 
p.s.
 
www.eyeballchat.com if you want to see their software.  I guess there is
a way to restrict the app to some static ports, but I'm not too sure
about opening ports to just anyone.







Re: [leaf-user] Bering w/IPSec troubles - no fswcert command in Debian?

2003-02-09 Thread Mike Leone
S Mohan ([EMAIL PROTECTED]) had this to say on 02/09/03 at 21:18:
> You do not need fswcert for Freeswan 1.96 upwards. In the ipsec.secrets
> file, you can give the name of the pem file itself. Freeswan will
> automagically discover the format of the key and extract it at
> startup.

Good to know. :-) Meanwhile, I did find a copy of the fswcert program in an
old downloads directory.

> Your ipsec gateway's certificate should be stored in the
> /etc/ipsec.d/private directory (in either der or pem format) and be
> referenced in ipsec.secrets by filename with an optional passphrase as
> under:
>
> : RSA certificate file name passphrase
>
> The : RSA must start at the left margin. The file MUST have no more than
> 700 permissions and be owned by root to be secure.
>
> It works. I've tried this.

I will try that, thanks.

The example /etc/ipsec.secrets file has a format like this:

: RSA   {
# -- Create your own RSA key with ipsec rsasigkey
}

Should I just include the filename and passphrase starting at the point of
that hash mark?

I'm trying to start small, and just connect to the Pix at work. Ideally, I'd
like a subnet-to-subnet connection (we use pre-shared keys, 3DES-level), so
that the office will be transparently available to me, regardless of what
machine I am using on my home LAN (Win2K, Linux, etc).

Later, I'll see if I can do it via certs.

Then work the other way, and connect from work to home LAN, using certs.

That's the game plan, anyway. :-)





[leaf-user] problems with BEFW11S (wireless router) and LEAF (Bering)

2003-02-09 Thread Camille King
I'm having some major problems with my Linksys 4-port/wireless cable/dsl router.
My regular wired connection works with no problems and I'm using the dhcpd.lrp
so that all my internal network connections are assigned addresses by dhcp. Even
my wireless network connection is assigned all the proper settings through dhcp.
The problem is that no matter what, I can't connect through my wireless.

I've disabled DHCP and I'm not using the WAN connection (as I've read) but this
problem I don't understand. When I try and ping the LEAF box I get request timed
out but I have no problems pinging other machines on my internal network.

I'm stumped.








Re: [leaf-user] problems with BEFW11S (wireless router) and LEAF (Bering)

2003-02-09 Thread Ray Olszewski
At 10:59 PM 2/9/03 -0500, Camille King wrote:

> I'm having some major problems with my Linksys 4-port/wireless cable/dsl router.
> My regular wired connection works with no problems and I'm using the dhcpd.lrp
> so that all my internal network connections are assigned addresses by dhcp. Even
> my wireless network connection is assigned all the proper settings through dhcp.
> The problem is that no matter what, I can't connect through my wireless.
>
> I've disabled DHCP and I'm not using the WAN connection (as I've read) but this
> problem I don't understand. When I try and ping the LEAF box I get request timed
> out but I have no problems pinging other machines on my internal network.
>
> I'm stumped.

This description is a bit sketchy, so let me fill in the blanks the way I 
understand them, so you can either confirm the missing details or correct them.

You have a Bering router that is the Internet gateway for your LAN. 
Attached to that LAN is a Linksys wireless router that acts as a WAP for 
the LAN. You have hosts on the wireline portion of the LAN, and other hosts 
on the wireless portion of the LAN. It is all one network (in the IP 
sense); the Linksys WAN port is not used.

All clients -- on both wireline and wireless portions -- successfully 
receive DHCP leases from the Bering router (NOT from the Linksys).

But ... if you ping the Bering router from a host on the wireline portion,
the ping succeeds, while if you ping the Bering router from a host on the
wireless portion pings get sent but no response arrives. But a host on the
wireless portion *can* ping a host (other than the Bering router) on the
wireline portion successfully (and vice versa? you didn't say, I think).

If any of the above is wrong, please post a followup correcting me, and 
include the usual diagnostics this time.

If all of it is right ... I don't yet understand why it is happening, but I 
can suggest the next things to check.

1. What LAN IP address is assigned to the Linksys, and is it different from 
the LAN IP address of the Bering? If not, fix it; that conflict is causing 
your problem. If this is OK, then go on.

2. Before you ping from a wireless host, check its arp table to see if 
there is an entry for the Bering's IP address. (Probably there is not.) 
After you ping, check again. See if there is an entry present, and see if 
it has the right MAC address. Also check the Bering's arp table before and 
after.

3. Try to ping a wireless host from the Bering. Check the arp tables the 
same way you did in item 2.

Steps 2 and 3 should let you figure out which direction of the connection
is failing to complete. From that, you may see the solution yourself. If
not, post a follow-up here with these results, along with the standard
diagnostics (see the SR FAQ), plus the details of the Linksys'
configuration.  Your problem is most likely some piddly little detail (like
item 1) that will be easy for fresh eyes to spot, but hard for you to see
because you are too close to the problem, and impossible for us to guess
without having the details to look at.


--
---Never tell me the odds!
Ray Olszewski	-- Han Solo
Palo Alto, California, USA			  [EMAIL PROTECTED]
---
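Ray's steps 2 and 3 as a script, an added example that is not part of his post: arp_entry parses `arp -n` output (the two snapshots below are constructed, not captured from a real network) and arp_probe runs the before/ping/after sequence against a live address, assuming Linux `arp` and `ping` on whichever host you run it from (a wireless client for step 2, the Bering box for step 3).

```shell
#!/bin/sh
# ARP-table-before-and-after check for a single address.
# Added example (not from the list post); assumes Linux `arp -n` and `ping`.

# Constructed `arp -n` snapshots (not captured from a real network):
# before pinging, the gateway 192.168.1.1 has no entry; after pinging it
# is "(incomplete)", i.e. who-has was sent but no reply came back.
ARP_BEFORE='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.20             ether   00:0c:29:aa:bb:cc   C                     eth0'
ARP_AFTER='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.20             ether   00:0c:29:aa:bb:cc   C                     eth0
192.168.1.1                      (incomplete)                              eth0'

# arp_entry IP: stdin = `arp -n` text. Prints "complete <mac>", "incomplete"
# or "absent" for that address.
arp_entry() {
    awk -v ip="$1" '
        $1 == ip { if ($2 == "ether") print "complete " $3; else print "incomplete"; found = 1 }
        END { if (!found) print "absent" }'
}

# diagnose BEFORE AFTER REPLY: one-line reading of the two ARP states
# (as printed by arp_entry) and whether the ping got an answer.
diagnose() {
    case "$2" in
        incomplete)
            echo "ARP request sent but never answered: the peer did not see the who-has, or its reply is not coming back" ;;
        complete*)
            if [ "$3" = yes ]; then
                echo "ARP and ICMP both complete: this direction works"
            else
                echo "ARP resolved to ${2#complete } but the ping went unanswered: look at packet filtering (Shorewall) or the return route"
            fi ;;
        absent)
            echo "no ARP entry even after pinging: nothing was sent; check the interface, netmask and route for that address" ;;
    esac
}

# arp_probe IP: live check. Records the ARP state for IP, pings it once,
# records again, then prints the transition and its interpretation.
arp_probe() {
    ip="$1"
    before=$(arp -n | arp_entry "$ip")
    if ping -c 1 "$ip" >/dev/null 2>&1; then reply=yes; else reply=no; fi
    after=$(arp -n | arp_entry "$ip")
    echo "$ip: before=[$before] after=[$after] ping reply=$reply"
    diagnose "$before" "$after" "$reply"
}

# Usage: sh arpcheck.sh <address of the Bering box>   (run on a wireless host)
#        sh arpcheck.sh <address of a wireless host>  (run on the Bering box)
if [ -n "$1" ]; then
    arp_probe "$1"
fi
```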





[leaf-user] More Bering IPSec questions ...

2003-02-09 Thread Mike Leone
OK; so I think I'm making progress ...

Anyway, when ipsec starts, I get:

# svi ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 1.99...
ipsec_setup: Using /lib/modules/ipsec.o
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup:  (/proc/sys/net/ipv4/conf/eth0/rp_filter = , should be 0)

However, I have changed /etc/network/options, and changed spoofprotect to
no. Doesn't that turn off route filtering?

Also, Shorewall complains that the gw zone is empty. The zones file looks
like:

gw  ipsec0  IPSec

with a tunnels file of:

# TYPE  ZONE  GATEWAY         GATEWAY ZONE
#
ipsec   net 146.145.122.19  gw

That's the public IP of my office's PIX firewall.

Did I miss something?

my /var/log/auth.log:

Feb 9 23:53:18 ellcrys ipsec__plutorun: Starting Pluto subsystem...
Feb 9 23:53:18 ellcrys pluto[29637]: Starting Pluto (FreeS/WAN Version 1.99)
Feb 9 23:53:18 ellcrys pluto[29637]: including X.509 patch (Version 0.9.15)
Feb 9 23:53:18 ellcrys pluto[29637]: Changing to directory '/etc/ipsec.d/cacerts'
Feb 9 23:53:18 ellcrys pluto[29637]: loaded cacert file 'cacert.pem' (1623 bytes)
Feb 9 23:53:18 ellcrys pluto[29637]: Changing to directory '/etc/ipsec.d/crls'
Feb 9 23:53:18 ellcrys pluto[29637]: loaded crl file 'crl.pem' (686 bytes)
Feb 9 23:53:18 ellcrys pluto[29637]: loaded my default X.509 cert file 
'/etc/x509cert.der' (1203 bytes)
Feb 9 23:54:13 ellcrys pluto[29637]: listening for IKE messages
Feb 9 23:54:13 ellcrys pluto[29637]: adding interface ipsec0/eth0 216.158.26.254
Feb 9 23:54:13 ellcrys pluto[29637]: loading secrets from /etc/ipsec.secrets
Feb 9 23:54:13 ellcrys pluto[29637]: loaded private key file 
'/etc/ipsec.d/private/IPSecServerKey.pem' (1751 bytes)
 
 
It seems that I'm waiting for incoming IPSec connections. Which is cool, and
which I will eventually want. But right now, I want to establish the IPSec
tunnel from me (216.158.26.254) to my Pix (146.145.122.19), using preshared
keys.

ipsec.secrets:

%any 146.145.122.19: PSK -my-preshared-key

: RSA   IPSecServerKey.pem  -my-passphrase-

ipsec.conf:

config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls:  none for (almost) none, all for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes

---
I have no idea what else to put into this file; I've seen so many
differently configured samples, that I'm just lost at this point. :-)

Clues appreciated.
 
 
  




RE: [leaf-user] Bering w/IPSec troubles - no fswcert command in Debian?

2003-02-09 Thread S Mohan
Yes, in a single line beginning with :. It is really easier to use this than
to extract and transfer. Moreover, newer systems do not have fswcert. On
RH7.3 and 8.0 which I use, I did not have them. I also downloaded fswcert,
compiled and checked it out. Since both worked, I let it be.

Mohan




RE: [leaf-user] Bering w/IPSec troubles - no fswcert command in Debian?

2003-02-09 Thread S Mohan
If you are using Win2K clients, Chad has put up a good chapter. It would do
good to understand what exactly it does. I then used Marcus Mueller's IPSec
utility. It uses a freeswan ipsec.conf file and allows you to define the
policies using the IP assigned by your ISP to your interface, by acquiring it
from the RAS subsystem dynamically. Chad's method assumes you know the IP
because M$ also assumes so.

Marcus' utility allows you to choose RAS or LAN for IPSec, or auto
(whichever is UP), making it ideal for users who use it from an office via LAN
and dial up when outside the office.

Marcus' site http://vpn.ebootis.de

HTH
Mohan





Re: [leaf-user] More Bering IPSec questions ...

2003-02-09 Thread K.-P. Kirchdörfer
On Monday, 10 February 2003 06:19, Mike Leone wrote:
> OK; so I think I'm making progress ...
>
> Anyway, when ipsec starts, I get:
>
> # svi ipsec start
> ipsec_setup: Starting FreeS/WAN IPsec 1.99...
> ipsec_setup: Using /lib/modules/ipsec.o
> ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
> ipsec_setup:  (/proc/sys/net/ipv4/conf/eth0/rp_filter = , should be 0)
>
> However, I have changed /etc/network/options, and changed spoofprotect to
> no. Doesn't that turn off route filtering?

It's set in shorewall configuration (interfaces(?)).


> Also, Shorewall complains that the gw zone is empty. The zones file looks

That's no problem and described in shorewall docs.



> ipsec.conf:
>
> config setup
> # THIS SETTING MUST BE CORRECT or almost nothing will work;
> # %defaultroute is okay for most simple cases.
> interfaces=%defaultroute
> # Debug-logging controls:  none for (almost) none, all for lots.
> klipsdebug=none
> plutodebug=none
> # Use auto= parameters in conn descriptions to control startup actions.
> plutoload=%search
> plutostart=%search
> # Close down old connection when new one using same ID shows up.
> uniqueids=yes

If that's all, the real tunnel config is missing; these are only the
general settings for every tunnel you'll define.

kp
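A direct check for the rp_filter warning Mike quotes and K.-P. attributes to the Shorewall configuration, added here as an example that is not part of either post: it reads the per-interface knobs straight from /proc (the directory is a parameter so the function can be tested on a constructed tree) and reports which ones are still on, whatever /etc/network/options says. Assumes a Linux /proc/sys/net/ipv4/conf layout; the per-interface setting that Shorewall rewrites at start-up is the one to fix persistently, since writing 0 here only lasts until the next restart.

```shell
#!/bin/sh
# Report (and optionally clear) the reverse-path filter that FreeS/WAN's
# KLIPS warns about. Added example (not from the thread); assumes Linux.

# rp_filter_report [DIR]: DIR defaults to /proc/sys/net/ipv4/conf.
# Prints "<iface> <value>" for every entry (including "all" and "default")
# and returns 1 if any entry is non-zero, 0 if filtering is off everywhere.
# Whether "all" overrides or combines with the per-interface value differs
# between kernel versions, so both are reported rather than interpreted.
rp_filter_report() {
    dir="${1:-/proc/sys/net/ipv4/conf}"
    bad=0
    for f in "$dir"/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        [ "$val" = 0 ] || bad=1
        echo "$iface $val"
    done
    return $bad
}

# rp_filter_off IFACE [DIR]: write 0 to that interface's knob. This is the
# run-time fix; it is undone by whatever turned the filter on at boot
# (the Shorewall configuration, per the reply above), so fix that too.
rp_filter_off() {
    dir="${2:-/proc/sys/net/ipv4/conf}"
    f="$dir/$1/rp_filter"
    [ -w "$f" ] || { echo "cannot write $f" >&2; return 1; }
    echo 0 > "$f"
    echo "$1 $(cat "$f")"
}

# Usage on the router:
#   rp_filter_report              # see what KLIPS will complain about
#   rp_filter_off eth0            # clear it for the interface ipsec0 attaches to
rp_filter_report || echo "at least one interface still has route filtering on"
```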

