[leaf-user] THANK YOU!

2002-05-02 Thread jmassey

Hello,

I just wanted to say thanks to all of the people, but especially Charles 
and Lynn, who have helped me in creating a single floppy, Dachstein based, 
VPN capable, DHCP (client and server) and DNS (cache and authoritative), 
firewall. I know this is a duplication of Lynn's work, but I felt that if 
I was to support it I should know enough about it to build it on my own. 

Anyway...Thank You

Jason L. Massey



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



Re: [leaf-user] Error from udhcp.lrp, I think

2002-04-30 Thread jmassey

Lynn,

Will do. I will let you know as soon as I try the commands.

Thanks,

Jason L. Massey





guitarlynn [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
04/29/2002 07:02 PM

 
To: [EMAIL PROTECTED]
cc: 
Subject:Re: [leaf-user] Error from udhcp.lrp, I think


On Monday 29 April 2002 13:11, [EMAIL PROTECTED] wrote:
> Hello,
> I am getting the following error on my LEAF box.
>
> could not open input file: no such file or directory.
>
> I think it is coming from udhcp.lrp.
>
> Any suggestions. Everything seems to work OK.

Hmmm

Enter the commands:

svi udhcpc restart
svi udhcpd restart

If you get the error message again, tell me which command gave the 
error and I'll trace it down. I can't say that I've noticed it myself.

--
~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!





[leaf-user] Error from udhcp.lrp, I think

2002-04-29 Thread jmassey

Hello,

I am getting the following error on my LEAF box.

could not open input file: no such file or directory.

I think it is coming from udhcp.lrp.

Any suggestions. Everything seems to work OK.

Thanks,

Jason L. Massey





[Leaf-user] Dynamic VPN Gatewy..... Almost

2002-04-25 Thread jmassey

Hello,

I have two Dachstein IPsec gateways in place. One is a static IP, the 
other is Dynamic. I can not get the VPN up. When I change the ipsec.secrets 
file to reflect the IP assigned to the Dynamic connection it works! But as 
soon as I specify it as Dynamic it doesn't. When this happens 
/var/log/auth.log says that no preshared key could be found for 
68.87.38.109 (the dynamically assigned address) and 216.29.35.154 (the 
remote static address). Anyone have any suggestions?

Thanks,

Jason Massey




Re: [Leaf-user] Dynamic VPN Gatewy..... Almost

2002-04-25 Thread jmassey

Charles,

> It sounds like IPSec isn't finding the proper secret to use unless the
> secret is tagged with the remote IP.  Are you assigning connection ID's in
> ipsec.conf?  IPSec will use the IP as a default ID if you don't assign one
> manually.  I typically use unresolved names as a connection ID, rather than
> IP addresses...they are easier for me to remember (and make sense of).
> IIRC, there may also be some limitations on using pre-shared-secrets vs. RSA
> signature keys...which are you trying to use?
>
> Try something like:
>
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
> in your connection description at both ends...
>
> If that doesn't help, you'll probably have to provide your ipsec.conf and
> ipsec.secrets file for inspection (remove/alter any private info from
> ipsec.secrets before posting, but keep it otherwise intact).

I am using shared secrets. I will at one point want to try the RSA 
encryption but I have experience with shared secrets and figured to start 
there and then go to RSA. In my previous experience with FreeS/WAN (v. 
1.34 I believe) I would specify 0.0.0.0 for anyone in the ipsec.secrets 
file on the static gateway and 127.0.0.1 for local IP on the dynamic 
gateway. I have not seen this instructed at all for the v1.91 with which I 
am working. What should the ipsec.secrets file be for the static and 
dynamic gateways? I currently have this for both:

216.29.35.154 0.0.0.0:PSK secretgoeshere

If you like I will provide the files.

Jason Massey




Re: [Leaf-user] Dynamic VPN Gatewy..... Almost

2002-04-25 Thread jmassey

Charles,

One other thing. The /var/log/auth.log is from the dynamic gateway as this 
is the one starting the tunnel. I must not be specifying for IPsec to use 
the local IP the right way in ipsec.secrets. In ipsec.conf you use 
%defaultroute. What about in ipsec.secrets? 

Jason Massey




Re: [Leaf-user] Dynamic VPN Gatewy..... Almost

2002-04-25 Thread jmassey

Phillip

Version 1.91. I think I may scrap using the PSK and go to RSA. As Charles 
pointed out, RSA does not use IPs as identifiers but rather uses the keys.

Jason Massey





Re: [Leaf-user] Dynamic VPN Gatewy..... Almost

2002-04-25 Thread jmassey

> You can have only one catch-all (and therefore one preshared secret) if 
> you are using preshared secrets.  The identifier to use is %any in the 
> ipsec.secrets file.  Like so:
>
> %any 192.168.3.1: PSK unsecure
>
> HTH
> Chad

Yes, but that would be the ipsec.secrets entry on the static side. What 
about the dynamic gateway? Would it be the same?

Jason Massey




Re: [Leaf-user] ipsec and nat

2002-04-18 Thread jmassey

Philip,

Given my limited knowledge I will give you what I think is a correct 
answer.

IPsec depends upon the sending address for authentication. When a packet 
is mangled by NAT this info is not available for ipsec to use. Thus you 
can not NAT the ipsec traffic. There is a way to port forward ipsec 
traffic I believe, but I have no experience doing this. Hopefully someone 
else knows more. (they can't know less :-)

Jason Massey




[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
04/18/2002 09:10 AM

 
To: [EMAIL PROTECTED]
cc: 
Subject:[Leaf-user] ipsec and nat




I understand that ipsec cannot run behind nat.

But could someone explain why this is necessarily so?
Nat does not alter the dest address therefore the packet would
end up in the right place.
Then after deencapsulation, ipsec could see that the inner
packet was valid.
For that matter, I cannot see why tunnels within tunnels could not
work, like tarring together a bunch of tar files.

Does anyone know if this restriction is FreeSWAN or the ipsec
standard and if freeswan intends to amend this in the future?

Thanx






[Leaf-user] IPsec.lrp vs. IPsec509.lrp

2002-04-17 Thread jmassey

Hello,

Earlier it was posted that IPsec509.lrp is not needed if you are not doing 
509 certs.

However I was wondering about the nature of IPsec509.lrp. Is it an 
additional package to extend IPsec.lrp or is it the only IPsec package you 
need. It is much smaller, and if I can replace IPsec.lrp with IPsec509.lrp 
it could free some needed space.

Thanks,

Jason Massey




Re: [Leaf-user] Your project (other questions)

2002-04-17 Thread jmassey

Lynn,

You said before:

> The only thing you're looking to add to it is authoritative DNS which would 
> be covered by adding tinydns.lrp.
> You won't be able to add it unless you replace dnscache.lrp or someone 
> ports the ipsec scripts to iproute2 (which as found before is not an easy 
> project in the least).

Could you elaborate? I have in fact squeezed in tinydns.lrp to my 
image (still 1.68mb :-). Is this going to cause some kind of problem with 
the ipsec scripts? What did you mean by the above? 

BTW: I have the following on my 1.68mb floppy:
DNSCACHE.LRP, ETC.LRP, IFCONFIG.LRP, IPSEC.LRP, LDLINUX.SYS, LINUX.SYS, 
LOCAL.LRP, MAWK.LRP, MODULES.LRP, RAMLOG.LRP, ROOT.LRP, SYSLINUX.CFG, 
SYSLINUX.DPY, TINYDNS.LRP, UDHCP.LRP

Your insight is greatly appreciated.



Jason Massey




[Leaf-user] Re: [off-list] Your project (other questions)

2002-04-17 Thread jmassey

Lynn,

> You do have an ipsec-enabled kernel don't you?
Yes I do. No errors on IPsec startup.

> What exactly did you strip beside the packages not listed above?
> I would have to assume that you've stripped more than the extra NIC
> modules to keep it that small.
Just the extra NIC Modules. 
I kept the two I need (eepro100.o and ne2kpci.o) and their dependencies 
(8390.o and pci-scan.o)
And all of the ip_* modules are still there.

If you would like I'll send you a image file.

Jason Massey




guitarlynn [EMAIL PROTECTED]
04/17/2002 04:36 PM

 
To: [EMAIL PROTECTED]
cc: 
Subject:Re: [off-list] Your project (other questions)


On Wednesday 17 April 2002 14:10, [EMAIL PROTECTED] wrote:

> Could you elaborate. I have in fact squeezed in tinydns.lrp to my
> image(still 1.68mb :-). Is this going to cause some kind of problem
> with the ipsec scripts? What did you mean by the above?

No, it shouldn't... but things depend on what you have stripped.
You do have an ipsec-enabled kernel don't you?

> BTW: I have the following on my 1.68mb floppy:
> DNSCACHE.LRP, ETC.LRP, IFCONFIG.LRP, IPSEC.LRP, LDLINUX.SYS,
> LINUX.SYS, LOCAL.LRP, MAWK.LRP, MODULES.LRP, RAMLOG.LRP, ROOT.LRP,
> SYSLINUX.CFG, SYSLINUX.DPY, TINYDNS.LRP, UDHCP.LRP
>
> Your insight is greatly appreciated.

What exactly did you strip beside the packages not listed above?
I would have to assume that you've stripped more than the extra NIC
modules to keep it that small. 

-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!







[Leaf-user] Dynamic-Static VPN Errors

2002-04-16 Thread jmassey

Hello,

I have two Dachstein LEAF boxes at separate locations. One has a static 
IP, the other is dynamic. I would like to establish a VPN between the two 
locations. Does anyone have a sample ipsec configuration script I could 
reference? If so it would be most appreciated. 

These are from the dynamic IP gateway.
I am getting the following when I do an ipsec look:

192.168.4.0/24   -  192.168.3.0/24  = %trap(0)

I am getting this from ipsec auto --status:

000 interface ipsec0/eth0 69.71.107.29
000
000 office-cable: 192.168.4.0/24===69.71.107.29---69.71.104.1...
000 office-cable: ...216.28.35.121---216.28.35.122===192.168.3.0/24
000 office-cable: policy: PSK+ENCRYPT+TUNNEL+PFS: interface: eth0; trap erouted
000 office-cable: newest ISAKMP SA: #0; newest IPsec: #0 eroute owner: #0
000 #1 office-cable: STATE_MAIN_I1 (sent MI1, expecting MR1): EVENT_RETRANSMIT in 11s


Everything seems to be getting configured with the interfaces. Any 
thoughts?

Jason Massey




[Leaf-user] Static to Dynamic VPN Tunnel

2002-04-15 Thread jmassey

Hello,

I have two Dachstein LEAF boxes at separate locations. One has a static 
IP, the other is dynamic. I would like to establish a VPN between the two 
locations. Does anyone have a sample ipsec configuration script I could 
reference? If so it would be most appreciated.
This is what I have tried. (Unsuccessfully)

type=tunnel
left=216.29.36.154
leftnexthop=216.29.33.151
leftsubnet=192.168.3.0/24
leftfirewall=yes
right=%any
rightsubnet=192.168.4.0/24
rightfirewall==yes
keyexchange=ike
keylife=8h
keyingretries=0  (1= on dynamic end)
pfs=no
authby=secret
auto=add

Any help configuring a static to dynamic tunnel would be most appreciated.

Thanks,

Jason Massey




[Leaf-user] Exact error messages from Floppy VPN endpoint (Dachstein based)

2002-04-12 Thread jmassey

Hello Again!

Thank you for your response to my previous post. Since it is possible here 
are the exact error messages:

ipsec_setup:  Starting FreeS/WAN IPsec 1.91...
ipsec_setup: Warning: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup:   (/proc/sys/netr/ipv4/conf/ipsec0/rp_filter = '1', should be 0)
ipsec_setup: Warning: ipsec1 has route filtering turned on, KLIPS may not work
ipsec_setup:   (/proc/sys/netr/ipv4/conf/ipsec1/rp_filter = '1', should be 0)

I guess I could go to the file, manually change it and back up the 
changes, but I want to know if there is a setting that I have wrong. Any 
help in this regard would be most appreciated.

Thanks,

Jason Massey




[Leaf-user] DUCKLING 1.0

2002-04-12 Thread jmassey

Hello,

I am building a floppy based VPN based on the Dachstein Floppy. I have 
posted some questions about it, as I am having some config issues. I 
really want to make this work for my own education more than anything 
else. I also was going to install the DUCKLING LEAF image to compare 
settings. (Not wanting to really use it.) However I could not make the 
disk from the windows exe files provided. Not a problem as I used my Linux 
box. But I was wondering if the exe files work under W2K. I notice the 
files are named ...9x... so maybe not.  Anyway, not important, just 
curious.

Thanks,

Jason Massey





[Leaf-user] Exact error messages from Floppy VPN endpoint (Dachstein based) - CORRECTION!!!

2002-04-12 Thread jmassey

I posted an inaccurate error message. The correct errors are:

ipsec_setup:  Starting FreeS/WAN IPsec 1.91...
ipsec_setup: Warning: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup:   (/proc/sys/netr/ipv4/conf/ipsec0/rp_filter = '1', should be 0)
ipsec_setup: Warning: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup:   (/proc/sys/netr/ipv4/conf/eth0/rp_filter = '1', should be 0)

Sorry about that,

Jason Massey




Re: [Leaf-user] Exact error messages from Floppy VPN endpoint (Dachsteinbased) - CORRECTION!!!

2002-04-12 Thread jmassey

Charles,

Thank you very much! 
BTW what effect does setting the spoof to NO have?

Jason Massey




Charles Steinkuehler [EMAIL PROTECTED]
04/12/2002 11:39 AM

 
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
cc: 
Subject:Re: [Leaf-user] Exact error messages from Floppy VPN endpoint 
(Dachstein 
based) - CORRECTION!!!



These are normal for FreeS/WAN.  Some types of tunnels run fine with
rp_filter enabled, despite the warnings (specifically subnet-subnet...maybe
others).  You may, however, have to disable this for your VPN links to work
right...IIRC, host-host tunnels require rp_filter to be 0.

To control rp_filter on a per-interface basis, use the
interface_IP_SPOOF=[YES|NO] feature of network.conf (ie you probably want
to set eth0_IP_SPOOF=NO to make the warnings go away).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)









Re: [Leaf-user] DUCKLING 1.0

2002-04-12 Thread jmassey

Charles,

Could you give me the web address to find that image? I looked under 
contributed images but no go.

Thanks,

Jason Massey




Charles Steinkuehler [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
04/12/2002 11:35 AM

 
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
cc: 
Subject:Re: [Leaf-user] DUCKLING 1.0


> I am building a floppy based VPN based on the Dachstein Floppy. I have
> posted some questions about it, as I am having some config issues. I
> really want to make this work for my own education more than anything
> else. I also was going to install the DUCKLING LEAF image to compare
> settings. (Not wanting to really use it.) However I could not make the
> disk from the windows exe files provided. Not a problem as I used my Linux
> box. But I was wondering if the exe files work under W2K. I notice the
> files are named ...9x... so maybe not.  Anyway, not important, just
> curious.

AFAIK, Windows NT/2K (and maybe XP?) cannot talk to floppy disks with more
than 80 tracks (ie the 1720K format used by DUCKLING).  This is possible,
however, on Windows 95/98/ME (and maybe XP?).

You might also want to check out some of the LEAF disk images available on
the website...IIRC, someone made a single-floppy Dachstein equivalent to
DUCKLING...with the smaller Dachstein kernel  root ramdisk, everything fits
on a 1680K disk, rather than the previously required 1720K.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] Exact error messages from Floppy VPN endpoint (Dachsteinbased) - CORRECTION!!!

2002-04-12 Thread jmassey

Charles,

You are absolutely right. I am sorry to waste your time with abstract 
functioning questions when I have the docs and source available. I am sure 
I will have more implementation questions though :-)

Thanks again for all of your help,

Jason Massey




Charles Steinkuehler [EMAIL PROTECTED]
04/12/2002 12:32 PM

 
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject:Re: [Leaf-user] Exact error messages from Floppy VPN endpoint 
(Dachstein 
based) - CORRECTION!!!


  Thank you very much!
  BTW what effect does setting the spoof to NO have?

 It sets rp_filter for the interface to 0...

 and that has what effect?

Use the source...from my linux kernel source tree:

debian:/usr/src/linux# cat Documentation/networking/ip-sysctl.txt

excerpt
rp_filter - INTEGER
2 - do source validation by reversed path, as specified in RFC1812
Recommended option for single homed hosts and stub network
routers. Could cause troubles for complicated (not loop free)
networks running a slow unreliable protocol (sort of RIP),
or using static routes.

1 - (DEFAULT) Weaker form of RP filtering: drop all the packets
that look as sourced at a directly connected interface, but
were input from another interface.

0 - No source validation.

NOTE: do not disable this option! All BSD derived routing software
(sort of gated, routed etc. etc.) is confused by such packets,
even if they are valid. When enabled it also prevents ip spoofing
in some limited fashion.

NOTE: this option is turned on per default only when ip_forwarding
is on. For non-forwarding hosts it doesn't make much sense and
makes some legal multihoming configurations impossible.
/excerpt

If you want to know more, you'll have to crawl through the kernel networking
code...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
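
An added example, not part of the thread or of the LEAF project's code: a POSIX shell check that compares the interface_IP_SPOOF settings Charles describes (here and in his 11:39 AM reply) with the live per-interface rp_filter values that ipsec_setup warns about. It assumes network.conf holds plain `<if>_IP_SPOOF=YES|NO` lines and that YES corresponds to a non-zero rp_filter; the function names and the demo tree are constructed.

```shell
#!/bin/sh
# Added example: compare <if>_IP_SPOOF in a LEAF network.conf with the live
# rp_filter values. Assumes plain VAR=YES|NO lines (an assumption about the
# file layout) and treats YES as "rp_filter should be non-zero".

# conf_spoof FILE IFACE: print YES or NO, or nothing when the interface has
# no <iface>_IP_SPOOF line. Optional quotes are dropped; the last line wins.
conf_spoof() {
    sed -n "s/^[[:space:]]*${2}_IP_SPOOF=[\"']\{0,1\}\([A-Za-z]*\).*/\1/p" "$1" |
        tail -n 1 | tr 'a-z' 'A-Z'
}

# spoof_audit NETWORK_CONF [CONF_ROOT]: prints one line per interface:
#   <iface> conf=<YES|NO|unset> rp_filter=<n> <quiet|warns|mismatch>
# quiet    = rp_filter is 0, nothing for ipsec_setup to warn about
# warns    = rp_filter is non-zero, the case the warnings in the thread report
# mismatch = the live value disagrees with what network.conf asks for
spoof_audit() {
    conf=$1
    root=${2:-/proc/sys/net/ipv4/conf}
    for f in "$root"/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        # The warnings quoted in the thread name ipsec0 and eth0 only, so the
        # pseudo-entries and loopback are skipped here.
        case $iface in all|default|lo) continue ;; esac
        live=$(cat "$f")
        want=$(conf_spoof "$conf" "$iface")
        case "$want:$live" in
            NO:0)  verdict=quiet ;;
            NO:*)  verdict=mismatch ;;
            YES:0) verdict=mismatch ;;
            *:0)   verdict=quiet ;;
            *)     verdict=warns ;;
        esac
        echo "$iface conf=${want:-unset} rp_filter=$live $verdict"
    done
}

# Constructed demo: a stand-in conf tree and network.conf in a temp directory.
demo() {
    d=$(mktemp -d)
    for i in all eth0 eth1 eth2 ipsec0; do mkdir -p "$d/conf/$i"; done
    echo 1 > "$d/conf/all/rp_filter"
    echo 0 > "$d/conf/eth0/rp_filter"     # NO applied: filter off
    echo 1 > "$d/conf/eth1/rp_filter"     # YES applied: filter on
    echo 1 > "$d/conf/eth2/rp_filter"     # NO in the file but never applied
    echo 1 > "$d/conf/ipsec0/rp_filter"   # no network.conf entry at all
    printf '%s\n' 'eth0_IP_SPOOF=NO' 'eth1_IP_SPOOF=YES' \
        'eth2_IP_SPOOF="no"' > "$d/network.conf"
    spoof_audit "$d/network.conf" "$d/conf"
    rm -rf "$d"
}

demo
```

On a real box, `spoof_audit /etc/network.conf` reads the live tree under /proc; the network.conf path is an assumption, so pass the location your image uses.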








Re: [Leaf-user] Making Disk Images

2002-04-12 Thread jmassey

Thanks..I will give it a try

Jason Massey




Simon Bolduc [EMAIL PROTECTED]
04/12/2002 01:56 PM

 
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
cc: 
Subject:Re: [Leaf-user] Making Disk Images


for windows you can use winimage available at www.winimage.com - just read 
the disk and save it to a self extracting disk image.  Then anyone running 
windows (9x+ I believe) should be able to make a disk from the image.

S


From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Leaf-user] Making Disk Images
Date: Fri, 12 Apr 2002 13:37:04 -0400

Hello again,

I would be very interested in making disk images of my modified LEAF
versions. I would like to do this for Linux images and perhaps a windows
installer as well. Can anyone point me in the right direction? What tools
are available to do so?

Thanks,

Jason Massey




RE: [Leaf-user] Local.lrp + Udhcp.lrp??

2002-04-12 Thread jmassey

Joey,

I did not mean to imply one was related to the other. I just found the two 
questions at the same time.

1 - What does local.lrp do?

2 - Where can I find udhcp.lrp

Two different questions. Sorry if I was not clear.
I will also look more for udhcp on the list.

Thanks,

Jason Massey




Joey Officer [EMAIL PROTECTED]
04/12/2002 03:26 PM
Please respond to jofficer

 
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
cc: 
Subject:RE: [Leaf-user] Local.lrp + Udhcp.lrp??


Actually I think you may have been misinformed.  The udhcp.lrp file replaces
the dhcpd.lrp and the dhcpclient.lrp files.  It has nothing to do with the
local.lrp file.  The udhcp.lrp package is a single and small package to
replace the dhcpd.lrp and the dhcpclient.lrp files.  It works quite well.
Especially when space is a factor.  There are a few messages pertaining to
this that date back a month or two.  If you have any questions regarding
this particularly, you may ask this list.. I'm sure it will be met with many
answers...

Joey


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, April 12, 2002 1:59 PM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] Local.lrp + Udhcp.lrp??

Hello,

I found the VPN Floppy Image of Dachstein. It mentions deleting local.lrp
and substituting udhcp for the dhclient and dhcpd.

First what are the ramifications of removing local.lrp - according to LRP
it is just a skeleton.
Second where can one find this udhcp.lrp?

Thanks,

Jason Massey





Re: [Leaf-user] Local.lrp + Udhcp.lrp??

2002-04-12 Thread jmassey

Lynn,

Yes it does help! 
I see that I have the udhcpd.lrp version WITHOUT the client. ARGHG!!!
So tired. Must sleep. :-)

Anyway, thank you very much for the info. Which version has both? The 
linking on cvs is a little confusing.

Thanks again,

Jason Massey




Re: [Leaf-user] Local.lrp + Udhcp.lrp??

2002-04-12 Thread jmassey

Lynn,

One other thing. What makes one Dachstein specific?

Jason Massey




guitarlynn [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
04/12/2002 05:58 PM

 
To: [EMAIL PROTECTED]
cc: 
Subject:Re: [Leaf-user] Local.lrp + Udhcp.lrp??


On Friday 12 April 2002 15:44, Mike Noyes wrote:

> Joey,
> That link is incorrect. Lynn moved his files into cvs per my request.
> Other developers will begin this process shortly.
>
> http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/leaf/devel/guitarlynn/
>
> Ewald has a udhcpd.lrp version too. see
> http://leaf.sourceforge.net/pub/packages-list.txt

You can access my Dachstein-based 1680K floppy image from my
devel page at:

http://leaf.sourceforge.net/devel/guitarlynn

I link the latest cvs version from there. The complete udhcp.lrp package
is there too, one is Dachstein-specific and another is generic LEAF.
Most of the NIC modules and local.lrp have been stripped from the 
floppy image for space constraints, so you may need to download
specific NIC modules for your card(s) from the link to Charles' site
on the page.

Ewald's udhcp package does not include both the client and server
last I checked, so I may have the only complete version available 
for now.

local.lrp is for future use with user-space applications and is not 
currently used. A few people do use it to back up the /root directory
instead of backing up the root.lrp package for a couple of things like
ssh keys and the like... these are user mods that are not built in to 
any packages at this time.

I hope this helps!
-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!




[Leaf-user] Floppy VPN (Dachstein based)

2002-04-11 Thread jmassey

Hello,

I have a Dachstein box that does NAT and port forwarding for my network. I 
would now like to implement a VPN. I replaced the kernel with an IPSEC 
enabled one, and loaded the needed modules. I have the box able to boot 
and still NATing and port forwarding but get error messages. I do not have 
the exact messages, but would like to know if what I would like to do is 
possible. If it is I will post the exact messages.
What I would like is for one LEAF  box to:

NAT
Port Forward
Endpoint of a VPN tunnel

Please advise if this is possible.

Thank you very much!

Jason Massey




Re: [Leaf-user] VPN - Error with Dachstein v.1.0.2 box.

2001-12-27 Thread jmassey

Thanks! I thought all Dachstein releases (floppy or otherwise) were IPsec enabled. 
Since I JUST got it on 1 floppy with IPsec I will look at the CD version.
I was really hoping to keep it all on 1 floppy but hey, that's life.
Thank you so much for your help, and your product.

Jason

[Leaf-user] Help! Can not ping past outside interface.

2001-12-19 Thread jmassey

I have an OS/2 Firewall I am currently trying to convert to a Dachstein v.1.0.2 box.
It has (2) NE2000 compliant ISA cards.
I uncomment the 8390 and the appropriate modules with the IO address set to 300, 340
I need a static Outside IP because it is actually the inside address of my DMZ.
So set it with 192.168.16.2/24
The cards are the same as is the driver.
I can ping both cards from the Dachstein box.
I can ping the internal network (192.168.1.1-199 assigned by DHCP from the Dachstein box) from the Dachstein box.
I can ping the internal card (192.168.1.1) from the internal network.
I can ping through to the external card (192.168.16.2) from the internal network.
I CAN NOT ping past the external card either from the Dachstein box or the internal network.
I CAN NOT telnet on any port past the external card either from the Dachstein box or the internal network, so it is not just ICMP.
The error is NOT a network unreachable error, and I think the IP is configured right.
The response from the failed ping says not permitted.

I do not think it is a driver or card config issue, because I switched the IO addresses and the same thing happened with opposite cards (had to swap the cables of course).

Could it be a default firewall config that denies everything? The docs say it should be set to be a masq firewall out of the box. 

Thank you in advance for your help. And if I missed a similar post, please forgive me I did look for a long time.

Jason Massey


Re: [Leaf-user] Help! Can not ping past outside interface. Dachstein v.1.0.2

2001-12-19 Thread jmassey

Ray,

Sorry for the paraphrase. I do not have access to the machine today.
Yes that is the exact message. That sounds like it could very well be the problem. I will test it tomorrow and let you know the results. 
Thank you very much. I did not even think about the private address being handled differently than a valid one.

Jason Massey






Ray Olszewski [EMAIL PROTECTED]
12/19/2001 02:22 PM


To:[EMAIL PROTECTED], [EMAIL PROTECTED]
cc:
Subject:Re: [Leaf-user] Help! Can not ping past outside interface. Dachstein v.1.0.2


At 02:24 PM 12/19/01 -0500, [EMAIL PROTECTED] wrote:
> [...]
> I need a static Outside IP because it is actually the inside address of my DMZ.
> So set it with 192.168.16.2/24
> [...]
> I CAN NOT ping past the external card either from the Dachstein box or the 
> internal network.
> I CAN NOT telnet on any port past the external card either from the 
> Dachstein box or the internal network, so it is not just ICMP.
> The error is NOT a network unreachable error, and I think the IP is 
> configured right.
> The response from the failed ping says not permitted.

If the actual message is sendto: operation not permitted (quoting error
messages EXACTLY is always better than paraphrasing them), then this is most
likely a firewall problem. Especially since your external address is in the
private-address range, and stock LEAF firewalls block private-range
addresses on the external interface.

Check your firewall ruleset with ipchains -L -n -v, and see if there is an
input-chain rule that ALLOWs 192.168.16.0/24 BEFORE the one that DENYs (or
REJECTs) 192.168.0.0/16 on the external interface. If there is, then you
have a different problem. If there isn't, then you need to add one ... I'm
not exactly sure what the best way is to do this. (One option is to use the
EchoWall firewall scripts, which handle the external interface differently.)


--
Never tell me the odds! -- Han Solo
Ray Olszewski
Palo Alto, CA  [EMAIL PROTECTED]
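
An added example, not part of Ray's message: the ordering check he describes, written as a POSIX shell first-match walk over a simplified rule list. The `TARGET IFACE SOURCE` lines and the 192.168.16.1 packet source are constructed stand-ins, not real `ipchains -L -n -v` output, and a chain with no matching rule is reported as POLICY.

```shell
#!/bin/sh
# Added example: does an ACCEPT for 192.168.16.0/24 sit before the DENY for
# 192.168.0.0/16 on the external interface? Rules are evaluated top to bottom
# and the first match decides, so the order is the whole question.

# ip_to_int A.B.C.D: print the address as a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/LEN: succeed when IP lies inside NET/LEN.
in_cidr() {
    net=${2%/*}; len=${2#*/}
    [ "$len" -gt 0 ] || return 0          # /0 matches every address
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# first_match RULES IFACE SRC: print the target of the first rule whose
# interface and source network match, or POLICY when no rule matches.
# RULES holds one "TARGET IFACE SOURCE_CIDR" line per rule, in chain order.
first_match() {
    hit=$(echo "$1" | while read -r target iface cidr; do
        [ -n "$target" ] || continue
        if [ "$iface" = "$2" ] || [ "$iface" = "*" ]; then
            if in_cidr "$3" "$cidr"; then echo "$target"; break; fi
        fi
    done)
    echo "${hit:-POLICY}"
}

# Constructed input chain: private ranges denied on the external interface
# (eth0), with the DMZ exception listed too late to take effect.
DENY_FIRST='DENY eth0 10.0.0.0/8
DENY eth0 172.16.0.0/12
DENY eth0 192.168.0.0/16
ACCEPT eth0 192.168.16.0/24'

# The same chain with the exception moved ahead of the wider DENY.
ACCEPT_FIRST='DENY eth0 10.0.0.0/8
DENY eth0 172.16.0.0/12
ACCEPT eth0 192.168.16.0/24
DENY eth0 192.168.0.0/16'

# A packet from a constructed DMZ neighbour, 192.168.16.1, arriving on eth0.
for rules in "$DENY_FIRST" "$ACCEPT_FIRST"; do
    first_match "$rules" eth0 192.168.16.1
done
```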