[Leaf-user] Dachstein CD, IPSEC and PGPnet

2002-01-23 Thread William Brinkman
I am currently trying to get my Dachstein CD v1.02 firewall to allow connections through the freeswan ipsec to a windoze 98 machine running PGPnet (freeware 6.5.x). I found Felippe Piazza's article in www.strongsec.com/freeswan on how to accomplish this using Open PGP certificates without the x509

Re: [Leaf-user] Dachstein CD, IPSEC and PGPnet

2002-01-24 Thread William Brinkman
Mr. Steinkuehler thank you for your very prompt reply. Your very valid point below about PGP certificates being in a different format is very true. A key extractor is available at www.zengl.net/freeswan that will pull usable information from the PGP keys. This only works for versions up to 6.5.

[Leaf-user] Dachstein CD, LaBrea IP addresses

2002-02-07 Thread William Brinkman
Being rather new at this I have what is a beginner question. LaBrea option on the D-CD will trap port scanners (like Code Red worm) on "virtual" machines to keep them from bothering other computers. From what I understand in the documentation, LaBrea will examine your sub-network and select non-u

Re: [Leaf-user] Re: How to backup Dachstein packages to floppy?

2002-02-17 Thread William Brinkman
Very True Gregor! I might also add that the default backup is "full" and "cdrom" so I had to go to each section I wanted to back up and change them from "full" "cdrom" to "partial" "floppy". There is a "letter switch" for all three options, 1. backup itself, 2. change destination, and 3. change

[Leaf-user] DCD IPSEC SSH Sentinel - Add Directory

2002-02-21 Thread William Brinkman
I am still struggling getting M$ machines to "road warrior" across a Dachstein CD firewall. I can get two DCD firewalls to use the ipsec and create a VPN between them. I have tried unsuccessfully to use PGPnet so now it's SSH Sentinel's turn. An excellent article is from Nadeem Hasan (www.nadm

Re: [Leaf-user] ipsec.conf assistance..

2002-03-01 Thread William Brinkman
Joey, I see nothing terribly wrong with the ipsec.conf file. Mine does have a leftid and rightid in the conn home-office section. I also have an auto=add on the office and an auto=start on the home section. Without these lines it does not know when to start up. I'm sure you are reading the configura

[Leaf-user] Dachstein CD, IPSEC, KLIPS & rp_filter

2002-03-02 Thread William Brinkman
Greetings All: I have networked two DCD firewalls with IPSec using X.509 certificates. I have added a "road warrior" M$98 machine using SSH Sentinel package. The interesting part is that the KLIPS warning that usually shows up during boot now really matters! WARNING: ipsec0 has route filtering

[Leaf-user] Dachstein CD VPN with X.509 Certs howto available

2002-03-03 Thread William Brinkman
All, The mini-howto version 1 is complete but it is 13 pages long. Instead of a mass mailing I plan to send it to selected individuals that are interested. It is available as a word97 and plain jane *.txt please specify which one you want. If anyone has a better idea on how to distribute this,

Re: [Leaf-user] Dachstein CD, IPSEC, KLIPS & rp_filter

2002-03-03 Thread William Brinkman
Michael, Thank you for your fast response. I unfortunately posted before I thought. Turns out that just the eth0 needs the rp_filter turned off so I was able to make things work without worrying about the ipsec0 rp_filter. Thanks again - Bill --- "Michael D. Schleif" <[EMAIL PROTECTED]> wro

Re: [Leaf-user] ipsec errors

2002-03-08 Thread William Brinkman
All, If I remember correctly, and please correct me if I am wrong, the documentation with the ipsec lrp with the Dachstein CD says that using the leftfirewall=yes or rightfirewall=yes will automatically append the scripts to allow protocol 50 through. If I remember from the first post, the "offi

Re: [Leaf-user] Please Please Help me...!

2002-03-09 Thread William Brinkman
Greetings Sudhir: A thought might be that you have not enabled the 10.0.0.0 subnet on the internal network. The Dachstein CD has as its default the 192.168.1.0 subnet so to get the 10.0.0.0 working you must edit the configuration. 1) In /etc/network.conf lines 164, 349, 350 2) in /et

[leaf-user] dachstein NTP Internal Time Server

2003-03-15 Thread William Brinkman
Greetings All- I took a look at my logs and realized the time recorded was very different than the real time. I tried setting up a check once per day by inserting a server in the lrp.conf but that did not work. A system that worked was to place the following lines in /etc/cron.d/multicron 11

Re: [leaf-user] dachstein NTP Internal Time Server

2003-03-15 Thread William Brinkman
Erich, Thanks for asking! I should have looked earlier! I examined the denied packets carefully, and yes, the selected internet time servers were getting blocked coming back to the firewall in a rather impressive (in volume of traffic) manner. I disabled the "servers" until I can start to let

Re: [leaf-user] dachstein NTP Internal Time Server - EXTERNAL ports now open

2003-03-16 Thread William Brinkman
All - A quick update, I inserted into network.conf, down about line 323, the list of servers matching the list from the ntpsimpl conf from the setup package menu. ie: EXTERN_UPD_PORT0="0/0 domain" EXTERN_UDP_PORT1="0/0 bootpc" EXTERN_UDP_PORT2="www.xxx.yyy.zzz/24 ntp" EXTERN_UDP_PORT3="aaa.bbb.c

Re: [leaf-user] dachstein NTP Internal Time Server - udp internal port looks open

2003-03-16 Thread William Brinkman
Thank you Charles for the excellent lead! I took your advice and did a "#netstat -ldp | more" and got the following lines concerning port 123 (with apologies for the formatting problems): proto recv-Q send-Q local addr foreign addr state PID/Pgrm name udp 0 0 192.168.1.254:123 0.0.0.0:*

Re: [leaf-user] dachstein NTP Internal Time Server - Any Bering Folks using this?

2003-03-16 Thread William Brinkman
Thank you Charles for the expert advice on udp. I did a little more snooping and turns out #netdate command (linux box) is port 37 while ntp is port 123. (I realize I'm beginning to sound like a total moron and should have done the homework and rtfmed). I downloaded a program called automachron

Re: [leaf-user] dachstein NTP Internal Time Server - Up and running

2003-03-16 Thread William Brinkman
All, I put the NTP rpm in my mandrake 9.0 linux box. Set the ntp.conf "server" to 192.168.1.254 (firewall address). Inserted a /etc/ntp.drift and put a 1 in the file. Started the ntpd daemon. Tested out the troubleshooting guide and on the mandrake box tried a: # ntpq -p 192.168.1.254 The re

Re: [leaf-user] dachstein NTP Internal Time Server - M$ freeware works

2003-03-17 Thread William Brinkman
Kevin, Thanks for weighing in with your results. I am up and running with a M$ freeware called "Dimension 4" on a 98se box. It uses the SNTP (Simple NTP) and for whatever reason, works well with the Dachstein firewall. It, however, does not mention compatibility with XP so - your mileage may var

Re: [leaf-user] RoadWarrior and RSA: What does leftid or rightid mean?

2003-03-26 Thread William Brinkman
Thitiporn, From the FreeS/Wan manual on section RSA signatures for authentication: the RSA public key needs an identifier. The identifier goes into leftid= and rightid= . They are the names the systems use to identify themselves during connection negotiations. 4 different ways: A) IP addres

Re: [leaf-user] RoadWarrior and RSA: What does leftid or rightid mean? conn example

2003-03-26 Thread William Brinkman
Thitiporn, I looked over my notes again and the configuration I used was left - road warrior, right - firewall with ipsec. conn vpn type=tunnel left=%any leftrsasigkey= . . . right=aaa.bbb.ccc.ddd [EMAIL PROTECTED] . . #There is no leftid in my working conf

[leaf-user] A-S but no T-Z packages on /leaf.sourceforge.net/packages/glibc-2.0/

2004-12-19 Thread William Brinkman
Greetings all, I was thinking of putting a wireless bering system together and noticed that the "Package Repository" for glibc-2.0 has packages A-S but T-Z are missing. I looked with both the IE and Foxfire browsers. As far as I can tell the repository may be the only place to find the wireless.

Re: [leaf-user] A-S but no T-Z packages on /leaf.sourceforge.net/packages/glibc-2.0/ THANKS!

2004-12-19 Thread William Brinkman
Mike N., Many thanks - Bill > > Bill, > Did you look in Jacques Nilo's old website. It's > still active. I haven't > incorporated it yet. Also, all content is available > in cvs or the SF > FRS. > > http://leaf-project.org/bering/bin/ > http://leaf-project.org/bering/bin/bering/latest/packages/