
This article was written by RW Black and can be seen in its original form at:

http://blackranchinc.com/files/VPN.html

Qube Point to Point VPN

Qube point to point VPN is an implementation of FreeSwan's Ipsec. It uses FreeSwan version 1.91 and inherits all the features (and all of the flaws) of this version.

Only a subset of these features can be administered from the Graphic Interface. For more detailed control you must edit files in the "/etc/freeswan" directory:

  1. ipsec.conf
  2. ipsec.conf.profiles
  3. ipsec.conf.tunnels
  4. ipsec.secrets

After editing any of these files you must be careful what you do from the Graphic Interface so as not to overwrite your changes.

First, some general comments.

The Perl code which implements Setup from the Graphic Interface ("/usr/sausalito/sbin/ipsec.pl") has a bug in it which prevents it from properly rewriting "/etc/ipchains.conf". For most users this bug is more like a feature, as they probably do not want Ipchains rules changed. But if you reload or restart the Basic Firewall without fixing this bug it will crash the VPN. My experience is that even if you fix this bug, over time the system will corrupt the "/etc/ipchains.conf" file due to tunnel crashes etc. My suggestion is to eliminate the code which changes the "/etc/ipchains.conf" file. For security reasons you then need Ipchains rules to prevent improper access if the tunnels are down.
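As an added example (not code from the article or from Sun's ipsec.pl), here is a shell script that prints, and on a root shell with ipchains installed applies, the rules that keep the Qube closed while a tunnel is down; the interface name and all addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the article and not Sun's ipsec.pl. Once the GUI code
# that rewrites /etc/ipchains.conf is removed, these are the rules that keep the
# Qube safe while a tunnel is down: accept IKE and ESP from the peer, accept
# decrypted traffic only via ipsec0, and refuse anything for or from the remote
# private network that shows up on the WAN interface in the clear.
# All addresses below are constructed placeholders; use your own.

WAN_IF=${WAN_IF:-eth0}                    # public interface
LOCAL_NET=${LOCAL_NET:-192.168.1.0/24}    # this end's LAN (constructed)
REMOTE_NET=${REMOTE_NET:-192.168.2.0/24}  # other end's LAN (constructed)
PEER_IP=${PEER_IP:-203.0.113.20}          # other gateway's public IP (constructed)

# vpn_rules: print the ipchains commands, one per line.
# The three guards are inserted at the head of their chains (-I ... 1) so no
# earlier ACCEPT in /etc/ipchains.conf can get in front of them. Without the
# ipsec0 route, packets for REMOTE_NET can follow the default route out WAN_IF
# unencrypted, and a spoofed packet claiming REMOTE_NET as its source would be
# treated as if it had come through the tunnel.
vpn_rules() {
    cat <<EOF
ipchains -I input 1 -i $WAN_IF -s $REMOTE_NET -j DENY -l
ipchains -I output 1 -i $WAN_IF -d $REMOTE_NET -j DENY -l
ipchains -I forward 1 -i $WAN_IF -d $REMOTE_NET -j DENY -l
ipchains -A input -i $WAN_IF -p udp -s $PEER_IP 500 -d 0.0.0.0/0 500 -j ACCEPT
ipchains -A input -i $WAN_IF -p 50 -s $PEER_IP -j ACCEPT
ipchains -A input -i ipsec0 -s $REMOTE_NET -d $LOCAL_NET -j ACCEPT
EOF
}

# apply_vpn_rules: run the rules when ipchains is present and we are root;
# otherwise print them and return 1 so this doubles as a dry run.
apply_vpn_rules() {
    if command -v ipchains >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        vpn_rules | sh -e
    else
        vpn_rules
        return 1
    fi
}

apply_vpn_rules || echo "dry run: rules printed, not applied" >&2
```

Forward-chain ACCEPT rules for LAN-to-LAN traffic over ipsec0 are left to whatever policy your existing /etc/ipchains.conf already sets.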

Restarting CCED for any reason (most commonly a backup) will remove the network interfaces, thus breaking the tunnels. To fix this you must run the "/etc/rc.d/init.d/ipsec restart" command or the "ipsec setup restart" command after restarting CCED. Also, Ipsec cannot be started properly before the network connection it will use is established. This can be a problem for certain kinds of DSL or dial-up connections.

If you are using some kind of WAN connection that uses PPP or some other kind of login, you may want to remove Ipsec from startup (usually with "/sbin/chkconfig --del ipsec") and start and stop Ipsec with the "up" and "down" executables for the connection.

If there is any NAT between the hosts, it will break Ipsec (this is not strictly true: under special circumstances, and only if ESP alone is used, you can establish a tunnel through NAT).

For information on just what is happening you can view the "/var/log/secure" log. You can also run the "ipsec look" command. For very detailed information run the "ipsec barf" command.

After you get the VPN up and running you will want to change the "ipsec.conf" file line "plutodebug=all" to "plutodebug=none" to reduce the size of the "secure" log generated.

You may also want to change the "ipsec.conf" file line "plutostart=" to "plutostart=%search". But notice the warning above about having the interface running first.

You may want to increase the number of "keyingtries" ("keying attempts" in the Graphic Interface ) in the "ipsec.conf.profiles".

If you have a "standard" Qube you can add the Point to Point VPN features by installing the following RPMs available for download from Sun:

  1. base ipsec-capstone
  2. base ipsec-glue
  3. base ipsec-locale

This will not properly populate the "ipsec.secrets" file.

For more details on FreeSwan see www.freeswan.org .

All of the above and all of the following may or may not apply to "manual" configurations.

Using FreeSwan with hosts other than Qubes

There are two methods for doing this. You can completely ignore the Graphic Interface and do everything from the command line (this gives you much more flexibility but requires the end user to use the command line). Or you can use the command line for initial setup and the Graphic Interface for routine operation (this frees the end user from needing command line skills). I will mostly discuss the second case here.

The Qube normally establishes four tunnels:

  1. Network1 to network2
  2. Network1 to host2
  3. Host1 to network2
  4. Host1 to host2

For most situations you will need only the first tunnel or possibly the first and second tunnel.

If you start the connection from the non-Qube host, you can create the tunnel setups (in "ipsec.conf.tunnels") then set the Qube to "the other end starts connection". In most cases the non-Qube host will then automatically initiate the tunnel when you try to connect to any IP on the Qube's network.

If you wish to be able to start the tunnel(s) from the Qube end you can create a PHP script that can be accessed from the "Point to Point VPN" screen on the Qube (the default startup will try to start four tunnels). You can also set the tunnel(s) to "auto=start" in the "ipsec.conf.tunnels" file, in which case they will start when ipsec starts (if "plutostart=%search" is set in the "ipsec.conf" file), but if you do anything with the Graphic Interface besides view tunnel status it will break the configuration.

The limits on various configuration items are:

  1. Only 3DES is supported (not DES)
  2. Only Diffie-Hellman group 2 (1536) is supported
  3. Max keylife=1440m (default is 480m)
  4. Max ikelifetime=480m (default is 60m)
  5. Default is pfs=yes (perfect forward security)
  6. If keyingtries=0 the system will keep retrying indefinitely
  7. Keep Alive is not implemented
  8. Setting conn %default before any specific conn will result in defaults being used unless overridden by the specific conn

Random hazards

  1. The subnets on opposite ends of the tunnel must not overlap
  2. NAT must not exist between the hosts
  3. WAN delays over 500 ms will usually break tunnels
  4. Packet fragmentation will tend to break tunnels (check mtu)
  5. If you have tunnel crashes you probably will have to reload ipchains rules either from the command line or by stopping and restarting the basic firewall from the Graphic Interface
  6. If you find yourself locked out from the remote Qube see item four (you may need to connect to the Remote Qube from a different IP to gain access to it)

Sample "ipsec.conf.profiles" file section for WatchGuard SOHO6tc

conn watchguard-auto
   auth=esp
   pfs=no
   keylife=1440m
   rekeymargin=9m
   rekeyfuzz=9m
   keyingtries=99    # cannot set to 0 from the Graphic Interface
   ikelifetime=60m

This file can be created from the Graphic Interface using "Add Profile".

For this configuration you would want to set the WatchGuard as follows:

  1. Select the negotiation Mode (unless you are paranoid use Aggressive)
  2. Select the Local ID and Remote ID to IP
  3. Select Authentication Algorithm MD5-HMAC
  4. Select Encryption Algorithm 3DES-CBC
  5. Select Negotiation Expires in kilobaud 0 (No limit)
  6. Select Negotiation Expires in hours 24
  7. Select Diffie-Hellman Group 2
  8. Do not select Enable Perfect Forward Security
  9. Do not select Generate IKE Keep Alive Messages
  10. Proceed to Phase 2
  11. Select Authentication Algorithm MD5-HMAC
  12. Select Encryption Algorithm 3DES-CBC
  13. Do not select Enable Perfect Forward Security
  14. Select Key Expires in kilobaud 8192
  15. Select KEY Expires in hours 1
  16. Enter the IP's and Netmasks for the private networks.
  17. Submit

For the WatchGuard you must use a Shared Secret.
You can create the shared secret on the Qube using Add or Modify Connection, but do not change anything but the shared secret or it will overwrite "ipsec.conf.tunnels".
You can also manually edit "ipsec.secrets".

The Qube should automatically change the ipchains rules to handle the connection.

Setup very similar to the WatchGuard works for other FireWall-VPN boxes.

You can also connect a remote computer using IRE's SafeNet VPN (unless you are really paranoid the Qube's Remote Login VPN is a lot easier).





Suppose a user engaged in illegal activity at your company. We want to know who she (badgirl) wrote to and who wrote to her over the past month. Assuming you are archiving the log files this isn't so difficult. If you don't have the log files archived, then you've only got the past few days to work with. I have included a script (gatherlogs.sh) showing how to keep these logs. In theory you should move these to a storage area, but most servers have too much space anyway.

Badgirl also had an outside email account, which poses a unique problem in finding out who she wrote to inside your company.



Note: badgirl@charter.net is a fictitious person... just a name I pulled out of the air. My apologies to the real badgirl@charter.net, who is probably a fun-loving person.
~~~~~~~~~~~~~~~~~~
What did badgirl do? Well, that's private, but let's just say that she worked in a business that provided her leads. Her job was to close these deals for the company. In return for making her life easier (nobody likes sales) badgirl and the company (where she works) shared a percentage of the deal. If she were to do this business on her own she would probably spend 80% of her time searching for leads and 20% closing deals. So the company is providing her with a way to get business... and they SHARE the commission.

Sadly, badgirl used the company to attract clients, then did side deals. She kept her share and the company's share of the money. So basically, she is a thief.
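As an added example (this is not the gatherlogs.sh the article mentions), a shell function that answers the question above from a sendmail log: it joins the from= and to= lines on the queue ID and lists who the address wrote to and who wrote to it. The log lines are constructed; the hostnames and the other addresses are made up.

```shell
#!/bin/sh
# Added example, not the gatherlogs.sh the article mentions. Joins sendmail's
# from= and to= log lines on the queue ID so you can list who an address wrote
# to and who wrote to it. Log lines below are constructed; badgirl@charter.net
# is the article's own made-up address.

SAMPLE_MAILLOG='Nov 17 09:01:10 mail sendmail[6602]: iAHE1Ar06602: from=<badgirl@charter.net>, size=812, class=0, nrcpts=2, proto=ESMTP, relay=smtp.charter.net [192.0.2.10]
Nov 17 09:01:11 mail sendmail[6603]: iAHE1Ar06602: to=<bob@localdomain.com>,<carol@localdomain.com>, delay=00:00:01, mailer=local, stat=Sent
Nov 17 10:15:02 mail sendmail[6700]: iAHFF2x06700: from=<dave@localdomain.com>, size=400, class=0, nrcpts=1, proto=ESMTP, relay=pc7.localdomain.com [192.168.1.7]
Nov 17 10:15:03 mail sendmail[6701]: iAHFF2x06700: to=<badgirl@charter.net>, delay=00:00:01, mailer=esmtp, relay=mx.charter.net. [192.0.2.11], stat=Sent
Nov 17 11:00:00 mail sendmail[6800]: iAHG00a06800: from=<erin@localdomain.com>, size=300, class=0, nrcpts=1, proto=ESMTP, relay=pc9.localdomain.com [192.168.1.9]
Nov 17 11:00:01 mail sendmail[6801]: iAHG00a06800: to=<frank@localdomain.com>, delay=00:00:01, mailer=local, stat=Sent'

# mail_partners ADDR: read a sendmail log on stdin and print one line per
# message touching ADDR: "sent-to <rcpt>" or "received-from <sender>", sorted.
mail_partners() {
    awk -v who="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        $6 !~ /:$/ || $6 == "NOQUEUE:" { next }          # no queue ID: skip
        { qid = substr($6, 1, length($6) - 1) }
        match($0, /from=<[^>]*>/) {
            from[qid] = tolower(substr($0, RSTART + 6, RLENGTH - 7))
        }
        match($0, /to=<[^ ]*/) {                          # may hold <a>,<b>,
            list = substr($0, RSTART + 3, RLENGTH - 3)
            gsub(/[<>]/, "", list)
            n = split(list, r, ",")
            for (i = 1; i <= n; i++)
                if (r[i] != "") rcpt[qid, ++cnt[qid]] = tolower(r[i])
        }
        END {
            for (q in cnt) for (i = 1; i <= cnt[q]; i++) {
                if (from[q] == who)          print "sent-to " rcpt[q, i]
                else if (rcpt[q, i] == who)  print "received-from " from[q]
            }
        }' | sort
}

# Stand-alone run against the constructed log.
printf '%s\n' "$SAMPLE_MAILLOG" | mail_partners badgirl@charter.net
```

Run it over a month of archived logs with "cat maillog.* | mail_partners badgirl@charter.net | sort | uniq -c" to get counts per correspondent.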


My old instructions are pretty dated. About as outdated as the Qube3 itself. If you want to keep your Qube3 I hope these instructions will help you manage spam. If you want a new server, I hope you will consider the Savvy Server, which offers a superior anti-virus and spam filter on a great piece of hardware that is easy to manage and configure.

These instructions are for a Qube3. That means I have only tested these instructions with a Qube3. They may work for a RaQ550, RaQ4 or RaQ3. But I would be careful with the PERL install portions of this script. That could really mess you up.

So... should you try this system? If you are good with the command line, understand that I make no promises, guarantees or warranties, and will take full responsibility for it... then go for it. It should work. One more caveat. 128MB of RAM is not enough. You need 256 at a minimum or this will put a heavy strain on your system... I would really recommend taking it up to 512.

A word or two of caution... Nothing is fool-proof and I'm not responsible if you break things. Some of the lines below are intended to be pasted directly into your command line... but if you don't know what they are doing, then I wouldn't paste them in. I did it this way to save time. There is one particular area that removes unused mqueue directories. I don't think this is valid for a RaQ550... But I cannot recall.

I have to give some credit to Brian at Nuonce.net and Bob at Depopo.net. I'm not sure the original documents still exist, but Brian had a nice installation method for a RaQ550 and I started there to build the original script. Brian has since built a great MailScanner/Spamassassin install .pkg file for the RaQ550. I would encourage you to use this if you have a RaQ550. It's simple, reliable, top quality and inexpensive. Unfortunately, only SolarSpeed has a Qube3 package and unless you have a lot of money, the .pkg is expensive. Depopo has done some great work making the ever troublesome PERL upgrade work properly and for that I thank him. Part of this installation relies on his script available here.






I recently ran across a problem with the Sun/Cobalt RaQ550's qpopper frequently stopping. The problem starts off with all your POP users failing to get access as if their mailboxes don't exist (but they do exist). It then moves on to an I/O Error 29 Illegal seek. This is a bit troubling because the RaQ550 is already running qpopper 3.1.2, which is fairly modern and has never given me much trouble in the past. So I set about troubleshooting. In the end I ended up upgrading to qpopper 4.0.5, but I don't recommend that unless you've tried a few things to make sure your problem is identical.





I have a very weird problem, where messages that are large cannot be received by the server. This problem occurred without me monkeying around with the server. It could have been caused by the work someone did on the LAN or even work done by our ISP. I strongly suspect it has to do with a router upgrade or misconfiguration at the ISP, but rather than troubleshoot their network I went and found a simple answer. I can tell you that there is a lot of misinformation on the Internet about how to solve this problem; I hope I can make it a bit easier for everyone. I've troubleshot this from the sendmail perspective, where you get the message "premature EOM", but if you have an EXIM or Postfix installation this should also help you. You just get a different error message: "Timeout after DATA".

The short answer, for the impatient: set the MTU to 1492 using "ifconfig <device> mtu 1492".

So, whoever caused the problem, here are the symptoms from the sendmail perspective:

SYMPTOMS
~~~~~~~~
SERVER THAT CANNOT RECEIVE:
Nov 17 15:54:28 mail sendmail[6602]: iAHKsSr06602: collect: premature EOM: Connection reset by mailserver.remotedomain.com
Nov 17 15:54:28 mail sendmail[6602]: iAHKsSr06602: SYSERR(root): collect: I/O error on connection from mailserver.remotedomain.com, from=<someone@mailserver.remotedomain.com>: Connection reset by mailserver.remotedomain.com
Nov 17 15:54:28 mail sendmail[6602]: iAHKsSr06602: from=<someone@mailserver.remotedomain.com>, size=0, class=0, nrcpts=1, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=mailman.listserve.com [207.247.127.27]

SERVER THAT IS SENDING
Nov 17 14:07:47 sherman sendmail[14086]: iAHL7WG14063: to=<admin@localdomain.com>, delay=00:00:15, xdelay=00:00:03, mailer=esmtp, pri=121966, relay=mailserver.localdomain.com. [67.207.227.7], dsn=4.0.0, stat=Deferred: Connection reset by mailserver.remotedomain.com.

ANALYSIS
~~~~~~~~
This clearly isn't a DNS problem, which plagues many email users, because the system would never have gotten as far as collecting the data if it were. The two systems started talking and somewhere along the way they stopped. If you sent a small message it would have gone through error free. I tried changing the MTU size of my messages from 1500 down to 1492 and that fixed everything.

So, somebody's router didn't like my MTU size. I'm not entirely happy with this as an answer because I could easily FTP/SCP files that are quite large without any difficulty. But, since it was only the email messages that suffered, maybe sendmail/postfix/Exim all have something that forbids fragmentation. Not sure how an application layer MTA can control something down the stack, but... well, I don't have a clue.

ACTION
~~~~~~

1. Log in as root and check your ifconfig

# ifconfig

eth0 Link encap:Ethernet HWaddr 00:10:E0:04:75:DD
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:50712 errors:0 dropped:0 overruns:0 frame:0
TX packets:45988 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:11 Base address:0x6200

ipsec0 Link encap:Ethernet HWaddr 00:10:E0:04:75:DD
inet addr:192.168.1.1 Mask:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:7427 errors:0 dropped:0 overruns:0 frame:0
TX packets:7427 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

It's going to show you something like this. In this example the third line shows my MTU for the outbound connection.

2. Change it:

# ifconfig eth0 mtu 1492

3. Test it. Send yourself a message.

4. Make it permanent. In Red Hat and Fedora you'd do this by locating the file ifcfg-eth0 and adding the line MTU=1492.

locate ifcfg-eth0

That should do it. I would not mind hearing from anyone who knows more about this than me, or even if you have a question. Feel free to ask.
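As an added example (not code from the original article), the four steps above as shell functions: read the MTU out of the ifconfig listing, make the change persistent in ifcfg-eth0, and probe whether a given MTU crosses the path with the don't-fragment bit set, which is the usual way to confirm this kind of problem. The ifconfig text is constructed to match the listing above, and the ifcfg file name and host are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. Reads the current MTU out of
# old-style ifconfig output (constructed below to match the listing above),
# makes a new value persistent in a Red Hat style ifcfg file, and on a live
# Linux host probes whether a given MTU crosses the path unfragmented.

SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:10:E0:04:75:DD
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
ipsec0    Link encap:Ethernet  HWaddr 00:10:E0:04:75:DD
          UP RUNNING NOARP  MTU:16260  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:3924  Metric:1'

# mtu_of IFACE: print the MTU of IFACE from ifconfig output read on stdin.
# A line that starts in column 1 opens a new interface block.
mtu_of() {
    awk -v want="$1" '
        /^[A-Za-z]/ { cur = $1 }
        cur == want && match($0, /MTU:[0-9]+/) {
            print substr($0, RSTART + 4, RLENGTH - 4); exit
        }'
}

# ifcfg_set_mtu FILE MTU: set MTU=value in an ifcfg-* file, replacing an
# existing MTU= line or appending one, so the change survives a reboot.
ifcfg_set_mtu() {
    if grep -q '^MTU=' "$1"; then
        sed "s/^MTU=.*/MTU=$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf 'MTU=%s\n' "$2" >> "$1"
    fi
}

# pmtu_ok HOST MTU: succeed if an MTU-sized packet reaches HOST with the
# don't-fragment bit set (iputils ping, Linux). ICMP payload is MTU minus
# 20 bytes of IP header and 8 of ICMP header. Failing at 1500 but passing at
# 1492 is the classic sign of a router in the path that drops "fragmentation
# needed" replies, which matches the symptoms above. Needs a network, so it
# is not part of the offline checks.
pmtu_ok() {
    ping -c 1 -M do -s $(( $2 - 28 )) "$1" > /dev/null 2>&1
}

# Stand-alone run: which MTU is eth0 using right now?
printf '%s\n' "$SAMPLE_IFCONFIG" | mtu_of eth0     # prints 1500
```

On a real host use "ifconfig | mtu_of eth0", "ifcfg_set_mtu /etc/sysconfig/network-scripts/ifcfg-eth0 1492" and "pmtu_ok mailserver.remotedomain.com 1500".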


















© Savvy Partners, 2006