Archive for the ‘isa’ Category

OpenVPN Server on Gentoo, Vista Client and ISA 2006

Sunday, May 6th, 2007

environment OpenVPN Server on Gentoo, Windows Vista Client, ISA 2006

problem Establish VPN tunnel from Vista to Gentoo

solution

Server Install

  • emerge openvpn and read the output about /etc/init.d
  • Make sure your kernel has CONFIG_TUN enabled (details)
  • Create keys and /etc/openvpn/hostname.conf files. A sample can be found here.

Vista Client Install

  • Install at least OpenVPN 2.1_rc2 (download) because of this
  • copy client.crt, client.key, ca.crt and optionally ta.key from /usr/share/openvpn/easy-rsa/keys/ on your server
  • create hostname.ovpn in C:\Program Files\OpenVPN\config and make sure to run the editor as administrator due to UAC. A sample can be found here.

actual problem I'd like to publish OpenVPN with a "Web Publishing Rule" on ISA 2006 and have ISA 2006 forward to the right machine based on the domain. I sniffed the traffic: OpenVPN doesn't send an SSL "Client Hello" message at the beginning, but some other message that Wireshark tags as "SSL Continuation".

After thinking a little more, the scenario I'd like to implement won't be possible anyway, because ISA 2006 gets the domain from the HTTP traffic (details) and not from the SSL/TLS layer. Maybe something similar to Apache/OpenVPN port sharing would be possible with a custom filter in ISA...
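The first bytes a listener actually sees, as an added example that is not part of the original post: a small Python classifier that tells a TLS ClientHello apart from OpenVPN's own TCP framing (a 2-byte length prefix, then an opcode byte; the first client packet is P_CONTROL_HARD_RESET_CLIENT_V2, opcode 7), which is why Wireshark labels the stream "SSL Continuation" and why a hostname-based listener has nothing to dispatch on. The sample byte strings are constructed, not captures.

```python
import struct

TLS_HANDSHAKE = 0x16              # TLS record content type "handshake"
TLS_CLIENT_HELLO = 0x01           # handshake message type ClientHello
OPENVPN_HARD_RESET_CLIENT_V2 = 7  # opcode of the first packet an OpenVPN client sends


def classify_stream_start(data: bytes) -> str:
    """Classify the first bytes of a TCP stream as TLS, OpenVPN, or unknown."""
    # TLS: record type 0x16, version 0x03 0x0X, 2-byte record length, then
    # the first handshake byte must be ClientHello (0x01).
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03
            and data[2] <= 0x03 and data[5] == TLS_CLIENT_HELLO):
        return "tls-client-hello"
    # OpenVPN over TCP: 2-byte big-endian packet length, then one byte holding
    # the opcode (upper 5 bits) and key id (lower 3 bits). With tls-auth (ta.key)
    # the packet is longer (HMAC, packet id, timestamp) but starts the same way.
    if len(data) >= 3:
        pkt_len = struct.unpack("!H", data[:2])[0]
        opcode = data[2] >> 3
        # a hard reset carries at least the opcode byte and an 8-byte session id
        if opcode == OPENVPN_HARD_RESET_CLIENT_V2 and pkt_len >= 9:
            return "openvpn-control"
    return "unknown"


# Constructed samples (not captures from the post).
# TLS 1.0 record header followed by a ClientHello handshake header.
TLS_SAMPLE = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B]) + b"\x00" * 43
# OpenVPN/TCP without tls-auth: length 14, opcode byte 0x38 (7 << 3, key id 0),
# 8-byte session id, empty ack array (0x00), 4-byte message packet id.
OPENVPN_SAMPLE = struct.pack("!H", 14) + b"\x38" + b"\x11" * 8 + b"\x00" + b"\x00\x00\x00\x00"


def main():
    for name, sample in (("tls", TLS_SAMPLE), ("openvpn", OPENVPN_SAMPLE)):
        print(f"{name}: {classify_stream_start(sample)}")


if __name__ == "__main__":
    main()
```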

Terminal Service Gateway on Longhorn published with ISA 2006: not working

Sunday, May 6th, 2007

environment ISA 2006, Terminal Service Gateway on Longhorn Beta 3

problem Tunneling RDP through HTTP/HTTPS, e.g. forwarding applications through HTTP.

story First of all I couldn't get my wildcard certs working; I replaced them with FQDN certs and got a little further.

The above described scenario is NOT supported. See here why and how in more detail.

Virtual Server 2005 R2 SP1 RC1 - Upgrade

Monday, April 30th, 2007

environment Windows 2003 SP2, ISA Server 2006, Virtual Server 2005 R2 SP1 pre-RC1

story I upgraded to Virtual Server 2005 R2 SP1 RC1 remotely - somewhere in the middle, my Terminal Service Client connection disconnected - *PANIC*. But just keep calm and wait. I guess the network connection got shut down due to some driver installation - the server became ready again by itself. I didn't need a reboot.

Gallery and Login/Logout Problem - Caching in ISA Server 2005 R2

Saturday, April 21st, 2007

environment Gallery, ISA Server 2005 R2, web site hosted on Apache using HTTP, published through ISA with HTTPS.

problem login/logout issue. User logs in. Clicks the Gallery logo in the top left. Gets the guest front page. If the user visits a subpage it works again... for some subpages, not for others...

solution Turn off reverse proxy caching in ISA. Configuration/Cache/Cache Rules. Create a new rule including the server that hosts the web site. Check "Never cache the response" and disable HTTP caching.

dnsmasq and dns servers for specific domains

Sunday, April 15th, 2007

environment OpenWrt, dnsmasq

problem A DNS server for a specific domain (e.g. abc.com) is either not reachable from outside, OR due to firewall/VPN restrictions has a different IP than the publicly advertised one

solution Edit dnsmasq.conf and add

server=/abc.com/10.1.1.2

This sends queries for abc.com and all its subdomains to 10.1.1.2 instead of the upstream resolvers.

Generate wildcard certificates for ISA 2005 R2 with OpenSSL

Monday, April 9th, 2007

Generate key pair

openssl genrsa -out wildcard.domain.com.privkey.pem 1024

Generate certificate request

openssl req -new -key wildcard.domain.com.privkey.pem -out wildcard.domain.com.cert.csr

Make sure you enter *.domain.com when asked for common name.

From \OpenSSL\bin\PEM execute

../openssl ca -cert <path>/CA.crt -in <path>/wildcard.domain.com.cert.csr -keyfile <path>/CA.key -days 3650 -out <path>/wildcard.domain.com.cert.cer

Export the certificate

openssl x509 -in wildcard.domain.com.cert.cer -out wildcard.domain.com.cert.x509.cer

Export the private key

openssl.exe pkcs12 -export -inkey wildcard.domain.com.privkey.pem -in wildcard.domain.com.cert.cer -out wildcard.domain.com.privkey.pfx

I suggest you use a password for this one :)

Follow this guide on how to import the certificate and the private key.

This entry is based on this how-to and this IIS how-to.

Redirect a path to different web server than the complete site using ISA 2005

Monday, April 9th, 2007

I'm forwarding http requests for a domain www.abc.com to server A. I'd like to forward www.abc.com/def to server B.

I configured 2 web publishing rules for the same domain. The first one only includes the path def/, the second one includes *.

ISA behaved very strangely. No error message. Sometimes the path def/ worked, sometimes www.abc.com worked.

Virtual Machine running Gentoo on Virtual Server 2005 R2

Monday, April 9th, 2007

Environment Windows Server 2003 R2, ISA Server 2005, Virtual Server 2005 R2, Network access through Loopback Adapters

Problem Creation/Installation of a virtual machine running Gentoo

Steps

  1. Create Virtual Machine - configure disks
  2. Under General Properties
    • Select Run virtual machine under the following user account and provide username and password
    • Make sure that account has access to the .vhd and .vnc files (e.g. C:\Documents and Settings\All Users\Documents\Shared Virtual Networks) (details).

      If it doesn't, you get the following error message in the Event Log (Virtual Server), as I did: The virtual machine "foo" cannot connect virtual network adapter 1 because either the virtual network is invalid or access was denied. This virtual network adapter will be left disconnected.

      The reason was that the user lacked privileges on the .vnc files.

  3. Mount the Gentoo ISO image
  4. Start the VM and follow Gentoo Installation
  5. Edit make.conf. For my Core2 Duo E6600 I use
    CFLAGS="-O3 -march=nocona -pipe -fomit-frame-pointer"

  6. ln -s /usr/portage/profiles/default-linux/x86/2006.1 make.profile
  7. If you got an existing VM
    • copy /etc/kernels/kernel-config-*
    • genkernel --kernel-config=/etc/kernels/kernel-config-* all
  8. Kernel options to avoid clock skew (details)
    clock=pit
  9. emerge -u logwatch chkrootkit apache netpbm ffmpeg imagemagick ntp gallery virtual/mysql awstats logrotate
  10. configure rsync mirror server

Site-2-Site IPsec with ISA 2006/Windows 2003 and OpenSwan/OpenWrt/Linux

Friday, March 30th, 2007

Task Establish Site-to-Site IPsec between ISA 2006 and OpenWrt 0.9 on a Linksys WRT54GL using OpenSwan (2.4.6-1 or 2.4.4-1)

Solution Use the following settings in ipsec.conf

conn isa2openwrt
    authby=secret
    esp=3des-sha1
    ike=3des-sha1
    leftid=<public-ip isa>
    left=<public-ip isa>
    leftsubnet=<private subnet behind isa>
    leftnexthop=%defaultroute
    rightid=<public-ip openwrt>
    right=<public-ip openwrt>
    rightsubnet=<private subnet behind openwrt>
    rightnexthop=%defaultroute
    pfs=yes
    ikelifetime=1h
    keylife=1h
    rekey=no
    keyingtries=5
    auto=start

Note leftid and rightid MUST correspond to the public IPs, because ISA 2006 expects this.

authby=secret means a pre-shared key is used (I didn't want to mess with certificates).

ISA 2006 configuration is straightforward. Just provide the public IPs and the sub-networks you want to expose. IMPORTANT In IPSec Configuration/Phase I set "Authenticate and generate new key every" to 3600 (instead of the default 28800) - see solution.

If you have multiple subnets (or just want to be able to connect to the public IP of the opposite site), OpenSwan requires you to have a separate conn section for each subnet.
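One way to keep those constraints straight when there are several subnets, as an added example that is not part of the original post: a small Python generator that builds one conn section per subnet pair from the template above and checks the ISA-specific rules mentioned here (leftid/rightid equal to the public IPs, ikelifetime matching ISA's 3600 seconds). The IP addresses are constructed documentation ranges, not the post's real ones.

```python
from ipaddress import ip_address, ip_network

# Settings shared by every conn, taken from the ipsec.conf template above.
COMMON = {
    "authby": "secret", "esp": "3des-sha1", "ike": "3des-sha1",
    "leftnexthop": "%defaultroute", "rightnexthop": "%defaultroute",
    "pfs": "yes", "ikelifetime": "1h", "keylife": "1h", "rekey": "no",
    "keyingtries": "5", "auto": "start",
}


def build_conns(isa_ip, isa_subnets, openwrt_ip, openwrt_subnets):
    """Return {conn name: settings}, one conn per (ISA subnet, OpenWrt subnet) pair."""
    conns = {}
    for i, lsub in enumerate(isa_subnets):
        for j, rsub in enumerate(openwrt_subnets):
            conns[f"isa2openwrt-{i}-{j}"] = dict(
                COMMON, leftid=isa_ip, left=isa_ip, leftsubnet=lsub,
                rightid=openwrt_ip, right=openwrt_ip, rightsubnet=rsub)
    return conns


def check_isa_constraints(conn):
    """Return the list of problems ISA 2006 would reject the conn for (empty = OK)."""
    problems = []
    for side in ("left", "right"):
        ip_address(conn[side])              # raises ValueError on a non-IP endpoint
        ip_network(conn[f"{side}subnet"])   # raises ValueError on a malformed subnet
        if conn[f"{side}id"] != conn[side]:
            problems.append(f"{side}id must equal the {side} public IP")
    if conn["ikelifetime"] not in ("1h", "3600s", "3600"):
        problems.append("ikelifetime must be 3600s to match ISA phase 1")
    return problems


def render(conns):
    """Render the conn sections in ipsec.conf syntax."""
    lines = []
    for name, settings in conns.items():
        lines.append(f"conn {name}")
        lines.extend(f"    {key}={value}" for key, value in settings.items())
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    demo = build_conns("203.0.113.1", ["10.1.1.0/24"], "198.51.100.2", ["10.2.2.0/24", "10.3.3.0/24"])
    for name, conn in demo.items():
        print(name, check_isa_constraints(conn) or "ok")
    print(render(demo))
```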

Solved Issues Right now the tunnel stops working after some idle time (i.e. no traffic). Interestingly the tunnel can be re-established by restarting the OpenWrt end (/etc/init.d/S60ipsec restart).

An upgrade of OpenSwan 2.4.4-1 to 2.4.6-1 didn't help. Up to now I'm too busy/lazy to enable the Oakley log on the ISA 2006 server.

Paul Wouters suggested to use Dead Peer Detection, but that didn't help.

Solution I found this posting, which I'm currently testing.

Firewall Don't forget to allow IKE/ISAKMP and ESP traffic on OpenWrt with iptables


iptables -A input_rule -p esp -s <public ip of ISA server> -j ACCEPT
iptables -A input_rule -p udp -s <public ip of ISA server> --dport 500 -j ACCEPT

and you probably want to make sure that traffic to the private subnet on the opposite tunnel side isn't NATed, with


iptables -t nat -A postrouting_rule -d 10.1.1.0/24 -j ACCEPT

Debugging On ISA 2006 the Log Viewer is pretty helpful; don't forget to check the alerts as well.

On OpenWrt enable syslog with


nvram set log_ipaddr=
nvram commit

and a Windows syslog daemon works well as the receiver. ipsec.conf needs

config setup
   plutodebug="all"
   ...

or something similar.

Some barely related commands

  • ipkg list_installed
  • ipkg install openswan
  • ipconfig /flushdns


ISA 2006 vs. MediaWiki and Umlauts

Monday, March 26th, 2007

Story

Just in case: ISA 2006 filters umlauts in URLs by default. As I use umlauts in my page titles in MediaWiki, I just got an HTTP 500 Internal Server Error message. The important hint that led to my solution was the mention of HTTPFilter in the error message.

Environment ISA 2006, Web Site Publishing, MediaWiki

Symptom Wiki pages with umlauts don't work.

Reason ISA 2006 filters umlauts in URLs.

Solution In the properties of the "Web Publishing Rule", Traffic, Filtering, uncheck "Verify normalization" and "Block high bit characters".
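A simplified model of the two filter checks, as an added example that is not part of the original post: "Verify normalization" decodes the URL twice and rejects it if the second pass still changes something (double encoding), and "Block high bit characters" rejects any non-ASCII byte in the decoded URL, which is what a percent-encoded umlaut in a MediaWiki title becomes. The decoding rules are an assumed simplification of ISA's; the sample URLs are constructed.

```python
from urllib.parse import unquote_to_bytes


def verify_normalization(url: str) -> bool:
    """True if decoding the URL a second time leaves it unchanged."""
    once = unquote_to_bytes(url)
    twice = unquote_to_bytes(once)
    return once == twice


def has_high_bit(url: str) -> bool:
    """True if the decoded URL contains a byte >= 0x80 (e.g. UTF-8 umlauts)."""
    return any(b >= 0x80 for b in unquote_to_bytes(url))


def isa_http_filter(url: str, verify_norm=True, block_high_bit=True):
    """Return None if the request passes, else the name of the check that blocks it."""
    if verify_norm and not verify_normalization(url):
        return "Verify normalization"
    if block_high_bit and has_high_bit(url):
        return "Block high bit characters"
    return None


# Constructed MediaWiki-style URLs with the check expected to block them (None = passes).
SAMPLES = {
    "/wiki/Main_Page": None,
    "/wiki/%C3%9Cbersicht": "Block high bit characters",   # "Übersicht", UTF-8 encoded
    "/wiki/caf%C3%A9": "Block high bit characters",        # "café"
    "/wiki/%25C3%259Cbersicht": "Verify normalization",    # double-encoded title
}


def run_samples(verify_norm=True, block_high_bit=True):
    """Run every sample URL through the filter with the given switches."""
    return {url: isa_http_filter(url, verify_norm, block_high_bit) for url in SAMPLES}


if __name__ == "__main__":
    for url, result in run_samples().items():
        print(f"{url}: {result or 'passes'}")
```

Switching only "Block high bit characters" off already lets the umlaut titles through while still rejecting the double-encoded URL.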