Archive for the ‘openwrt’ Category

removing default range (.100-.150) from dnsmasq

Saturday, March 22nd, 2008
 
start="$(dhcp_calc "${start:-100}")"
limit="$((${limit:-150} + 1))"
eval "$(ipcalc.sh $ipaddr $netmask $start $limit)"
 
# COMMENT OUT THE NEXT LINE (this is what adds the default .100-.150 range)
# append args "--dhcp-range=$name,$START,$END,$NETMASK,$leasetime${options:+ $options}"
 

dnsmasq and dns servers for specific domains

Sunday, April 15th, 2007

Environment: OpenWrt, dnsmasq

Problem: The DNS server for a specific domain (e.g. abc.com) is either not reachable from outside, or, due to firewall/VPN restrictions, has a different IP than the publicly advertised one.

Solution: Edit dnsmasq.conf and add

server=/abc.com/10.1.1.2

OpenWrt, DHCP and static IPs

Saturday, April 7th, 2007

Environment: OpenWrt on Linksys WRT54GL

Problem: Configure static IPs in the DHCP server

Solution: Edit /etc/ethers

# Machine Name (this is a comment)
#  
xx:xx:xx:xx:xx:xx 1.2.3.4

Activation on OpenWrt

killall dnsmasq
rm /tmp/dhcp.leases
/etc/init.d/S60dnsmasq

Activation on Windows

 ipconfig /renew 

Debugging

tail /tmp/dhcp.leases
tcpdump -avn -i br0 not host and not host and not ip6

You should see the DHCP requests

Site-2-Site IPsec with ISA 2006/Windows 2003 and OpenSwan/OpenWrt/Linux

Friday, March 30th, 2007

Task: Establish Site-to-Site IPsec between ISA 2006 and OpenWrt 0.9 on a Linksys WRT54GL using OpenSwan (2.4.6-1 or 2.4.4-1)

Solution: Use the following settings in ipsec.conf

conn isa2openwrt
    authby=secret
    esp=3des-sha1
    ike=3des-sha1
    leftid=<public-ip isa>
    left=<public-ip isa>
    leftsubnet=<private subnet behind isa>
    leftnexthop=%defaultroute
    rightid=<public-ip openwrt>
    right=<public-ip openwrt>
    rightsubnet=<private subnet behind openwrt>
    rightnexthop=%defaultroute
    pfs=yes
    ikelifetime=1h
    keylife=1h
    rekey=no
    keyingtries=5
    auto=start

Note: leftid and rightid MUST correspond to the public IPs, because ISA 2006 expects this.

authby=secret relates to pre-shared key (I didn't wanna mess with certificates).

ISA 2006 configuration is straightforward. Just provide the public IPs and the subnets you want to expose. IMPORTANT: In IPsec Configuration/Phase I set "Authenticate and generate new key every" to 3600 (instead of the default 28800) - see the Solution below.

If you have multiple subnets (or just want to be able to reach the public IP of the opposite site), OpenSwan requires a separate conn section for each subnet.
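As an added example (not code from the post), a small lint that parses an ipsec.conf and checks the two constraints just described: each side's id must equal its public IP, and each conn may name only one subnet. The sample configuration and its addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample (placeholder addresses); the second conn deliberately breaks the ID rule.
SAMPLE_IPSEC_CONF = """\
conn isa2openwrt
    leftid=198.51.100.10
    left=198.51.100.10
    leftsubnet=192.168.10.0/24
    rightid=203.0.113.5
    right=203.0.113.5
    rightsubnet=10.1.1.0/24
    auto=start

conn isa2openwrt-2
    leftid=198.51.100.10
    left=198.51.100.10
    leftsubnet=192.168.20.0/24
    rightid=wrt.example     # hostname as ID: ISA 2006 will reject this
    right=203.0.113.5
    rightsubnet=10.1.1.0/24
"""

def parse_ipsec_conf(text):
    """Map section headers ('conn NAME', 'config setup') to their key=value settings."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not stripped:
            continue
        if not line[0].isspace():                  # unindented line = section header
            current = sections.setdefault(" ".join(stripped.split()), {})
        elif current is not None and "=" in stripped:
            key, _, value = stripped.partition("=")
            current[key.strip()] = value.strip()
    return sections

def check_isa_conn(conn):
    """Post's constraints: each id equals its public IP; exactly one subnet per conn."""
    problems = []
    for side in ("left", "right"):
        ident, addr, subnet = (conn.get(side + k) for k in ("id", "", "subnet"))
        if ident != addr:
            problems.append(f"{side}id={ident!r} must equal {side}={addr!r}")
        try:
            ipaddress.ip_network(subnet or "")     # rejects lists like 'a/24,b/24'
        except ValueError:
            problems.append(f"{side}subnet={subnet!r} is not a single CIDR network")
    return problems
```

Run check_isa_conn over every "conn ..." section returned by parse_ipsec_conf; an empty list means the conn satisfies both rules.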

Solved Issues: Right now the tunnel stops working after some idle time (i.e. no traffic). Interestingly, the tunnel can be re-established by restarting the OpenWrt end (/etc/init.d/S60ipsec restart).

An upgrade of OpenSwan 2.4.4-1 to 2.4.6-1 didn't help. Up to now I'm too busy/lazy to enable the Oakley log on the ISA 2006 server.

Paul Wouters suggested using Dead Peer Detection, but that didn't help.

Solution: I found this posting that I'm currently testing.

Firewall: Don't forget to allow IKE/ISAKMP and ESP traffic on the OpenWrt with iptables

iptables -A input_rule -p esp -s <public ip of ISA server> -j ACCEPT
iptables -A input_rule -p udp -s <public ip of ISA server> --dport 500 -j ACCEPT

and you probably want to make sure that traffic to the private subnet on the other side of the tunnel isn't NATed, with

iptables -t nat -A postrouting_rule -d 10.1.1.0/24 -j ACCEPT

Debugging: On ISA 2006 the Log Viewer is quite helpful, and don't forget to check the alerts.

On OpenWrt enable remote syslog with

nvram set log_ipaddr=
nvram commit

and a Windows syslog daemon works well as the receiver. ipsec.conf needs

config setup
   plutodebug="all"
   ...

or something similar.

Some barely related commands

  • ipkg list_installed
  • ipkg install openswan
  • ipconfig /flushdns

Links