Archive for March, 2007

Site-2-Site IPsec with ISA 2006/Windows 2003 and OpenSwan/OpenWrt/Linux

Friday, March 30th, 2007

Task Establish Site-to-Site IPsec between ISA 2006 and OpenWrt 0.9 on a Linksys WRT54GL using OpenSwan (2.4.6-1 or 2.4.4-1)

Solution Use the following settings in ipsec.conf

conn isa2openwrt
    authby=secret
    esp=3des-sha1
    ike=3des-sha1
    leftid=<public-ip isa>
    left=<public-ip isa>
    leftsubnet=<private subnet behind isa>
    leftnexthop=%defaultroute
    rightid=<public-ip openwrt>
    right=<public-ip openwrt>
    rightsubnet=<private subnet behind openwrt>
    rightnexthop=%defaultroute
    pfs=yes
    ikelifetime=1h
    keylife=1h
    rekey=no
    keyingtries=5
    auto=start

Note leftid and rightid MUST correspond to the public IPs, because ISA 2006 expects this.

authby=secret selects pre-shared key authentication (I didn't wanna mess with certificates).

ISA 2006 configuration is straightforward. Just provide the public IPs and the sub-networks you want to expose. IMPORTANT In IPSec Configuration/Phase I set "Authenticate and generate new key every" to 3600 (instead of the 28800) - see solution.

If you have multiple subnets (or just want to be able to connect to the public IP of the opposite site) OpenSwan requires you to have a separate conn section for each subnet.

Solved Issues Right now the tunnel stops working after some idle time (i.e. no traffic). Interestingly, the tunnel can be re-established by restarting the OpenWrt end (/etc/init.d/S60ipsec restart).

An upgrade of OpenSwan 2.4.4-1 to 2.4.6-1 didn't help. Up to now I'm too busy/lazy to enable the Oakley log on the ISA 2006 server.

Paul Wouters suggested using Dead Peer Detection, but that didn't help.

Solution I found this posting that I'm currently testing.

Firewall Don't forget to enable IKE/ISAKMP and ESP traffic on the OpenWrt with iptables

iptables -A input_rule -p esp -s <public ip of ISA server> -j ACCEPT
iptables -A input_rule -p udp -s <public ip of ISA server> --dport 500 -j ACCEPT

and you probably want to make sure traffic to the private subnet on the opposite tunnel site isn't getting NAT'ed, by

iptables -t nat -A postrouting_rule -d 10.1.1.0/24 -j ACCEPT
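The two requirements above (one conn section per subnet pair, and a firewall/NAT exemption for every remote subnet) are easy to get wrong by hand once there is more than one subnet per side. The following is an added example, not code from the original post: a small generator that emits the per-subnet conn stanzas with the settings from the ipsec.conf above (3des-sha1 kept as the page gives it; a current OpenSwan/Libreswan would use AES and SHA-2) and the matching iptables lines for the OpenWrt end. All IP addresses and subnets in it are constructed; the function and stanza names are my own.

```python
"""Generate per-subnet OpenSwan 2.4 conn stanzas and the matching OpenWrt
iptables rules for an ISA 2006 <-> OpenWrt tunnel (added example)."""
import ipaddress


def conn_sections(name, left, left_subnets, right, right_subnets):
    """Return one conn stanza per (leftsubnet, rightsubnet) pair.

    OpenSwan 2.4 negotiates one selector pair per conn, so a site with
    several subnets needs a separate conn for each combination.  leftid and
    rightid are set to the public IPs, which ISA 2006 insists on.
    """
    left_ip = ipaddress.ip_address(left)      # ValueError on a typo
    right_ip = ipaddress.ip_address(right)
    sections = []
    for i, ls in enumerate(left_subnets):
        for j, rs in enumerate(right_subnets):
            # strict=True rejects subnets with host bits set (e.g. 10.1.1.5/24)
            ls_net = ipaddress.ip_network(ls, strict=True)
            rs_net = ipaddress.ip_network(rs, strict=True)
            body = [
                "authby=secret",
                "esp=3des-sha1",
                "ike=3des-sha1",
                f"leftid={left_ip}",
                f"left={left_ip}",
                f"leftsubnet={ls_net}",
                "leftnexthop=%defaultroute",
                f"rightid={right_ip}",
                f"right={right_ip}",
                f"rightsubnet={rs_net}",
                "rightnexthop=%defaultroute",
                "pfs=yes",
                "ikelifetime=1h",
                "keylife=1h",
                "rekey=no",
                "keyingtries=5",
                "auto=start",
            ]
            stanza = [f"conn {name}-{i}-{j}"] + ["    " + kv for kv in body]
            sections.append("\n".join(stanza))
    return sections


def firewall_rules(peer_public_ip, remote_subnets):
    """iptables lines for the OpenWrt end: admit IKE (UDP/500) and ESP from
    the ISA peer, and exempt every remote subnet from NAT.  In the OpenWrt
    0.9 firewall script postrouting_rule is consulted before the MASQUERADE
    rule, so an ACCEPT there keeps tunnel traffic from being rewritten."""
    peer = ipaddress.ip_address(peer_public_ip)
    rules = [
        f"iptables -A input_rule -p esp -s {peer} -j ACCEPT",
        f"iptables -A input_rule -p udp -s {peer} --dport 500 -j ACCEPT",
    ]
    for s in remote_subnets:
        net = ipaddress.ip_network(s, strict=True)
        rules.append(f"iptables -t nat -A postrouting_rule -d {net} -j ACCEPT")
    return rules


if __name__ == "__main__":
    # Constructed sample: ISA with two private subnets, OpenWrt with one.
    isa_ip, wrt_ip = "203.0.113.1", "198.51.100.2"
    isa_subnets = ["10.1.1.0/24", "10.1.2.0/24"]
    wrt_subnets = ["192.168.1.0/24"]
    print("\n\n".join(conn_sections("isa2openwrt", isa_ip, isa_subnets,
                                    wrt_ip, wrt_subnets)))
    print()
    # On the OpenWrt side the "remote" subnets are the ones behind ISA.
    print("\n".join(firewall_rules(isa_ip, isa_subnets)))
```

To reach the peer's public address itself (the second case the post mentions), add it as a /32 to the subnet list; the same stanza shape applies.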

Debugging On ISA 2006 the Log Viewer is pretty helpful; don't forget to check the alerts, too.

On OpenWrt enable syslog to a remote host with

nvram set log_ipaddr=<ip of syslog host>
nvram commit

and Windows Syslog Daemon works well. ipsec.conf needs

config setup
   plutodebug="all"
   ...

or something similar.

Some barely related commands

  • ipkg list_installed
  • ipkg install openswan
  • ipconfig /flushdns

Netgear FM 114P + Vista

Wednesday, March 28th, 2007

Environment Windows Vista, Netgear FM 114P router incl. printer port, HP Deskjet 720C

Problem Printing from Vista using network printing port of FM114P

Solution DON'T install the Windows XP/2000 Netgear drivers. They don't work and mess up your Windows Vista.

You want Unix Print Support from Vista (Control Panel\Programs and Features: Turn Windows features on or off): Print Services\LPR Port Monitor.

Then "Add Local Printer", "Create a new port", select "LPR Port", enter IP address of your router and L1 as the queue name (see FM 114P Reference Guide).

Finally I had to select the appropriate printer driver.

StatWiki moved and Statistische Informationsverarbeitung

Monday, March 26th, 2007

Rejoice with me, as the StatWiki was moved from iceberry (2x 200MHz Pentium Pro) to steamberry (Intel Core 2 Duo E6600, 2.4GHz).

Everything is faster, everything is better.

And I started to do my Statistische Informationsverarbeitung homework. Hopefully next time, it doesn't take 3 hours and is complete.

ISA 2006 vs. MediaWiki and Umlauts

Monday, March 26th, 2007

Story

Just in case: ISA 2006 filters umlauts in URLs by default. As I use umlauts in my page titles in MediaWiki, I just got an HTTP 500 internal server error. The important hint that led to my solution was the mention of HTTPFilter in the error message.

Environment ISA 2006, Web Site Publishing, MediaWiki

Symptom Wiki pages with umlauts don't work.

Reason ISA 2006 filters umlauts in URLs.

Solution Properties of the "Web Publish Rule", Traffic, Filtering: uncheck "Verify normalization" and "Block high bit characters".
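Why a MediaWiki title with an umlaut trips these two checks: MediaWiki puts the UTF-8 title into the URL percent-encoded, so "Übersicht" becomes /wiki/%C3%9Cbersicht, and after the HTTP filter decodes the escapes it sees bytes above 0x7F. The following added example (not part of the original post, and not ISA's code) models the two checks as I understand them from the ISA documentation: "Verify normalization" rejects a URL that still contains escapes after one decoding pass (double encoding), and "Block high bit characters" rejects any decoded byte >= 0x80. Titles and paths below are constructed.

```python
"""Model of the two ISA 2006 HTTP filter URL checks that affect MediaWiki
titles with umlauts (added example; an approximation of the documented
behaviour, not ISA's implementation)."""
from urllib.parse import quote, unquote_to_bytes

BLOCK_NORMALIZATION = "blocked: URL not normalized (double-encoded)"
BLOCK_HIGH_BIT = "blocked: high bit characters in URL"


def mediawiki_title_url(title):
    """Build the /wiki/<title> path the way MediaWiki does: spaces become
    underscores and the UTF-8 title is percent-encoded (assumed form)."""
    return "/wiki/" + quote(title.replace(" ", "_"), safe="/:()")


def http_filter_check(url_path, verify_normalization=True, block_high_bit=True):
    """Return None if the path passes, otherwise the reason it is blocked.

    The two flags mirror the checkboxes on the Web Publishing rule's
    Traffic / Filtering tab; both are on by default in ISA 2006.
    """
    once = unquote_to_bytes(url_path)          # first decoding pass
    if verify_normalization and unquote_to_bytes(once) != once:
        # a second pass still changed something: the URL was double-encoded
        return BLOCK_NORMALIZATION
    if block_high_bit and any(b >= 0x80 for b in once):
        return BLOCK_HIGH_BIT
    return None


if __name__ == "__main__":
    for title in ["Statistische Informationsverarbeitung", "Übersicht"]:
        path = mediawiki_title_url(title)
        print(path, "->", http_filter_check(path) or "ok")
        print(path, "-> (high-bit check off)",
              http_filter_check(path, block_high_bit=False) or "ok")
    # A double-encoded escape is what "Verify normalization" is there to catch.
    print("/wiki/%252E%252E", "->", http_filter_check("/wiki/%252E%252E"))
```

Turning off "Block high bit characters" is what lets umlaut titles through; "Verify normalization" only matters for the umlaut pages if something along the way encodes the percent signs a second time, so consider leaving it on and re-testing before unchecking both.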

StatWiki – R Extension tinkering

Monday, March 26th, 2007

R extensions for MediaWiki are pretty cool

If you run into an error starting with /invalidfont in findfont:

Reason ghostscript-gnu installed

Solution ghostscript-gnu uninstalled, ghostscript-gpl installed

If you want to use output="display" make sure you put a pdf(rpdf) call into your R block (this tells R to write the PDF to the appropriate place).

ISA 2006, Virtual Server 2005, “Publish Web Site” NOT working?

Sunday, March 25th, 2007

Environment ISA 2006 (or 2004), Virtual Server 2005, same machine

Symptom "Publish Web Site" Wizard succeeds, but the Web site is not accessible.

If you want to publish a Web site using the Web Listener on port 80, it simply does not work. I couldn't find an error message - at least there wasn't any in the Event Log. I'm not sure about the Dashboard. But since I used ISA 2006 the first time...

Reason Virtual Server 2005 requires IIS to be installed. IIS installs a Default Web Site that listens on port 80 *surprise*.

Solution Stop the Default Web Site in IIS and you're good to go.

What USE flags are used by a non-installed package?

Sunday, March 25th, 2007

equery uses -a ">=www-apps/wordpress-2.1.2"

Gentoo package unmasking

Sunday, March 25th, 2007

Want to install a masked package? For example:

Add =net-mail/hotwayd-0.8 to /etc/portage/package.unmask

Why isn’t ‘su’ working on gentoo?

Sunday, March 25th, 2007

Because your user needs to be part of the "wheel" group. Append it (-a keeps the existing supplementary groups):

usermod -a -G wheel <username>

being part of the collective!

Saturday, March 24th, 2007

yet another try to do this...