Fedora Security :: Setup IPSEC Encryption Between Two Boxes?
Jun 25, 2011
I have been trying to setup IPSEC encryption between two linux boxes. I have a server application which runs on Linux Box A and a client application which runs on Linux Box B. The client sends the data to server. I have captured wireshark logs at both server and client end. In the wireshark logs I can see that the Box B send ESP packets to the Box A.
But the server Application running at Box A is is not able to get any packets. If I turn the policy off at Box B, Box B sends normal UDP data packets to Box A, but still the Server Application running at box A doesn't get any packets.( Expected behavior since policy at Box A enforces that all packets coming from Box B should be encrypted.)
If I turn the policy off at Box A and Box B both, the server application receives the unencrypted data which is also expected behavior. But when the policy is turned on at both the boxes the encrypted packets reach the Box A but are not delivered to the server application. If anyone has faced such issue please help me to debug this issue. I have attached the ifconfig and policy settings at Box A and Box B for your reference.
View 2 Replies
ADVERTISEMENT
Feb 12, 2011
I've been using IPv6 on my local network and through a Hurricane Electric IPv6 tunnel. I've heard that one of the built in features of IPv6 is encryption, both scrambling the data and authenticating where the traffic came from. I've done some searching and heard of SWAN and Racoon, but some of the stuff I found is old and I would like to know what the easiest/best way to set up IPSEC for IPv6 is.
View 3 Replies
View Related
Mar 22, 2009
I have an encrypted /home partition but would like to set up a guest account for my brother. Obviously, encryption doesn't work so well when you give out the key so what I'd like to do is specify a different, unencrypted location as a home directory for the guest account so he doesn't need access to that partition. Is there a way of doing this?
I've got fedora 10, dual boot with windows, 2 hard drives, 1st is NTFS windows. 2nd is split into a swap, ext3 for the OS, and an encrypted partition for /home.
View 2 Replies
View Related
Oct 19, 2009
When I installed Fedora selected the option to encrypt the hard drive. I want to change the passphrase, is there a way to change the passphrase, or do I have to re-install Fedora?
View 3 Replies
View Related
Jun 17, 2010
1.) I am wondering how to enable the lock to an encrypted partition which has been unlocked, using luks? On boot, I am been asked automatically for the pass phrase to unlock my partitions. After doing a back up, I want lock the encrypted partition again, but I don't know the command?! I umounted the partition but after mounting it again, I was not asked for the pass phrase but had access to my data.
2.) How secure is the default fedora version of luks? Is truecrypt better?
View 2 Replies
View Related
Jan 7, 2010
I want to setup firewall protection with iptables to support IPSec tunnels. That is, the firewall will drop anything from any host if it is not from an established IPSec tunnel. And it will accept anything (any protocols) if it's from an IPSec tunnel.
That is, I need also to open up ping to make ping work. But if I open up icmp, I cannot prevent pings from hosts that's outside my IPSec tunnels. This defeats my purpose.So if my purpose is to allow "anything" within the tunnel and disallow/drop anything outside the IPSec tunnels, how should I setup the iptables rules?
View 3 Replies
View Related
Nov 3, 2010
I've set up two security associations(in and out) on two hosts, and then set up two policies per host that should filter traffic to those SA's. Yet when I try to ping one host from the other I get no response, meaning that the filters on one side work and drop unprotected packets, but both hosts are configured to communicate using ipsec. Can anyone point me in the right direction?
Code:
ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)"
[code]...
View 1 Replies
View Related
Feb 24, 2009
I was trying to install Fedora 9 on my new laptop that came with Win XP. I have selected the option to wipe out all partition and create a default layout with the Encryption option selected. But that installation got stopped on the middle, therefore I have started the installation again. This time it asked for the encryption password as expected but don't know why, its not accepting my password. I am 100% sure that the password is correct but it is not allowing me to enter into the hard disk partition section.
My question is, how do I remove encryption from my hard disk? I don't need to preserve the data, I just need to use my hard disk again. Is there any boot CD that allow us to format encrypted disks without prompting for a password?
View 3 Replies
View Related
Jul 28, 2009
I have currently a file server that runs on Fedora 9, and all other PCs (mostly running Windows XP) access the file server via SAMBA. Everything works perfectly! However, lately a home invasion in my neighborhood got me thinking. If they take my file server, my data is not protected. So, I would like to implement the LUKS partition encryption (/home) which sits on a separate disk. However, I don't quite like the decryption process at boot time. In other words, I would like to wake up the file server (WOL) remotely, and when it's done booting, I would like to log-in using the other PCs and enter the passphrase remotely to decrypt /home. Is this possible using LUKS encryption (i.e., cryptsetup)? If not, what would be another alternative to what I am trying to do using a secure encryption (so that the data is safe from thieves)?
View 4 Replies
View Related
Jul 19, 2010
I'm planning a fresh F13 install, with separate partitions for /boot, /home, /tmp, /, and swap. All but /boot will be logical volumes, and I'd like to encrypt all but boot. If I encrypt the underlying partitions, is there any reason to also encrypt the logical volumes themselves?
my system will be:
HP dv6-3040us Pavillion laptop
AMD Phenon II
4GB DDR3
View 3 Replies
View Related
Jun 14, 2011
I have a computer running Fedora 14 and when I installed it, I chose to encrypt the drive.
I've recently changed the way I have things set up and don't want the encryption any more. From what I've read there is no way to simply and easily remove the encryption, so what I would like to do is input the pass phrase remotely.
so, Is there anyway I can type in the pass phrase remotely, or remove the encryption?
View 2 Replies
View Related
Aug 6, 2010
As part of the project I'm working on, I need to set up a server with IPSec authentication only connections to a large number of low bandwidth clients. I'm making use of the PF_KEY interface to populate the keys on the server and while prototyping things I've found that the initial setup is taking longer than I had expected. At the start of my test, entries are being added to the database at a rate of around 30/second, but as time goes on this is dropping significantly. I ran a test up to around 100k entries and by then the rate had dropped to 10/second. It's key to me that if I reboot my server that the Security Associations can be repopulated in a very short period, so I do genuinely need this to be much faster.
Two questions:
1) Does anyone have any experience of running with a large number of SAs set up, and if so what sort of setup rate did you get?
2) Are there things I can do to speed up the provisioning of these SAs? I'd really like to see a rate in the thousands per second.
We've been doing the prototyping on the 2.6 kernel.
View 1 Replies
View Related
Sep 8, 2010
I like to encrypt my swap and tmp partition with /dev/urandom but it doesn't work. I tried it 100 times and now I have no idea.
Code:
cat /etc/crypttab
swap /dev/sda3 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
cat /etc/fstab
/dev/mapper/swapswapswapdefaults0 0
If I reboot I get the message "/dev/mapper/swap" doesn't exist. It seems, that crypsetup doesn't setting up the encrypted block device. SElinux is in permissive mode.
View 7 Replies
View Related
Feb 25, 2009
How can I track IPsec module's operations? Can I find such a log file or entries in Linux?
View 1 Replies
View Related
Nov 4, 2010
To begin, this is the thread that I always use to set up my Ubuntu boxes for AD authentication:
[URL]
I've had this 10.04 server running for about three months with AD authentication running on it perfect. I have multiple Samba shares that authenticate from AD as well. For some reason, this week it decided to completely stop accepting any authentication from AD.
I checked all of my config files, they are all untouched. I have restarted the machine multiple times. I have unjoined and rejoined the domain on the Ubuntu server. I have no audit failures in my security logs on the domain controller.
Output of /var/log/auth.log whenever I try to log on via an AD user:
Code:
Nov 4 11:58:50 caribbean sshd[1869]: Invalid user justin from 10.3.17.12
Nov 4 11:58:50 caribbean sshd[1869]: Failed none for invalid user justin from 10.3.17.12 port 54738 ssh2
Nov 4 11:58:51 caribbean sshd[1869]: pam_winbind(sshd:auth): getting password
[Code].....
View 2 Replies
View Related
Jun 7, 2011
I am not very security minded...I'm aware of it, and always made sure I had up-to-date overall protection in Windows but firewalls, and the blasted passwords are largely a thorn in my side!When I got my iPhone last year I suddenly discovered password managers & "wallets" to keep all that kind of information in and syncable across different devices. My life got so much easier. Of course now I need to figure out encryption keys, and how they work (I'm clueless). I also need to find a program or system that I can move my existing low-tech info (mailnly user name & passwords) that will also accomodate the increased needs of Ubuntu security and still be sync-able. I started a little research weeks ago, but my current "wallet" only exports .csv so I quit since I'm going to have to do a lot of data entry whatever I go with.So here goes:
1) what is the difference (bare bones) between using an encryption key (e.k.) vs. a standard user created password? what situations are better suited for e.k.?
2) I have seahorse (default intall with Ubuntu I guess) but the only thing in it is Login under passwords which leads to a login keyring (?) and a drop-down list of about 6-10 of the gazillon passwords I use daily. The other tabs are for keys which I don't have any concept of.
3) I know FF also "remembers" user id & passwords as you choose to have it do so. Is that information transferable into seahorse or another program?
4)I'm also (today) getting ready to really set up my system for user names & security across my little home network. How can I integrate that into whichever program/app I go with to store my pwds and keys?
5)give me links to fairly current documentation on this stuff?
6) Any program/app recommendations.Pros/cons uses, what they can & can't do or be used for, etc.
View 9 Replies
View Related
Feb 7, 2011
i am not able to set up a crossover connection between 2 CENTOS 5.5 boxes.
View 4 Replies
View Related
Dec 23, 2010
I am building an active directory and using BIND9 as my DNS. To allow for secure dynamic updates from the domain, I am enabling GSS-TSIG as detailed here and here. Unfortunately, some of the commands and configurations used here seem to be depreciated, at least in the newer versions that I'm using. My issue is one of keytab encryption. I generated a keytab using ktpass.exe on the Windows Server 2008 domain controller. I have tried DES/MD5, AES128/SHA1 and AES256/SHA1, each have been turned down by ktutil on the kerberos server (FreeBSD). Each time, it outputs the following error: ktutil: AES256/SHA1*: encryption type AES256/SHA1* not supported *Respective to encryption used.
I cannot find a list of suitable encryption schemes that ktutil will accept. The FreeBSD handbook details a means of producing a keytab file, but I'm not sure how to configure the Domain Controller to use the keytab.
View 1 Replies
View Related
Jul 7, 2010
I followed [URL]..to set up my wireless network with WPA2 encryption. It works now and knemo says:Encryption: active. However, "iwconfig wlan0" says Encrytion key: off:
Code:
wlan0 IEEE 802.11abgn ESSID:"blitz"
Mode:Managed Frequency:2.472 GHz Access Point: 00:25:9C:DE:D3:7D
Bit Rate=0 kb/s Tx-Power=15 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
[Code]...
So is there anything wrong with that "Encryption key: off" statement? I suspect that encryption key only applies to WEP, but not to WPA2 encryption, but I am not sure. So my question is, can I ignore that statement and assume that my encryption is fine?
Besides, where does knemo read the information about encryption from? As I mentioned, knemo detects that the encryption is active. Are there any other commands to make sure that my encryption is safe and well?
View 7 Replies
View Related
Feb 8, 2010
Could anyone point me to some simple articles that explain what email encryption is and how to set up a mail server (e.g. Exim) that can send secure emails? I know nothing about networks, mail servers, encryption, etc., but I have to be an expert on it before I walk into work tomorrow morning.
View 14 Replies
View Related
Jun 14, 2010
i have found this xor encryption program
Code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_SIZE 256
[code]....
Its working fine, it can encrypt and decrypt. but how strong is it ? is it all depending on the specified key ?
View 5 Replies
View Related
Feb 20, 2011
I am looking for some software (not Tryecrypt) where I can just right click a file and it will encrypt it for me. It would be nice to unencrypt on Windows but not essential.
View 3 Replies
View Related
Mar 11, 2011
Is it possible to have two passwords associated with one account, one that is the actual one, and another one, a duress password, that upon entering gives a similar (desktop) environment with "decoy data"?
The idea is to have the bogus password go to an encrypted home drive that looks as if it were the real deal, but it is wiping particular sensitive (encrypted) data that is visible only with the real password in the background, so that the actual data that need to be protected are not compromised. While the person who unlocked the computer tries to find the information on it between all the rubbish files, the real files are securely wiped. The files are very sensitive in nature, so it's better to have then destroyed than have unauthorized people access them, in the event of that happening.
I happen to know that TrueCrypt has a similar option but that requires an entire decoy operating system (and I think that might be a bit conspicuous), but is there a native linux way to do it?
View 1 Replies
View Related
Mar 18, 2011
When you install sshd and run it with no modifications, then any other machine can connect to your machine without specifying a key. How does this work? Some key is being used, correct? how does the client know what private key to use?
View 14 Replies
View Related
Jan 8, 2010
When 10.04 is released I'll encrypt my /home partition using luks. I've read that xts is good for hard drive encryption and aes is good for cipher encryption. I'm looking for something that is fairly secure without sacrificing a lot of speed.
View 2 Replies
View Related
Aug 3, 2010
I want to create an encrypted directory using the cfs package. So far I've only been able to create the top directory. When I want to attach an encrypted directory using
Code:
cattach directory1 directory2
get the following message in command line:
Code:
RPC: unable to receive
When i look into my /crypt directory, nothing was added there. I have no idea what could be the problem. I use Ubuntu 10.04 LTS.
View 1 Replies
View Related
Aug 3, 2010
I am currently running 8.10 with full-disk (excluding /boot) encryption. I am going to be installing 10.04 on a new laptop, and I was wondering whether it supports multi-factor authentication. Specifically, I would like to have a keyfile on USB/SD memory that is required, in addition to the password, to decrypt the disk. Anyone know of a guide out there? So far my searches have turned up nil.
View 9 Replies
View Related
Sep 5, 2010
i have installed a ubuntu 10.04 (mini iso) w/ option of root encryption. Now i need to boot without ask for passphrase, but im trying to add a luks keyfile without success.i want to use a keyfile in the /boot partition or inside the initrd (cant be in external pendrive), but ubuntu aparently dont accept a keyfile in /boot or initrd file. I know, this way isnt very security, but i just need a basic encryption.So, how to force the use of a keyfile in /boot or inside the initrd for a crypt root partition?
View 5 Replies
View Related
Oct 17, 2010
I've been using GPG keys for about a year now to send encrypted emails to family. But now I want to try and understand more, mainly on signing keys. I've read a ton of stuff, but not fully grasping the concept. So I thought I'd check my understanding people here. Please let me know if I'm wrong on something.
Signing keys seems to be just signing someone else's public key with my private(public??) key. Does that mean I don't sign my own keys? Or should I? There seem to be lots of keyservers out there, mainly I keep hearing about the MIT one and the ubuntu keyserver. Does it matter where I upload my public key? Somewhere I read that once you upload it once, it will slowly make its way to other servers. How is that possible. If someone signs my key on one server, will that also get pushed to other servers?
View 6 Replies
View Related
Mar 7, 2011
I've read that blowfish encryption is much faster and still safe enough to transfer files between hosts.What's the default encryption used by openSSH? (if not already blowfish)
View 2 Replies
View Related
