Security :: Ipsec Not Working Between Two Hosts?
Nov 3, 2010
I've set up two security associations(in and out) on two hosts, and then set up two policies per host that should filter traffic to those SA's. Yet when I try to ping one host from the other I get no response, meaning that the filters on one side work and drop unprotected packets, but both hosts are configured to communicate using ipsec. Can anyone point me in the right direction?
Code:
ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)"
[code]...
View 1 Replies
ADVERTISEMENT
May 2, 2011
I'm trying to use ssh-keyscan to get some known_host file population going on, but I have a ton of hosts I want to scan, all with multiple aliases in /etc/hosts. Is there a way to use my current /etc/hosts file to do an ssh-keyscan instead of making a special list of hosts that (from what I've read) ssh-keyscan needs?
View 2 Replies
View Related
May 16, 2011
I just set up denyhosts and it worked properly the first time adding lots of ips to the hosts.deny.I then set it to run every 12 hours noon and midnight.I wanted to see if ran properly and I got all this.Does it look like its working?
Code:
May 15 12:00:01 hyrule CRON[14286]: (root) CMD (python /usr/share/denyhosts/denyhosts_ctl.py -c /usr/share/denyhosts/denyhosts.cfg )
[code]...
View 4 Replies
View Related
Oct 28, 2010
I am using denyhosts on a server so in a config file/etc/denyhosts.confthe following value is setQuote:DENY_THRESHOLD_INVALID = 3which as per their configuration file saysQuote:
DENY_THRESHOLD_INVALID: block each host after the number of failed login
# attempts has exceeded this value. This value applies to invalid
# user login attempts (eg. non-existent user accounts)
[code]...
View 1 Replies
View Related
Jan 7, 2010
I want to setup firewall protection with iptables to support IPSec tunnels. That is, the firewall will drop anything from any host if it is not from an established IPSec tunnel. And it will accept anything (any protocols) if it's from an IPSec tunnel.
That is, I need also to open up ping to make ping work. But if I open up icmp, I cannot prevent pings from hosts that's outside my IPSec tunnels. This defeats my purpose.So if my purpose is to allow "anything" within the tunnel and disallow/drop anything outside the IPSec tunnels, how should I setup the iptables rules?
View 3 Replies
View Related
Aug 6, 2010
As part of the project I'm working on, I need to set up a server with IPSec authentication only connections to a large number of low bandwidth clients. I'm making use of the PF_KEY interface to populate the keys on the server and while prototyping things I've found that the initial setup is taking longer than I had expected. At the start of my test, entries are being added to the database at a rate of around 30/second, but as time goes on this is dropping significantly. I ran a test up to around 100k entries and by then the rate had dropped to 10/second. It's key to me that if I reboot my server that the Security Associations can be repopulated in a very short period, so I do genuinely need this to be much faster.
Two questions:
1) Does anyone have any experience of running with a large number of SAs set up, and if so what sort of setup rate did you get?
2) Are there things I can do to speed up the provisioning of these SAs? I'd really like to see a rate in the thousands per second.
We've been doing the prototyping on the 2.6 kernel.
View 1 Replies
View Related
Jun 25, 2011
I have been trying to setup IPSEC encryption between two linux boxes. I have a server application which runs on Linux Box A and a client application which runs on Linux Box B. The client sends the data to server. I have captured wireshark logs at both server and client end. In the wireshark logs I can see that the Box B send ESP packets to the Box A.
But the server Application running at Box A is is not able to get any packets. If I turn the policy off at Box B, Box B sends normal UDP data packets to Box A, but still the Server Application running at box A doesn't get any packets.( Expected behavior since policy at Box A enforces that all packets coming from Box B should be encrypted.)
If I turn the policy off at Box A and Box B both, the server application receives the unencrypted data which is also expected behavior. But when the policy is turned on at both the boxes the encrypted packets reach the Box A but are not delivered to the server application. If anyone has faced such issue please help me to debug this issue. I have attached the ifconfig and policy settings at Box A and Box B for your reference.
View 2 Replies
View Related
Feb 25, 2009
How can I track IPsec module's operations? Can I find such a log file or entries in Linux?
View 1 Replies
View Related
May 30, 2011
I found this IP address in my hosts.allowQuote:ALL: 119.42.68.232I cannot find any other evidence of intrusion.
View 4 Replies
View Related
Sep 7, 2010
I just downloaded the DenyHosts2.6python2.5.rpm for deny.hosts from sourceforge and would like to set it up. I normally use fish://, smb:// and ftp:// on the boxes on my lan. I already have files called hosts.allow and hosts.deny in the /etc folder. Will the rpm configure hosts.deny when first run?
View 1 Replies
View Related
Jan 18, 2010
I'm having troubles trying to understand this problem:my homeserver until yesterday had a public IP, staying on network, with sshd running and all was fine;this evening I changed the IP, giving it a local lan address, and what happened if I tried to connect to it by ssh?I got an error about "Connection closed by remote host". Google helped me finding that was regarded to hosts.deny file, that was actually containing a lineALL:ALLthat I commented, and all was fine.My question is: why the hosts.deny (that has never changed) was observed only with the local IP?I tried to switch back to the public IP and leaving ALL:ALL, and it did connect without any problem
View 1 Replies
View Related
Oct 21, 2010
I could not find any where the documentation the only best which I got was [URL]
My question is the following blog says to remove an IP from /etc/hosts.deny which denyhost has blocked
[URL] you need to have a directory /usr/share/denyhosts/data I do not find any such directory
Also when I tried to check tcp wrapper configuration as given here
[URL]
tcpdchk -v Cannot find your inetd.conf or tlid.conf file. Please specify its location.
what does the above output mean? How do I make sure denyhosts is doing its job?
View 2 Replies
View Related
Sep 2, 2010
Is there a 'plugin' for wireshark to analyze traffic and spot infected (windows) hosts? I have been using nepenthes with no luck. (and doubt all hosts are clean) is there some better way (other than using antivirus on each host)?
View 10 Replies
View Related
May 29, 2010
I have set up SSH and redirected the ssh server to listen on another port other than 22 for a bit of added security.
Now in hosts.deny I have:
ALL : ALL
In hosts.allow I have:
SSH : ip_address_of_client
I can no longer connect. I get the message: ssh_exchange_identification: Connection closed by remote host.
When I change hosts.allow to read:
ALL : ip_address_of_client
I can successfully connect the server.
However, I only want to allow SSH access in hosts.allow. What is the correct syntax?
I have tried and failed with each one of these:
SSH : ip_address:port_number
SSH2 : ipaddress
sshfwd-portnumber : ip_address_of_client
View 2 Replies
View Related
May 8, 2010
I'm running vanilla SuSE 11.1 on a vanilla server with Webmin 1.51 and Apache 2.2.
For a month now, I've been trying to get virtual hosts to work with Webmin without success. When I browse for the second site, I continually come up with the default host site.
just forget Webmin and modify the httpd.conf file directly. That defeats the purpose of trying to use Webmin.
View 9 Replies
View Related
Apr 20, 2010
Some time throughout the night last night eth0 stopped working entirely, I could not resolve dns or any thing. Oddly though eth0:1 and eth0:2 worked perfectly with a ping -c 10 -I eth0:2 xxx.xxx.xxx.xxx but still could not resolve domain names. My nameservers are good as i have tested them on my other machine. My setup had been working fine for quitte some time and i did not make any changes besides updating webpages, it is a server running Debian Lenny. Unfortunatly since eth0:1 was working for the most part i was trying to change the IP's in the config and accidentally killed the settings using webmin so I cant post to many details at the moment until my host for the dedicated gets my /etc/network/interfaces restored but in the meantime i have searched all over google to try to find an answer to the original problem but cannot so i would like to prepared for when the server is accessible again.
View 2 Replies
View Related
Aug 17, 2011
Well, as many proxy applications, GNOME Network Proxy Preferences only allow to ignore hosts. What I want to do is exactly the opposite. I only want to use the proxy for few sites. Is it possible to define only the allowed hosts in any way?
PS: I know FoxyProxy add-on for Firefox does this, but 1)I don't use Firefox and 2)I want the proxy settings system wide not only for browser.
View 9 Replies
View Related
Jan 2, 2011
Something is definitely odd here:Quote:
[rena@mercury:~ 500]
$ hostname
mercury
[code]....
View 9 Replies
View Related
Jan 26, 2011
Probably an easy (which means stoopid) question...I am trying to reroute a website using my hosts file so that it matches my servers certificate file for testing without effect dns and the live site.When I went to edit my /etc/hosts file it is non-existent. I have, I am assuming in it's place, hosts.allow and hosts.deny. Can anyone explain why I do not have a hosts file?
View 1 Replies
View Related
Jan 21, 2011
Is it fair to say that connLimit and hashlimit are very similiar on Linux i.e. while hashlimit caters to limits for groups of ports, they both set the connection rate limit per host? How in IPTables, do I configure a policy that limits connections on a port that encapsulates the total sum of all connections from all hosts? i.e. I do not want to allow more than 6000conn/minute for port range that is the sum of all connecting hosts?
View 3 Replies
View Related
May 15, 2010
I am getting a warning from /etc/hosts.deny
Code:
ALL: 192.168.1.3
ALL: 172.68.11.204
[code]...
View 14 Replies
View Related
Jan 17, 2011
[Code]....
What I want: multiple virtual hosts with ssl and only 1 ip address: In my example: server = 192.168.227.129
[Code]....
View 9 Replies
View Related
Aug 24, 2010
I have an IPsec VPN between 2 Ubuntu 10.04.1 Boxes which is working perfectly. However I cannot get any traffic to route down the VPN link.Interestingly, when checking the routing table, there isn't even a route list for the remote network. This is the same on both sides. Also there isn't an ipsec0 interface listed either.However, when a the command "sudo service ipsec status" is ran, it definately shows the tunnel is up and connected.
View 1 Replies
View Related
Sep 9, 2010
I install openswan on rhel6 and when i execute the command "service ipsec start "
it say:
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: Openswan IPsec apparently already active, start aborted
[Code].....
View 1 Replies
View Related
Feb 17, 2010
I am getting this error when I try to bring up IPSec Tunnel.Starting connection with command /usr/sbin/ipsec auto --up 'paycode-to-vivacom' ..
104 "paycode-to-vivacom" #7: STATE_MAIN_I1: initiate
003 "paycode-to-vivacom" #7: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
003 "paycode-to-vivacom" #7: ignoring Vendor ID payload [FRAGMENTATION c0000000]
[code]....
View 3 Replies
View Related
Jul 21, 2009
I'm trying to perform a VPN lan to lan IPSEC connection. By my side, I have a server with 2 IP's, i.j.k.l (destined to act as a VPN gateway) and i.j.k.m (the server). I am a newbie. I don't know if this configuration is normal, but it's forced by our partner.
My configuration is:
OS: Fedora release 7 (Moonshine)
OpenSWAN version: Linux Openswan U2.4.7/K2.6.23.17-88.fc7 (netkey)
ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
[Code]...
View 3 Replies
View Related
Feb 12, 2011
I've been using IPv6 on my local network and through a Hurricane Electric IPv6 tunnel. I've heard that one of the built in features of IPv6 is encryption, both scrambling the data and authenticating where the traffic came from. I've done some searching and heard of SWAN and Racoon, but some of the stuff I found is old and I would like to know what the easiest/best way to set up IPSEC for IPv6 is.
View 3 Replies
View Related
Jun 4, 2010
I had configured IPSEC/L2Tp on my Centos 5.4 gateway machine .For testing i had disabled firewall and Ipsec is working fine.I am able to connect from client etc...Now i want to allow Ipsec and l2tp throught Firewall.here is my Current Working Firewall.Only Openvpn is allowed and is Redirected.
eth0=XXXSTATICIPXXX
eth1=192.168.1.81
OpenVpn IP Range = 172.24.0.16/4
Ipsec Ip Range = 192.168.1.0/24
[Code].....
View 2 Replies
View Related
Jun 4, 2009
i would like to establish a VPN connection which can hold either 'two' hosts..and secondly if that's done i would like to go for more number of users..Can i do it using IPSec services??if yes then how?
View 9 Replies
View Related
Jun 22, 2011
While I successfully configured an IPsec-VPN (I use a similar tho modified setup like this:[URL].. I am now stuck on the next steps. While I can connect to everything I want, I need to configure "access-groups" and/or "users".
The scenario is similar to this: Lets say Host A, B and C allow SSH-Connections and some weird non-standard UDP-Connection from Host-VPN, and are also accessible on other ports with public IP's (like http).
I now want to limit, that an admin-user has access to all of them, while trainee-admin only can access everything on Host B and C, and CEO only can connect via telnet to Host C - and all users can be roadwarriors
(I made this example up to give you an idea what i'm trying to do - hope it makes sense). Now my question is, if someone can point me towards a direction, as I'm quite clueless at the current moment as to what to try. I know that commercial IPsec-Implementations can do this, but can OpenSWAN/... give me something similar?
View 1 Replies
View Related
