Ubuntu Servers :: Lost Going Through IPsec Documentation?
Jun 15, 2011
So I need to make an IPsec VPN. I've been told to use Shrew Soft. But I'm completely lost on where to begin. I've gone through the documentation and stuff but I have no idea what to do next.
I can't find anything on the site about how to install or configure the Shrew Soft shizzle. The only thing I could use is something about ipsec-tools, because all the rest is using a graphical interface (which ofc I'm not seeing, as I'm using a server edition).
I successfully configured a VPN using IPsec (Openswan) and xl2tpd while roughly following this guide (among countless others): [URL]
The VPN-Connection works fine, connecting to it is also a swirl, I can reach all that I want in the network, and also the gateway to the Internet works - everything being routed through that VPN.
Now my problem is actually the next steps, and I didn't succeed in finding the right result in any possible search:
a) I want to limit the VPN connection so that it is only used for distinct connections to hosts that aren't in a "company subnet" but whose IPs are publicly available. (Example: the target IP 8.8.8.8 allows, per iptables, that only my VPN host 1.2.3.4 accesses it via SSH, and thus I can only access that target IP via SSH when I'm on the VPN.) When actually browsing to the Ubuntu website, I want NOT the VPN connection to be used but rather my normal connection (as a reference: I'm on a Windows client - not my choice, btw).
b) I want to have several such "limitations" grouped, and give users 'access rights' to certain hosts. (Examples: Admin gets access to all hosts on all ports; Testers get access to some machines on distinct ports; CEO gets access only to the mail server via POP3 or IMAP.)
I'm setting up BackupPC for backing up over FTP. I have been following this guide: [URL]. The difference is I need to use FTP to back up as opposed to ssh / rsync. I have followed the guide and instead of using
Code: $Conf{XferMethod} = 'rsync';
I am using
Code: $Conf{XferMethod} = 'ftp';
as per: http://backuppc.sourceforge.net/faq/BackupPC.html
[Code]...
For Linux/Unix machines you should not back up "/proc". This directory contains a variety of files that look like regular files but they are special files that don't need to be backed up (eg: /proc/kcore is a regular file that contains physical memory). See $Conf{BackupFilesExclude}. It is safe to back up /dev since it contains mostly character-special and block-special files, which are correctly handled by BackupPC (eg: backing up /dev/hda5 just saves the block-special file information, not the contents of the disk).
Alternatively, rather than backup all the file systems as a single share ("/"), it is easier to restore a single file system if you backup each file system separately. To do this you should list each file system mount point in $Conf{TarShareName} or $Conf{RsyncShareName}, and add the --one-file-system option to $Conf{TarClientCmd} or $Conf{RsyncArgs}. In this case there is no need to exclude /proc explicitly since it looks like a different file system.
Next you should decide whether to run tar over ssh, rsh or nfs. Ssh is the preferred method. Rsh is not secure and therefore not recommended. Nfs will work, but you need to make sure that the BackupPC user (running on the server) has sufficient permissions to read all the files below the nfs mount.
Ssh allows BackupPC to run as a privileged user on the client (eg: root), since it needs sufficient permissions to read all the backup files. Ssh is set up so that BackupPC on the server (an otherwise low-privileged user) can ssh as root on the client without being prompted for a password. There are two common versions of ssh: v1 and v2. Here are some instructions for one way to set up ssh. (Check which version of SSH you have by typing "ssh" or "man ssh".) Everything seems to be working correctly except when a backup is executed I get this:
At the office we have a Firewall/VPN infrastructure. Everybody connects to the internet through an access point (Linksys RWT120N), which, in turn, connects to a WatchGuard Firebox red box. I suppose this is the equipment that does the VPN stuff. Finally, the red box connects to a DSL modem from our ISP. The problem is: everybody in the office can connect to the AP and surf the internet without any issues, except me when I connect with Ubuntu 10.10. I have Windows on the same machine and I can access the internet without problems.
What I have seen so far is that Network Manager associates with the AP and gets what I would consider all the expected information from DHCP, but internet connectivity is none. By "expected information from DHCP" I mean: IP address, gateway, and DNS. I can ping my assigned IP address, the gateway and even other machines in the same network. I cannot ping the DNS or other external IP addresses.
I know it all sounds weird but I've been searching Google so much now.. Look, the setup is kinda straightforward. We have a test server for websites. This server has a LAMP server configured. Now I have a website in the Apache www folder. From here on everything works fine on http://localhost or 127.0.1.1 etc etc. Also I have configured virtual hosts, so we can have a live environment but it's actually a test environment.
Now I try to connect through the LAN network! So I go to my Windows client and enter in the browser: http://(serverip+port) and also tried http://(serverip). When I do this I get a 403 forbidden access. I solved that problem by deleting a line in the apache2.conf that was called: virtualHost xxx.xxx.xxx.xx:xx
Now he's loading the page but says he can't connect to 127.0.1.1. Anyone know a solution? (Sorry for my bad grammar btw.)
I'm quite new to SSH tunneling but I now want to make one of my machines at home accessible to my LAN network here. I used the following command to make it available through 127.0.0.1:5555 (lo interface):
ssh -L 5555:192.168.0.15:80 me@xx.xx.xx.xx -N
Now I want to make it available on eth0 at 192.168.1.40:5555. How do I do this?
I have two NICs: one is Ethernet and the second is via modem. On eth0, most non-standard ports are blocked, so I need to connect to a specified port on some IP through ppp0 (modem), to use an SSH connection on a non-standard port to that IP. For other ports on that IP and all other IPs I want to use eth0.
It seems that the secret way to manage sourceforge.net files without pain and blood is not revealed yet! I uploaded some files in my SourceForge project named blackwar. I want to connect to my project's folder on sourceforge.net using FileZilla or gFTP. I want to see my files there and manage them.
I have a Lenovo SL500 with Ubuntu 10.10. Also I have installed the latest GeForce 9300M GS drivers from the NVIDIA site. NVTV is also installed. When I want to connect to an LG 32LE4500 through HDMI I get a "no signal" message. I tried to configure it with nvidia-settings but no positive results. Also I have tried with a bigger SAMSUNG screen but no results... Am I doing something wrong? Or is this a problem with NVIDIA (or Ubuntu) HDMI support? If it is, where can I find information on when there will be better support for HDMI with NVIDIA and Ubuntu?
I was using Ubuntu 9.10 and was using FireFTP (Firefox plugin) to do some FTP operations. Then I noticed Firefox was frozen, so I rebooted my PC by switching off the power (restart doesn't work). When I turned it back on again, no GUI anymore. I was taken to the tty1 login command.
I want to access my Samba shares index (or contents) through HTTP, something like this: [URL]. I read something about aliases... I wrote this in the httpd.conf:
I just restarted my server (Ubuntu 9.04 Server, running on ESXi 4.0) and while copying files onto the server using Samba I got strange problems and the connection was lost. When I rebooted the total system, so ESXi as well as Ubuntu Server, I found problems on my RAID disk.
In the directory where the new files were added I have a lot of files, but a lot of them do not have any info except their name:
Both mirror disks are still functioning and I can still add/delete files from the server, from other Linux systems and from other Windows systems via Samba.
I upgraded my Edubuntu 10.10 LTSP server to 11.04 and I've lost my network. The server boots fine but none of the workstations connect. They start the boot process but hang up as it starts to load the GUI. The screen on which the computers hang displays Ubuntu 10.10. Do I have to manually update the LTSP image?
We have a small network consisting of 5 servers, providing SSH for several groups of users. We want the users (e.g., me) to be able to log in to any of the servers with their own account. So, we define the user accounts on a server that runs the NIS service, and configure all the other servers as NIS clients. We also defined several groups for different user groups, so some users belong to several groups. All the user information is populated by NIS. This setup is working in Ubuntu 8.04, AMD64.
Now I have upgraded the servers to Ubuntu 10.04 64-bit. The problem is, now if I log in to one of the NIS client servers using SSH, my group membership is lost. However, when I log in directly on the server, the group membership is retained. For example, in the /etc/group file, I defined the user tliu as a member of the awww group:
Running Ubuntu headless server 9.10 with a RAID 1 on ext3. After a power failure (UPS power button was hit accidentally), I logged into the system via ssh and found that I had lost all data since my last reboot, which was 4 months ago. It was as if I had a perfect snapshot of my machine from 4 months ago. Everything, database files, logs, all report as if the machine had been off for 4 months. Fortunately, I have quality backups of all my data so I am able to recover, but I have never had such a problem before and I cannot figure out what happened.
I recently installed Ubuntu Server 10.04.2 and configured it to be used as a network storage device. I installed it on an 80GB HDD initially. Everything was fine -- I could read and write to the drive and I could set permissions from my Windows XP machine. I decided I wanted a bigger HDD. It had taken a few hours of configuration to get it to work the first time, so I didn't want to go through that again. I instead created a clone with Clonezilla and then slapped the image onto a 1.5TB drive. I then used gparted to resize the partitions.
Everything seems fine from the server side of things (I'm fairly new to it, so I could be missing something, but it all looks good). The server correctly sees that I am using 2-3GB of the 1.5TB drive. It sees the rest of the space as free and part of the primary partition. Here comes the problem -- Windows isn't reading the drive space correctly. It sees that 80GB of the space is taken (the size of the original HDD) instead of 2-3GB. I'm not sure if it will actually let me write to the space or not. But whether the reading is simply cosmetic or if Windows really thinks it's taken, I would like to fix it either way.
I have a problem with a few up-to-date installations of CentOS 5.5. I have lost all md (software RAID) devices on them at some point in the past. They were working ok.
Now the 2 disks are seen as two separate disks, with no link between them.
I've been using IPv6 on my local network and through a Hurricane Electric IPv6 tunnel. I've heard that one of the built in features of IPv6 is encryption, both scrambling the data and authenticating where the traffic came from. I've done some searching and heard of SWAN and Racoon, but some of the stuff I found is old and I would like to know what the easiest/best way to set up IPSEC for IPv6 is.
I have installed FC13 on my laptop and set it up as a development server. Here is my issue: when passing a variable from one page to the next it gets lost. My PHP includes work; the DB connect string works from the include.
I have a weird problem here with a 9.04 server. We have a RAID 5 disk formatted in ext4 which remounted automatically when we accessed the lost+found folder, which is in the root of that disk.
I tried to delete it but I can't. It's a bit annoying because I have to prevent all users and backups from accessing that folder.
I have an IPsec VPN between 2 Ubuntu 10.04.1 boxes which is working perfectly. However I cannot get any traffic to route down the VPN link. Interestingly, when checking the routing table, there isn't even a route listed for the remote network. This is the same on both sides. Also there isn't an ipsec0 interface listed either. However, when the command "sudo service ipsec status" is run, it definitely shows the tunnel is up and connected.
I installed Openswan on RHEL 6 and when I execute the command "service ipsec start"
it says:
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: Openswan IPsec apparently already active, start aborted
I want to set up firewall protection with iptables to support IPsec tunnels. That is, the firewall will drop anything from any host if it is not from an established IPsec tunnel, and it will accept anything (any protocol) if it's from an IPsec tunnel.
That is, I also need to open up ping to make ping work. But if I open up ICMP, I cannot prevent pings from hosts that are outside my IPsec tunnels. This defeats my purpose. So if my purpose is to allow "anything" within the tunnel and disallow/drop anything outside the IPsec tunnels, how should I set up the iptables rules?
I've set up two security associations (in and out) on two hosts, and then set up two policies per host that should filter traffic to those SAs. Yet when I try to ping one host from the other I get no response, meaning that the filters on one side work and drop unprotected packets, but both hosts are configured to communicate using IPsec. Can anyone point me in the right direction?
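One way to express that rule set, written here as an added example for the question above and not taken from the thread: the iptables policy match (xt_policy) accepts only packets the kernel has just decapsulated from an IPsec SA, so ICMP from a tunnel peer gets through without ICMP being opened to everyone else. The interface name eth0 is an assumption; the script prints the rules by default and only runs them when APPLY=1.

```shell
#!/bin/sh
# Added example: INPUT rules that accept only traffic arriving through an
# IPsec SA, plus the IKE/ESP packets needed to build the SA in the first place.
# Prints the rules by default; set APPLY=1 to execute them (as root).

# ipsec_only_rules IFACE - IFACE is the interface facing the tunnel peers
# (eth0 below is an assumed name, not taken from the thread).
ipsec_only_rules() {
    iface=$1
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
# IKE (500/udp), IKE with NAT traversal (4500/udp) and ESP itself must be
# reachable, or the tunnel can never be negotiated.
iptables -A INPUT -i $iface -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $iface -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $iface -p esp -j ACCEPT
# Everything that came out of an ESP SA (ICMP, SSH, anything) is accepted;
# the same packet types in the clear fall through to the default DROP.
iptables -A INPUT -i $iface -m policy --dir in --pol ipsec --proto esp -j ACCEPT
# Log what is about to be dropped so cleartext probes show up in syslog.
iptables -A INPUT -j LOG --log-prefix "non-ipsec drop: "
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    ipsec_only_rules "${IFACE:-eth0}" | sh
else
    ipsec_only_rules "${IFACE:-eth0}"
fi
```

The rules cover INPUT only, i.e. traffic to the firewall host itself; the same `-m policy --dir in --pol ipsec` match works in FORWARD for traffic the host relays. Apply it from the console or from a session that already runs inside the tunnel, because a cleartext SSH session is cut off by the default DROP policy.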
Code: ip xfrm state add src 192.168.77.23 dst 192.168.77.24 proto esp spi 0x53fa0fdd mode transport reqid 16386 replay-window 32 auth "hmac(sha1)"
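To show why the two hosts have to carry mirror-image state and policy entries, here is an added example (not the poster's configuration) that generates the complete ip xfrm command set for a manually keyed, transport-mode ESP pair between the two addresses in the post. The SPI 0x53fa0fdd and reqid 16386 come from the post; the return-direction SPI, the AES key and the HMAC key are constructed placeholders. Each host needs one SA and one policy per direction, and host A's outbound SPI must be host B's inbound SPI; a ping that is silently dropped on one side commonly means one of those four entries is missing or does not match its twin.

```shell
#!/bin/sh
# Added example: emit the ip xfrm commands for a manually keyed, transport-mode
# ESP pair between two hosts. Only the addresses, SPI 0x53fa0fdd and reqid
# 16386 come from the post; the keys and the second SPI are constructed
# placeholders. Generate fresh random keys for any real deployment.
A=192.168.77.23
B=192.168.77.24
SPI_A2B=0x53fa0fdd                                    # protects A -> B (from the post)
SPI_B2A=0x53fa0fde                                    # protects B -> A (constructed)
AUTH_KEY=0x0102030405060708090a0b0c0d0e0f1011121314   # 20-byte hmac(sha1) key (constructed)
ENC_KEY=0x00112233445566778899aabbccddeeff            # 16-byte cbc(aes) key (constructed)
REQID=16386

# xfrm_cmds ME PEER SPI_OUT SPI_IN: commands for one host. The SA that is
# "out" on this host is exactly the SA the peer installs as "in", so the SPI
# arguments are swapped when generating the peer's commands.
xfrm_cmds() {
    me=$1 peer=$2 spi_out=$3 spi_in=$4
    cat <<EOF
ip xfrm state flush
ip xfrm policy flush
# outbound SA ($me -> $peer) and the policy that selects it
ip xfrm state add src $me dst $peer proto esp spi $spi_out mode transport reqid $REQID replay-window 32 auth "hmac(sha1)" $AUTH_KEY enc "cbc(aes)" $ENC_KEY
ip xfrm policy add src $me dst $peer dir out tmpl src $me dst $peer proto esp reqid $REQID mode transport
# inbound SA ($peer -> $me) and the policy that requires it
ip xfrm state add src $peer dst $me proto esp spi $spi_in mode transport reqid $REQID replay-window 32 auth "hmac(sha1)" $AUTH_KEY enc "cbc(aes)" $ENC_KEY
ip xfrm policy add src $peer dst $me dir in tmpl src $peer dst $me proto esp reqid $REQID mode transport
EOF
}

host_a_cmds() { xfrm_cmds "$A" "$B" "$SPI_A2B" "$SPI_B2A"; }
host_b_cmds() { xfrm_cmds "$B" "$A" "$SPI_B2A" "$SPI_A2B"; }

# sa_line CMDS SRC DST: print the state line for SRC->DST from a generated
# command set, so the two hosts' view of each SA can be compared.
sa_line() { printf '%s\n' "$1" | grep "^ip xfrm state add src $2 dst $3 "; }

case "${ROLE:-print}" in
    a) host_a_cmds | sh ;;          # run on host A as root
    b) host_b_cmds | sh ;;          # run on host B as root
    *) echo "# host A"; host_a_cmds; echo "# host B"; host_b_cmds ;;
esac
```

Run it with no arguments to see both command sets side by side; the state line for A -> B must be byte-for-byte identical on both hosts, and likewise for B -> A. After applying, `ip xfrm state` and `ip xfrm policy` on each host should each list two entries, and a mismatch in SPI, key or reqid shows up as ESP packets arriving but being dropped before the ping reply is ever generated.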
Maybe the most stupid question you guys ever heard, but I do not find the solution. Now that I have access on the netbook I would like to share a folder on my desktop computer so I can access it with the netbook when I'm in the bedroom (movie folder). But how do I share a folder in Fedora 15?
Username and password are the same on the desktop computer and the netbook. The desktop computer is named koen-pc, the netbook is named koen-net.
I'm trying to perform a VPN LAN-to-LAN IPsec connection. On my side, I have a server with 2 IPs, i.j.k.l (destined to act as a VPN gateway) and i.j.k.m (the server). I am a newbie. I don't know if this configuration is normal, but it's forced by our partner.