user:nsr1:open_swan_vpn:discussion
November 1 2010
--- Log opened Mon Nov 01 23:18:52 2010
Lastlog:
13:00 -!- nox [~user@10.81.1.233] has joined #lair
13:00 -!- Topic for #lair: LAIR chat
13:00 -!- Topic set by -Server- [] [Mon Sep 20 11:59:52 2010]
13:00 [Users #lair]
13:00 [ Ender] [ jzimmer5] [ Riptuer] [ wedge]
13:00 [ Ian ] [ nox ] [ tracer ]
13:00 -!- Irssi: #lair: Total of 7 nicks [0 ops, 0 halfops, 0 voices, 7 normal]
13:00 -!- Irssi: Join to #lair was synced in 2 secs
13:01 < wedge> welcome back
13:01 < nox> Good afternoon
13:01 < nox> Thanks
14:00 -!- You're now known as _nox
15:57 -!- You're now known as nox
15:57 < nox> Grrrrrr
15:57 < nox> Openswan has frustrated me for now
15:57 < nox> I'll have to take a break and get back to this guy after dinner
15:58 < nox> I think I understand the theory of what needs to be done
15:59 < nox> I've compiled my own copy of strongswan
15:59 < nox> This version doesn't require kernel modifications
15:59 < nox> sweet
15:59 < nox> and it lets me enable NAT traversal
15:59 < nox> So that all works
16:00 < nox> but somewhere either in the Openswan configs or l2tp config files I missed something
16:00 < nox> The syslog doesn't even show my iPhone trying to connect
16:00 < nox> Grrrr
16:00 < nox> But I feel pretty confident that I will get it
16:01 < nox> Interesting thing- Openswan can route to OpenVPN
16:01 < nox> so we could provide an OpenSwan gateway for iOS devies and keep using OpenVPN
16:01 < nox> I think that could be cool
16:02 < nox> DSLab is joined to LAIR through an OpenVPN tunnel, right?
16:02 < nox> Anyway, just thinking about stuff
16:02 < nox> I'll be back later tonight
16:03 < nox> I think Herb is going to join in on the VPNing fun, maybe we'll get something going
16:03 < nox> Also I'm going to spend some time with the db server tonight
16:03 < nox> I think I might be pretty close with that
16:03 < nox> :)
16:03 -!- You're now known as _nox
18:07 < wedge> yes-- OpenVPN tunnel connects DSLAB and LAIR
18:36 < wedge> regarding logs... where are you trying to run openswan? on juicebar?
19:30 < _nox> I'm sticking clear of making any changes to production machines until I can prove OpenSwan
19:31 < _nox> I'm running it on Athens01
19:31 < wedge> and where is your client coming from?
19:31 < _nox> The client is my iPhone who has joined UFO
19:31 -!- You're now known as nox
19:33 < wedge> I wonder if, the reason you are not seeing any log messages, is because the server is physically not receiving any packets?
19:33 < wedge> firewall on UFO?
19:33 < nox> Yeah, that's what I'm wondering too
19:33 < nox> hmm that's a good point, I can definitely see that apache server from the iPhone
19:34 < wedge> I know if you were going through juicebar, the firewall rules WOULD block it by default
19:34 < wedge> we'd have to add a rule to specifically allow that traffic on a particular interface
19:35 < nox> But UFO is already on the inside, wouldn't that take care of the firewall?
19:35 < wedge> UFO may be running a firewall
19:36 < wedge> it is designed to by default
19:36 < nox> That's a good though, I was wondering if we could run openswan on ufo itself but I hadn't looked into that just yet
19:37 < wedge> for example, there's a setting to allow remote access to the administrative web interface from networks outside the ones it serves
19:37 < wedge> it is typically disabled by default. That is handled by its firewall.
19:38 < wedge> what type of traffic is openswan looking to pass?
19:38 < nox> http://wiki.openswan.org/index.php/Openswan/ConfFirewall
19:38 < wedge> probably something at the IP level? I seem to recall not much going on at transport level
19:38 < nox> It looks like protocol 50, 51 and some UDP
19:39 < wedge> what are we running on UFO... DD-WRT?
19:40 < wedge> ultimately, you won't want to run OpenSWAN on UFO... because all the traffic will be coming from the outside network, and hitting juicebar
19:40 < nox> UFO is running ddwrt, yup
19:41 < nox> ok, so you think the load would be too much (and unnecessary) on UFO
19:42 < wedge> I don't think it would be too much... UFO just doesn't deal with the network traffic you'd be using OpenSWAN for
19:42 < wedge> it is inside, where you want OpenSWAN intercepting outside traffic (ie juicebar's domain)
19:43 < nox> Okay
19:43 < wedge> the current suspicion is that UFO might be unintentionally blocking the traffic, preventing you from testing
19:43 < nox> I have openswan on the inside right now just to test it out
19:43 < wedge> yeah
19:43 < nox> It doesn't actually make much sense to VPN in when you're already on the inside
19:43 < nox> ;)
19:43 < wedge> but you said you weren't getting any log messages
19:43 < wedge> correct :)
19:44 < nox> correct! I'm looking into the firewall now
19:45 < nox> hmm ok so all the firewalls are off and have been off
19:45 < nox> And all VPN passthrough settings are enabled and have been enabled
19:46 < wedge> have you tried doing a tcpdump to see what traffic might be arriving at Athens0?
19:46 < nox> not yet
19:47 < nox> What do you think this means:
19:47 < nox> Athens01 reports an address of 10.81.1.233
19:48 < nox> I can access it via that address on other machines on the network
19:48 < nox> when I ping athens01 while connected to UFO I can an address of 208.68.143.55
19:48 < nox> *I get an
19:48 < nox> But the host isn't accessible via that address
19:49 < nox> and the 10.81 address isn't reachable
19:49 < wedge> DNS settings are causing that to happen
19:49 < wedge> the 208.68....
19:49 < nox> So there's the answer from UFO athens01 isn't accessible
19:50 < wedge> I can't seem to get in to 10.81.1.233, is it using a different password?
19:51 < nox> You should see observium @ http://10.81.1.233/
19:51 < nox> It's a piece of software I was toying with but didn't work out
19:52 < wedge> I was trying to ssh into the machine as root
19:52 < wedge> if it is ubuntu, probably disabled by default
19:52 < nox> It is ubuntu
19:52 < nox> the user is called user
19:52 < nox> password is standard
19:54 < nox> I think the whole problem is that there is no path from ufo -> athens01
19:54 < wedge> hmm indeed
19:55 < wedge> yeah, ufo doesn't seem to be happy with traffic coming to it at all
19:56 < wedge> I can't ping it from juicebar, athens01, or the LAIR end of the VPN
19:56 < nox> But I can connect to it and get out to the internet
19:56 < wedge> are you able to get a console on it (ie via SSH)?
19:56 < nox> It has an IP 10.81.1.5
19:56 < nox> Err 10.81.5.1
19:58 < wedge> if you can, copy and paste: netstat -nr
19:58 < nox> It looks like the physical connection is UFO (internet port) -> dslab1 (port 19(
19:59 < nox> Working on the netstat
19:59 < nox> I'm talking to you from one machine and on UFO on another
20:00 < nox> http://gist.github.com/659081
20:01 < wedge> that's on your Mac, right?
20:01 < nox> Yup
20:01 < wedge> I need to see that for ufo itself
20:01 < nox> So shh into UFO?
20:01 < wedge> yeah
20:01 < wedge> if we have that set up
20:02 < nox> telnet is setup but netstat isn't available
20:03 < wedge> how about: ip route show
20:04 < nox> http://gist.github.com/659084
20:04 < wedge> ah
20:04 < wedge> there's our problem
20:04 < wedge> ufo is on the CSci subnet
20:04 < nox> but it's connected to port 19 on dslab1
20:06 < nox> Should I move it over to the switch where we have our workstations setup?
20:06 < nox> On that switch everyone definitely is getting an internal address
20:06 < wedge> yes
20:07 < wedge> I will admit I am puzzled by why it is getting a 137.238.8.x address
20:07 < wedge> what else is on dslab1 ?
20:07 < wedge> we're talking one of the netgear switches, right?
20:07 < nox> Yeah dslab1 is one of the netgear switches
20:08 < wedge> are other devices on the dslab1 switch getting 10.81.1.x or are they also getting 137.238.8.x addresses?
20:09 < nox> it looks like sparta is on dslab1
20:09 < nox> also sparta04 is making some bad spinny clicky noises
20:09 < nox> sounds like a sick drive
20:10 < wedge> are you sure it isn't an internal fan making contact with wires?
20:10 < wedge> Philip assembled one that did that, and I don't recall if he ever figured out which one it was to fix
20:10 < nox> No, I just heard bad noises and came back to the keyboard
20:11 < wedge> yeah, sparta00 is definitely getting a 10.81.1.x address
20:11 < nox> alright I'll add looking into it to the whiteboard
20:11 < nox> it's not sick in any way on the monitor
20:11 < wedge> I don't see anything immediately awry on sparta04
20:11 < wedge> that's just *weird*... it shouldn't be able to work
20:11 < wedge> has ufo been reset anytime recently?
20:11 < nox> I just reset and moved UFO
20:12 < nox> reset, like the software? nope
20:12 < wedge> reset as in power cycle
20:12 < wedge> ah
20:12 < wedge> there we go
20:12 < wedge> I can ping ufo now
20:14 < nox> But now I don't get the internet through ufo
20:14 < wedge> can you give me another: ip route show
20:14 < wedge> on ufo?
20:14 < nox> Yeah on UFO
20:14 < wedge> yeah, give me another :ip route show
20:14 < wedge> for ufo
20:14 < nox> But UFO definitely sees juicebar in the routing table
20:15 < nox> Well that doesn't matter, I can see 10.81.1.233 from UFO
20:15 < nox> that's what I'm working on :)
20:15 < nox> Ok, let's try openswan
20:16 < wedge> getting internet might be a simple fix of a route addition
20:16 < nox> Oh and no luck on VPN
20:17 < wedge> try accessing the internet from your machine on UFO
20:17 < nox> Nope, the mac on UFO doesn't get to the internet
20:18 < wedge> well, no traffic is hitting juicebar
20:18 < wedge> I suspect a route problem
20:18 < wedge> if you could get me a: ip route show
20:19 < wedge> from ufo's console, we can ascertain it...improper routes could also still be preventing your OpenSWAN experiment from working
20:19 < nox> hmmm I can't post to github
20:20 < nox> What was the route command, again? I just did route but it may not be what you want
20:20 < wedge> ip route show
20:22 < nox> gist.github.com/659108
20:23 < wedge> ok, on your mac on ufo's network, try to access: http://143.66.50.18/
20:23 < wedge> tell me if you get anything
20:23 < nox> Lab46: The Wiki
20:24 < wedge> ok, networking works, DNS is broken
20:24 < wedge> on the UFO side of the network
20:25 < nox> Alright, what am I looking for?
20:25 < wedge> very weird I'm not picking up any traffic
20:26 < wedge> do me a favor, try refreshing that page
20:26 < wedge> on your mac
20:26 < wedge> just trying to pick up traffic in a tcpdump
20:26 < nox> You're still alive
20:26 < wedge> yeah... I'd check DNS Settings on UFO
20:26 < wedge> make sure the DNS Server is: 10.81.1.1
20:26 < wedge> searching dslab.lan
20:26 < wedge> domain dslab.lan
20:27 < wedge> whatever the options are called
20:27 < wedge> if you want additional DNS:
20:27 < wedge> 10.80.2.1
20:27 < wedge> 10.80.1.1
20:27 < nox> Local DNS is set to 10.81.1.1
20:28 < nox> Static DNS 1 is set to 10.81.1.1
20:28 < nox> ditto for DNS 2
20:28 < nox> DNS 3 is 10.81.2.1
20:28 < wedge> well, that doesn't exist..
20:28 < wedge> shouldn't be throwing things off though
20:28 < nox> DNS 3?
20:28 < wedge> yeah
20:28 < wedge> 10.80.2.1
20:29 < nox> Is there a 10.80.1.1?
20:29 < nox> Just curious
20:29 < wedge> yes
20:29 < wedge> 10.80.1.1
20:29 < wedge> and 10.80.2.1
20:29 < wedge> you had written 10.81.2.1
20:29 < wedge> note the 81 instead of the 80
20:29 < nox> so all DNS is in the 10.80 range
20:30 < nox> There is no 10.81.1.1?
20:30 < wedge> there is
20:30 < wedge> that's the only one in 10.81
20:30 < wedge> 10.81.1.1
20:30 < wedge> 10.80.1.1
20:30 < wedge> 10.80.2.1
20:31 < nox> Hark!
20:31 < nox> The internet
20:31 < wedge> :)
20:31 < wedge> at least one problem solved!
20:31 < nox> I changed 10.81.1.1 to 10.80.1.1 and rebooted
20:31 < nox> and then the internet worked
20:31 < nox> Why would that do it?
20:31 < wedge> why no OpenSWAN... as far as I can tell... it shouldn't be prevented from working
20:31 < wedge> might have been a stale value
20:32 < wedge> it *should* work with 10.81.1.1, that's what the rest of the DSLAB is using for DNS
20:32 < nox> Hmmm weird
20:32 < nox> but that's one problem gone
20:32 < nox> Er
20:32 < nox> maybe
20:33 < nox> Now I can't get to 10.81.1.233
20:33 < nox> through ufo
20:33 < wedge> can you ping 10.81.1.1
20:34 < wedge> on your mac
20:34 < nox> Nope
20:34 < wedge> hook me up with another: ip route show
20:34 < wedge> on ufo's console
20:34 < wedge> heh, I can't ping ufo anymore either
20:35 < nox> I can still get to the IP for the wiki
20:36 < wedge> something's not right... check and see if it is back on the CSci subnet
20:36 < nox> UFO is on the CS domain
20:36 < wedge> why, I have no idea (or how)
20:36 < nox> http://gist.github.com/659123
20:36 < wedge> big ol' W-T-F
20:36 < nox> :D
20:37 < nox> Amen to that
20:37 < wedge> I am honestly at a loss, based on what I know, this is defying the impossible
20:37 < wedge> let's try some basic debugging
20:37 < nox> okay
20:37 < wedge> on the WAN port on UFO, where is that plugged into?
20:37 < wedge> should be the DSLAB1 switch
20:37 < wedge> (or DSLAB2 switch-- some netgear internal DSLAB switch)
20:37 < nox> the WAN port is plugged into port 19 of the same switch that services all of the athens workstations
20:37 < wedge> ok
20:37 < nox> it's an unnamed DELL powerconnect
20:38 < wedge> how about the LAN ports?
20:38 < nox> Nothing going into any of them
20:38 < wedge> woah... what is an unnamed DELL powerconnect?
20:38 < wedge> the switch that services the athens workstations?
20:38 < wedge> the Dell powerconnect is OUTSIDE
20:38 < nox> It's the switch that services the athens workstations, I don't think we can connect to the switch
20:38 < nox> The switch is on the inside
20:38 < nox> the machine I'm typing on is on this switch
20:38 < wedge> did you move it to the inside?
20:39 < wedge> that switch used to be where juicebar (and bob) got their external connections
20:39 < wedge> it was configured for 137.238.7.x, and had no configuration for inside
20:39 < nox> Are you sure? There's another Dell switch in the back
20:39 < nox> I'm on the dell switch on this athens and I have an IP of 10.81.1.233
20:39 < wedge> is it a 16-port Dell switch?
20:40 < wedge> the dumb, 16-port switch by the G5?
20:40 < nox> yes
20:40 < wedge> ok... so different Dell switch
20:40 < wedge> I thought you said it was plugged into the big 24-port Dell switch behind the video wall
20:41 < nox> It was, when we started the night
20:41 < nox> then a ways back I moved it closer to me physically
20:41 < nox> we had the same problems
20:41 < wedge> :)
20:41 < nox> :)
20:41 < wedge> ok... so that Dell 16-port switch.. does it plug into (ultimately) one of the two netgear switches?
20:42 < nox> port 17 on dslab 1
20:42 < nox> so yes
20:42 < wedge> ok
20:43 < wedge> something is hooked into the CS subnet
20:43 < nox> Didn't we have a sparta get a 137 address recently too?
20:44 < nox> Ok
20:44 < wedge> you might want to trace all the connections into that 16-port dumb Dell switch, make sure there aren't any accidental connections to the wall
20:44 < wedge> it doesn't make sense, but if there's a connection, rogue DHCP could be getting through
20:44 < wedge> and some devices getting caught up in that
20:45 < wedge> I'd expect there to be more problems if that were the case, but it is something to look for at any rate
20:45 < nox> I only see one connection to the wall in the corner by the video wall
20:45 < nox> although it's a bit of a mess
20:45 < nox> let me go look some more
20:46 < wedge> the way it should be: the ONLY connection from the wall should go to the 24-port Dell switch
20:49 < nox> Still alive?
20:49 < nox> Am I still here?
20:50 < wedge> as far as I can tell
20:50 < nox> Weird
20:50 < nox> I shouldn't be
20:50 < nox> I lost power on the switch
20:50 < nox> that this is connected to
20:50 < wedge> not necessarily the end of the world
20:50 < wedge> networking can be resilient like that
20:50 < nox> I guess, or this is heaven
20:50 < nox> but anyway
20:51 < nox> to the DELL powerconnect there was another outside connection
20:51 < nox> So there were 2!
20:51 < wedge> and you disconnected one of them, or are they both still plugged in?
20:52 < wedge> I seem to remember a white cable (once upon a time) being the one for the outside connection
20:52 < wedge> but that could easily have been changed over time
20:52 < nox> I pulled the connection from the DELL powerconnect port 3 to the wall
20:52 < wedge> ok... and we're still operational
20:52 < nox> There is still a white cable going into a mess of cables over behind the VWall
20:52 < nox> Rebooted UFO
20:52 < wedge> I'm pinging again
20:53 < nox> I get internet and I can ping node132
20:53 < wedge> so it is back
20:53 < nox> It's back
20:53 < nox> When we were cleaning the lab and setting up workstations there were a lot of people moving computer and plugging and unplugging
20:53 < nox> I'm sure this cable ended up plugged in by someone because it seemed like the right thing
20:53 < nox> heck it could have been me
20:54 < wedge> what's important is that the mystery (hopefully) has been solved
20:54 < nox> indeed!
20:55 < nox> There is now a route from the iPhone to 10.81.1.233 for http
20:55 < nox> But VPN fails :(
20:58 < nox> It's hard to know what's going on because there's so much noise on a tcpdump
20:58 < wedge> ufo stopped pinging
20:59 < nox> entirely my fault, I kicked the power cord out
20:59 < nox> It'll be back in just a second
20:59 < wedge> ok, just paranoid thinking the problem had returned
20:59 < wedge> yep, it is back
20:59 < nox> If you're working with VPN, the shared secret is cookie
21:00 < nox> the username is nsr1 and will accept any password
21:00 < wedge> ok
21:01 < wedge> where are you tcpdumping, on athens01?
21:01 < nox> Even if I'm tailing /var/log/messages I'm not seeing anything VPNish
21:01 < nox> yeah, tcpdump is on athens01
21:01 < nox> To setup the VPN I followed this guide: http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/
21:01 < wedge> what is the IP of your client device?
21:01 < nox> 10.81.1.101
21:02 < nox> (iPhone)
21:02 < wedge> 1.101, or 5.101?
21:02 < nox> good catch
21:02 < nox> 10.81.5.101
21:02 < wedge> try connecting to the VPN with the iPhone
21:02 < wedge> I'm doing a tcpdump
21:03 < nox> Alright here we are
21:03 < nox> fail
21:03 < nox> Again
21:03 < wedge> yeah, seeing nothing
21:03 < nox> fail
21:04 < nox> ipsec is definitely running
21:05 < nox> As is xl2tpd
21:07 < nox> brb
21:09 < nox> back
21:12 < wedge> your iPhone is on ufo's network?
21:12 < nox> Yeah
21:12 < wedge> for server, you put in 10.81.1.233
21:13 < nox> Yup: http://picasaweb.google.com/nixterrimus/Lab#5534754249785342002
21:15 < nox> I see that ubuntu's built in firewall is deactivated
21:15 < nox> that's good
21:16 < wedge> shouldn't be preventing traffic (but you never know)--- you have nat_traversal enabld in /etc/ipsec.conf
21:16 < wedge> might want to flip that to a no and restart it
21:16 < wedge> at the moment, you're not nat traversing
21:16 < wedge> everyone has a "real" IP
21:17 < nox> I think nat_traversal is supposed to be enabled in ipsec.conf and it looks like it is
21:17 < nox> I built strongswan with the nat_traversal enabled
21:18 < nox> I think it needs to be enabled for the VPN to work, should I try it with nat_traversal off?
21:21 < wedge> yeah, nat_traversal is an option to enable openswan to work with a connection through a NAT
21:21 < nox> Alright, let's try flipping it to off and restarting strongswan
21:21 < wedge> like a roadrunner connection with only 1 IP serving a network of machines behind it
21:21 < wedge> like I said, I don't see how it could be preventing operation, but it is something out of place, so worth trying
21:22 < nox> Gotcha, won't that eventually be us when we have 1 137.238 address as an entry?
21:22 < nox> Alright, I
21:22 < nox> Alright, I've turned it off and rebooted
21:22 < nox> and still no luck with the iPhone
21:22 < wedge> yeah, we will then
21:23 < nox> but right now, not a big deal
21:30 < nox> Ok
21:30 < nox> There is something happening
21:30 < nox> Listening on port 500 or 4500
21:30 < nox> sudo tcpdump -i eth0 -n -p udp port 500 or udp port 4500
21:30 < nox> I'll br back right back
21:42 < wedge> I'm going to head out shortly
21:42 < wedge> if you are back soonish... I'm tcpdumping with those parameters... give it a shot, I'd like to see what's happening
21:43 < nox> Alright I'm going trying to connect
21:43 < nox> and making noise
21:43 < wedge> indeed
21:44 < wedge> so traffic is being received
21:44 < wedge> and sent
21:44 < nox> yes
21:44 < wedge> did this happen before the nat_traversal?
21:44 < nox> I don't know I didn't learn about this command until just before I sent it to you
21:45 < nox> should I change the nat_traversal parameter?
21:45 < wedge> interestingly, it would appear some NAT'ing may be happening on the UFO side
21:45 < wedge> as the traffic is coming from 10.81.1.246
21:45 < wedge> which is UFO's presence on the dslab.lan 10.81.1.x network
21:46 < nox> But since ipsec is good with anyone connecting that shouldn't matter should it?
21:46 < wedge> correct
21:46 < wedge> I do wonder if traffic is being passed back to the iPhone as it should be
21:47 < wedge> are you getting any indication on the iPhone as to any level of communication?
21:47 < nox> No, it's pretty useless as an indicator
21:47 < wedge> might be worth setting up your Mac to do it
21:47 < wedge> see if it can generate you some client side log messages
21:47 < nox> it just says Connecting... and then The l2TP-VPN Server did not respond. Try reconnecting or contact your admin, etc
21:48 < wedge> yeah, IF ufo isn't properly routing the return packets back, I could see that being an issue (needing some "firewall" rules, if only for NAT)
21:48 < wedge> but, we don't have enough information to make that determination
21:49 < wedge> trying it with your Mac, if it can produce logs, might be more telling
21:49 < wedge> hmmm
21:49 < wedge> something different
21:49 < wedge> port 1?
21:49 < nox> The mac is talking
21:49 < wedge> purely 1 way
21:50 < wedge> at least, not talking back on 500 or 4500
21:50 < wedge> two-way.... same as before... any logs on the Mac to speak of?
21:51 < nox> http://gist.github.com/659161
21:51 < nox> nothing really interesting
21:51 < nox> basically "connection failed"
21:51 < wedge> hmmm
21:53 < nox> I is in and R is return?
21:54 < wedge> could be
21:55 < wedge> how are you restarting/starting openswan?
21:55 < wedge> some /etc/init.d script?
21:55 < wedge> or something more manual?
21:55 < nox> init.d
21:55 < wedge> just xl2tpd ?
21:56 < wedge> does that handle everything?
21:56 < nox> ipsec and then xl2tpd
21:57 < wedge> try connecting again
21:58 < nox> Just tried the mac
21:58 < nox> same error messages in the log
21:58 < wedge> hmmm
21:59 < nox> the ipsec command looks interesting
21:59 -!- Irssi: Pasting 7 lines to #lair. Press Ctrl-K if you wish to do this or Ctrl-C to cancel.
21:59 < nox> sudo ipsec status
21:59 < nox> [sudo] password for user:
21:59 < nox> 000 "L2TP": 10.81.1.233:17/1701---10.81.1.1...%any:17/%any==={0.0.0.0/0}; unrouted; eroute owner: #0
21:59 < nox> 000 "L2TP": newest ISAKMP SA: #0; newest IPsec SA: #0;
21:59 < nox> 000
21:59 < nox> Security Associations: none
21:59 < nox> Not entirely sure what the output means but it looks like there's an ipsec tunnel available
21:59 < wedge> where you seeing that?
22:00 < wedge> on the mac?
22:00 < nox> on athens01
22:00 < wedge> hey... did you look in /var/log/auth.log ?
22:00 < wedge> there's some interesting things in there about no preshared key found
22:00 < nox> Where do you see that?
22:01 < wedge> tail -f /var/log/auth.log
22:01 < wedge> and try connecting
22:01 -!- Irssi: Pasting 8 lines to #lair. Press Ctrl-K if you wish to do this or Ctrl-C to cancel.
22:01 < nox> sudo ipsec secrets
22:01 < nox> 002 forgetting secrets
22:01 < nox> 002 loading secrets from "/etc/ipsec.secrets"
22:01 < nox> 002 loading secrets from "/var/lib/strongswan/ipsec.secrets.inc"
22:01 < nox> 002 loaded private key file '/etc/ipsec.d/private/athens01Key.pem' (1675 bytes)
22:01 < nox> 002 loaded shared key for 0.0.0.0 10.81.1.223
22:01 < nox> 002 loaded shared key for 0.0.0.0 10.81.1.233
22:01 < nox> 003 "/etc/ipsec.secrets" line 12: PSK data malformed (input does not begin with format prefix): \342\200\234cookie"
22:01 < nox> Line 12
22:01 < nox> :)
22:01 < wedge> it's something
22:02 < nox> 10.81.1.233 %any: PSK “cookie"
22:04 < nox> after redoing the line I get
22:04 < nox> unable to start strongSwan -- fatal errors in config
22:04 < wedge> yeah, I was testing something real quick
22:05 < wedge> remove the plutodebug=yes line and save it
22:05 < wedge> I was about to do it, but it looks like you got in there
22:05 < nox> I don't see that line
22:05 < nox> Can you do it?
22:05 < wedge> yep, got it, started it
22:05 < wedge> try connecting again
22:06 < nox> Connection still fails
22:06 < nox> (mac)
22:06 < wedge> mmm.... many more interesting things though
22:07 < nox> What are you looking at?
22:07 < wedge> tail -f /var/log/auth.log /var/log/daemon.log
22:07 < wedge> both auth and daemon
22:07 < wedge> there's at least some activity now (I guess you fixed the malformed psk problem?)
22:08 < nox> maybe, what's this: Nov 1 22:07:24 athens01 charon: 07[CFG] line 12: missing ' : ' separator
22:08 < wedge> that's a good one
22:08 < wedge> we'd need to find the charon config
22:08 < wedge> where-ever that is
22:09 < nox> Also no connection has been authorized with policy=PSK
22:09 < wedge> I just glanced at /etc/ipsec.conf and /etc/xl2tpd/xl2tpd.conf ... nothing that appears to be missing a ':' on or around line 12
22:09 < wedge> the no authorized connection is a good sign though
22:09 < wedge> it means it is at least trying things
22:09 < wedge> we'd need to look at figuring out how to authorize something
22:10 < nox> Right now it's authorizing by shared secret and charon config
22:10 < nox> err
22:10 < nox> /etc/xl2tpd/l2tp-secrets:
22:10 < nox> not charon config
22:10 < wedge> all blank?
22:11 < nox> Well that's a problem
22:11 < wedge> indeed
22:11 < nox> I added a user
22:12 < nox> * ** * nsr1 *
22:13 < nox> Maybe I need to restart ipsec
22:13 < wedge> give it a shot
22:13 < nox> More progress!
22:14 < wedge> indeed
22:14 < nox> This looks like good news: Nov 1 22:13:32 athens01 pluto[23823]: "L2TP"[2] 10.81.1.246 #2: IPsec SA established {ESP=>0x085175f8 <0xb4dde234}
22:14 < wedge> aye
22:15 < wedge> however, I must be off for now
22:15 < wedge> at least it is going more, if in fits and starts
22:15 < nox> Nov 1 22:15:21 athens01 pluto[23823]: packet from 10.81.1.246:1: initial Main Mode message received on 10.81.1.233:500 but no connection has been authorized with policy=PSK
22:15 < wedge> try googling some of that
22:15 < wedge> I did earlier and there were results
22:16 < wedge> might have to cherry pick a bit to find something useful
22:16 < nox> but in /etc/ipsec.conf:
22:16 < nox> conn L2TP authby=psk pfs=no
22:16 < nox> key phrase authby=psk
22:16 < wedge> maybe there is another component still missing?
22:17 < wedge> good luck!
22:17 < nox> Thanks, we're closer
22:17 < nox> :)
22:19 < nox> YES!!!
22:19 < nox> I'm conneted
22:19 < nox> with a weird IP
22:19 < nox> but anyway
22:20 < nox> The key was setting no connection has been authorized with policy=PSK
22:20 < nox> I'm connected with both my Mac and my iPhone!
22:20 < nox> haha!
22:21 < nox> I'm not sure if you just headed out but we're in, it's working
22:22 < nox> Phase one - Test OpenSwan: Complete!
22:23 < nox> Probably the nat traversal had to be turned on because I compiled strongswan with that option
22:34 < nox> Phase two: This whole setup needs to move to a dedicated computer with two ethernet ports, right?
22:35 < nox> Then get that working, then to work on LDAP as an authentication scheme
22:35 < nox> Sweet!
22:36 < nox> I'm pleased with the progress we've made tonight, now I'm going to work on my WEP research for a couple of hours
22:36 -!- You're now known as _nox
23:15 < _nox> Work in Progress: http://www.offbyone.lan/user/nsr1/open_swan_vpn
End of Lastlog
Lastlog:
13:00 -!- nox [~user@10.81.1.233] has joined #lair
13:00 -!- Topic for #lair: LAIR chat
13:00 -!- Topic set by -Server- [] [Mon Sep 20 11:59:52 2010]
13:00 [Users #lair]
13:00 [ Ender] [ jzimmer5] [ Riptuer] [ wedge]
13:00 [ Ian ] [ nox ] [ tracer ]
13:00 -!- Irssi: #lair: Total of 7 nicks [0 ops, 0 halfops, 0 voices, 7 normal]
13:00 -!- Irssi: Join to #lair was synced in 2 secs
13:01 < wedge> welcome back
13:01 < nox> Good afternoon
13:01 < nox> Thanks
14:00 -!- You're now known as _nox
15:57 -!- You're now known as nox
15:57 < nox> Grrrrrr
15:57 < nox> Openswan has frustrated me for now
15:57 < nox> I'll have to take a break and get back to this guy after dinner
15:58 < nox> I think I understand the theory of what needs to be done
15:59 < nox> I've compiled my own copy of strongswan
15:59 < nox> This version doesn't require kernel modifications
15:59 < nox> sweet
15:59 < nox> and it lets me enable NAT traversal
15:59 < nox> So that all works
16:00 < nox> but somewhere either in the Openswan configs or l2tp config files I missed something
16:00 < nox> The syslog doesn't even show my iPhone trying to connect
16:00 < nox> Grrrr
16:00 < nox> But I feel pretty confident that I will get it
16:01 < nox> Interesting thing- Openswan can route to OpenVPN
16:01 < nox> so we could provide an OpenSwan gateway for iOS devies and keep using OpenVPN
16:01 < nox> I think that could be cool
16:02 < nox> DSLab is joined to LAIR through an OpenVPN tunnel, right?
16:02 < nox> Anyway, just thinking about stuff
16:02 < nox> I'll be back later tonight
16:03 < nox> I think Herb is going to join in on the VPNing fun, maybe we'll get something going
16:03 < nox> Also I'm going to spend some time with the db server tonight
16:03 < nox> I think I might be pretty close with that
16:03 < nox> :)
16:03 -!- You're now known as _nox
18:07 < wedge> yes-- OpenVPN tunnel connects DSLAB and LAIR
18:36 < wedge> regarding logs... where are you trying to run openswan? on juicebar?
19:30 < _nox> I'm sticking clear of making any changes to production machines until I can prove OpenSwan
19:31 < _nox> I'm running it on Athens01
19:31 < wedge> and where is your client coming from?
19:31 < _nox> The client is my iPhone who has joined UFO
19:31 -!- You're now known as nox
19:33 < wedge> I wonder if, the reason you are not seeing any log messages, is because the server is physically not receiving any packets?
19:33 < wedge> firewall on UFO?
19:33 < nox> Yeah, that's what I'm wondering too
19:33 < nox> hmm that's a good point, I can definitely see that apache server from the iPhone
19:34 < wedge> I know if you were going through juicebar, the firewall rules WOULD block it by default
19:34 < wedge> we'd have to add a rule to specifically allow that traffic on a particular interface
19:35 < nox> But UFO is already on the inside, wouldn't that take care of the firewall?
19:35 < wedge> UFO may be running a firewall
19:36 < wedge> it is designed to by default
19:36 < nox> That's a good though, I was wondering if we could run openswan on ufo itself but I hadn't looked into that just yet
19:37 < wedge> for example, there's a setting to allow remote access to the administrative web interface from networks outside the ones it serves
19:37 < wedge> it is typically disabled by default. That is handled by its firewall.
19:38 < wedge> what type of traffic is openswan looking to pass?
19:38 < nox> http://wiki.openswan.org/index.php/Openswan/ConfFirewall
19:38 < wedge> probably something at the IP level? I seem to recall not much going on at transport level
19:38 < nox> It looks like protocol 50, 51 and some UDP
19:39 < wedge> what are we running on UFO... DD-WRT?
19:40 < wedge> ultimately, you won't want to run OpenSWAN on UFO... because all the traffic will be coming from the outside network, and hitting juicebar
19:40 < nox> UFO is running ddwrt, yup
19:41 < nox> ok, so you think the load would be too much (and unnecessary) on UFO
19:42 < wedge> I don't think it would be too much... UFO just doesn't deal with the network traffic you'd be using OpenSWAN for
19:42 < wedge> it is inside, where you want OpenSWAN intercepting outside traffic (ie juicebar's domain)
19:43 < nox> Okay
19:43 < wedge> the current suspicion is that UFO might be unintentionally blocking the traffic, preventing you from testing
19:43 < nox> I have openswan on the inside right now just to test it out
19:43 < wedge> yeah
19:43 < nox> It doesn't actually make much sense to VPN in when you're already on the inside
19:43 < nox> ;)
19:43 < wedge> but you said you weren't getting any log messages
19:43 < wedge> correct :)
19:44 < nox> correct! I'm looking into the firewall now
19:45 < nox> hmm ok so all the firewalls are off and have been off
19:45 < nox> And all VPN passthrough settings are enabled and have been enabled
19:46 < wedge> have you tried doing a tcpdump to see what traffic might be arriving at Athens0?
19:46 < nox> not yet
19:47 < nox> What do you think this means:
19:47 < nox> Athens01 reports an address of 10.81.1.233
19:48 < nox> I can access it via that address on other machines on the network
19:48 < nox> when I ping athens01 while connected to UFO I can an address of 208.68.143.55
19:48 < nox> *I get an
19:48 < nox> But the host isn't accessible via that address
19:49 < nox> and the 10.81 address isn't reachable
19:49 < wedge> DNS settings are causing that to happen
19:49 < wedge> the 208.68....
19:49 < nox> So there's the answer from UFO athens01 isn't accessible
19:50 < wedge> I can't seem to get in to 10.81.1.233, is it using a different password?
19:51 < nox> You should see observium @ http://10.81.1.233/
19:51 < nox> It's a piece of software I was toying with but didn't work out
19:52 < wedge> I was trying to ssh into the machine as root
19:52 < wedge> if it is ubuntu, probably disabled by default
19:52 < nox> It is ubuntu
19:52 < nox> the user is called user
19:52 < nox> password is standard
19:54 < nox> I think the whole problem is that there is no path from ufo -> athens01
19:54 < wedge> hmm indeed
19:55 < wedge> yeah, ufo doesn't seem to be happy with traffic coming to it at all
19:56 < wedge> I can't ping it from juicebar, athens01, or the LAIR end of the VPN
19:56 < nox> But I can connect to it and get out to the internet
19:56 < wedge> are you able to get a console on it (ie via SSH)?
19:56 < nox> It has an IP 10.81.1.5
19:56 < nox> Err 10.81.5.1
19:58 < wedge> if you can, copy and paste: netstat -nr
19:58 < nox> It looks like the physical connection is UFO (internet port) -> dslab1 (port 19(
19:59 < nox> Working on the netstat
19:59 < nox> I'm talking to you from one machine and on UFO on another
20:00 < nox> http://gist.github.com/659081
20:01 < wedge> that's on your Mac, right?
20:01 < nox> Yup
20:01 < wedge> I need to see that for ufo itself
20:01 < nox> So shh into UFO?
20:01 < wedge> yeah
20:01 < wedge> if we have that set up
20:02 < nox> telnet is setup but netstat isn't available
20:03 < wedge> how about: ip route show
20:04 < nox> http://gist.github.com/659084
20:04 < wedge> ah
20:04 < wedge> there's our problem
20:04 < wedge> ufo is on the CSci subnet
20:04 < nox> but it's connected to port 19 on dslab1
20:06 < nox> Should I move it over to the switch where we have our workstations setup?
20:06 < nox> On that switch everyone definitely is getting an internal address
20:06 < wedge> yes
20:07 < wedge> I will admit I am puzzled by why it is getting a 137.238.8.x address
20:07 < wedge> what else is on dslab1 ?
20:07 < wedge> we're talking one of the netgear switches, right?
20:07 < nox> Yeah dslab1 is one of the netgear switches
20:08 < wedge> are other devices on the dslab1 switch getting 10.81.1.x or are they also getting 137.238.8.x addresses?
20:09 < nox> it looks like sparta is on dslab1
20:09 < nox> also sparta04 is making some bad spinny clicky noises
20:09 < nox> sounds like a sick drive
20:10 < wedge> are you sure it isn't an internal fan making contact with wires?
20:10 < wedge> Philip assembled one that did that, and I don't recall if he ever figured out which one it was to fix
20:10 < nox> No, I just heard bad noises and came back to the keyboard
20:11 < wedge> yeah, sparta00 is definitely getting a 10.81.1.x address
20:11 < nox> alright I'll add looking into it to the whiteboard
20:11 < nox> it's not sick in any way on the monitor
20:11 < wedge> I don't see anything immediately awry on sparta04
20:11 < wedge> that's just *weird*... it shouldn't be able to work
20:11 < wedge> has ufo been reset anytime recently?
20:11 < nox> I just reset and moved UFO
20:12 < nox> reset, like the software? nope
20:12 < wedge> reset as in power cycle
20:12 < wedge> ah
20:12 < wedge> there we go
20:12 < wedge> I can ping ufo now
20:14 < nox> But now I don't get the internet through ufo
20:14 < wedge> can you give me another: ip route show
20:14 < wedge> on ufo?
20:14 < nox> Yeah on UFO
20:14 < wedge> yeah, give me another :ip route show
20:14 < wedge> for ufo
20:14 < nox> But UFO definitely sees juicebar in the routing table
20:15 < nox> Well that doesn't matter, I can see 10.81.1.233 from UFO
20:15 < nox> that's what I'm working on :)
20:15 < nox> Ok, let's try openswan
20:16 < wedge> getting internet might be a simple fix of a route addition
20:16 < nox> Oh and no luck on VPN
20:17 < wedge> try accessing the internet from your machine on UFO
20:17 < nox> Nope, the mac on UFO doesn't get to the internet
20:18 < wedge> well, no traffic is hitting juicebar
20:18 < wedge> I suspect a route problem
20:18 < wedge> if you could get me a: ip route show
20:19 < wedge> from ufo's console, we can ascertain it...improper routes could also still be preventing your OpenSWAN experiment from working
20:19 < nox> hmmm I can't post to github
20:20 < nox> What was the route command, again? I just did route but it may not be what you want
20:20 < wedge> ip route show
20:22 < nox> gist.github.com/659108
20:23 < wedge> ok, on your mac on ufo's network, try to access: http://143.66.50.18/
20:23 < wedge> tell me if you get anything
20:23 < nox> Lab46: The Wiki
20:24 < wedge> ok, networking works, DNS is broken
20:24 < wedge> on the UFO side of the network
20:25 < nox> Alright, what am I looking for?
20:25 < wedge> very weird I'm not picking up any traffic
20:26 < wedge> do me a favor, try refreshing that page
20:26 < wedge> on your mac
20:26 < wedge> just trying to pick up traffic in a tcpdump
20:26 < nox> You're still alive
20:26 < wedge> yeah... I'd check DNS Settings on UFO
20:26 < wedge> make sure the DNS Server is: 10.81.1.1
20:26 < wedge> searching dslab.lan
20:26 < wedge> domain dslab.lan
20:27 < wedge> whatever the options are called
20:27 < wedge> if you want additional DNS:
20:27 < wedge> 10.80.2.1
20:27 < wedge> 10.80.1.1
20:27 < nox> Local DNS is set to 10.81.1.1
20:28 < nox> Static DNS 1 is set to 10.81.1.1
20:28 < nox> ditto for DNS 2
20:28 < nox> DNS 3 is 10.81.2.1
20:28 < wedge> well, that doesn't exist..
20:28 < wedge> shouldn't be throwing things off though
20:28 < nox> DNS 3?
20:28 < wedge> yeah
20:28 < wedge> 10.80.2.1
20:29 < nox> Is there a 10.80.1.1?
20:29 < nox> Just curious
20:29 < wedge> yes
20:29 < wedge> 10.80.1.1
20:29 < wedge> and 10.80.2.1
20:29 < wedge> you had written 10.81.2.1
20:29 < wedge> note the 81 instead of the 80
20:29 < nox> so all DNS is in the 10.80 range
20:30 < nox> There is no 10.81.1.1?
20:30 < wedge> there is
20:30 < wedge> that's the only one in 10.81
20:30 < wedge> 10.81.1.1
20:30 < wedge> 10.80.1.1
20:30 < wedge> 10.80.2.1
20:31 < nox> Hark!
20:31 < nox> The internet
20:31 < wedge> :)
20:31 < wedge> at least one problem solved!
20:31 < nox> I changed 10.81.1.1 to 10.80.1.1 and rebooted
20:31 < nox> and then the internet worked
20:31 < nox> Why would that do it?
20:31 < wedge> why no OpenSWAN... as far as I can tell... it shouldn't be prevented from working
20:31 < wedge> might have been a stale value
20:32 < wedge> it *should* work with 10.81.1.1, that's what the rest of the DSLAB is using for DNS
20:32 < nox> Hmmm weird
20:32 < nox> but that's one problem gone
20:32 < nox> Er
20:32 < nox> maybe
20:33 < nox> Now I can't get to 10.81.1.233
20:33 < nox> through ufo
20:33 < wedge> can you ping 10.81.1.1
20:34 < wedge> on your mac
20:34 < nox> Nope
20:34 < wedge> hook me up with another: ip route show
20:34 < wedge> on ufo's console
20:34 < wedge> heh, I can't ping ufo anymore either
20:35 < nox> I can still get to the IP for the wiki
20:36 < wedge> something's not right... check and see if it is back on the CSci subnet
20:36 < nox> UFO is on the CS domain
20:36 < wedge> why, I have no idea (or how)
20:36 < nox> http://gist.github.com/659123
20:36 < wedge> big ol' W-T-F
20:36 < nox> :D
20:37 < nox> Amen to that
20:37 < wedge> I am honestly at a loss, based on what I know, this is defying the impossible
20:37 < wedge> let's try some basic debugging
20:37 < nox> okay
20:37 < wedge> on the WAN port on UFO, where is that plugged into?
20:37 < wedge> should be the DSLAB1 switch
20:37 < wedge> (or DSLAB2 switch-- some netgear internal DSLAB switch)
20:37 < nox> the WAN port is plugged into port 19 of the same switch that services all of the athens workstations
20:37 < wedge> ok
20:37 < nox> it's an unnamed DELL powerconnect
20:38 < wedge> how about the LAN ports?
20:38 < nox> Nothing going into any of them
20:38 < wedge> woah... what is an unnamed DELL powerconnect?
20:38 < wedge> the switch that services the athens workstations?
20:38 < wedge> the Dell powerconnect is OUTSIDE
20:38 < nox> It's the switch that services the athens workstations, I don't think we can connect to the switch
20:38 < nox> The switch is on the inside
20:38 < nox> the machine I'm typing on is on this switch
20:38 < wedge> did you move it to the inside?
20:39 < wedge> that switch used to be where juicebar (and bob) got their external connections
20:39 < wedge> it was configured for 137.238.7.x, and had no configuration for inside
20:39 < nox> Are you sure? There's another Dell switch in the back
20:39 < nox> I'm on the dell switch on this athens and I have an IP of 10.81.1.233
20:39 < wedge> is it a 16-port Dell switch?
20:40 < wedge> the dumb, 16-port switch by the G5?
20:40 < nox> yes
20:40 < wedge> ok... so different Dell switch
20:40 < wedge> I thought you said it was plugged into the big 24-port Dell switch behind the video wall
20:41 < nox> It was, when we started the night
20:41 < nox> then a ways back I moved it closer to me physically
20:41 < nox> we had the same problems
20:41 < wedge> :)
20:41 < nox> :)
20:41 < wedge> ok... so that Dell 16-port switch.. does it plug into (ultimately) one of the two netgear switches?
20:42 < nox> port 17 on dslab 1
20:42 < nox> so yes
20:42 < wedge> ok
20:43 < wedge> something is hooked into the CS subnet
20:43 < nox> Didn't we have a sparta get a 137 address recently too?
20:44 < nox> Ok
20:44 < wedge> you might want to trace all the connections into that 16-port dumb Dell switch, make sure there aren't any accidental connections to the wall
20:44 < wedge> it doesn't make sense, but if there's a connection, rogue DHCP could be getting through
20:44 < wedge> and some devices getting caught up in that
20:45 < wedge> I'd expect there to be more problems if that were the case, but it is something to look for at any rate
20:45 < nox> I only see one connection to the wall in the corner by the video wall
20:45 < nox> although it's a bit of a mess
20:45 < nox> let me go look some more
20:46 < wedge> the way it should be: the ONLY connection from the wall should go to the 24-port Dell switch
20:49 < nox> Still alive?
20:49 < nox> Am I still here?
20:50 < wedge> as far as I can tell
20:50 < nox> Weird
20:50 < nox> I shouldn't be
20:50 < nox> I lost power on the switch
20:50 < nox> that this is connected to
20:50 < wedge> not necessarily the end of the world
20:50 < wedge> networking can be resilient like that
20:50 < nox> I guess, or this is heaven
20:50 < nox> but anyway
20:51 < nox> to the DELL powerconnect there was another outside connection
20:51 < nox> So there were 2!
20:51 < wedge> and you disconnected one of them, or are they both still plugged in?
20:52 < wedge> I seem to remember a white cable (once upon a time) being the one for the outside connection
20:52 < wedge> but that could easily have been changed over time
20:52 < nox> I pulled the connection from the DELL powerconnect port 3 to the wall
20:52 < wedge> ok... and we're still operational
20:52 < nox> There is still a white cable going into a mess of cables over behind the VWall
20:52 < nox> Rebooted UFO
20:52 < wedge> I'm pinging again
20:53 < nox> I get internet and I can ping node132
20:53 < wedge> so it is back
20:53 < nox> It's back
20:53 < nox> When we were cleaning the lab and setting up workstations there were a lot of people moving computer and plugging and unplugging
20:53 < nox> I'm sure this cable ended up plugged in by someone because it seemed like the right thing
20:53 < nox> heck it could have been me
20:54 < wedge> what's important is that the mystery (hopefully) has been solved
20:54 < nox> indeed!
20:55 < nox> There is now a route from the iPhone to 10.81.1.233 for http
20:55 < nox> But VPN fails :(
20:58 < nox> It's hard to know what's going on because there's so much noise on a tcpdump
20:58 < wedge> ufo stopped pinging
20:59 < nox> entirely my fault, I kicked the power cord out
20:59 < nox> It'll be back in just a second
20:59 < wedge> ok, just paranoid thinking the problem had returned
20:59 < wedge> yep, it is back
20:59 < nox> If you're working with VPN, the shared secret is cookie
21:00 < nox> the username is nsr1 and will accept any password
21:00 < wedge> ok
21:01 < wedge> where are you tcpdumping, on athens01?
21:01 < nox> Even if I'm tailing /var/log/messages I'm not seeing anything VPNish
21:01 < nox> yeah, tcpdump is on athens01
21:01 < nox> To setup the VPN I followed this guide: http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/
21:01 < wedge> what is the IP of your client device?
21:01 < nox> 10.81.1.101
21:02 < nox> (iPhone)
21:02 < wedge> 1.101, or 5.101?
21:02 < nox> good catch
21:02 < nox> 10.81.5.101
21:02 < wedge> try connecting to the VPN with the iPhone
21:02 < wedge> I'm doing a tcpdump
21:03 < nox> Alright here we are
21:03 < nox> fail
21:03 < nox> Again
21:03 < wedge> yeah, seeing nothing
21:03 < nox> fail
21:04 < nox> ipsec is definitely running
21:05 < nox> As is xl2tpd
21:07 < nox> brb
21:09 < nox> back
21:12 < wedge> your iPhone is on ufo's network?
21:12 < nox> Yeah
21:12 < wedge> for server, you put in 10.81.1.233
21:13 < nox> Yup: http://picasaweb.google.com/nixterrimus/Lab#5534754249785342002
21:15 < nox> I see that ubuntu's built in firewall is deactivated
21:15 < nox> that's good
21:16 < wedge> shouldn't be preventing traffic (but you never know)--- you have nat_traversal enabld in /etc/ipsec.conf
21:16 < wedge> might want to flip that to a no and restart it
21:16 < wedge> at the moment, you're not nat traversing
21:16 < wedge> everyone has a "real" IP
21:17 < nox> I think nat_traversal is supposed to be enabled in ipsec.conf and it looks like it is
21:17 < nox> I built strongswan with the nat_traversal enabled
21:18 < nox> I think it needs to be enabled for the VPN to work, should I try it with nat_traversal off?
21:21 < wedge> yeah, nat_traversal is an option to enable openswan to work with a connection through a NAT
21:21 < nox> Alright, let's try flipping it to off and restarting strongswan
21:21 < wedge> like a roadrunner connection with only 1 IP serving a network of machines behind it
21:21 < wedge> like I said, I don't see how it could be preventing operation, but it is something out of place, so worth trying
21:22 < nox> Gotcha, won't that eventually be us when we have 1 137.238 address as an entry?
21:22 < nox> Alright, I
21:22 < nox> Alright, I've turned it off and rebooted
21:22 < nox> and still no luck with the iPhone
21:22 < wedge> yeah, we will then
21:23 < nox> but right now, not a big deal
21:30 < nox> Ok
21:30 < nox> There is something happening
21:30 < nox> Listening on port 500 or 4500
21:30 < nox> sudo tcpdump -i eth0 -n -p udp port 500 or udp port 4500
21:30 < nox> I'll br back right back
21:42 < wedge> I'm going to head out shortly
21:42 < wedge> if you are back soonish... I'm tcpdumping with those parameters... give it a shot, I'd like to see what's happening
21:43 < nox> Alright I'm going trying to connect
21:43 < nox> and making noise
21:43 < wedge> indeed
21:44 < wedge> so traffic is being received
21:44 < wedge> and sent
21:44 < nox> yes
21:44 < wedge> did this happen before the nat_traversal?
21:44 < nox> I don't know I didn't learn about this command until just before I sent it to you
21:45 < nox> should I change the nat_traversal parameter?
21:45 < wedge> interestingly, it would appear some NAT'ing may be happening on the UFO side
21:45 < wedge> as the traffic is coming from 10.81.1.246
21:45 < wedge> which is UFO's presence on the dslab.lan 10.81.1.x network
21:46 < nox> But since ipsec is good with anyone connecting that shouldn't matter should it?
21:46 < wedge> correct
21:46 < wedge> I do wonder if traffic is being passed back to the iPhone as it should be
21:47 < wedge> are you getting any indication on the iPhone as to any level of communication?
21:47 < nox> No, it's pretty useless as an indicator
21:47 < wedge> might be worth setting up your Mac to do it
21:47 < wedge> see if it can generate you some client side log messages
21:47 < nox> it just says Connecting... and then The l2TP-VPN Server did not respond. Try reconnecting or contact your admin, etc
21:48 < wedge> yeah, IF ufo isn't properly routing the return packets back, I could see that being an issue (needing some "firewall" rules, if only for NAT)
21:48 < wedge> but, we don't have enough information to make that determination
21:49 < wedge> trying it with your Mac, if it can produce logs, might be more telling
21:49 < wedge> hmmm
21:49 < wedge> something different
21:49 < wedge> port 1?
21:49 < nox> The mac is talking
21:49 < wedge> purely 1 way
21:50 < wedge> at least, not talking back on 500 or 4500
21:50 < wedge> two-way.... same as before... any logs on the Mac to speak of?
21:51 < nox> http://gist.github.com/659161
21:51 < nox> nothing really interesting
21:51 < nox> basically "connection failed"
21:51 < wedge> hmmm
21:53 < nox> I is in and R is return?
21:54 < wedge> could be
21:55 < wedge> how are you restarting/starting openswan?
21:55 < wedge> some /etc/init.d script?
21:55 < wedge> or something more manual?
21:55 < nox> init.d
21:55 < wedge> just xl2tpd ?
21:56 < wedge> does that handle everything?
21:56 < nox> ipsec and then xl2tpd
21:57 < wedge> try connecting again
21:58 < nox> Just tried the mac
21:58 < nox> same error messages in the log
21:58 < wedge> hmmm
21:59 < nox> the ipsec command looks interesting
21:59 -!- Irssi: Pasting 7 lines to #lair. Press Ctrl-K if you wish to do this or Ctrl-C to cancel.
21:59 < nox> sudo ipsec status
21:59 < nox> [sudo] password for user:
21:59 < nox> 000 "L2TP": 10.81.1.233:17/1701---10.81.1.1...%any:17/%any==={0.0.0.0/0}; unrouted; eroute owner: #0
21:59 < nox> 000 "L2TP": newest ISAKMP SA: #0; newest IPsec SA: #0;
21:59 < nox> 000
21:59 < nox> Security Associations: none
21:59 < nox> Not entirely sure what the output means but it looks like there's an ipsec tunnel available
21:59 < wedge> where you seeing that?
22:00 < wedge> on the mac?
22:00 < nox> on athens01
22:00 < wedge> hey... did you look in /var/log/auth.log ?
22:00 < wedge> there's some interesting things in there about no preshared key found
22:00 < nox> Where do you see that?
22:01 < wedge> tail -f /var/log/auth.log
22:01 < wedge> and try connecting
22:01 -!- Irssi: Pasting 8 lines to #lair. Press Ctrl-K if you wish to do this or Ctrl-C to cancel.
22:01 < nox> sudo ipsec secrets
22:01 < nox> 002 forgetting secrets
22:01 < nox> 002 loading secrets from "/etc/ipsec.secrets"
22:01 < nox> 002 loading secrets from "/var/lib/strongswan/ipsec.secrets.inc"
22:01 < nox> 002 loaded private key file '/etc/ipsec.d/private/athens01Key.pem' (1675 bytes)
22:01 < nox> 002 loaded shared key for 0.0.0.0 10.81.1.223
22:01 < nox> 002 loaded shared key for 0.0.0.0 10.81.1.233
22:01 < nox> 003 "/etc/ipsec.secrets" line 12: PSK data malformed (input does not begin with format prefix): \342\200\234cookie"
22:01 < nox> Line 12
22:01 < nox> :)
22:01 < wedge> it's something
22:02 < nox> 10.81.1.233 %any: PSK “cookie"
22:04 < nox> after redoing the line I get
22:04 < nox> unable to start strongSwan -- fatal errors in config
22:04 < wedge> yeah, I was testing something real quick
22:05 < wedge> remove the plutodebug=yes line and save it
22:05 < wedge> I was about to do it, but it looks like you got in there
22:05 < nox> I don't see that line
22:05 < nox> Can you do it?
22:05 < wedge> yep, got it, started it
22:05 < wedge> try connecting again
22:06 < nox> Connection still fails
22:06 < nox> (mac)
22:06 < wedge> mmm.... many more interesting things though
22:07 < nox> What are you looking at?
22:07 < wedge> tail -f /var/log/auth.log /var/log/daemon.log
22:07 < wedge> both auth and daemon
22:07 < wedge> there's at least some activity now (I guess you fixed the malformed psk problem?)
22:08 < nox> maybe, what's this: Nov 1 22:07:24 athens01 charon: 07[CFG] line 12: missing ' : ' separator
22:08 < wedge> that's a good one
22:08 < wedge> we'd need to find the charon config
22:08 < wedge> where-ever that is
22:09 < nox> Also no connection has been authorized with policy=PSK
22:09 < wedge> I just glanced at /etc/ipsec.conf and /etc/xl2tpd/xl2tpd.conf ... nothing that appears to be missing a ':' on or around line 12
22:09 < wedge> the no authorized connection is a good sign though
22:09 < wedge> it means it is at least trying things
22:09 < wedge> we'd need to look at figuring out how to authorize something
22:10 < nox> Right now it's authorizing by shared secret and charon config
22:10 < nox> err
22:10 < nox> /etc/xl2tpd/l2tp-secrets:
22:10 < nox> not charon config
22:10 < wedge> all blank?
22:11 < nox> Well that's a problem
22:11 < wedge> indeed
22:11 < nox> I added a user
22:12 < nox> * ** * nsr1 *
22:13 < nox> Maybe I need to restart ipsec
22:13 < wedge> give it a shot
22:13 < nox> More progress!
22:14 < wedge> indeed
22:14 < nox> This looks like good news: Nov 1 22:13:32 athens01 pluto[23823]: "L2TP"[2] 10.81.1.246 #2: IPsec SA established {ESP=>0x085175f8 <0xb4dde234}
22:14 < wedge> aye
22:15 < wedge> however, I must be off for now
22:15 < wedge> at least it is going more, if in fits and starts
22:15 < nox> Nov 1 22:15:21 athens01 pluto[23823]: packet from 10.81.1.246:1: initial Main Mode message received on 10.81.1.233:500 but no connection has been authorized with policy=PSK
22:15 < wedge> try googling some of that
22:15 < wedge> I did earlier and there were results
22:16 < wedge> might have to cherry pick a bit to find something useful
22:16 < nox> but in /etc/ipsec.conf:
22:16 < nox> conn L2TP authby=psk pfs=no
22:16 < nox> key phrase authby=psk
22:16 < wedge> maybe there is another component still missing?
22:17 < wedge> good luck!
22:17 < nox> Thanks, we're closer
22:17 < nox> :)
22:19 < nox> YES!!!
22:19 < nox> I'm conneted
22:19 < nox> with a weird IP
22:19 < nox> but anyway
22:20 < nox> The key was setting no connection has been authorized with policy=PSK
22:20 < nox> I'm connected with both my Mac and my iPhone!
22:20 < nox> haha!
22:21 < nox> I'm not sure if you just headed out but we're in, it's working
22:22 < nox> Phase one - Test OpenSwan: Complete!
22:23 < nox> Probably the nat traversal had to be turned on because I compiled strongswan with that option
22:34 < nox> Phase two: This whole setup needs to move to a dedicated computer with two ethernet ports, right?
22:35 < nox> Then get that working, then to work on LDAP as an authentication scheme
22:35 < nox> Sweet!
22:36 < nox> I'm pleased with the progress we've made tonight, now I'm going to work on my WEP research for a couple of hours
22:36 -!- You're now known as _nox
23:15 < _nox> Work in Progress: http://www.offbyone.lan/user/nsr1/open_swan_vpn
End of Lastlog
user/nsr1/open_swan_vpn/discussion.txt · Last modified: 2010/11/01 23:20 by nsr1