
Wed, 18 Oct 2006 6:26 PM

Akismet Under Load?

Michael Dale
Akismet Timeout

I've been getting a few Akismet timeouts lately, which may be one of the reasons why some spam is making it onto this site. I should do a check against that.

Mon, 09 Oct 2006 11:57 PM

Spam

Michael Dale
Far too much spam on this site: I'm getting about 100 a day blocked by Akismet, although a few are still getting through.

Anyway I've upped the spam level to maximum, meaning that anything detected as spam is not accepted (no comment moderation).

Bluetrait Spam Filtering

I do need to improve this still.


Wed, 27 Sep 2006 7:07 PM

Racoon to Netscreen VPN (site to site)

Michael Dale
This howto shows you how to create a site-to-site VPN with a Netscreen and Racoon. If you're interested in setting up a dial-up VPN, see here.

Background

My Place
  • Netscreen 5GT running ScreenOS 5.4.0r1 (Should be the same process for any netscreen running ScreenOS 5.x)
  • Local Network of 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)
  • External Address of 59.167.253.89
Josh's Place
  • Gentoo running Racoon (I think it was installed through the command emerge ipsec)
  • Local Network of 10.0.11.0/24 (10.0.11.0 - 10.0.11.255)
  • Dynamic IP Address (we setup a dyndns address as the Netscreen supports pointing to a hostname)

Site to Site VPN (Josh's network to my network)

Step 1)

Set up a DynDNS address for the Linux end (as it is using a dynamic IP address), and use this address in the hostname option when setting up the Netscreen (see next step).

Step 2)


The next step is to setup a site to site vpn on the Netscreen. I've covered this process here (only do Setting up the Netscreen, Note that example uses 10.0.4.0 as the remote network not 10.0.11.0).

Step 3)

Install Racoon on the Linux/BSD box (I'm not going to cover this, as it is a different process for almost every distro, although most distros have some form of package management).

Step 4)

Set up racoon.conf. Now for this process we used a combination of:
So our config looks like:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/ipsec.conf";

padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}

# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.

# timer for waiting to complete each phase.
phase1 30 sec;
phase2 30 sec;
}

remote 59.167.253.89 {
exchange_mode main;
doi ipsec_doi;
situation identity_only;
my_identifier address;
peers_identifier address;
verify_identifier off;
lifetime time 28800 seconds;
initial_contact on;
passive off;
proposal_check obey;
support_mip6 on;
generate_policy off;
nonce_size 16;
proposal {
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
}

sainfo address 10.0.11.0/24 any address 10.0.0.0/22 any {
pfs_group modp1024;
lifetime time 3600 seconds;
encryption_algorithm des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

#listen {
# isakmp 10.0.11.15;
#}

log debug2;

Things to note:
  • remote 59.167.253.89 (The ip address of the external interface on my netscreen)
  • exchange_mode main (Remember we set the Netscreen Phase 1 to main mode)
  • my_identifier address; (The external IP address of the linux box is used as the identifier)
  • lifetime time 28800 seconds (Phase 1 lifetime)
  • encryption_algorithm des (Phase 1 DES encryption)
  • hash_algorithm md5 (Phase 1 MD5)
  • authentication_method pre_shared_key (We're using a preshared key)
  • dh_group modp1024 (On the netscreen DH Group 2)
  • sainfo address 10.0.11.0/24 any address 10.0.0.0/22 (From Josh's network to my network)
  • pfs_group modp1024 (Again DH Group 2)
  • lifetime time 3600 seconds (Phase 2 lifetime)
  • encryption_algorithm des (Phase 2 encryption)
  • authentication_algorithm hmac_md5 (Phase 2 MD5)

Step 5)

Setup ipsec.conf

So our config looks like:

flush;
spdflush;
spdadd 10.0.0.0/22 10.0.11.0/24 any -P in ipsec esp/tunnel/59.167.253.89-10.0.11.15/require;
spdadd 10.0.11.0/24 10.0.0.0/22 any -P out ipsec esp/tunnel/10.0.11.15-59.167.253.89/require;

You'll just need to change the IP addresses to suit your setup.

Step 6)

Set up psk.txt.

So our config looks like:
59.167.253.89 our_preshared_key

Change the IP address to your Netscreen's external interface and change the pre-shared key to the one used when setting up the Netscreen.

Step 7)

Test. Use both ends to debug and test.

Wed, 27 Sep 2006 6:45 PM

Racoon to Netscreen VPN (dialup)

Michael Dale
So last night Bryn's sister's boyfriend (Josh) and I set up a VPN between our two houses. Josh is currently running Gentoo, while I'm using a Netscreen 5GT.

Background

My Place
  • Netscreen 5GT running ScreenOS 5.4.0r1 (Should be the same process for any netscreen running ScreenOS 5.x)
  • Local Network of 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)
  • External Address of 59.167.253.89
Josh's Place
  • Gentoo running Racoon (I think it was installed through the command emerge ipsec)
  • Local Network of 10.0.11.0/24 (10.0.11.0 - 10.0.11.255)
  • Dynamic IP Address (we setup a dyndns address as the Netscreen supports pointing to a hostname)

So I'll go through the process of setting up the dial-up VPN first.

Dial-up VPN (Single PC at Josh's Place accessing my network)

Step 1)

The first step is to set up a dial-up VPN on the Netscreen. I've covered this process here (only do the "Setting up the Netscreen" section).

Step 2)

Install Racoon on the Linux/BSD box (I'm not going to cover this, as it is a different process for almost every distro, although most distros have some form of package management).

Step 3)

Set up racoon.conf. Now for this process we used a combination of:
So our config looks like:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/ipsec.conf";

padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}

# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.

# timer for waiting to complete each phase.
phase1 30 sec;
phase2 30 sec;
}

remote 59.167.253.89 {
exchange_mode aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier fqdn "Test.User";
peers_identifier address;
verify_identifier off;
lifetime time 28800 seconds;
initial_contact on;
passive off;
proposal_check obey;
support_mip6 on;
generate_policy off;
nonce_size 16;
proposal {
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
}

sainfo address 10.0.11.15/32 any address 10.0.0.0/22 any {
pfs_group modp1024;
lifetime time 3600 seconds;
encryption_algorithm des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

listen {
isakmp 10.0.11.15;
}

log debug2;

Things to note:
  • remote 59.167.253.89 (The ip address of the external interface on my netscreen)
  • exchange_mode aggressive (Remember we set the Netscreen Phase 1 to aggressive)
  • my_identifier fqdn "Test.User" (The IKE Identity)
  • lifetime time 28800 seconds (Phase 1 lifetime)
  • encryption_algorithm des (Phase 1 DES encryption)
  • hash_algorithm md5 (Phase 1 MD5)
  • authentication_method pre_shared_key (We're using a preshared key)
  • dh_group modp1024 (On the netscreen DH Group 2)
  • sainfo address 10.0.11.15/32 any address 10.0.0.0/22 (From Josh's Internal Linux PC ip address to my network. Remember that the dial-up vpn is just for one pc on Josh's side)
  • pfs_group modp1024 (Again DH Group 2)
  • lifetime time 3600 seconds (Phase 2 lifetime)
  • encryption_algorithm des (Phase 2 encryption)
  • authentication_algorithm hmac_md5 (Phase 2 MD5)
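
As an added example (my code, not from the post or the Racoon project), here is a Python script that parses a racoon.conf like the one above and the one in the site-to-site post, extracts the Phase 1 and Phase 2 parameters that have to agree with the Netscreen side (mode, algorithms, DH group, lifetimes), and flags the settings both configs rely on that are weak by current standards: single DES, MD5 and HMAC-MD5, DH group 2 (modp1024), and aggressive mode combined with a pre-shared key. The embedded config is a constructed excerpt of the dial-up configuration above; the WEAK table, MATCH_KEYS and the function names are my own.

```python
import re

# Constructed excerpt mirroring the dial-up racoon.conf in the post
# (the site-to-site one differs only in exchange_mode, identifier and sainfo).
SAMPLE_RACOON_CONF = """
path pre_shared_key "/etc/racoon/psk.txt";

remote 59.167.253.89 {
exchange_mode aggressive;
my_identifier fqdn "Test.User";
lifetime time 28800 seconds;   # Phase 1 lifetime
proposal {
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
}

sainfo address 10.0.11.15/32 any address 10.0.0.0/22 any {
pfs_group modp1024;
lifetime time 3600 seconds;    # Phase 2 lifetime
encryption_algorithm des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
"""

# Settings this check reports, keyed by racoon.conf directive (my list, not racoon's)
WEAK = {
    "encryption_algorithm": {"des": "single DES (56-bit key)"},
    "hash_algorithm": {"md5": "MD5"},
    "authentication_algorithm": {"hmac_md5": "HMAC-MD5"},
    "dh_group": {"modp768": "DH group 1 (768-bit)", "modp1024": "DH group 2 (1024-bit)"},
    "pfs_group": {"modp768": "DH group 1 (768-bit)", "modp1024": "DH group 2 (1024-bit)"},
}

# Directives that must agree with the Netscreen's Phase 1 / Phase 2 settings
MATCH_KEYS = ("exchange_mode", "encryption_algorithm", "hash_algorithm",
              "authentication_algorithm", "authentication_method", "dh_group", "pfs_group")


def parse_racoon(text):
    """Yield (section_path, directive, values) for each 'directive values;' statement.

    section_path is the tuple of enclosing block headers, e.g.
    ('remote 59.167.253.89', 'proposal'). '#' comments are stripped first.
    """
    text = re.sub(r"#.*", "", text)
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)
    stack, pending = [], []
    for tok in tokens:
        if tok == "{":                 # block header is everything read so far
            stack.append(" ".join(pending))
            pending = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":               # end of a statement
            if pending:
                yield tuple(stack), pending[0], pending[1:]
            pending = []
        else:
            pending.append(tok)


def phase_summary(text):
    """Return (phase1, phase2) dicts of the parameters that have to match the Netscreen."""
    phase1, phase2 = {}, {}
    for section, key, values in parse_racoon(text):
        if section and section[0].startswith("remote"):
            target = phase1
        elif section and section[0].startswith("sainfo"):
            target = phase2
        else:
            continue
        if key == "lifetime" and len(values) > 1:   # 'lifetime time 28800 seconds'
            target["lifetime"] = values[1]
        elif key in MATCH_KEYS and values:
            target[key] = values[0]
    return phase1, phase2


def audit_racoon(text):
    """Return findings (strings) for weak algorithms and for aggressive mode with a PSK."""
    findings = []
    phase1, _ = phase_summary(text)
    for section, key, values in parse_racoon(text):
        if section and key in WEAK and values and values[0] in WEAK[key]:
            findings.append(f"{' > '.join(section)}: {key} {values[0]} uses {WEAK[key][values[0]]}")
    if (phase1.get("exchange_mode") == "aggressive"
            and phase1.get("authentication_method") == "pre_shared_key"):
        findings.append("remote: aggressive mode with a pre-shared key sends the IKE identity "
                        "in the clear and exposes a PSK-derived hash to eavesdroppers; use a "
                        "long random PSK, or main mode where the peer allows it")
    return findings


if __name__ == "__main__":
    p1, p2 = phase_summary(SAMPLE_RACOON_CONF)
    print("Phase 1:", p1)
    print("Phase 2:", p2)
    for finding in audit_racoon(SAMPLE_RACOON_CONF):
        print("-", finding)
```

Run it directly to print the two phase summaries (compare them line by line against the Netscreen gateway and AutoKey IKE pages) and the findings for the sample. The aggressive-mode finding is the one to act on first when the dial-up peer cannot use main mode: the identity and a hash derived from the pre-shared key travel unencrypted in aggressive mode, so a short or guessable PSK is the weak point, and a long random PSK is the mitigation.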

Step 4)

Setup ipsec.conf

So our config looks like:

#!/usr/sbin/setkey -f
#nat_traversal=yes
flush;
spdflush;
#out
spdadd 10.0.11.15/32 10.0.0.0/22 any
-P out ipsec esp/tunnel/10.0.11.15-59.167.253.89/require;
#in

spdadd 10.0.0.0/22 10.0.11.15/32 any
-P in ipsec esp/tunnel/59.167.253.89-10.0.11.15/require;

You'll just need to change the IP addresses to suit your setup.
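
As an added example (my code, not part of the post or of ipsec-tools), here is a Python check for the two spdadd policies above and the pair in the site-to-site post: it parses the setkey statements (written on one line or split across lines, as above), confirms that every out policy has an in policy with the selector addresses and tunnel endpoints swapped, that the local tunnel endpoint is the same across all policies, and that the level is require rather than use. The embedded config is a constructed copy of the dial-up ipsec.conf above; parse_spd and check_spd are my names.

```python
import re

# Constructed ipsec.conf mirroring the dial-up setkey script in the post
SAMPLE_IPSEC_CONF = """#!/usr/sbin/setkey -f
flush;
spdflush;
#out
spdadd 10.0.11.15/32 10.0.0.0/22 any
-P out ipsec esp/tunnel/10.0.11.15-59.167.253.89/require;
#in
spdadd 10.0.0.0/22 10.0.11.15/32 any
-P in ipsec esp/tunnel/59.167.253.89-10.0.11.15/require;
"""

# spdadd <src> <dst> <upperspec> -P <dir> ipsec <proto>/tunnel/<tsrc>-<tdst>/<level>
SPDADD = re.compile(
    r"^spdadd (\S+) (\S+) (\S+) -P (in|out) ipsec (\w+)/tunnel/([^-\s]+)-(\S+?)/(\w+)$"
)


def parse_spd(text):
    """Return one dict per spdadd statement; statements end at ';' and may span lines."""
    text = re.sub(r"#.*", "", text)          # drops comments and the '#!' line
    policies = []
    for stmt in text.split(";"):
        m = SPDADD.match(" ".join(stmt.split()))   # collapse newlines/indent
        if m:
            src, dst, proto, direction, ipsec_proto, tun_src, tun_dst, level = m.groups()
            policies.append({"src": src, "dst": dst, "proto": proto, "dir": direction,
                             "ipsec": ipsec_proto, "tun_src": tun_src,
                             "tun_dst": tun_dst, "level": level})
    return policies


def _mirrors(a, b):
    """True when b is a's policy for the opposite direction: selector and tunnel swapped."""
    return (a["src"] == b["dst"] and a["dst"] == b["src"] and a["proto"] == b["proto"]
            and a["tun_src"] == b["tun_dst"] and a["tun_dst"] == b["tun_src"])


def check_spd(policies):
    """Return a list of problems; an empty list means the policy set is consistent."""
    problems = []
    outs = [p for p in policies if p["dir"] == "out"]
    ins = [p for p in policies if p["dir"] == "in"]

    for o in outs:
        if not any(_mirrors(o, i) for i in ins):
            problems.append(f"out {o['src']} -> {o['dst']} has no mirrored 'in' policy")
    for i in ins:
        if not any(_mirrors(i, o) for o in outs):
            problems.append(f"in {i['src']} -> {i['dst']} has no mirrored 'out' policy")

    # The local end is the tunnel source of every out policy and the tunnel
    # destination of every in policy; more than one candidate means a typo.
    local = {o["tun_src"] for o in outs} | {i["tun_dst"] for i in ins}
    if len(local) > 1:
        problems.append(f"local tunnel endpoint is ambiguous: {sorted(local)}")

    # 'require' drops traffic when no SA is up; 'use' silently sends it in the clear.
    for p in policies:
        if p["level"] != "require":
            problems.append(f"{p['dir']} {p['src']} -> {p['dst']} uses level "
                            f"'{p['level']}'; only 'require' refuses cleartext without an SA")
    return problems


if __name__ == "__main__":
    for p in parse_spd(SAMPLE_IPSEC_CONF):
        print(p)
    print(check_spd(parse_spd(SAMPLE_IPSEC_CONF)) or "policies are consistent")
```

The level is the security-relevant part of each line: with require, packets matching the selector are dropped while no SA exists; with use they are sent unencrypted, so a tunnel that has quietly failed keeps "working" without any protection.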

Step 5)

Set up psk.txt.

So our config looks like:
59.167.253.89 our_preshared_key

Change the IP address to your Netscreen's external interface and change the pre-shared key to the one used when setting up the Netscreen.

Step 6)

Test. Use both ends to debug and test.

Sat, 23 Sep 2006 2:39 PM

Internet Upgrade

Michael Dale

We're finally making use of Annex M with a modem that correctly supports it, so we now have about 2 Mbit/s of upload bandwidth (with 18 Mbit/s down).

annex m

The bandwidth usage can be seen here


Sat, 09 Sep 2006 12:59 PM

DNS Report update

Michael Dale

Too many times have I seen websites that have DNS hosted on one box. cPanel has been one of the main culprits, with its highly dodgy way of mapping two IP addresses to one box and then calling them NS1.example.com and NS2.example.com.

The main problem with doing this is email. Say your server goes offline: any email addressed to it is dropped outright (and not held in a mail queue), because the address cannot be found through DNS.

DNS Report, a great site for checking all sorts of DNS issues, has recently been upgraded to detect this fault. Very useful.
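
As an added example (my code, not DNS Report's), here is a small Python check for the single-box pattern the post describes: given the nameserver names for a zone and the addresses they resolve to, it reports when there is only one server, when the names share an address, or when every address sits in one /24. The address data is constructed sample data, not a live lookup, and the prefix test is a heuristic (DNS alone cannot prove two addresses are one machine).

```python
import ipaddress

# Constructed NS -> address data, not live lookups. SAME_BOX mimics the cPanel
# pattern from the post: ns1 and ns2 are two addresses on one machine.
SAME_BOX = {"ns1.example.com": ["203.0.113.10"], "ns2.example.com": ["203.0.113.11"]}
DIVERSE = {"ns1.example.com": ["203.0.113.10"], "ns2.example.net": ["198.51.100.7"]}


def ns_diversity_findings(ns_to_ips, prefix_len=24):
    """Return findings about how much real redundancy a set of nameservers offers.

    Two nameservers inside one /24 almost always share a link or a host, which
    is the single point of failure the post describes, so that case is flagged.
    """
    findings = []
    if len(ns_to_ips) < 2:
        findings.append("only one nameserver is listed")
    addrs = {ipaddress.ip_address(a) for ips in ns_to_ips.values() for a in ips}
    if len(addrs) < 2:
        findings.append("all nameserver names resolve to the same address")
        return findings
    nets = {ipaddress.ip_network(f"{a}/{prefix_len}", strict=False) for a in addrs}
    if len(nets) < 2:
        findings.append(f"all nameserver addresses sit in one /{prefix_len} ({nets.pop()}); "
                        "one outage takes every nameserver down")
    return findings


if __name__ == "__main__":
    for label, data in (("same box", SAME_BOX), ("diverse", DIVERSE)):
        print(label, ns_diversity_findings(data) or ["ok"])
```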


Thu, 07 Sep 2006 10:52 AM

New Server

Michael Dale

We've finally got all the hardware ready and setup for the new server:

  • Dual Athlon MP 1800+
  • 2 GB ECC DDR RAM
  • 3x 80 GB SATA in RAID 5 for boot, on a HighPoint 1640
  • 3x 300 GB SATA in RAID 5 for data, on a RaidCore 4852

So yeah. Our new file/mail/sharepoint server!


PCs

Fri, 01 Sep 2006 7:25 PM

IPsecuritas VPN Client

Michael Dale
The IPsecuritas website is back online with two new versions (A Universal Version of 2 and a new Beta 3 version).

IPsecuritas is a great free VPN Client for the Mac and is what we use to connect them to our Netscreen VPN.

Unfortunately their website no longer works (is it gone?) and it has become hard to get the software.

I've decided to mirror version 3b6. This version seems to be the latest out. It is a Universal Binary and, although in beta, is very stable on my MacBook.

Click here to download

Fri, 01 Sep 2006 6:59 PM

Setting up a dial-up VPN to connect to a Netscreen

Michael Dale

I've been getting lots of hits to the post about a site-to-site VPN setup with a Netscreen. So I've decided to do one for a dial-up VPN user connecting to a Netscreen.

A dial-up user is anyone who needs access into the network and has a dynamic ip address. We don't wish to be able to access them (the dial-up user) from within the network. This is how we setup most connections at work. This allows people to access file shares and outlook (without the need to setup RPC over HTTP).

Background

  • Netscreen 5GT running ScreenOS 5.4.0r1 (Should be the same process for any netscreen running ScreenOS 5.x)
  • Netscreen Remote 8.7 (The Windows VPN client)
  • Local Network (the one in which the vpn users want to access) of 10.0.0.0/22 (10.0.0.0 - 10.0.3.255)
  • External Address of 59.167.253.89

Setting up the Netscreen

1) First we need to create a user. This can be found in Objects -> Users -> Local (Note: follow the screenshot below; you don't need a password here, but you do need the IKE User info).

Adding user to the netscreen

So we have our user, Test.User

2) Create Phase 1 of the VPN tunnel. This can be found in VPNs -> AutoKey Advanced -> Gateway (Note: Security level is set to custom, password for VPN is entered here, Outgoing interface is your untrust interface).

Adding Phase 1 of VPN policy

3) Now we'll modify the advanced settings. Click Advanced (Note: We're using DES and MD5 here. Mode is set to Aggressive)

Phase 1 VPN

Now click return and okay to save your settings.

4) Now we'll create the Phase 2 information. This can be found in VPNs -> AutoKey IKE (Note: Security level is set to custom, Remote Gateway is set to "Test.UserP1")

VPN Phase 2

5) Now we'll modify the advanced settings. Click Advanced (Note: We're using DES and MD5 here. Replay Protection is on)

VPN Phase 2

Now click return and okay to save your settings.

6) Now we'll need to create a policy. This will go from untrust to trust. This can be found in Policies.

Netscreen Policies

Click New (Note: Source Address is Any-IPv4, or just Any if IPv6 is disabled; Destination Address is your local subnet; tunnel the connection through the VPN user "Test.UserP2")

Netscreen Policy

Now the Netscreen has been setup.

Setting up Netscreen Remote

1) Open the policy editor in Netscreen Remote

Netscreen Remote 1

2) Create a new connection (Note: Type in the remote subnet details and set the secure gateway to your netscreens external address)

Netscreen Remote 2

3) Now we'll setup the login details (Note: The Certificate is None, The ID Type is Domain Name and the value is "Test.User")

Netscreen Remote 3

4) Now click Pre-Shared Key (Note: Type in the password you used when setting up the connection in the netscreen)

Netscreen Remote 4

5) Now we'll set the connection to aggressive (Note: Enable PFS, DH is Group 2 and Enable Replay Detection)

Netscreen Remote 5

6) Now we'll setup the Phase 1 details (Note: We're using DES and MD5 here. SA Life is 28800 seconds)

Netscreen Remote 6

7) Now we'll setup the Phase 2 details (Note: The SA Life here is 3600 Seconds)

Netscreen Remote 7

8) Save the settings and Test!

That should be all you need to do.

Notes

  • The VPN may not work behind some NAT routers. You can try turning on NAT-T within the netscreen, although I find it doesn't normally work (newer versions such as 5.4 and 6.x seem to work just fine).
  • Make sure the details in the Netscreen and Netscreen Remote match (i.e. Phase 1 policies, etc.)
  • You can check the logs from both Netscreen and Netscreen Remote
  • You cannot connect to the VPN while within the local subnet
  • Netscreen Remote should be disabled when you're directly connected to the network
  • Only traffic for the subnet is passed over the VPN.

Fri, 23 Jun 2006 11:06 AM

Exams Over

Michael Dale

I finished my last exam yesterday morning. Awesome, five weeks off uni!


Uni