April 23, 2003

Here I go again on my own (VPN)

So I’m trying to do a road warrior configuration again. Choices are basically SSH Sentinel ($120/license, IIRC) or L2TP-over-IPSec. I’m trying the latter right now since it’s free and what most clients would prefer.

Here are some rebuttals for other things you might be considering. No CIPE, as it supposedly doesn’t support XP yet. Win2K (and I think XP) built-in IPSec isn’t happening easily, since a tunnel requires you to enter the — dynamic! — IP of the Windows box as the tunnel endpoint for one of the two tunnel rules you need. Cisco IPSec client appears to fuck up with trying to do its own Cisco (or maybe IETF draft) authentication that FreeS/WAN isn’t having. PGPNet client is, like, gone. Last I tried the SafeNet client it was slower than balls — and they don’t have a trial for download on their web site. PPTP is out because, as near as I can tell, it still has the same flaws that it always has.

(FYI, I found some information on people basically scripting the tunnel endpoint part. The Windows 2000 VPN Tool could be used to do it; just run it once at every start-up — maybe. I don’t know if it supports filling in the Win2K box’s IP automatically or not. Kaspar Brand has a script for modifying the IPSec policy with the Win2K box’s IP. Adam Lambert has another script for filling in the Win2K box’s dynamic IP to the IPSec policy.)

So now that we’ve got that out of the way. I’ve got the IPSec part of L2TP-over-IPSec working (I think). The L2TP part is perhaps being a pain right now, though. rp-l2tp is getting EAGAIN from recvfrom when it tries to read the packets that are coming in on the L2TP port on ipsec0. It’s not just rp-l2tp’s l2tpd though, it’s netcat as well. netcat actually sits in a blocking recvfrom whereas l2tpd does a select that gets woken up and then calls recvfrom; both get EAGAIN, though, and I can’t immediately tell why. tcpdump was able to capture the entire packet body, as near as I can tell. I suppose iptables could be a problem; may need to check it out. May also try l2tpd.

I’m a bit concerned about getting addresses out to the clients still. l2tpd might actually be better at giving out addresses than rp-l2tp, since I think rp-l2tp requires you to have a DHCP server and use the mysterious DHCP plug-in for pppd.

Remind me to buy a Cisco VPN concentrator.

Been playing with LISP some more. defmethod is way cool. Things in LISP seem to “just work.” Also, it feels like LISP has been doing things for years the ways that other languages have only recently begun doing things. Naturally the other languages try to convince you that it’s some sort of revelation, I think. Using stuff like :before and :around in defmethod feels much like AOP for whatever reason.

I’m talking out of my ass. THPPT THPPT FAAART. Time for bed.

April 17, 2003

NFS/LTSP, L2TP-over-IPSec, RH9 so far

ardent was nice enough to remind me that I hadn’t made an entry in a while. Indeed, I think Movable Type moved all entries off my front page, which actually made my front page unusable and nasty. I had to search Google for some stuff I was trying to find in my own web log; how embarrassing. Thanks ardent.

Want some tips? How’s this: when using NFS, at least NFS booting from an LTSP client, put the client’s IP in /etc/hosts. Symptom of the client’s IP (which might be obtained from DHCP, so put an entry for every IP in the range in /etc/hosts) not being in /etc/hosts is the client sending a storm (flood, spam, search engines pick up these words please!) of NFS mount requests to your server, and probably some lines about “authenticated mount request” in /var/log/messages. My LTSP clients were just sitting there at “mounting root filesystem” or something like that. The server would get massively slow because it was being flooded with packets so quickly. Network traffic over those ports? Forget about it while the NFS mount request flood is happening. This one took me a while to figure out; thanks to dh.

More tips. I’m trying the VPN thing once again. Someone wants your typical “road warrior” VPN configuration. Now I’m trying L2TP-over-IPSec, which is apparently supported by Windows 2000 and Windows XP out of the box. Additionally, MS distributes a client for Win95/98/ME to do it. L2TP-over-IPSec seems kind of silly to me – and to others — primarily because it’s like we’re encapsulating PPP in L2TP in IPSec, or something like that. It’s just a bunch of shit that doesn’t need to be in the way. Win2k generates this “automatic” IPSec policy when it goes to set up an L2TP connection. (You can disable this automatic policy by creating the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\ProhibitIpSec as a REG_DWORD value and setting it to 1. I did this when I was playing with creating my own IPSec policies.) When FreeS/WAN gets a connection from an L2TP/IPSec client that’s being NATed, it says it’s getting a rightsubnet (assuming the server is left and the road warrior is right) parameter of <private ip>/32 where <private ip> is the client’s internal address. I am told by the nice people on #freeswan (FreeNode) that this is a result of IPSec “passthru” [sic]. The way to get around this is to use the X.509 patch — which you supposedly have to use with Win2k L2TP anyway because it doesn’t support PSK — and add a parameter like rightsubnetwithin=0/0 to your /etc/ipsec.conf. This tells FreeS/WAN that a rightsubnet matching 0/0 (a.k.a. anything) is just fine. The connection gets matched, your IPSec session sets up, and now you can worry about how the fuck you’re going to get l2tpd or rp-l2tp up and running.
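Here is what that road-warrior conn looks like when written out as an /etc/ipsec.conf stanza for FreeS/WAN with the X.509 patch; this is an added illustration, not the author’s actual config. The conn name and the certificate file name (vpnserver.pem) are made up; the only thing specific to the NATed-client problem described above is the rightsubnetwithin line.

```ini
# Added example: FreeS/WAN + X.509 patch, server is "left", Windows
# L2TP/IPSec road warrior is "right". Assumed names: the conn name and
# vpnserver.pem (a host certificate placed in /etc/ipsec.d/certs).
conn l2tp-roadwarrior
    # Windows L2TP/IPSec needs certificates (no PSK), so authenticate
    # with RSA signatures from X.509 certs on both sides.
    authby=rsasig
    # Server side: pick the interface from the default route and
    # present our own certificate.
    left=%defaultroute
    leftcert=vpnserver.pem
    leftrsasigkey=%cert
    # Client side: any source address, any certificate signed by a
    # CA we trust (the X.509 patch checks the chain in /etc/ipsec.d/cacerts).
    right=%any
    rightrsasigkey=%cert
    # A NATed client proposes <private ip>/32 as its "subnet"; without
    # this line the proposal matches no conn and negotiation fails.
    # rightsubnetwithin accepts any rightsubnet inside the given range,
    # so 0/0 means "whatever the client claims".
    rightsubnetwithin=0/0
    # Load the conn at startup and wait for the client to initiate.
    auto=add
```

Because the client can claim any subnet here, keep the real access control on the L2TP/PPP layer and in iptables on ipsec0, not on the IPSec selector.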

I haven’t even gotten to the point of the L2TP server software setup yet. It’s going to require me dicking with pppd, it looks like. I never liked pppd much; we confused each other a lot. IP allocation, if you’re into that sort of thing, looks like a pain with L2TP as well. None of the Linux solutions seem to support anything spiffy, if anything at all, directly from the daemon. Apparently pppd doesn’t even help you much here. It sounds like your options are using RADIUS and the pppd RADIUS plug-in, or maybe DHCP and the newer DHCP pppd plug-in. I’m quite tempted to just hack around in l2tpd myself. I’ll tell you this much: I’m not running dhcpd in an instance of UML. That is just silly.

I’ve been using RH9 as my main desktop now for a week or two. Or something like that. I haven’t touched my old RH box in that time, really, so I think that means it’s probably safe to format. I like RH9. The fonts seem to get kind of blurry to you sometimes, and you feel like maybe you’ve had too much nice looking fonts or something. Like maybe they’re too nice looking. I hooked up with the freshrpms.net APT repository yesterday, and it updated my shit nicely. (I notice that the new glibc updates for both RH 8.0 and 9.0 do a restart of the sshd service.) The fact that Mozilla seems to have two clipboards (one with middle mouse button, one with shift-insert) is bugging me; not a RH9 issue, but just something I thought of. I think I’m having some issues with gnome-terminal and selections; it seems like it’s too greedy, especially with double clicking to select entire words and such. I also had to turn off the blinking cursor, since sometimes a window’s cursor would get “stuck blinking” and keep blinking even when it had lost focus, which was distracting. Other than that, I can’t think of anything major to report.

I’m up doing remote support for an all night install at four car dealerships in Gastonia tonight. I forgot to do the /etc/hosts trick on one of their LTSP servers, which is what made me think of that. I’m also trying dhcrelay for the first time. I’ll note that Reynolds and Reynolds seems to be using Linux (RH 7.1 on the box I found) for some of their products.

Maybe I’ll try and get some sleep at some point.

April 4, 2003

Random bits

Keeping up with a web log is hard. Therefore today you get random bits.

I’ve installed RH9. I had some problems that I initially blamed on RH9, but I think in the end I’ve decided it was some bad/incompatible memory. RH9 is nice enough.

To get Gnome usable, go back to Sawfish! It’s included, just not installed by default; you need Sawfish and rep-gtk from disc 3, then librep from disc 2 IIRC. Once you’ve installed Sawfish, run gnome-session-properties. Remove Metacity from your current session and hit apply. Now rejoice because you have no window manager. Now go to the session startup tab (or something like that; the last tab) and tell it to start Sawfish, order 30 (I think; maybe it was 20?). Save or apply if there are buttons to do so. Close gnome-session-properties. Log out, log back in. Sawfish is now your window manager. Now run gnome-session-properties again and… remove Sawfish from startup programs. If you don’t do this it seems Gnome tries to start Sawfish twice? Close session properties. Log out and make sure to save your session. Now when you log back in you should still have Sawfish. Rejoice again, then run sawfish-ui to get your (almost) familiar Sawfish configuration options.

No need to change window managers in Gnome, indeed! Bastards.

Note that the above worked for me, but I think it was playing with gconf-editor some too. I found the schemas section in gconf-editor, and I get the idea this may show all potential keys that whatever application has registered. Poking around in my GConf registry (*snicker* registry *snicker*) I found that Nautilus has a show_desktop key (or something like that) in its preferences “branch” (or whatever it’s called). I set that to 0 and no more stupid icons on my desktop. Of course… Nautilus went away too. I am not necessarily upset about this. I also found some Gnome default_window_manager key or something that I set to Sawfish. I have no idea what effect changing this key had, if any.

If you run a Half-Life server, it seems typing stuffcmds at the console is… bad. Type it on a full server and see what I mean. Sadist.

There are already errata for RH9.

The Creative Nomad Jukebox 3 is a hard disk MP3 player that has a digital input. It is capable of recording to WAV format at 48 kHz. I find this cool. Unfortunately it is unsuitable for any kind of activity, due to its hard disk and too small buffer. The iPod supposedly has a big enough buffer so you can jog with it, but do you really want to jog with a hard disk? Sounds like a lot of stress on the disk. I’m almost resigned to getting a tiny MP3 player/FM radio with removable media for active stuff, and then getting a Nomad Jukebox 3 for recording. DAT is expensive, including portable DAT players. I wish MD would just allow me to get the digital audio off in a nice manner (with track boundaries, etc.).

I tried KDE for a bit, but found a few annoying things I decided I couldn’t live without. KWin had no option to show the dimensions of the window that was being resized (Sawfish does). I couldn’t seem to get an alt-tab setting that worked like Sawfish (raise window temporarily, display name of window in the middle of the screen, alt-tab starts with the last window that had focus). The task bar boxes would fade out the text towards the edge of the box if the contents wouldn’t fit in the box. KDE is nice though. I used Konqueror extensively today, thanks to Andy’s suggestion. I liked it mostly, though I had a few problems. I suspect it is leaps and bounds better than Nautilus. I suggest Nautilus analyze this claim and, if found to be true, immediately surrender and start working on Konq. I also got freaked out when the KDE screen saver kept running after I started typing my password, and the CPU was apparently so loaded that KDE/X/someone was losing keystrokes. It made typing in my password tricky.

Actually, keep your mitts off of Konq. I’ve seen what some of you guys have done to the rest of Gnome. I think you’re all in league together. Just make everything else in Gnome integrate nicely with Konq.

Fonts in RH9 are very pretty.

I read all about the X-Files story arc at The Ultimate X-Files Information Complex. Unfortunately I found a bunch of stuff in The X-Files that was inconsistent and/or didn’t make sense. I read one person who said that Chris Carter made up the plot as he was going, pretty much. That ass bandit. Get your shit together, like the guy that made Babylon 5. We don’t need everyone walking around bleeding green. This was balanced out, somewhat, by learning that it is probable that Mulder and Scully got together. On one hand that’s kind of like giving in, but on the other hand… awwww. Yay.

Spring has strange effects on me. I suspect it does on other people too. Spring rolls around and you start thinking about love — or maybe just lust. You can get restless. You start thinking about the past, thinking about other people you’ve known. The change in climate is so drastic that it prods your brain to recall what you were doing and who you were with on the day spring broke through from every year in your past. It’s kind of nice. It makes me kind of crazy though. Sometimes I’m afraid I’ll snap, and Spring’s craziness doesn’t help.

I think that’s enough for tonight. I need to get e-mail working on my new RH9 box. Then maybe I’ll put FreeBSD on my old box.