NFS/LTSP, L2TP-over-IPSec, RH9 so far
ardent was nice enough to remind me that I hadn’t made an entry in a while. Indeed, I think Movable Type moved all entries off my front page, which actually made my front page unusable and nasty. I had to search Google for some stuff I was trying to find in my own web log; how embarrassing. Thanks ardent.
Want some tips? How’s this: when using NFS, at least when NFS-booting an LTSP client, put the client’s IP in /etc/hosts. The client’s IP might be handed out by DHCP, so put an entry for every IP in the DHCP range in /etc/hosts. The symptom of the client’s IP not being in /etc/hosts is the client sending a storm (flood, spam, search engines pick up these words please!) of NFS mount requests to your server, and probably some lines about “authenticated mount request” in /var/log/messages. My LTSP clients were just sitting there at “mounting root filesystem” or something like that. The server would get massively slow because it was being flooded with packets so quickly. Network traffic over those ports? Forget about it while the NFS mount request flood is happening. This one took me a while to figure out; thanks to dh.
More tips. I’m trying the VPN thing once again. Someone wants your typical “road warrior” VPN configuration. Now I’m trying L2TP-over-IPSec, which is apparently supported by Windows 2000 and Windows XP out of the box. Additionally, MS distributes a client for Win95/98/ME to do it. L2TP-over-IPSec seems kind of silly to me — and to others — primarily because it’s like we’re encapsulating PPP in L2TP in IPSec, or something like that. It’s just a bunch of shit that doesn’t need to be in the way. Win2k generates this “automatic” IPSec policy when it goes to set up an L2TP connection. (You can disable this automatic policy by creating a REG_DWORD value named ProhibitIpSec under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters and setting it to 1. I did this when I was playing with creating my own IPSec policies.) When FreeS/WAN gets a connection from an L2TP/IPSec client that’s being NATed, it says it’s getting a rightsubnet (assuming the server is left and the road warrior is right) parameter of <private ip>/32, where <private ip> is the client’s internal address. I am told by the nice people on #freeswan (FreeNode) that this is a result of IPSec “passthru” [sic]. The way to get around this is to use the X.509 patch — which you supposedly have to use with Win2k L2TP anyway because it doesn’t support PSK — and add a parameter like rightsubnetwithin=0/0 to your /etc/ipsec.conf. This tells FreeS/WAN that a rightsubnet matching 0/0 (a.k.a. anything) is just fine. The connection gets matched, your IPSec session sets up, and now you can worry about how the fuck you’re going to get l2tpd or rp-l2tp up and running.
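Here is what the rightsubnetwithin trick looks like in context, as an added example of an /etc/ipsec.conf conn for an X.509-patched FreeS/WAN server taking NATed Win2k/XP L2TP clients; this is not from the original post. The server address, certificate file name and conn name are placeholders I made up; only rightsubnetwithin, the left/right roles and L2TP over UDP 1701 come from the post.

```conf
# Added example, not the post's own config: FreeS/WAN (X.509 patch) conn for
# Windows 2000/XP L2TP/IPSec road warriors behind NAT.
config setup
	interfaces=%defaultroute
	klipsdebug=none
	plutodebug=none

conn l2tp-roadwarrior
	# Server is "left" (placeholder address and cert name).
	left=203.0.113.10
	leftcert=server.pem
	leftrsasigkey=%cert
	# Only the L2TP control/data channel (UDP 1701) rides inside IPSec.
	leftprotoport=17/1701
	# Road warrior is "right": any address, authenticated by a cert we trust.
	right=%any
	rightrsasigkey=%cert
	rightprotoport=17/1701
	# A NATed client proposes its private address (<private ip>/32) as the
	# rightsubnet; rightsubnetwithin accepts any proposed subnet so the conn
	# still matches. The post writes this as 0/0; the long form is equivalent.
	rightsubnetwithin=0.0.0.0/0
	authby=rsasig
	# The Windows client does not propose PFS in quick mode.
	pfs=no
	auto=add
```

Check the match with "ipsec auto --status" after loading it; a client that is refused for a subnet mismatch shows up in /var/log/secure (or wherever pluto logs) before this parameter is added, and is accepted after.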
I haven’t even gotten to the point of the L2TP server software setup yet. It’s going to require me dicking with pppd, it looks like. I never liked pppd much; we confused each other a lot. IP allocation, if you’re into that sort of thing, looks like a pain with L2TP as well. None of the Linux solutions seem to support anything spiffy, if anything at all, directly from the daemon. Apparently pppd doesn’t even help you much here. It sounds like your options are using RADIUS and the pppd RADIUS plug-in, or maybe DHCP and the newer DHCP pppd plug-in. I’m quite tempted to just hack around in l2tpd myself. I’ll tell you this much: I’m not running dhcpd in an instance of UML. That is just silly.
I’ve been using RH9 as my main desktop now for a week or two. Or something like that. I haven’t touched my old RH box in that time, really, so I think that means it’s probably safe to format. I like RH9. The fonts seem to get kind of blurry to you sometimes, and you feel like maybe you’ve had too many nice-looking fonts or something. Like maybe they’re too nice looking. I hooked up with the freshrpms.net APT repository yesterday, and it updated my shit nicely. (I notice that the new glibc updates for both RH 8.0 and 9.0 do a restart of the sshd service.) The fact that Mozilla seems to have two clipboards (one with the middle mouse button, one with shift-insert) is bugging me; not a RH9 issue, but just something I thought of. I think I’m having some issues with gnome-terminal and selections; it seems like it’s too greedy, especially with double clicking to select entire words and such. I also had to turn off the blinking cursor, since sometimes a window’s cursor would get “stuck blinking” and keep blinking even when it had lost focus, which was distracting. Other than that, I can’t think of anything major to report.
I’m up doing remote support for an all night install at four car dealerships in Gastonia tonight. I forgot to do the /etc/hosts trick on one of their LTSP servers, which is what made me think of that. I’m also trying dhcrelay for the first time. I’ll note that Reynolds and Reynolds seems to be using Linux (RH 7.1 on the box I found) for some of their products. Maybe I’ll try and get some sleep at some point.