Hope admin

From ProgClub
Revision as of 18:00, 5 August 2011 by John (talk | contribs)
Jump to: navigation, search

This page chronicles the administrative changes to hope.progclub.net. If you make an administrative change you should document the change here. Changes are logged he in reverse chronological order with a time-stamp in the form YYYY-MM-DD hh:mm. You can use the time from whatever timezone you are in, or UTC if you're cool, but use 24 hour time. Don't worry if the changes you make have a time-stamp that is less than a time-stamp later in the page, put the latest changes at the top. Put a link to your wiki user account before the time-stamp so we know who's doing what. See the Administrative Reference for other information.

John 2011-08-05 16:59

Disabling IPSec

Can't get it to work. Commented out /etc/network/if-up.d/ip and removed the policies from /etc/ipsec-tools.conf.

John 2011-08-04 23:38

Installing Kerberos client

jj5@hope:~$ sudo -s
[sudo] password for jj5:
root@hope:~# apt-get install krb5-user krb5-config
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  bind9-host geoip-database libbind9-60 libdns64 libgeoip1 libgssrpc4 libisc60
  libisccc60 libisccfg60 libkadm5clnt-mit7 liblwres60
Suggested packages:
  geoip-bin krb5-doc
The following NEW packages will be installed:
  bind9-host geoip-database krb5-config krb5-user libbind9-60 libdns64
  libgeoip1 libgssrpc4 libisc60 libisccc60 libisccfg60 libkadm5clnt-mit7
  liblwres60
0 upgraded, 13 newly installed, 0 to remove and 0 not upgraded.
Need to get 2161kB of archives.
After this operation, 5325kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libgeoip1 1.4.6.dfsg-17 [109kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libisc60 1:9.7.0.dfsg.P1-1 [169kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main libdns64 1:9.7.0.dfsg.P1-1 [690kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/main libisccc60 1:9.7.0.dfsg.P1-1 [29.4kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/main libisccfg60 1:9.7.0.dfsg.P1-1 [52.6kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid/main libbind9-60 1:9.7.0.dfsg.P1-1 [34.1kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid/main liblwres60 1:9.7.0.dfsg.P1-1 [47.9kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid/main bind9-host 1:9.7.0.dfsg.P1-1 [68.2kB]
Get:9 http://archive.ubuntu.com/ubuntu/ lucid/main geoip-database 1.4.6.dfsg-17 [658kB]
Get:10 http://archive.ubuntu.com/ubuntu/ lucid/main krb5-config 2.2 [23.0kB]
Get:11 http://archive.ubuntu.com/ubuntu/ lucid/main libgssrpc4 1.8.1+dfsg-2 [81.4kB]
Get:12 http://archive.ubuntu.com/ubuntu/ lucid/main libkadm5clnt-mit7 1.8.1+dfsg-2 [62.0kB]
Get:13 http://archive.ubuntu.com/ubuntu/ lucid/main krb5-user 1.8.1+dfsg-2 [137kB]
Fetched 2161kB in 2s (891kB/s)
Preconfiguring packages ...
Selecting previously deselected package libgeoip1.
(Reading database ... 15611 files and directories currently installed.)
Unpacking libgeoip1 (from .../libgeoip1_1.4.6.dfsg-17_amd64.deb) ...
Selecting previously deselected package libisc60.
Unpacking libisc60 (from .../libisc60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package libdns64.
Unpacking libdns64 (from .../libdns64_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package libisccc60.
Unpacking libisccc60 (from .../libisccc60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package libisccfg60.
Unpacking libisccfg60 (from .../libisccfg60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package libbind9-60.
Unpacking libbind9-60 (from .../libbind9-60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package liblwres60.
Unpacking liblwres60 (from .../liblwres60_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package bind9-host.
Unpacking bind9-host (from .../bind9-host_1%3a9.7.0.dfsg.P1-1_amd64.deb) ...
Selecting previously deselected package geoip-database.
Unpacking geoip-database (from .../geoip-database_1.4.6.dfsg-17_all.deb) ...
Selecting previously deselected package krb5-config.
Unpacking krb5-config (from .../krb5-config_2.2_all.deb) ...
Selecting previously deselected package libgssrpc4.
Unpacking libgssrpc4 (from .../libgssrpc4_1.8.1+dfsg-2_amd64.deb) ...
Selecting previously deselected package libkadm5clnt-mit7.
Unpacking libkadm5clnt-mit7 (from .../libkadm5clnt-mit7_1.8.1+dfsg-2_amd64.deb) ...
Selecting previously deselected package krb5-user.
Unpacking krb5-user (from .../krb5-user_1.8.1+dfsg-2_amd64.deb) ...
Processing triggers for man-db ...
Setting up libgeoip1 (1.4.6.dfsg-17) ...

Setting up libisc60 (1:9.7.0.dfsg.P1-1) ...

Setting up libdns64 (1:9.7.0.dfsg.P1-1) ...

Setting up libisccc60 (1:9.7.0.dfsg.P1-1) ...

Setting up libisccfg60 (1:9.7.0.dfsg.P1-1) ...

Setting up libbind9-60 (1:9.7.0.dfsg.P1-1) ...

Setting up liblwres60 (1:9.7.0.dfsg.P1-1) ...

Setting up bind9-host (1:9.7.0.dfsg.P1-1) ...
Setting up geoip-database (1.4.6.dfsg-17) ...
Setting up krb5-config (2.2) ...

Setting up libgssrpc4 (1.8.1+dfsg-2) ...

Setting up libkadm5clnt-mit7 (1.8.1+dfsg-2) ...

Setting up krb5-user (1.8.1+dfsg-2) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added krb5.conf
Committed revision 13.
Package configuration



┌──────────────────┤ Configuring Kerberos Authentication ├──────────────────┐
│ When users attempt to use Kerberos and specify a principal or user name   │
│ without specifying what administrative Kerberos realm that principal      │
│ belongs to, the system appends the default realm.  The default realm may  │
│ also be used as the realm of a Kerberos service running on the local      │
│ machine.  Often, the default realm is the uppercase version of the local  │
│ DNS domain.                                                               │
│                                                                           │
│ Default Kerberos version 5 realm:                                         │
│                                                                           │
│ PROGCLUB.ORG_____________________________________________________________ │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
Package configuration





  ┌────────────────┤ Configuring Kerberos Authentication ├─────────────────┐
  │ Enter the hostnames of Kerberos servers in the PROGCLUB.ORG Kerberos   │
  │ realm separated by spaces.                                             │
  │                                                                        │
  │ Kerberos servers for your realm:                                       │
  │                                                                        │
  │ kerberos.progclub.org_________________________________________________ │
  │                                                                        │
  │                                 <Ok>                                   │
  │                                                                        │
  └────────────────────────────────────────────────────────────────────────┘
Package configuration





┌──────────────────┤ Configuring Kerberos Authentication ├──────────────────┐
│ Enter the hostname of the administrative (password changing) server for   │
│ the PROGCLUB.ORG Kerberos realm.                                          │
│                                                                           │
│ Administrative server for your Kerberos realm:                            │
│                                                                           │
│ kerberos.progclub.org____________________________________________________ │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘

John 2011-07-30 18:05

Configuring IPSec

jj5@hope:~$ sudo -s
[sudo] password for jj5:
root@hope:~# apt-get install racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  racoon
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/433kB of archives.
After this operation, 1217kB of additional disk space will be used.
Committing to: /etc/
modified ipsec-tools.conf
modified ipsec-tools.conf.bak
added iptables.up.rules
Committed revision 10.
Preconfiguring packages ...
Selecting previously deselected package racoon.
(Reading database ... 15611 files and directories currently installed.)
Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up racoon (1:0.7.1-1.6ubuntu1) ...
Starting IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@hope:~# cd /etc/network/if-pre-up.d/
root@hope:/etc/network/if-pre-up.d# ll
total 12
drwxr-xr-x 2 root root 4096 Apr 22  2010 ./
drwxr-xr-x 6 root root 4096 Apr 22  2010 ../
-rwxr-xr-x 1 root root  348 Dec 21  2009 ethtool*
root@hope:/etc/network/if-pre-up.d# vim iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
root@hope:/etc/network/if-pre-up.d# vim ip
#!/bin/sh
# Charity
ip route add 67.207.128.184 dev eth0 advmss 200
# Honesty
ip route add 67.207.129.103 dev eth0 advmss 200
root@hope:/etc/network/if-pre-up.d# chmod +x iptables ip
root@hope:/etc/network/if-pre-up.d# ll
total 20
drwxr-xr-x 2 root root 4096 Jul 30 08:11 ./
drwxr-xr-x 6 root root 4096 Apr 22  2010 ../
-rwxr-xr-x 1 root root  348 Dec 21  2009 ethtool*
-rwxr-xr-x 1 root root  126 Jul 30 08:11 ip*
-rwxr-xr-x 1 root root   58 Jul 30 08:09 iptables*
root@hope:/etc/network/if-pre-up.d# cd /etc
root@hope:/etc# vim iptables.up.rules
*filter
#  Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Drop all traffic to 127/8 that does use lo0
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#  Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
#  Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Accept anything from charity
-A INPUT -s 67.207.128.184 -j ACCEPT
# Accept anything from honesty
-A INPUT -s 67.207.129.103 -j ACCEPT
# Allow MySQL connections from John's house
-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow MySQL connections from localhost
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#-A INPUT -j LOG --log-prefix "iptables debug: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
root@hope:/etc# vim ipsec-tools.conf
# Hope/Charity security policy
spdadd 67.207.130.204 67.207.128.184 any -P out ipsec
       esp/transport//require
       ah/transport//require;
spdadd 67.207.128.184 67.207.130.204 any -P in ipsec
       esp/transport//require
       ah/transport//require;
# Hope/Honesty security policy
spdadd 67.207.130.204 67.207.129.103 any -P out ipsec
       esp/transport//require
       ah/transport//require;
spdadd 67.207.129.103 67.207.130.204 any -P in ipsec
       esp/transport//require
       ah/transport//require;
root@hope:/etc# vim racoon/psk.txt
# Charity
67.207.128.184 <secret>
# Honesty
67.207.129.103 <secret>
root@hope:/etc# ll racoon/psk.txt
-rw------- 1 root root 95 Jul 30 08:21 racoon/psk.txt
root@hope:/etc# vim racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote anonymous {
       exchange_mode main,aggressive;
       proposal {
               encryption_algorithm aes;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }
       generate_policy off;
}
sainfo anonymous {
       pfs_group modp768;
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}
#log debug2;
root@hope:/etc# vim racoon/racoon.conf
root@hope:/etc# /etc/init.d/racoon stop
Stopping IKE (ISAKMP/Oakley) server: racoon.
root@hope:/etc# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@hope:/etc# /etc/init.d/racoon start
Starting IKE (ISAKMP/Oakley) server: racoon.
root@hope:/etc# etckeeper commit "Configured IPSec"
Committing to: /etc/
modified ipsec-tools.conf
modified iptables.up.rules
added network/if-pre-up.d/ip
added network/if-pre-up.d/iptables
modified racoon/psk.txt
modified racoon/racoon.conf
Committed revision 11.
root@hope:/etc# /etc/network/if-pre-up.d/ip
RTNETLINK answers: File exists

That ought to do it!

...it didn't do it.

root@hope:~# apt-get remove racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  racoon
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 1217kB disk space will be freed.
Do you want to continue [Y/n]?
(Reading database ... 15675 files and directories currently installed.)
Removing racoon ...
Stopping IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@hope:~# dd if=/dev/random count=24 bs=1| xxd -ps
root@hope:~# dd if=/dev/random count=24 bs=1| xxd -ps
root@hope:~# dd if=/dev/random count=20 bs=1| xxd -ps
root@hope:~# dd if=/dev/random count=20 bs=1| xxd -ps
root@hope:~# vim /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
# Flush the SAD and SPD
flush;
spdflush;
# Charity/Hope configuration
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 67.207.128.184 67.207.130.204 esp 1 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.130.204 67.207.128.184 esp 2 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# AH SAs using 160 bit long keys
add 67.207.128.184 67.207.130.204 ah 3 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.130.204 67.207.128.184 ah 4 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# Security policies
spdadd 67.207.130.204 67.207.128.184 any -P out ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.128.184 67.207.130.204 any -P in ipsec
        esp/transport//require
        ah/transport//require;
# Hope/Honesty configuration
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 67.207.130.204 67.207.129.103 esp 9 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.130.204 esp 10 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# AH SAs using 160 bit long keys
add 67.207.130.204 67.207.129.103 ah 11 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.130.204 ah 12 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# Security policies
spdadd 67.207.130.204 67.207.129.103 any -P out ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.129.103 67.207.130.204 any -P in ipsec
        esp/transport//require
        ah/transport//require;
root@hope:~# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@hope:~# cd /etc/network
root@hope:/etc/network# ls
if-down.d  if-post-down.d  if-pre-up.d  if-up.d  interfaces
root@hope:/etc/network# mv if-pre-up.d/ip if-up.d/
root@hope:/etc/network# if-up.d/ip
root@hope:/etc# etckeeper commit "Configured IPSec"
Committing to: /etc/
modified ipsec-tools.conf
missing network/if-pre-up.d/ip
modified network/if-pre-up.d/ip
added network/if-up.d/ip
Committed revision 12.

The other end of the connections have been configured on charity and honesty.

Works!

John 2011-07-30 09:45

Configuring racoon

See the Charity Admin section for the other half of the configuration.

# vim /etc/racoon/psk.txt
# Charity
67.207.128.184 <secret>
# vim /etc/racoon/racoon.conf
remote 67.207.128.184 {
       exchange_mode main,aggressive;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }
       generate_policy off;
}
sainfo address 67.207.128.184[any] any address 67.207.128.184/32[any] any {
       pfs_group modp768;
       encryption_algorithm 3des;
       authentication_algorithm hmac_md5;
       compression_algorithm deflate;
}
# vim /etc/ipsec-tools.conf
# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P in ipsec
       esp/transport//require
       ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P out ipsec
       esp/transport//require
       ah/transport//require;
root@hope:/etc/racoon# /etc/init.d/racoon stop
Stopping IKE (ISAKMP/Oakley) server: racoon.
root@hope:/etc/racoon# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@hope:/etc/racoon# /etc/init.d/racoon start
Starting IKE (ISAKMP/Oakley) server: racoon.

John 2011-07-30 01:49

Adding user jj5

I had hoped to have LDAP and SSO operational before adding users to the any user machines, but it looks like there's nothing for it. Debuggin IPSec is a pain, and I need to login to hope all the time, and I'm sick of typing in the long random root password.

root@hope:~# adduser jj5
Adding user `jj5' ...
Adding new group `jj5' (1000) ...
Adding new user `jj5' (1000) with group `jj5' ...
Creating home directory `/home/jj5' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jj5
Enter the new value, or press ENTER for the default
        Full Name []: John Elliot
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]
root@hope:~# gpasswd -a jj5 sudo
Adding user jj5 to group sudo

John 2011-07-30 00:04

Installing racoon

Having some trouble with IPSec, going to try using racoon.

root@hope:/etc# apt-get install racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  racoon
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 433kB of archives.
After this operation, 1217kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main racoon 1:0.7.1-1.6ubuntu1 [433kB]
Fetched 433kB in 1s (377kB/s)
Committing to: /etc/
modified .etckeeper
modified ipsec-tools.conf
added ipsec-tools.conf.bak
Committed revision 7.
Preconfiguring packages ...
Selecting previously deselected package racoon.
(Reading database ... 15606 files and directories currently installed.)
Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up racoon (1:0.7.1-1.6ubuntu1) ...
Generating /etc/default/racoon...
Starting IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added racoon
added default/racoon
added init.d/racoon
added racoon/psk.txt
added racoon/racoon-tool.conf
added racoon/racoon.conf
added rc1.d/K89racoon
added rcS.d/S40racoon
Committed revision 8.

The install prompted for Package configuration information, and I choose the 'direct' configuration method (the default) over 'racoon-tool', the other option.

 ┌──────────────────────────┤ Configuring racoon ├──────────────────────────┐
 │ Racoon can be configured two ways, either by directly editing            │
 │ /etc/racoon/racoon.conf or using the racoon-tool administrative front    │
 │ end. racoon-tool is now deprecated and is only available for backward    │
 │ compatibility. New installations should always use the "direct" method.  │
 │                                                                          │
 │ Configuration mode for racoon IKE daemon.                                │
 │                                                                          │
 │                               direct                                     │
 │                               racoon-tool                                │
 │                                                                          │
 │                                                                          │
 │                                  <Ok>                                    │
 │                                                                          │
 └──────────────────────────────────────────────────────────────────────────┘

John 2011-07-29 00:13

Installing IPSec

# apt-get install ipsec-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ipsec-tools
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 111kB of archives.
After this operation, 274kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main ipsec-tools 1:0.7.1-1.6ubuntu1 [111kB]
Fetched 111kB in 0s (157kB/s)
Selecting previously deselected package ipsec-tools.
(Reading database ... 15571 files and directories currently installed.)
Unpacking ipsec-tools (from .../ipsec-tools_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up ipsec-tools (1:0.7.1-1.6ubuntu1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added ipsec-tools.conf
added default/setkey
added init.d/setkey
added rcS.d/S37setkey
Committed revision 2.
# vim /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#
# Flush the SAD and SPD
flush;
spdflush;
# AH SAs using 128 bit long keys
add 67.207.128.184 67.207.130.204 ah 0x200 -A hmac-md5
        0x<ah_1>;
add 67.207.130.204 67.207.128.184 ah 0x300 -A hmac-md5
        0x<ah_2>;
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 67.207.128.184 67.207.130.204 esp 0x201 -E 3des-cbc
        0x<esp_1>;
add 67.207.130.204 67.207.128.184 esp 0x301 -E 3des-cbc
        0x<esp_2>;
# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P in ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P out ipsec
        esp/transport//require
        ah/transport//require;
# sudo chmod 750 /etc/ipsec-tools.conf
# sudo /etc/init.d/setkey start
* Loading IPsec SA/SP database from /etc/ipsec-tools.conf:              [ OK ]
$ sudo etckeeper commit "Configured IPSec between charity and hope"
Committing to: /etc/
modified .etckeeper
modified ipsec-tools.conf
Committed revision 3.

Done!

John 2011-07-29 00:12

Installing Etckeeper

Per the instructions,

# apt-get install etckeeper

That was it. The output was too extensive to report here.

John 2011-07-25 19:41

The hope.progclub.org slice has has been created, and the host added to to the DNS zones, but apart from that it's not configured presently.