Difference between revisions of "IPSec"

From ProgClub
 
(24 intermediate revisions by 2 users not shown)
Line 1: Line 1:
IPSec is a project to get IPSec working between hosts on the ProgClub network.
+
IPSec is a project to get IPSec working between hosts on the ProgClub network. For other projects see [[Projects]].
  
Links for IPSec related information:
+
== Project status ==
 +
 
 +
Cancelled. Too hard. Didn't get IKE working with racoon, but that was no big deal, we only have three hosts so manual keying is no drama. Had SSH and HTTP connectivity after configuring MSS values of 200 in order to get IPSec packets through, prior to that they were being dropped; but couldn't get Kerberos connectivity. An MSS of 200 is really low, so there would have been perf issues. But, even an MSS of 100 wouldn't solve the Kerberos connectivity issue, so I give up.
 +
 
 +
== Contributors ==
 +
 
 +
Members who have contributed to this project. Newest on top.
 +
 
 +
* [[User:John|John]]
 +
 
 +
All contributors have agreed to the terms of the [[ProgClub:Copyrights#ProgClub_projects|Contributor License Agreement]]. This excludes any upstream contributors who tend to have different administrative frameworks.
 +
 
 +
== Collaborators ==
 +
 
 +
The following people have helped, but don't have any claim on the project's copyright.
 +
 
 +
* The Slicehost support team
 +
* [[IPSec#Offers_of_help.21|Zanchey]]
 +
 
 +
== Copyright ==
 +
 
 +
Copyright 2011, [[IPSec#Contributors|Contributors]]. Licensed under the [[New BSD]] license.
 +
 
 +
== Links ==
 +
 
 +
=== IPSec related information ===
  
 
* [https://help.ubuntu.com/community/IPSecHowTo IPSecHowTo], these are the original instructions I followed.
 
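Review bot: the MSS workaround described in the Project status paragraph cannot reach Kerberos if its traffic is UDP, which would account for neither 200 nor 100 helping. MSS is a TCP option negotiated in the SYN, so clamping it shrinks TCP segments only; a UDP datagram (Kerberos clients normally try UDP port 88 first and fall back to TCP only when a message is too large) leaves at whatever size the application builds, and if ESP packets above some size were being dropped, those datagrams hit the same drop. That distinction is worth recording next to "prior to that they were being dropped", together with where the drop happened (a local iptables rule or the path MTU), since that is the thing actually in need of fixing. Separately, "manual keying is no drama" deserves a caveat: manually keyed SAs never rekey, so the static keys stay in use until someone replaces them by hand.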
Line 9: Line 34:
 
* [http://ipsec-tools.sourceforge.net/checklist.html IPsec-Tools Checklist]
 
 
* [http://forums.gentoo.org/viewtopic-t-860494-start-0.html (Solved!) UMA, IPSec Tunnels, and IPTables no worky...]
 
 +
* [http://www.ipsec-howto.org/x299.html Linux Kernel 2.6 using KAME-tools]
 +
* [http://www.netbsd.org/docs/network/ipsec/#pitfalls NetBSD IPsec FAQ - Pitfalls]
 +
* [http://www.netbsd.org/docs/network/ipsec/#IPsecFAQ NetBSD IPsec FAQ - IPSec FAQ]
 +
 +
=== IPTables related information ===
 +
 
* [http://serverfault.com/questions/78240/debugging-rules-in-iptables Debugging rules in Iptables (closed)]
 
 
* [http://forums.gentoo.org/viewtopic-t-845820-start-0.html (solved) iptables : logging dropped packets]
 
 
* [http://www.linuxquestions.org/questions/linux-networking-3/netfilter-iptables-log-file-format-553556/ netfilter/iptables log file format]
 
 +
* [http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#LOGTARGET Iptables Tutorial 1.2.2 - LOG]
 +
 +
=== Racoon related information ===
 +
 +
* [http://blog.moopsfc.com/37/2006/08/23/how-to-add-an-ipsec-connection-on-ubuntu-dapper/ how to add an ipsec connection on ubuntu dapper]
 +
* [http://manpages.ubuntu.com/manpages/lucid/man5/racoon.conf.5.html racoon.conf file format]
 +
 +
=== TCP/IP related information ===
 +
 
* [http://www.faqs.org/rfcs/rfc793.html RFC 793 - Transmission Control Protocol]
 
* [http://www.ipsec-howto.org/x299.html Linux Kernel 2.6 using KAME-tools]
 
* [http://www.netbsd.org/docs/network/ipsec/#pitfalls NetBSD IPsec FAQ - Pitfalls]
 
* [http://www.netbsd.org/docs/network/ipsec/#IPsecFAQ NetBSD IPsec FAQ - IPSec FAQ]
 
 
* [http://en.wikipedia.org/wiki/Maximum_segment_size Maximum segment size]
 
* [http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#LOGTARGET Iptables Tutorial 1.2.2 - LOG]
+
* [http://en.wikipedia.org/wiki/Maximum_transmission_unit Maximum transmission unit]
 +
* [http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC]
  
Google searches:
+
=== Google searches ===
  
 
* [http://www.google.com.au/search?q=allowing+ipsec+traffic+through+iptables&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a allowing ipsec traffic through iptables]
 
Line 29: Line 67:
 
* [http://www.google.com.au/search?hl=en&client=firefox-a&hs=2h9&rls=org.mozilla%3Aen-US%3Aofficial&channel=np&q=configuring+ipsec-tools+ubuntu&oq=configuring+ipsec-tools+ubuntu&aq=f&aqi=&aql=&gs_sm=e&gs_upl=66648l67615l0l67878l6l6l0l0l0l0l223l896l1.3.2l6l0 configuring ipsec-tools ubuntu]
 
 
* [http://www.google.com.au/search?hl=en&client=firefox-a&hs=QLw&rls=org.mozilla%3Aen-US%3Aofficial&q=disabling+iptables+ubuntu&oq=disabling+iptables+ubuntu&aq=f&aqi=g-b1&aql=&gs_sm=e&gs_upl=920133l921565l0l921817l7l4l0l0l0l0l726l1653l2-1.2.6-1l4l0 disabling iptables ubuntu]
 
 +
* [http://www.google.com.au/search?q=configuring%20racoon%20ubuntu&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&source=hp&channel=np configuring racoon ubuntu]
 +
* [http://www.google.com.au/search?hl=en&client=firefox-a&hs=BCh&rls=org.mozilla:en-US:official&sa=X&ei=n4QzToehLczrmAXbkYDxCg&ved=0CBoQvwUoAQ&q=ipsec+maximum+segment+size&spell=1&biw=1198&bih=672 ipsec maximum segment size]
  
Forums I've asked on:
+
=== Forums I've asked on ===
  
 
* [http://stackoverflow.com/questions/6864229/getting-ipsec-tools-to-work-between-ubuntu-lucid-hosts StackOverflow - Getting ipsec-tools to work between Ubuntu Lucid hosts]
 
* [http://forum.slicehost.com/comments.php?DiscussionID=5312&page=1#Item_1 Asked], and [http://forum.slicehost.com/comments.php?DiscussionID=5313&page=1#Item_1 Offered to pay for a solution]
+
* [http://forum.slicehost.com/comments.php?DiscussionID=5312&page=1#Item_1 Asked at Slicehost], and [http://forum.slicehost.com/comments.php?DiscussionID=5313&page=1#Item_1 offered to pay for a solution]
* [http://serverfault.com/questions/295577/getting-ipsec-tools-to-work-between-ubuntu-lucid-hosts Server Fault - Getting ipsec-tools to work between Ubuntu Lucid hosts]
+
* [http://serverfault.com/questions/295577/getting-ipsec-tools-to-work-between-ubuntu-lucid-hosts ServerFault - Getting ipsec-tools to work between Ubuntu Lucid hosts]
 +
* [http://lists.progsoc.org/progsoc/2011-July/002488.html Asked at ProgSoc]
 +
 
 +
== TODO ==
 +
 
 +
* It'd be just dandy if we could get to the bottom of why it doesn't work
 +
 
 +
== Done ==
 +
 
 +
IPSec was configured on [[charity]], [[hope]] and [[honesty]], and by setting the MSS to 200 for each IP we were able to get SSH and HTTP connectivity (before that only ICMP echo traffic was getting though), but even the MSS hack didn't solve the Kerberos connectivity problem, so IPSec was abandoned. We trialed racoon, but that only made things worse (no connectivity).
 +
 
 +
== Offers of help! ==
 +
 
 +
''Come ask me (Zanchey) on irc://irc.ucc.asn.au/ucc some time. I've just spent the last week fiddling with IPsec at the University Computer Club in WA.''
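Review bot: the Done paragraph says the MSS was set to 200 "for each IP" but not how it was set (a per-route setting or a netfilter clamp on the SYN), and the TODO item depends on someone being able to reproduce exactly that configuration; one line naming the mechanism and the hosts' interface MTU would close the gap. Also, "only ICMP echo traffic was getting though" should read "getting through".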

Latest revision as of 17:30, 22 August 2011

IPSec is a project to get IPSec working between hosts on the ProgClub network. For other projects see Projects.

Project status

Cancelled. Too hard. Didn't get IKE working with racoon, but that was no big deal, we only have three hosts so manual keying is no drama. Had SSH and HTTP connectivity after configuring MSS values of 200 in order to get IPSec packets through, prior to that they were being dropped; but couldn't get Kerberos connectivity. An MSS of 200 is really low, so there would have been perf issues. But, even an MSS of 100 wouldn't solve the Kerberos connectivity issue, so I give up.
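The status paragraph treats an MSS of 200 as a blunt instrument, and it is: the following is an added example (not ProgClub's code, and not from any of the linked howtos) that works out how large an ESP-encapsulated TCP segment really is, and hence the largest MSS that still fits a given MTU. Because the page does not say which transforms were configured, the code assumes IPv4, transport-mode ESP, AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV) and a 20-byte TCP header with no options; all of those are assumptions and are parameters you can change. It also goes slightly beyond the page by handling tunnel mode, which adds an inner IP header.

```python
"""ESP packet-size arithmetic behind an MSS clamp.

Added example, not ProgClub's code. Assumptions (the page does not state
the transforms used): IPv4, transport-mode ESP, AES-CBC (16-byte IV and
block), HMAC-SHA1-96 (12-byte ICV), 20-byte TCP header without options.
"""

IPV4_HDR = 20      # IPv4 header without options
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
TCP_HDR = 20       # TCP header without options
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)


def esp_packet_size(mss, block=16, iv_len=16, icv_len=12, tunnel=False):
    """Bytes on the wire for one full-size TCP segment carried in ESP.

    The encrypted region (inner headers + payload + ESP trailer) is padded
    up to the cipher block size; tunnel mode wraps a second, inner IPv4
    header inside the encrypted region as well.
    """
    inner = TCP_HDR + mss + ESP_TRAILER + (IPV4_HDR if tunnel else 0)
    padded = -(-inner // block) * block        # round up to a block boundary
    return IPV4_HDR + ESP_HDR + iv_len + padded + icv_len


def max_mss(mtu, block=16, iv_len=16, icv_len=12, tunnel=False):
    """Largest MSS whose ESP-encapsulated segment still fits in `mtu`."""
    fixed = IPV4_HDR + ESP_HDR + iv_len + icv_len
    usable = ((mtu - fixed) // block) * block  # encrypted region is block-aligned
    return usable - TCP_HDR - ESP_TRAILER - (IPV4_HDR if tunnel else 0)


def fits(mss, mtu, **transform):
    """True if a segment of `mss` payload bytes fits in `mtu` after ESP."""
    return esp_packet_size(mss, **transform) <= mtu


if __name__ == "__main__":
    for mtu in (1500, 1492, 1280):
        print(f"MTU {mtu}: max MSS {max_mss(mtu)} (transport), "
              f"{max_mss(mtu, tunnel=True)} (tunnel)")
    print(f"MSS 200 gives {esp_packet_size(200)}-byte packets on the wire")
```

Under these assumptions a plain 1500-byte Ethernet MTU leaves room for an MSS of 1418 in transport mode (1398 in tunnel mode), and an MSS of 200 produces 280-byte packets. So if only segments that small were getting through, ESP overhead alone does not explain it; something else on the path (a smaller MTU, or a rule dropping the larger ESP packets or their fragments) was in play, and the page does not say which. The number `max_mss` returns is what you would feed to whatever clamping mechanism is in use.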

Contributors

Members who have contributed to this project. Newest on top.

* John

All contributors have agreed to the terms of the Contributor License Agreement. This excludes any upstream contributors who tend to have different administrative frameworks.

Collaborators

The following people have helped, but don't have any claim on the project's copyright.

* The Slicehost support team
* Zanchey

Copyright

Copyright 2011, Contributors. Licensed under the New BSD license.

Links

IPSec related information

* [https://help.ubuntu.com/community/IPSecHowTo IPSecHowTo], these are the original instructions I followed.
* [http://ipsec-tools.sourceforge.net/checklist.html IPsec-Tools Checklist]
* [http://forums.gentoo.org/viewtopic-t-860494-start-0.html (Solved!) UMA, IPSec Tunnels, and IPTables no worky...]
* [http://www.ipsec-howto.org/x299.html Linux Kernel 2.6 using KAME-tools]
* [http://www.netbsd.org/docs/network/ipsec/#pitfalls NetBSD IPsec FAQ - Pitfalls]
* [http://www.netbsd.org/docs/network/ipsec/#IPsecFAQ NetBSD IPsec FAQ - IPSec FAQ]

IPTables related information

* [http://serverfault.com/questions/78240/debugging-rules-in-iptables Debugging rules in Iptables (closed)]
* [http://forums.gentoo.org/viewtopic-t-845820-start-0.html (solved) iptables : logging dropped packets]
* [http://www.linuxquestions.org/questions/linux-networking-3/netfilter-iptables-log-file-format-553556/ netfilter/iptables log file format]
* [http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#LOGTARGET Iptables Tutorial 1.2.2 - LOG]

Racoon related information

* [http://blog.moopsfc.com/37/2006/08/23/how-to-add-an-ipsec-connection-on-ubuntu-dapper/ how to add an ipsec connection on ubuntu dapper]
* [http://manpages.ubuntu.com/manpages/lucid/man5/racoon.conf.5.html racoon.conf file format]

TCP/IP related information

* [http://www.faqs.org/rfcs/rfc793.html RFC 793 - Transmission Control Protocol]
* [http://en.wikipedia.org/wiki/Maximum_segment_size Maximum segment size]
* [http://en.wikipedia.org/wiki/Maximum_transmission_unit Maximum transmission unit]
* [http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC]

Google searches

* [http://www.google.com.au/search?q=allowing+ipsec+traffic+through+iptables&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a allowing ipsec traffic through iptables]
* [http://www.google.com.au/search?hl=en&client=firefox-a&hs=2h9&rls=org.mozilla%3Aen-US%3Aofficial&channel=np&q=configuring+ipsec-tools+ubuntu&oq=configuring+ipsec-tools+ubuntu&aq=f&aqi=&aql=&gs_sm=e&gs_upl=66648l67615l0l67878l6l6l0l0l0l0l223l896l1.3.2l6l0 configuring ipsec-tools ubuntu]
* [http://www.google.com.au/search?hl=en&client=firefox-a&hs=QLw&rls=org.mozilla%3Aen-US%3Aofficial&q=disabling+iptables+ubuntu&oq=disabling+iptables+ubuntu&aq=f&aqi=g-b1&aql=&gs_sm=e&gs_upl=920133l921565l0l921817l7l4l0l0l0l0l726l1653l2-1.2.6-1l4l0 disabling iptables ubuntu]
* [http://www.google.com.au/search?q=configuring%20racoon%20ubuntu&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&source=hp&channel=np configuring racoon ubuntu]
* [http://www.google.com.au/search?hl=en&client=firefox-a&hs=BCh&rls=org.mozilla:en-US:official&sa=X&ei=n4QzToehLczrmAXbkYDxCg&ved=0CBoQvwUoAQ&q=ipsec+maximum+segment+size&spell=1&biw=1198&bih=672 ipsec maximum segment size]

Forums I've asked on

* [http://stackoverflow.com/questions/6864229/getting-ipsec-tools-to-work-between-ubuntu-lucid-hosts StackOverflow - Getting ipsec-tools to work between Ubuntu Lucid hosts]
* [http://forum.slicehost.com/comments.php?DiscussionID=5312&page=1#Item_1 Asked at Slicehost], and [http://forum.slicehost.com/comments.php?DiscussionID=5313&page=1#Item_1 offered to pay for a solution]
* [http://serverfault.com/questions/295577/getting-ipsec-tools-to-work-between-ubuntu-lucid-hosts ServerFault - Getting ipsec-tools to work between Ubuntu Lucid hosts]
* [http://lists.progsoc.org/progsoc/2011-July/002488.html Asked at ProgSoc]

TODO

* It'd be just dandy if we could get to the bottom of why it doesn't work

Done

IPSec was configured on charity, hope and honesty, and by setting the MSS to 200 for each IP we were able to get SSH and HTTP connectivity (before that only ICMP echo traffic was getting through), but even the MSS hack didn't solve the Kerberos connectivity problem, so IPSec was abandoned. We trialed racoon, but that only made things worse (no connectivity).

Offers of help!

Come ask me (Zanchey) on irc://irc.ucc.asn.au/ucc some time. I've just spent the last week fiddling with IPsec at the University Computer Club in WA.