Difference between revisions of "IPSec"
(5 intermediate revisions by the same user not shown) | |||
Line 9: | Line 9: | ||
Members who have contributed to this project. Newest on top. | Members who have contributed to this project. Newest on top. | ||
− | |||
− | |||
* [[User:John|John]] | * [[User:John|John]] | ||
+ | |||
+ | All contributors have agreed to the terms of the [[ProgClub:Copyrights#ProgClub_projects|Contributor License Agreement]]. This excludes any upstream contributors who tend to have different administrative frameworks. | ||
+ | |||
+ | == Collaborators == | ||
+ | |||
+ | The following people have helped, but don't have any claim on the project's copyright. | ||
+ | |||
+ | * The Slicehost support team | ||
+ | * [[IPSec#Offers_of_help.21|Zanchey]] | ||
+ | |||
+ | == Copyright == | ||
+ | |||
+ | Copyright 2011, [[IPSec#Contributors|Contributors]]. Licensed under the [[New BSD]] license. | ||
== Links == | == Links == | ||
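Review bot: In the added Contributors sentence, "any upstream contributors who tend to have different administrative frameworks" reads as a restrictive clause, as if only some upstream contributors are excluded. If all upstream contributors are meant, put a comma before "who" or say "upstream contributors, who are covered by their own projects' terms". The new Collaborators entry for Zanchey links to the section anchor IPSec#Offers_of_help.21, which will break if that heading is ever renamed; consider linking a user page instead.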
Line 65: | Line 76: | ||
* [http://serverfault.com/questions/295577/getting-ipsec-tools-to-work-between-ubuntu-lucid-hosts ServerFault - Getting ipsec-tools to work between Ubuntu Lucid hosts] | * [http://serverfault.com/questions/295577/getting-ipsec-tools-to-work-between-ubuntu-lucid-hosts ServerFault - Getting ipsec-tools to work between Ubuntu Lucid hosts] | ||
* [http://lists.progsoc.org/progsoc/2011-July/002488.html Asked at ProgSoc] | * [http://lists.progsoc.org/progsoc/2011-July/002488.html Asked at ProgSoc] | ||
+ | |||
+ | == TODO == | ||
+ | |||
+ | * It'd be just dandy if we could get to the bottom of why it doesn't work | ||
+ | |||
+ | == Done == | ||
+ | |||
+ | IPSec was configured on [[charity]], [[hope]] and [[honesty]], and by setting the MSS to 200 for each IP we were able to get SSH and HTTP connectivity (before that only ICMP echo traffic was getting though), but even the MSS hack didn't solve the Kerberos connectivity problem, so IPSec was abandoned. We trialed racoon, but that only made things worse (no connectivity). | ||
== Offers of help! == | == Offers of help! == | ||
''Come ask me (Zanchey) on irc://irc.ucc.asn.au/ucc some time. I've just spent the last week fiddling with IPsec at the University Computer Club in WA.'' | ''Come ask me (Zanchey) on irc://irc.ucc.asn.au/ucc some time. I've just spent the last week fiddling with IPsec at the University Computer Club in WA.'' |
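Review bot: The added Done paragraph has a typo, "getting though" should be "getting through", and it does not record how the MSS of 200 was set "for each IP" (which command or configuration file), so nobody can reproduce or undo the workaround from this page. It would also help to state which racoon configuration was trialled, since the TODO item asks for the root cause and the paragraph leaves no starting point for that.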
Latest revision as of 17:30, 22 August 2011
IPSec is a project to get IPSec working between hosts on the ProgClub network. For other projects see Projects.
Project status
Cancelled. Too hard. Didn't get IKE working with racoon, but that was no big deal; we only have three hosts, so manual keying is no drama. Had SSH and HTTP connectivity after configuring MSS values of 200 in order to get IPSec packets through (prior to that they were being dropped), but couldn't get Kerberos connectivity. An MSS of 200 is really low, so there would have been perf issues. But even an MSS of 100 wouldn't solve the Kerberos connectivity issue, so I give up.
Contributors
Members who have contributed to this project. Newest on top.
All contributors have agreed to the terms of the Contributor License Agreement. This excludes any upstream contributors who tend to have different administrative frameworks.
Collaborators
The following people have helped, but don't have any claim on the project's copyright.
- The Slicehost support team
- Zanchey
Copyright
Copyright 2011, Contributors. Licensed under the New BSD license.
Links
- IPSecHowTo, these are the original instructions I followed.
- Chapter 7. IPSEC: secure IP over the Internet
- ipsec and iptables
- managing IPsec packets with iptables
- IPsec-Tools Checklist
- (Solved!) UMA, IPSec Tunnels, and IPTables no worky...
- Linux Kernel 2.6 using KAME-tools
- NetBSD IPsec FAQ - Pitfalls
- NetBSD IPsec FAQ - IPSec FAQ
- Debugging rules in Iptables (closed)
- (solved) iptables : logging dropped packets
- netfilter/iptables log file format
- Iptables Tutorial 1.2.2 - LOG
- RFC 793 - Transmission Control Protocol
- Maximum segment size
- Maximum transmission unit
- Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC
Google searches
- allowing ipsec traffic through iptables
- configuring ipsec ubuntu
- iptables is dropping my ipsec packets
- iptables iptables IN=eth0 OUT= MAC=
- iptables log file format
- iptables dropping ipsec packets
- configuring ipsec-tools ubuntu
- disabling iptables ubuntu
- configuring racoon ubuntu
- ipsec maximum segment size
Forums I've asked on
- StackOverflow - Getting ipsec-tools to work between Ubuntu Lucid hosts
- Asked at Slicehost, and offered to pay for a solution
- ServerFault - Getting ipsec-tools to work between Ubuntu Lucid hosts
- Asked at ProgSoc
TODO
- It'd be just dandy if we could get to the bottom of why it doesn't work
Done
IPSec was configured on charity, hope and honesty, and by setting the MSS to 200 for each IP we were able to get SSH and HTTP connectivity (before that only ICMP echo traffic was getting through), but even the MSS hack didn't solve the Kerberos connectivity problem, so IPSec was abandoned. We trialed racoon, but that only made things worse (no connectivity).
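As a size check on the MSS workaround described above, this added example (not part of the original page or the project's configuration) computes how large a packet becomes after ESP encapsulation and the largest MSS that still fits a given MTU. It assumes ESP in transport mode over IPv4 with no IP or TCP options; the two transforms are assumptions, because the page does not record which algorithms were configured.

```python
from dataclasses import dataclass

IPV4_HDR = 20     # assumes no IP options
TCP_HDR = 20      # assumes no TCP options
UDP_HDR = 8
ESP_HDR = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad-length byte + next-header byte

@dataclass(frozen=True)
class EspTransform:
    iv_len: int    # bytes of IV carried in every packet
    block: int     # cipher block size; payload + trailer is padded to a multiple
    icv_len: int   # truncated integrity check value

# Assumed transforms (not taken from the page).
DES3_SHA1 = EspTransform(iv_len=8, block=8, icv_len=12)      # 3des-cbc + hmac-sha1-96
AES_CBC_SHA1 = EspTransform(iv_len=16, block=16, icv_len=12)  # aes-cbc + hmac-sha1-96

def esp_transport_len(l4_len: int, t: EspTransform) -> int:
    """IPv4 packet length after ESP transport-mode encapsulation of l4_len bytes."""
    unpadded = l4_len + ESP_TRAILER
    padded = -(-unpadded // t.block) * t.block   # round up to the block size
    return IPV4_HDR + ESP_HDR + t.iv_len + padded + t.icv_len

def tcp_packet_len(mss: int, t: EspTransform) -> int:
    """On-the-wire size of a full TCP segment carrying mss bytes of data."""
    return esp_transport_len(TCP_HDR + mss, t)

def udp_packet_len(payload: int, t: EspTransform) -> int:
    """On-the-wire size of a UDP datagram; TCP MSS has no effect on this."""
    return esp_transport_len(UDP_HDR + payload, t)

def max_mss(mtu: int, t: EspTransform) -> int:
    """Largest MSS whose ESP-protected segment still fits in mtu bytes."""
    room = mtu - IPV4_HDR - ESP_HDR - t.iv_len - t.icv_len
    room -= room % t.block                       # only whole cipher blocks fit
    return room - ESP_TRAILER - TCP_HDR

if __name__ == "__main__":
    for name, t in (("3des-cbc/hmac-sha1-96", DES3_SHA1),
                    ("aes-cbc/hmac-sha1-96", AES_CBC_SHA1)):
        print(f"{name}: MSS 200 -> {tcp_packet_len(200, t)} bytes on the wire")
        print(f"{name}: largest MSS for MTU 1500 = {max_mss(1500, t)}")
        print(f"{name}: 1472-byte UDP payload -> {udp_packet_len(1472, t)} bytes")
```

The MSS option exists only in TCP (RFC 793), so the UDP figure is the same whatever MSS is configured.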
Offers of help!
Come ask me (Zanchey) on irc://irc.ucc.asn.au/ucc some time. I've just spent the last week fiddling with IPsec at the University Computer Club in WA.