Difference between revisions of "IPSec"
From ProgClub
Line 1: | Line 1: | ||
IPSec is a project to get IPSec working between hosts on the ProgClub network. For other projects see [[Projects]]. | IPSec is a project to get IPSec working between hosts on the ProgClub network. For other projects see [[Projects]]. | ||
− | = Project status = | + | == Project status == |
Cancelled. Too hard. Didn't get IKE working with racoon, but that was no big deal, we only have three hosts so manual keying is no drama. Had SSH and HTTP connectivity after configuring MSS values of 200 in order to get IPSec packets through, prior to that they were being dropped; but couldn't get Kerberos connectivity. An MSS of 200 is really low, so there would have been perf issues. But, even an MSS of 100 wouldn't solve the Kerberos connectivity issue, so I give up. | Cancelled. Too hard. Didn't get IKE working with racoon, but that was no big deal, we only have three hosts so manual keying is no drama. Had SSH and HTTP connectivity after configuring MSS values of 200 in order to get IPSec packets through, prior to that they were being dropped; but couldn't get Kerberos connectivity. An MSS of 200 is really low, so there would have been perf issues. But, even an MSS of 100 wouldn't solve the Kerberos connectivity issue, so I give up. | ||
− | = Links = | + | == Links == |
− | == IPSec related information == | + | === IPSec related information === |
* [https://help.ubuntu.com/community/IPSecHowTo IPSecHowTo], these are the original instructions I followed. | * [https://help.ubuntu.com/community/IPSecHowTo IPSecHowTo], these are the original instructions I followed. | ||
Line 19: | Line 19: | ||
* [http://www.netbsd.org/docs/network/ipsec/#IPsecFAQ NetBSD IPsec FAQ - IPSec FAQ] | * [http://www.netbsd.org/docs/network/ipsec/#IPsecFAQ NetBSD IPsec FAQ - IPSec FAQ] | ||
− | == IPTables related information == | + | === IPTables related information === |
* [http://serverfault.com/questions/78240/debugging-rules-in-iptables Debugging rules in Iptables (closed)] | * [http://serverfault.com/questions/78240/debugging-rules-in-iptables Debugging rules in Iptables (closed)] | ||
Line 26: | Line 26: | ||
* [http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#LOGTARGET Iptables Tutorial 1.2.2 - LOG] | * [http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#LOGTARGET Iptables Tutorial 1.2.2 - LOG] | ||
− | == Racoon related information == | + | === Racoon related information === |
* [http://blog.moopsfc.com/37/2006/08/23/how-to-add-an-ipsec-connection-on-ubuntu-dapper/ how to add an ipsec connection on ubuntu dapper] | * [http://blog.moopsfc.com/37/2006/08/23/how-to-add-an-ipsec-connection-on-ubuntu-dapper/ how to add an ipsec connection on ubuntu dapper] | ||
* [http://manpages.ubuntu.com/manpages/lucid/man5/racoon.conf.5.html racoon.conf file format] | * [http://manpages.ubuntu.com/manpages/lucid/man5/racoon.conf.5.html racoon.conf file format] | ||
− | == TCP/IP related information == | + | === TCP/IP related information === |
* [http://www.faqs.org/rfcs/rfc793.html RFC 793 - Transmission Control Protocol] | * [http://www.faqs.org/rfcs/rfc793.html RFC 793 - Transmission Control Protocol] | ||
Line 38: | Line 38: | ||
* [http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC] | * [http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC] | ||
− | == Google searches == | + | === Google searches === |
* [http://www.google.com.au/search?q=allowing+ipsec+traffic+through+iptables&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a allowing ipsec traffic through iptables] | * [http://www.google.com.au/search?q=allowing+ipsec+traffic+through+iptables&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a allowing ipsec traffic through iptables] | ||
Line 51: | Line 51: | ||
* [http://www.google.com.au/search?hl=en&client=firefox-a&hs=BCh&rls=org.mozilla:en-US:official&sa=X&ei=n4QzToehLczrmAXbkYDxCg&ved=0CBoQvwUoAQ&q=ipsec+maximum+segment+size&spell=1&biw=1198&bih=672 ipsec maximum segment size] | * [http://www.google.com.au/search?hl=en&client=firefox-a&hs=BCh&rls=org.mozilla:en-US:official&sa=X&ei=n4QzToehLczrmAXbkYDxCg&ved=0CBoQvwUoAQ&q=ipsec+maximum+segment+size&spell=1&biw=1198&bih=672 ipsec maximum segment size] | ||
− | == Forums I've asked on == | + | === Forums I've asked on === |
* [http://stackoverflow.com/questions/6864229/getting-ipsec-tools-to-work-between-ubuntu-lucid-hosts StackOverflow - Getting ipsec-tools to work between Ubuntu Lucid hosts] | * [http://stackoverflow.com/questions/6864229/getting-ipsec-tools-to-work-between-ubuntu-lucid-hosts StackOverflow - Getting ipsec-tools to work between Ubuntu Lucid hosts] | ||
Line 58: | Line 58: | ||
* [http://lists.progsoc.org/progsoc/2011-July/002488.html Asked at ProgSoc] | * [http://lists.progsoc.org/progsoc/2011-July/002488.html Asked at ProgSoc] | ||
− | = Offers of help! = | + | == Offers of help! == |
''Come ask me (Zanchey) on irc://irc.ucc.asn.au/ucc some time. I've just spent the last week fiddling with IPsec at the University Computer Club in WA.'' | ''Come ask me (Zanchey) on irc://irc.ucc.asn.au/ucc some time. I've just spent the last week fiddling with IPsec at the University Computer Club in WA.'' |
Revision as of 22:31, 9 August 2011
IPSec is a project to get IPSec working between hosts on the ProgClub network. For other projects see Projects.
Project status
Cancelled. Too hard. Didn't get IKE working with racoon, but that was no big deal, we only have three hosts so manual keying is no drama. Had SSH and HTTP connectivity after configuring MSS values of 200 in order to get IPSec packets through, prior to that they were being dropped; but couldn't get Kerberos connectivity. An MSS of 200 is really low, so there would have been perf issues. But, even an MSS of 100 wouldn't solve the Kerberos connectivity issue, so I give up.
Links
- IPSecHowTo, these are the original instructions I followed.
- Chapter 7. IPSEC: secure IP over the Internet
- ipsec and iptables
- managing IPsec packets with iptables
- IPsec-Tools Checklist
- (Solved!) UMA, IPSec Tunnels, and IPTables no worky...
- Linux Kernel 2.6 using KAME-tools
- NetBSD IPsec FAQ - Pitfalls
- NetBSD IPsec FAQ - IPSec FAQ
- Debugging rules in Iptables (closed)
- (solved) iptables : logging dropped packets
- netfilter/iptables log file format
- Iptables Tutorial 1.2.2 - LOG
- RFC 793 - Transmission Control Protocol
- Maximum segment size
- Maximum transmission unit
- Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC
Google searches
- allowing ipsec traffic through iptables
- configuring ipsec ubuntu
- iptables is dropping my ipsec packets
- iptables iptables IN=eth0 OUT= MAC=
- iptables log file format
- iptables dropping ipsec packets
- configuring ipsec-tools ubuntu
- disabling iptables ubuntu
- configuring racoon ubuntu
- ipsec maximum segment size
Forums I've asked on
- StackOverflow - Getting ipsec-tools to work between Ubuntu Lucid hosts
- Asked at Slicehost, and offered to pay for a solution
- ServerFault - Getting ipsec-tools to work between Ubuntu Lucid hosts
- Asked at ProgSoc
Offers of help!
Come ask me (Zanchey) on irc://irc.ucc.asn.au/ucc some time. I've just spent the last week fiddling with IPsec at the University Computer Club in WA.