Posts Tagged ‘ubuntu’

Shrew Soft Client Under Ubuntu 10.04

Tuesday, August 31st, 2010

This may not help you. But this is what I did to get it working against our OpenBSD isakmpd VPN server. If you’re not using precisely the same configuration we are, this is going to be dead wrong. If you are using ‘Mutual RSA’ authentication, this might be suitable.

We have a nice CGI at work which takes your client hostname and spits out a zip file containing the SSL certs needed, the VPN.VPN site configuration file for a ShrewSoft client and some helper batch scripts. So that all works for Windows. Assuming that you’ve got all those pieces or the local equivalent, and you got Shrew Soft working from Windows, these are the frobs to turn for doing this on Ubuntu 10.04.

Here’s the catch for doing this on Ubuntu 10.04. You can’t do it with the packaged Shrew Soft client (packages named ike*) because that version doesn’t support the PolicyGeneration option you need to set. So uninstall any that you have installed.

Then go grab version 2.1.6-release or newer (depending upon degree of daring) from

http://www.shrew.net/download/ike

Compile it. This will require you to install the cmake, build-essential, flex, bison and libssl-dev packages. Maybe some others, but those are the big ones. The README.TXT in the ike source is helpful.

Import your VPN.VPN configuration.

Copy the contents of certs into ~/.ike/certs so the agent can find them.

Start ‘iked’ by running it with sudo. Add the -F switch if you want to keep it foregrounded. (Until you’ve got it working, you want to keep it foregrounded.)

Start ‘ikea’. Edit your imported connection. Make these configuration changes:

  • Name Resolution tab: uncheck Obtain Automatically, add a DNS server/suffix. There’s possibly something wrong with the handling of DHCP, this should just work. I set a single DNS server and search domain explicitly and that worked well enough.
  • Authentication tab, Remote Identity subtab: change Identification type to Fully Qualified Domain Name, FQDN String is whatever your VPN endpoint thinks its name is. This was ipv4-address in my configuration, the iked log output helped me fix this one. If you see messages from iked about it getting fqdn when it wanted ipv4 or vice-versa, this tab is where you fix expectations.
  • Policy Tab, Policy Generation: shared. This is the connection option which was key and before 2.1.6, unavailable. The docs say this allows it to emulate some kind of wacky Cisco mode. I guess that’s what we need.

You may need to pound on various rp_filter sysctls but I’m not convinced that did anything in my case. If you packet capture and see reply traffic coming to you but never seeming to be received by your running clients, it may well be you need to set some rp_filter sysctl or other to 0.
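
Before zeroing anything, it helps to see which rp_filter value is actually in force on each interface. The script below is an added example, not part of the original post: it reads the standard /proc/sys/net/ipv4/conf tree and prints the configured and effective mode per interface. The CONF_ROOT variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: report the effective reverse-path filter mode per interface.
# The kernel uses the larger of conf/all/rp_filter and conf/<iface>/rp_filter,
# so zeroing only the per-interface value changes nothing while "all" is 1 or 2.
# CONF_ROOT is an assumption of this example; it lets the logic run on a copy of the tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print the effective mode (0 = off, 1 = strict, 2 = loose) for one interface.
effective_rp_filter() {
    iface="$1"
    all=$(cat "$CONF_ROOT/all/rp_filter")
    own=$(cat "$CONF_ROOT/$iface/rp_filter")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Print one line per interface: "<iface> <configured> <effective>".
rp_filter_report() {
    for dir in "$CONF_ROOT"/*/; do
        iface=$(basename "$dir")
        # "all" and "default" are templates, not real interfaces.
        case "$iface" in all|default) continue ;; esac
        [ -r "$dir/rp_filter" ] || continue
        printf '%s %s %s\n' "$iface" "$(cat "$dir/rp_filter")" \
            "$(effective_rp_filter "$iface")"
    done
}

rp_filter_report
```

If the effective value on the VPN interface is 1 (strict), the value 2 (loose mode) still validates source addresses against the routing table and is a narrower change than 0; either can be set with `sudo sysctl -w net.ipv4.conf.<iface>.rp_filter=<value>`, remembering that net.ipv4.conf.all.rp_filter must not be higher.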

NaNoLoSer

Saturday, December 13th, 2008

So I didn’t finish NNWM2008, obviously.  I got to about 14k words and then I went to LISA and did only conference noting and then came back to my daily routine and tried to sustain the energy and ideas I got from LISA.

Things I have done since then, related:

  1. started reading Tom Limoncelli’s very applicable Time Management for System Administrators
  2. set up suspend to disk on my laptop using the uswsusp package
  3. encrypted my swap partition using these handy instructions
  4. encountered and worked around this bug in using cryptsetup

There’s always next year for National Novel Writing Month but the changes I’ve made instead seem more important to me.

Rejected Names for Ubuntu 8.10

Sunday, November 9th, 2008

So I upgraded the two laptops I use to Ubuntu 8.10 which has the friendly name of Intrepid Ibex.  Bold sounding, adventurous, able to scale and bound around on mountains.  On the laptop where I have a variant configuration (using ion3 instead of GNOME, for example) it hasn’t been a big difference.  Everything works at least as well as it did before, and it even seems more robust under some previously challenging load conditions.

The other laptop, the one with a totally default configuration, has been a big pain.  Wireless, never very reliable on it, has completely become unusable and I spent hours yesterday trying to uncover why.  The keyboard became bizarre and the perfectly functional set up under 8.04 required lots of Keyboard Layout fiddling to find something, anything, which would let me use anything more arcane than letters, shifted letters, and the control and enter keys in 8.10.  All of which has me thinking of things which might have been better names for 8.10.

  • Irritating Insect
  • Inconsistent Parakeet
  • Incontinent Iguana
  • Inauspicious Inchworm

Yeah, this is just noise.  I’ll keep using Ubuntu, I’m just annoyed at the number of regressions my laptop suffered by upgrading which I’ll have to spend time fixing because they’re core functionalities I actually use like, oh, having a network connection.  Or, you know, typing.
