Topdog.za.net http://www.topdog.za.net A bored sysadmin Fri, 26 Feb 2016 10:06:56 GMT Blogofile hourly 1 Testing SSL client certificate authentication with curl http://www.topdog.za.net/2013/03/28/testing-ssl-client-certificate-authentication-with-curl Thu, 28 Mar 2013 07:40:00 SAST http://www.topdog.za.net/2013/03/28/testing-ssl-client-certificate-authentication-with-curl Testing SSL client certificate authentication with curl When using SSL client certificate authentication you may need to test it using command line tools.

To do so run the following command:

curl -v -s -k --key client.key --cert client.pem https://servername

Thats it.

]]> Setup a OpenVPN server on Centos 6 http://www.topdog.za.net/2013/02/02/setup-a-openvpn-server-on-centos-6 Sat, 02 Feb 2013 07:40:00 SAST http://www.topdog.za.net/2013/02/02/setup-a-openvpn-server-on-centos-6 Setup a OpenVPN server on Centos 6 EPEL Repository

OpenVPN 2 is available for Centos from the EPEL repository, so you need to have EPEL enabled.

If you do not have EPEL enabled run:

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

Installation

To install OpenVPN run:

yum install openvpn lzo -y

Configuration

Setup the SSL CA and keys:

cp -r /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/open-rsa

Create and customize the vars file /etc/openvpn/open-rsa/vars, Make sure you change the KEY_ values to your own settings

export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="/etc/openvpn/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="ZA"
export KEY_PROVINCE="Gauteng"
export KEY_CITY="Johannesburg"
export KEY_ORG="Topdog-software"
export KEY_EMAIL="andrew@topdog.za.net"
export KEY_CN="Topdog-software OpenVPN CA"
export KEY_NAME="tdss"
export KEY_OU="Topdog-software"

Create the keys directory:

mkdir /etc/openvpn/keys

Create the CA:

cd /etc/openvpn/open-rsa
source ./vars
./clean-all
./build-ca

Create the servers SSL certificate (replace vpn.home.topdog-software.com with name of your server):

./build-key-server vpn.home.topdog-software.com

Generate Diffie Hellman parameters:

./build-dh

Create the leases file:

touch /etc/openvpn/ipp.txt

Create the configuration file /etc/openvpn/server.conf:

port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/vpn.home.topdog-software.com.crt
key keys/vpn.home.topdog-software.com.key
dh keys/dh1024.pem
cipher AES-128-CBC
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

Create iptables rules to allow traffic through:

*filter
..
..
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A FORWARD -i tun+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun+ -j ACCEPT

Enable packet forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

Make it permanent add the following to /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Your OpenVPN should be ready to go, start OpenVPN:

service openvpn start

Client configuration

Each client requires a certificate & key pairing, lets create one:

./build-key client1.home.topdog-software.com

Copy the client1.home.topdog-software.com.crt, ca.crt and client1.home.topdog-software.com.key files to the OpenVPN keys directory on the client.

Create the client OpenVPN configuration /etc/openvpn/server.conf:

remote vpn.home.topdog-software.com 1194
client 
remote-cert-tls server 
dev tun0 
proto udp
resolv-retry infinite 
nobind 
persist-key 
persist-tun 
float 
ca keys/ca.crt 
cert keys/client1.home.topdog-software.com.crt
key keys/client1.home.topdog-software.com.key
cipher AES-128-CBC
comp-lzo
status /var/log/openvpn-client.log

Static addresses

If you want some clients to get static addresses:

mkdir /etc/openvpn/ccd

Create a client file for each of the clients you want to get a static address in /etc/openvpn/ccd the file name should match the CN in the client certificate.

ifconfig-push 10.0.0.2 10.0.0.1
]]> Centos 6 Bonded network interfaces http://www.topdog.za.net/2013/02/01/centos-6-bonded-network-interfaces Fri, 01 Feb 2013 07:40:00 SAST http://www.topdog.za.net/2013/02/01/centos-6-bonded-network-interfaces Centos 6 Bonded network interfaces Bonding allows you to aggregate multiple ports, providing redundancy, fault tolerance and load balancing.

There are various types of bonding available but i will show how to bond in mode 1 which is active-backup. If your interested in the other available types please refer to the documentation.

In this setup i have two connections to different switches in case one fails the other takes over and services are not disrupted.

Setup bonded interface

Create a file in /etc/modprobe.d called bond.conf and add the following

alias bond0 bonding

Create the bonded interface file /etc/sysconfig/network-scripts/ifcfg-bond0 with the following contents

DEVICE=bond0
IPADDR=xxx.xxx.xxx.xxx
NETMASK=xxx.xxx.xxx.xxx
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
BONDING_OPTS="bond0 miimon=80 mode=1"

Modify the interfaces you want to bond to look like:

DEVICE=ethX
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
MASTER=bond0
SLAVE=yes

Restart networking for the changes to take effect:

service network restart

Checking the status

You can check the status of the interface by running:

cat /proc/net/bonding/bond0
]]> Commandline OpenVPN client on Mac OSX with macports http://www.topdog.za.net/2013/01/31/commandline-openvpn-client-on-mac-osx-with-macports Thu, 31 Jan 2013 07:40:00 SAST http://www.topdog.za.net/2013/01/31/commandline-openvpn-client-on-mac-osx-with-macports Commandline OpenVPN client on Mac OSX with macports Most people use TunnelBrick to setup OpenVPN client connections on Mac OSX, i prefer using the command line.

To get OpenVPN up and running off the command line is a simple process. The commands below need to be run as a privileged user if your root account is not enabled use sudo to run the commands.

Install OpenVPN

To install OpenVPN 2 from macports run:

port install openvpn2

Install TunTap

To install TunTap from macports run:

port install tuntaposx

Configure it to startup at boot:

launchctl load -w /Library/LaunchDaemons/org.macports.tuntaposx.plist

You need TunTap as it allows you to create virtual interfaces using the supplied kernel extensions. If you don't install TunTap you will get the error Cannot allocate TUN/TAP dev dynamically when you try and make a OpenVPN connection.

Configuration

Create a directory to hold your configuration and keys.

mkdir /opt/local/etc/openvpn

Place your keys and configuration files in /opt/local/etc/openvpn/

A sample client configuration is provided below.

client
dev tun
proto udp
remote vpn.home.topdog-software.com 1194
nobind
resolv-retry infinite
tls-client
ca /opt/local/etc/openvpn/ca.crt
cert /opt/local/etc/openvpn/client.crt
key /opt/local/etc/openvpn/client.key
ns-cert-type server
cipher BF-CBC
tls-cipher DHE-RSA-AES256-SHA
tls-remote vpn.home.topdog-software.com
tls-auth /opt/local/etc/openvpn/tls-auth.key 1
remote-cert-tls server
comp-lzo
persist-key
persist-tun
mute-replay-warnings
verb 3
mlock

Connecting

To connect simply run:

openvpn2 --config /opt/local/etc/openvpn/openvpn.conf
]]> Automating translation of software using the Microsoft Translator and Python http://www.topdog.za.net/2013/01/25/automating-translation-of-software-using-the-microsoft-translator-and-python Fri, 25 Jan 2013 07:40:00 SAST http://www.topdog.za.net/2013/01/25/automating-translation-of-software-using-the-microsoft-translator-and-python Automating translation of software using the Microsoft Translator and Python The Microsoft translator provides an API that you can use for automated translation. It currently supports about 39 languages.

True to the nature of open source i found that someone had already written a python wrapper to the API. I extended the wrapper to use the requests and pofile packages.

My extended script is able to read gettext Portable Object PO source files and translate the strings and write the translations back into PO files, here by automating the whole translation process.

Source

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# vim: ai ts=4 sts=4 et sw=4

"""Automatic translation using m$ translator
    :copyright: 2012 Andrew Colin Kissa
    :copyright: 2011 by Openlabs Technologies & Consulting (P) Limited
    :license: BSD, see LICENSE for more details.
"""

import os
import re
import json
import time
import urllib
import logging
import datetime

import requests

from optparse import OptionParser

from polib import pofile

__all__ = ['Translator', 'TranslateApiException']

class ArgumentException(Exception):
    """Argument"""
    def __init__(self, message):
        self.message = message.replace('ArgumentException: ', '')
        super(ArgumentException, self).__init__(self.message)

class ArgumentOutOfRangeException(Exception):
    """ArgumentOutOfRange"""
    def __init__(self, message):
        self.message = message.replace('ArgumentOutOfRangeException: ', '')
        super(ArgumentOutOfRangeException, self).__init__(self.message)

class TranslateApiException(Exception):
    """TranslateApi"""
    def __init__(self, message, *args):
        self.message = message.replace('TranslateApiException: ', '')
        super(TranslateApiException, self).__init__(self.message, *args)

class Translator(object):
    """Implements AJAX API for the Microsoft Translator service
    
    """
    lang_url = 'http://api.microsofttranslator.com/V2/Ajax.svc/GetLanguagesForTranslate'
    oauth_url = 'https://datamarket.accesscontrol.windows.net/v2/OAuth2-13'
    translate_url = "http://api.microsofttranslator.com/V2/Ajax.svc/Translate"
    translate_array_url = "http://api.microsofttranslator.com/V2/Ajax.svc/TranslateArray"

    def __init__(self, client_id, client_secret,
            scope="http://api.microsofttranslator.com", debug=False):
        """

        :param client_id: The client ID that you specified when you registered
                          your application with Azure DataMarket.
        :param client_secret: The client secret value that you obtained when
                              you registered your application with Azure
                              DataMarket.
        :param scope: Defaults to http://api.microsofttranslator.com
        :param debug: If true, the logging level will be set to debug
        """

        self.client_id = client_id
        self.client_secret = client_secret
        self.scope = scope
        self.grant_type = "client_credentials"
        self.access_token = None
        self.debug = debug
        self.logger = logging.getLogger("microsofttranslator")
        self.session = None
        self.langs = []
        if self.debug:
            self.logger.setLevel(level=logging.DEBUG)

    def create_session(self):
        "create a requests session"
        self.session = requests.session()

    def get_access_token(self, force=None):
        """
        .. note::
            The value of access token can be used for subsequent calls to the
            Microsoft Translator API. The access token expires after 10
            minutes. It is always better to check elapsed time between time at
            which token issued and current time. If elapsed time exceeds 10
            minute time period renew access token by following obtaining
            access token procedure.

        :return: The access token to be used with subsequent requests
        """
        args = urllib.urlencode({
            'client_id': self.client_id,
            'client_secret': self.client_secret,
            'scope': self.scope,
            'grant_type': self.grant_type
        })

        if not self.session or force:
            self.create_session()

        response = json.loads(self.session.post(
            self.oauth_url,
            data=args
        ).content)
        self.access_token = response['access_token']
        return self.access_token

    def call(self, url, params):
        """Calls the given url with the params urlencoded
        """
        if not self.access_token:
            self.get_access_token()

        if not self.session:
            self.create_session()

        headers = {'Authorization': 'Bearer %s' % self.access_token}
        translation_url = '%s?%s' % (url, urllib.urlencode(params))
        response = self.session.get(translation_url, headers=headers)
        retval = json.loads(response.content.decode("UTF-8-sig"))

        if isinstance(retval, basestring) and \
                retval.startswith("ArgumentOutOfRangeException"):
            raise ArgumentOutOfRangeException(retval)

        if isinstance(retval, basestring) and \
                retval.startswith("TranslateApiException"):
            raise TranslateApiException(retval)

        if isinstance(retval, basestring) and \
                retval.startswith("ArgumentException"):
            self.access_token = None
            raise ArgumentException(retval)

        return retval

    def languages(self):
        """Check languages supported"""
        if not self.session:
            self.create_session()

        if not self.langs:
            self.langs = self.call(self.lang_url, {})
        return self.langs

    def translate(self, text, to_lang, from_lang=None,
            content_type='text/plain'):
        """Translates a text string from one language to another.

        :param text: A string representing the text to translate.
        :param to_lang: A string representing the language code to
            translate the text into.
        :param from_lang: A string representing the language code of the
            translation text. If left None the response will include the
            result of language auto-detection. (Default: None)
        :param content_type: The format of the text being translated.
            The supported formats are "text/plain" and "text/html". Any HTML
            needs to be well-formed.
        """
        params = {
            'text': text.encode('utf8'),
            'to': to_lang,
            'contentType': content_type,
            'category': 'general',
            }
        if from_lang is not None:
            params['from'] = from_lang
        return self.call(self.translate_url, params)

    def translate_array(self, texts, to_lang, from_lang=None, **options):
        """Translates an array of text strings from one language to another.

        :param texts: A list containing texts for translation.
        :param to_lang: A string representing the language code to 
            translate the text into.
        :param from_lang: A string representing the language code of the 
            translation text. If left None the response will include the 
            result of language auto-detection. (Default: None)
        :param options: A TranslateOptions element containing the values below. 
            They are all optional and default to the most common settings.

                Category: A string containing the category (domain) of the 
                    translation. Defaults to "general".
                ContentType: The format of the text being translated. The 
                    supported formats are "text/plain" and "text/html". Any 
                    HTML needs to be well-formed.
                Uri: A string containing the content location of this 
                    translation.
                User: A string used to track the originator of the submission.
                State: User state to help correlate request and response. The 
                    same contents will be returned in the response.
        """
        options = {
            'Category': "general",
            'Contenttype': "text/plain",
            'Uri': '',
            'User': 'default',
            'State': ''
            }.update(options)
        params = {
            'texts': json.dumps(texts),
            'to': to_lang,
            'options': json.dumps(options),
            }
        if from_lang is not None:
            params['from'] = from_lang

        return self.call(self.translate_array_url, params)

def format_date():
    "Return a date string in required format"
    return time.strftime("%Y-%m-%d %R+0200", time.strptime(time.ctime()))

def first_pass(items, thestring):
    "replace %(xxx)s vars"
    for item in items:
        thestring = thestring.replace(item, '|^^|', 1)
    return thestring

def second_pass(items, thestring):
    "replace %s with actual %(xxx)s"
    for item in items:
        thestring = thestring\
                    .replace('|^^|', item, 1)\
                    .replace('| ^ ^ |', item, 1)
    return thestring

def getpofs(matched, dirname, files):
    "utility to get po files"
    matched.extend([os.path.join(dirname, filename)
                    for filename in files
                    if filename.endswith('.po')])

def get_lang(dirname):
    "Get the language from directory name"
    return os.path.basename(
                os.path.dirname(
                    os.path.dirname(dirname)
                )
            )

def process(translator, raw_entry, language, sentry, regex):
    "Process and Translate the string"
    languages_bidi = ["he", "ar", "fa", "yi"]
    found = regex.findall(raw_entry)
    if found:
        if language in languages_bidi:
            return None
        raw_entry = first_pass(found, raw_entry)
    if datetime.datetime.now() >= sentry:
        print "Renewing token"
        translator.get_access_token(True)
        sentry = (datetime.datetime.now() +
                datetime.timedelta(minutes=8))
    new_entry = translator.translate(raw_entry, language)
    if found:
        new_entry = second_pass(found, new_entry)
    return new_entry

def createps(filename, client_id, api_key, meta, default_lang):
    "update po file"
    do_save = False
    trans = Translator(client_id, api_key)
    print "Processing: %s" % filename
    pobj = pofile(filename)
    lang = get_lang(filename)

    if (not lang in trans.languages() or lang == default_lang) and lang != 'zh':
        print "Language: %s not supported by API" % lang
        return

    try:
        match_re = re.compile(r'((?:%\([^\W]{1,}\)(?:s|d))|(?:{{\w+}}))')
        sentry = datetime.datetime.now() + datetime.timedelta(minutes=8)
        if lang == 'zh':
            lang = 'zh-CHS'
        for entry in pobj.untranslated_entries():
            try:
                msgstr = process(trans, entry.msgid, lang, sentry, match_re)
                if entry.msgid_plural:
                    if msgstr:
                        entry.msgstr_plural['0'] = msgstr
                    msgstr_plural = process(trans, entry.msgid_plural,
                                            lang, sentry, match_re)
                    if msgstr_plural:
                        entry.msgstr_plural['1'] = msgstr_plural
                else:
                    if msgstr:
                        entry.msgstr = msgstr
                do_save = True
            except (TranslateApiException, ArgumentOutOfRangeException), ermsg:
                print 'Error occured: %s' % str(ermsg)

        if do_save:
            pobj.metadata.update(meta)
            pobj.metadata['PO-Revision-Date'] = format_date()
            pobj.save(filename)
    except ArgumentException, errstr:
        print "Access Error: %s" % str(errstr)

if __name__ == '__main__':
    # Run tings mon

    CLIENT_ID = 'xxxxx'
    API_KEY = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

    metadata = {
        'Report-Msgid-Bugs-To': 'baruwa@lists.baruwa.org',
        'Last-Translator': 'Andrew Colin Kissa <andrew@topdog.za.net>',
        'Generated-By': 'auto-translate.py 0.0.1',
        'Language-Team': 'Baruwa Project',
    }

    usage = "usage: %prog directory"
    parser = OptionParser(usage)
    parser.add_option('-s', '--source', dest="source_lang", default="en")
    opts, arguments = parser.parse_args()

    if len(arguments) != 1:
        parser.error("Please specify the directory to process")

    directory = arguments[0]

    if not os.path.exists(directory):
        parser.error("Directory: %s does not exist" % directory)

    try:        
        pofiles = []
        os.path.walk(directory, getpofs, pofiles)
        _ = [createps(path, CLIENT_ID, API_KEY, metadata, opts.source_lang)
            for path in pofiles]
    except KeyboardInterrupt:
        print "\nCTRL-C pressed, exiting"

Usage

You need to obtain an access token from the Azure Marketplace instructions can be found here

Set the CLIENT_ID and API_KEY variables in the script to the values you obtain from Azure DataMarket.

Then point the script to the directory containing the PO files you want to translate and let it do its thing.

/auto-translate.py <directory>

Download

You can download the script from github

]]> Boot into single user mode on various unixes http://www.topdog.za.net/2013/01/24/boot-into-single-user-mode-on-various-unixes Thu, 24 Jan 2013 07:40:00 SAST http://www.topdog.za.net/2013/01/24/boot-into-single-user-mode-on-various-unixes Boot into single user mode on various unixes Linux/Grub

Press a to append to the boot options then add single

grub append> ro root=LABEL=/ single

Solaris/OpenBoot PROM

Press L1+a or STOP+a to enter OpenBoot PROM then type

boot -s

AIX

Select maintanance mode from the boot menu or type telinit S on a running machine

HP-UX

Interrupt the boot process when prompted and at the prompt type boot pri isl to get the ISL prompt that allows you to boot into single user mode. At the ISL prompt type

ISL> prompt: hpux -iS /stand/vmunix
]]> How to update man keywords database http://www.topdog.za.net/2013/01/16/how-to-update-man-keywords-database Wed, 16 Jan 2013 07:40:00 SAST http://www.topdog.za.net/2013/01/16/how-to-update-man-keywords-database How to update man keywords database Man keywords database allow you to search for man pages using keywords, the database needs to be updated when ever man pages are added or removed.

This is how you do it for various *nix types.

Debian/Ubuntu/SUSE

mandb

RHEL/CENTOS/SL/Fedora

makewhatis

AIX/Solaris/HP-UX

catman -w
]]> Strongswan now supports PAM authentication http://www.topdog.za.net/2012/11/07/strongswan-now-supports-pam-authentication Wed, 07 Nov 2012 07:40:00 SAST http://www.topdog.za.net/2012/11/07/strongswan-now-supports-pam-authentication Strongswan now supports PAM authentication Strongswan release 5.0.1 includes a XAuth PAM plugin which requests username/password XAuth credentials and verifies them against Pluggable Authentication Modules (PAM).

This plugin is not enabled by default to enable it you need to add the following to your ./configure options

--enable-xauth-pam

You do require the pam development headers and libraries on your build machine to successfully compile.

System Configuration

The plugin is configurable in the strongswan.conf file, you are able to change the pam service that is used for authentication.

By default the login pam service is used for authentication.

I will create a new service called ipsec for demonstration.

charon {
    plugins{
        xauth-pam {
            pam_service = ipsec
        }
    }
}

The pam service configuration file is as follows.

#%PAM-1.0
# /etc/pam.d/ipsec
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Now to use PAM authentication in your connections you set for XAuth:

rightauth2=xauth-pam

Hybrid Authentication:

rightauth=xauth-pam

You are good to go and should be able to use any pam module to authenticate your users to your VPN. The options are endless: SQL, LDAP, RADIUS, LOCAL etc.

Related articles

]]> Strongswan now supports Cisco unity extensions http://www.topdog.za.net/2012/11/07/strongswan-now-supports-cisco-unity-extensions Wed, 07 Nov 2012 07:40:00 SAST http://www.topdog.za.net/2012/11/07/strongswan-now-supports-cisco-unity-extensions Strongswan now supports Cisco unity extensions I previously wrote about setting up split tunneling on Strongswan using the attr-sql plugin

With the release of Strongswan 5.0.1 it is no longer the only way to support split tunneling.

Strongswan 5.0.1 introduces the unity plugin which allows for the configuration of split tunneling either using a charon option or using the attr plugin which is enabled by default.

The unity plugin is not enabled by default to enable it you need to add the following to your ./configure options

--enable-unity

Charon option

To enable this option you need to edit the strongswan.conf file and set

charon {
    # ... other options
    cisco_unity = yes
    #...
}

As a client strongswan will install policies only for the received Split-Include attributes and IPsec bypass policies for received Local-LAN attributes.

As a server strongswan will send Split-Include attributes for leftsubnet definitions containing multiple subnets to clients that support the IKEv1 Cisco Unity Extensions.

Attr plugin option

It is also possible to configure split tunneling using the attr plugin. Two new options have been added:

  • split-include - Comma-separated list of subnets to tunnel
  • split-exclude - Comma-separated list of subnets not to tunnel
charon {
    # ... other options
    split-include = 192.168.1.0/24, 172.16.0.0/16
    split-exclude = 10.128.0.0/16
    #...
}

Related articles

]]> Mac OSX IPSEC VPN via command line using builtin Racoon client http://www.topdog.za.net/2012/09/19/mac-osx-ipsec-vpn-via-command-line-using-builtin-racoon-client Wed, 19 Sep 2012 07:30:00 SAST http://www.topdog.za.net/2012/09/19/mac-osx-ipsec-vpn-via-command-line-using-builtin-racoon-client Mac OSX IPSEC VPN via command line using builtin Racoon client Introduction

The Mac OSX IPSEC VPN client setup via "System preferences" only supports IPSEC/XAUTH and IPSEC/L2TP both of which give you a different IP address for your tunnel interface. System preferences on the backend uses Racoon so it is possible via the command line to setup a pure IPSEC connection.

In my previous post i described how to configure a Strongswan server for use with Mac OSX, Ipad, Iphone clients. For the sake of brevity i will not repeat that in this post.

This scenario assumes you are connected to a lan 10.128.1.0/24 and your IP address is 10.128.1.2 and you are connecting to a remote network 192.168.1.0/24 protected by an IPSEC VPN running Strongswan on a gateway with a dynamic address being resolved via dynamic DNS. IPSEC Authentication is done using Certificates.

Configuration

Client configuration.

Edit /etc/racoon/racoon.conf and add the following to the bottom.

include "/opt/local/etc/cmdline-ipsec.conf" ;

Create a configuration template file /opt/local/etc/cmdline-ipsec.conf.tmpl. I am using a template because the remote side has a dynamic ip address and racoon does not support DNS names only IP addresses, a custom script resolves the hostname and then generates an updated racoon configuration from this template file with the resolved IP address.

remote %SERVERIP% {
        exchange_mode main;
        ca_type x509 "/opt/local/etc/pki/cacert.pem";
        certificate_type x509 "/opt/local/etc/pki/example.pem" "/opt/local/etc/pki/example.key.pem";
        proposal_check obey;
        mode_cfg off;
        dpd_delay 360;
        nat_traversal on;
        my_identifier asn1dn;
        ike_frag on;
        script "/opt/local/bin/phase1-up.sh" phase1_up;
        script "/opt/local/bin/phase1-down.sh" phase1_down;
        lifetime time 24 hour;
        passive off;
        proposal {
                encryption_algorithm aes256;
                hash_algorithm sha512;
                authentication_method rsasig;
                dh_group 2;
       }
}

sainfo anonymous {
        lifetime time 24 hour;
        pfs_group modp2048;
        encryption_algorithm aes256;
        authentication_algorithm hmac_sha1, hmac_sha256, hmac_sha512;
        compression_algorithm deflate ;
}

Create the phase1 up script /opt/local/bin/phase1-up.sh

#!/bin/sh

#
# sa-up.sh local configuration for a new SA
#
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/opt/local/bin:/opt/local/sbin
MYIP=10.128.1.2
PROTECTEDNET=192.168.1.0/24

echo $@
echo "LOCAL_ADDR = ${LOCAL_ADDR}"
echo "LOCAL_PORT = ${LOCAL_PORT}"
echo "REMOTE_ADDR = ${REMOTE_ADDR}"
echo "REMOTE_PORT = ${REMOTE_PORT}"

LOCAL="${LOCAL_ADDR}[${LOCAL_PORT}]"
REMOTE="${REMOTE_ADDR}[${REMOTE_PORT}]"

echo "
spdadd ${MYIP}/32[any] ${PROTECTEDNET}[any] any
       -P out ipsec esp/tunnel/${LOCAL}-${REMOTE}/require;
spdadd ${PROTECTEDNET} ${MYIP}[any] any
       -P in ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
" | setkey -c

Create the phase1 down script /opt/local/bin/phase1-down.sh

#!/bin/sh

#
# sa-down.sh local remove SA
#

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
MYIP=10.128.1.2
PROTECTEDNET=192.168.1.0/24

echo $@
echo "LOCAL_ADDR = ${LOCAL_ADDR}"
echo "LOCAL_PORT = ${LOCAL_PORT}"
echo "REMOTE_ADDR = ${REMOTE_ADDR}"
echo "REMOTE_PORT = ${REMOTE_PORT}"

LOCAL="${LOCAL_ADDR}[${LOCAL_PORT}]"
REMOTE="${REMOTE_ADDR}[${REMOTE_PORT}]"

echo "
deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp; 
spddelete ${MYIP}/32[any] ${PROTECTEDNET}[any] any
        -P out ipsec esp/tunnel/${LOCAL}-${REMOTE}/require;
spddelete ${PROTECTEDNET}[any] ${MYIP}[any] any
        -P in ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
" | setkey -c

Create the custom start script /opt/local/sbin/start-vpn

#!/bin/bash
#
#
SERVERNAME="strongswan-example.dyndns.org"
SERVERIP=$(host $SERVERNAME|awk '{print $4}')
status=$(racoonctl show-sa isakmp|wc -l|awk '{print $1}')
if [ "$status" != "2" ]; then
   echo "Not connected, starting conn"
   sed -e "s:%SERVERIP%:${SERVERIP}:" \
   /opt/local/etc/cmdline-ipsec.conf.tmpl > /opt/local/etc/cmdline-ipsec.conf
   racoonctl reload-config
   racoonctl vpn-connect $SERVERIP
else
   racoonctl show-sa isakmp
   echo "Already connect, exiting"
fi

Make the script executable

chmod +x /opt/local/sbin/start-vpn

Server configuration

Update the ipsec.conf configuration from my previous post to add the following conn

conn rw
        leftcert=vpn.example.org.pem
        leftid=@vpn.example.org
        leftfirewall=yes
        right=%any
        rightsubnet=0.0.0.0/0
        rekey=yes

Testing

Open a command prompt and run the command, as root or using sudo.

start-vpn

You should be able to connect to hosts on the protected network (192.168.1.0/24)

To stop the connection run the command.

racoonctl vpn-disconnect strongswan-example.dyndns.org

Related articles

]]>