Strongswan-swanctl introduces the new configuration format for IPsec on Debian Bookworm. Unfortunately the configuration is more convoluted. Start by installing charon-systemd, which will bring in the required packages:

sudo apt install charon-systemd

Key component packages:

Example road-warrior config shown below, using IKEv2 with a certificate to authenticate the server and a user ID and password …
Category Archives: Networking
Draytek IPsec VPN errors
The following errors occur on a Draytek IPsec VPN if the VPN name has been modified:

ISAKMP Identification Payload has an unknown value …
… ISAKMP payload must be zero …
… smalformed payload: probable authentication (preshared secret) failure …
Matching General Setup key for dynamic ip client …

To fix the problem it is necessary …
Practical IPsec VPN Information
IPsec (common for IKEv1 and IKEv2):
IKEv1:
AH vs ESP:
Perfect Forward Secrecy (PFS):
Dead-Peer Detection (DPD):
Aggressive vs. Main:
IKEv2 enhancements:
Xauth:
L2TP/IPsec:
L2TP/IPsec VPN with PSK on Windows 10 connecting to RRAS
When trying to connect a Windows 10 client to a Server 2019 Routing and Remote Access L2TP/IPsec tunnel, two important settings are required on the client that aren't commonly documented:
Remapping file names with TFTP-HPA for buggy PXE clients
Some PXE clients send extraneous garbage characters in TFTP requests for files, e.g. "RRQ from … filename pxelinux.biny#012;o#036" instead of just "pxelinux.bin". This is logged in the syslog. To work around this we can use a feature of tftp-hpa to remap file names, based on a rewrite regex:

/etc/default/tftp-hpa:
TFTP_OPTIONS="--secure --verbose -v -m /etc/tftpd.map"

/etc/tftpd.map:
r …
PXE Booting Guide
1. Configure DHCP Server
Configuration below is for isc-dhcp-server on Linux:

# For hardware LAN Boot ROMs:
option tftp-server-address 192.168.1.200;
filename "pxelinux.0";
# For HyperV Guests:
# option 60 = client identifier
option dhcp-client-identifier "PXEClient";
# option 66 = TFTP server name
option tftp-server-name "192.168.1.200";
# option 67 = Bootfile name
option bootfile-name "pxelinux.0";

2. Configure TFTP Server
On Linux, tftp-hpa is recommended, with a directory structure …
OXO Connect with Mikrotik RouterOS
Mikrotik RouterOS based routers can be used as VPN endpoints to provide remote support for Alcatel-Lucent PABXs. This includes the virtual device images (Cloud Hosted Router), so a dedicated virtual machine can be implemented to provide the VPN responder. At the time of writing this post, Mikrotik does not support EAP on the responding end, …
OXO Connect to Linux with Strongswan
Strongswan is an IPsec provider for Linux. It can be used to provide a responder endpoint for connection to phone systems using OXO Connect. Below are the key settings that have been tested to work with an OXO Connect PSK-PSK profile, using Debian Linux:

/etc/ipsec.conf:
conn ike2psk-clientA
    auto=add
    keyexchange=ikev2
    ike=aes256-sha2_256-modp2048!   # modify to match
    esp=aes256-sha2_256-modp2048!
…
Configure Geo-blocking with Apache on Debian
To enable Geo-IP Blocking on Debian 9 Stretch, assuming you already have a running Apache web server:

apt install libmaxminddb0 libmaxminddb-dev
apt install apache2-dev

Download and extract the latest MaxMind Apache mod version from: https://github.com/maxmind/mod_maxminddb/releases
Follow the instructions to configure and install from the source code.
Download and install the GeoIP Update program to automate …
OpenVPN on MikroTik Router
The steps below show how to configure OpenVPN connections to a MikroTik router. Note that at the time of writing MikroTik's RouterOS only supports TCP connections to OpenVPN, not UDP. Before proceeding, a Certificate Authority should be available to manage certificates; see our previous post for using the MikroTik for this. Configure the IP …