OpenBSD
ClamAV: Project
by Brian on May.19, 2005, under Mac OSX, OpenBSD, Windows Info
ClamAV: Project
Clam is a *very* excellent Open Source antivirus solution. It integrates nicely with most mail servers,
and runs very well on my OpenBSD boxes.
Note: There’s also a Windows version of this awesome freeware available. Get yours at http://www.clamwin.com
Windows XP to OpenBSD VPN Configuration
by Brian on May.13, 2005, under Networking, OpenBSD, Windows Info
Re: OpenBSD VPN
From: Peter Grießl (griesslihs.ac.at)
Date: Thu Feb 17 2005 – 02:29:22 CST
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
——————————————————————————–
Mark Maxey wrote:
>
> My incoming hosts will be a mixture of Windows XP/2000 and Linux
> clients, but knowledgeable users. Preferably this solution would be
> able to use a free client or use the ipsec/vpn capabilities built into
> MS windows.
>
Hi Mark,
use IPsec – Windows 2000/XP has builtin support for IPsec, no need for any
extra client software.
The only magic is the configuration; in theory one can configure IPsec
using clicksy graphical interfaces (Management Console …), practically
you cannot. But tunnel setup is perfectly possible using a simple
batch file and the MS tools ipsecpol.exe (W2k) or ipseccmd.exe (XP).
for certificates, we use http://www.klake.org/~jt/mkca
The clients only need to install the *.p12 certificate file (double-click
installation does not work, you have to go through MMC – Certificate SnapIn
– right-click Personal – All Tasks – Import – Wizard – browse to the *.p12
file – password – change the certificate store to “Automatically select
the certificate store based on the type of certificate” – next – complete –
finish
XPSP2: start testing with firewall disabled (note: tunnel works ok with
firewall enabled, only problems using icmp – XPSP2-bug)
Personal Firewalls (Norton, McAfee): some work together with IPsec, some
don’t (some have to be completely deinstalled to make IPsec work, disabling
does not help)
Users must have administrative rights to set up the IPsec-tunnel on 2000/XP.
So, here are the batchfiles we use:
START_VPN.BAT (call with Samba-username and Samba-password as arguments)
————-
echo off
set VPNPATH=c:ihsvpn
title please wait …
rem we have two ipsec gateways, one batchfile
set WLANGW=143.130.40.1
set DMZGW=143.130.36.2
set USER=%1
set PASS=%2
rem 2000 or XP ?
ver | findstr 2000
if not errorlevel 1 goto 2000
ver | findstr XP
if not errorlevel 1 goto XP
goto OUT
:2000
set TOOL=ipsecpol
goto OSOK
:XP
set TOOL=ipseccmd
:OSOK
rem disable and delete old ipsec policy (sometimes required,
rem user did not call stop_vpn.bat last time)
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2LAN -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r LAN2NB -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2DHCP -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r DHCP2NB -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -o
rem Which gateway is accessible?
ping -n 3 %WLANGW% | find “TTL” > NUL
if not errorlevel 1 goto WLAN
ping -n 3 %DMZGW% | find “TTL” > NUL
if not errorlevel 1 goto DMZ
goto EXIT
:WLAN
set IPSECGW=%WLANGW%
goto DOIT
:DMZ
set IPSECGW=%DMZGW%
:DOIT
REM all traffic to our net should go through the ipsec tunnel
set ROUTE=143.130.32.0/255.255.240.0
REM find client’s ip address
set ipaddr=
for /F “tokens=2 delims=:” %%f in (‘ipconfig ^| findstr dress’) do set
ipaddr=%%f
if “%ipaddr%”==”” goto EXIT
REM trim space
set ipaddr=%ipaddr:~1%
REM DHCP-server?
set dhcp=
for /F “tokens=2 delims=:” %%f in (‘ipconfig /all ^| findstr /C:”DHCP
Server”‘) do set dhcp=%%f
REM trim space
set dhcp=%dhcp:~1%
REM create IPSEC policy and activate tunnel
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2LAN -t %ipsecgw% -f 0=%ROUTE% -n
ESP[SHA,3DES]P -a CERT:”C=AT, S=Austria, L=Vienna, O=Institute for Advanced
Studies, OU=IHS, CN=Institute for Advanced Studies”
%VPNPATH%%TOOL% -w REG -p IHSVPN -r LAN2NB -t %ipaddr% -f %ROUTE%=0 -n
ESP[SHA,3DES]P -a CERT:”C=AT, S=Austria, L=Vienna, O=Institute for Advanced
Studies, OU=IHS, CN=Institute for Advanced Studies”
if %dhcp%==~1 goto activate
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2DHCP -t %ipsecgw% -f
0:68=%dhcp%:67:UDP -n PASS
%VPNPATH%%TOOL% -w REG -p IHSVPN -r DHCP2NB -t %ipaddr% -f
%dhcp%:67=0:68:UDP -n PASS
:activate
%VPNPATH%%TOOL% -w REG -p IHSVPN -x
REM negotiate and check IPSEC
rem ping the samba server to setup and check the ipsec tunnel
ping -n 4 143.130.45.10 < ======= doesn't work with
XPSP2 FW enabled
nbtstat -A 143.130.45.10
ping -n 2 143.130.45.10 | find "TTL" <======= ................
if not errorlevel 1 goto MOUNT
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2LAN -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r LAN2NB -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2DHCP -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r DHCP2NB -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -o
goto EXIT
REM mount network drives (if you need this)
:MOUNT
rem mount your samba shares (net use .... %USER% %PASS%)
goto OUT
:EXIT
echo Something went wrong, sorry!
:OUT
exit
STOP_VPN.BAT
------------
echo off
set VPNPATH=c:ihsvpn
title please wait ...
rem unmount samba shares
rem net use .... /d
rem 2000 or XP ?
ver | findstr 2000
if not errorlevel 1 goto 2000
ver | findstr XP
if not errorlevel 1 goto XP
goto EXIT
:2000
set TOOL=ipsecpol
goto OSOK
:XP
set TOOL=ipseccmd
:OSOK
rem disable and delete ipsec policy
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2LAN -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r LAN2NB -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r NB2DHCP -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -r DHCP2NB -y
%VPNPATH%%TOOL% -w REG -p IHSVPN -o
:EXIT
exit
here are the OpenBSDs (3.6) config files:
/etc/isakmpd/isakmpd.conf
# --- Global options
[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= 143.130.40.1
Shared-SADB= Defined
Renegotiate-on-HUP= Defined
# --- X.509 certificate locations
[X509-certificates]
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
Private-key= /etc/isakmpd/private/local.key
# --- IKE Phase 1 & 2
[Phase 1]
Default= Client-phase1
[Phase 2]
Passive-Connections= Client-phase2
[Client-phase1]
Phase= 1
Transport= udp
Local-address= 143.130.40.1
Configuration= Default-main-mode
ID= My-ID
[My-ID]
ID-type= FQDN
Name= ipsecgw.ihs.ac.at
[Client-phase2]
Phase= 2
ISAKMP-peer= Client-phase1
Local-ID= All-networks
Remote-ID= Unknown-address
# --- Network details
[All-networks]
ID-Type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0
[Unknown-address]
ID-Type= IPV4_ADDR
Address= 0.0.0.0
# --- Main and quick mode transforms
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-RSA_SIG
[3DES-SHA-RSA_SIG]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= RSA_SIG
AUTHENTICATION_ALGORITHM= HMAC_SHA
Life= Phase1-Lifetime
[Phase1-Lifetime]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,60:86400
/etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "DN:/C=AT/ST=Austria/L=Vienna/O=Institute for Advanced
Studies/OU=IHS/CN=Institute for Advanced Studies"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
remote_id_type == "ASN1 DN" &&
esp_enc_alg != "null" -> “true”;
Hope that helps!
Greetings from cold Vienna,
Peter Griessl, griesslihs.ac.at