IPSec, x509, iptables, SELinux

Here are some useful resources:

How Packets Traverse Linux 2.4 Kernels

SELinux

selinux-usr CVS (SourceForge)
SELinux FC3 FAQ
Gentoo SELinux kernel options (lists necessary kernel options)

iptables

iptables HowTo

IPSec

ipsec-tools on SourceForge
Linux Kernel 2.6 using KAME-tools (lists necessary kernel options)
Automatic Keying
This is the secret Racoon error message decoder ring.
ONLamp.com: Cryptosystems: Debugging IPSec

Takeaway message: psk.txt is a sensitive little feller. Racoon will not use it if it is readable by group or others (it logs a weak-file-permission error), so keep it mode 0600, and the identifier in the first column has to match exactly what the peer presents as its identity (address, FQDN or user FQDN), followed by whitespace and the key. Even if you think it’s set up perfectly, change the password again on both sides. I’ll bet it’ll work.

If you’re gonna use IPSec, save yourself a lot of hassle and just use x509 certs, like this part of the IPSec HowTo describes.

A troubleshooting tip: before you try IPSec with your newly installed certs, use OpenSSL to check that they are in the right place and that the machine cert actually chains to the CA cert you are going to point racoon at. For example,

[root@machine /usr/local/etc]# openssl verify -CAfile my_ca_cert.pem machine_cert.pem

If that prints machine_cert.pem: OK, then give IPSec a try. If it doesn’t, racoon won’t do any better, since it hands the same files to the same OpenSSL verification.
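As an added example (not from the post), here are the checks I would run on a fresh set of racoon certificates before touching the IPsec config: the openssl verify step above, plus a key/cert match and a file-mode check, which also covers psk.txt if you stayed with pre-shared keys. It builds a throwaway CA and machine cert in a temp directory so it runs anywhere OpenSSL is installed; the file names mirror the ones in the command above, and the subjects and directory are illustrative.

```shell
#!/bin/sh
# Added example, not from the post: pre-flight checks for racoon's X.509
# material, run on a throwaway CA and machine cert generated below.
# File names mirror the ones in the post; the directory is a temp dir.

# Build a self-signed CA, a CA-signed machine cert, and an unrelated second
# CA (the "wrong CA" case) in directory $1.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test IPsec CA" \
        -keyout "$dir/ca_key.pem" -out "$dir/my_ca_cert.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=machine.example.net" \
        -keyout "$dir/machine_key.pem" -out "$dir/machine.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/machine.csr" \
        -CA "$dir/my_ca_cert.pem" -CAkey "$dir/ca_key.pem" -CAcreateserial \
        -out "$dir/machine_cert.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Some Other CA" \
        -keyout "$dir/other_ca_key.pem" -out "$dir/other_ca_cert.pem" >/dev/null 2>&1
}

# 1. Does the machine cert chain to the CA racoon will be told about?
#    This is the "openssl verify" step from the post; we key off the
#    "<file>: OK" line, which is the unambiguous success signal.
cert_signed_by_ca() {
    ca=$1; cert=$2
    if openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "OK   $cert chains to $ca"
    else
        echo "FAIL $cert does not chain to $ca"
        return 1
    fi
}

# 2. Does the private key actually belong to the cert?  A mismatched pair
#    passes "openssl verify" but fails the IKE signature.  Compare the public
#    key embedded in the cert with the one derived from the private key.
cert_matches_key() {
    pub_from_cert=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    pub_from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$pub_from_cert" ] && [ "$pub_from_cert" = "$pub_from_key" ]
}

# 3. Is secret material private?  Racoon complains about a psk.txt with
#    group/other bits; hold the machine key to the same standard (0600/0400).
is_private_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT
make_test_pki "$PKI_DIR"
chmod 600 "$PKI_DIR/machine_key.pem"

cert_signed_by_ca "$PKI_DIR/my_ca_cert.pem"    "$PKI_DIR/machine_cert.pem"
cert_signed_by_ca "$PKI_DIR/other_ca_cert.pem" "$PKI_DIR/machine_cert.pem" || true
cert_matches_key "$PKI_DIR/machine_cert.pem" "$PKI_DIR/machine_key.pem" \
    && echo "OK   key matches cert" || echo "FAIL key does not match cert"
is_private_mode "$PKI_DIR/machine_key.pem" \
    && echo "OK   key file mode is private" || echo "FAIL key file is group/world readable"
```

The three checks line up with what racoon.conf refers to: the CA file named by ca_type x509, and the cert/key pair named by certificate_type x509, both looked up relative to the path certificate directory. Run them against the real files in that directory, as the user racoon runs as, and the "file not found" and "wrong CA" failures stop being IKE mysteries.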

Proxy ARP
Proxy ARP with Linux
Setting up Proxy ARP with subnetting

Originally I was interested in proxy ARP because I wanted to configure a machine running the Xen hypervisor to use proxy ARP to make the non-privileged domains appear to be directly on the network. The 2.6 kernels (and perhaps even earlier ones, I don’t know) automatically manage the proper proxy ARP settings for the virtual interfaces when you use ip route to make the necessary routing table entries. To enable proxy ARP on the real interface (e.g., eth0), add the following line to /etc/xen/scripts/network-route (the /proc setting does not survive a reboot, which is why it belongs in the script rather than being typed once by hand):
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
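As an added example (not from the post): the proxy_arp knob exists as both conf/all/proxy_arp and conf/<interface>/proxy_arp, and the kernel proxies ARP on an interface if either one is 1, so a per-interface 0 tells you nothing on its own. The functions below read and set the knob the way the network-route line does, with SYSCTL_ROOT overridable so the logic can be exercised against a fake /proc/sys tree without root; eth0, the guest address and the vif name are illustrative.

```shell
#!/bin/sh
# Added example, not from the post.  proxy_arp on an interface is effective
# if conf/all/proxy_arp OR conf/<iface>/proxy_arp is 1 (kernel ip-sysctl
# documentation), so check both before trusting the per-interface value.
# SYSCTL_ROOT is overridable for testing; the default is the real tree.

SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}

# Raw 0/1 value of conf/<iface>/proxy_arp, empty if the interface is unknown.
proxy_arp_raw() {
    cat "$SYSCTL_ROOT/net/ipv4/conf/$1/proxy_arp" 2>/dev/null
}

# What the kernel will actually do on interface $1.
proxy_arp_effective() {
    if [ "$(proxy_arp_raw all)" = 1 ] || [ "$(proxy_arp_raw "$1")" = 1 ]; then
        echo 1
    else
        echo 0
    fi
}

# The network-route line from the post, for one interface.  Keep it
# per-interface: with conf/all set, the box answers ARP for every address it
# has a route to, on every interface, which is rarely what you want.
enable_proxy_arp() {
    echo 1 > "$SYSCTL_ROOT/net/ipv4/conf/$1/proxy_arp"
}

# Host route for a guest (so dom0 forwards to its vif) followed by proxy ARP
# on the upstream interface.  Needs root and a real Xen host; shown for the
# ordering.  To persist the sysctl without relying on the script, put
# net.ipv4.conf.eth0.proxy_arp = 1 in /etc/sysctl.conf.
setup_guest() {
    guest_ip=$1; vif=$2; upstream=${3:-eth0}
    ip route add "$guest_ip/32" dev "$vif" || return 1
    enable_proxy_arp "$upstream"
}

for ifc in all eth0; do
    printf '%s: raw=%s effective=%s\n' "$ifc" \
        "$(proxy_arp_raw "$ifc")" "$(proxy_arp_effective "$ifc")"
done
```

On a Xen host you would call setup_guest 192.0.2.10 vif1.0 eth0 (constructed values) after the domain's vif appears; proxy_arp_effective eth0 is the check to run when a guest is reachable from dom0 but not from the rest of the segment.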
