[gentoo-user] Which IPSEC to go?
Hi,

since I have been out of the game of doing ipsec with Linux for a while: What's the way to go? Strongswan/Openswan or ipsec-tools for kame/racoon. Emerge -p gave me some ~ for ipsec-tools while openswan goes without. Any input welcome. I need this for a road warrior setup.

Regards,

Konstantin
--
Dipl-Inf. Konstantin Agouros aka Elwood Blues. Internet: elw...@agouros.de
Altersheimerstr. 1, 81545 Muenchen, Germany. Tel +49 89 69370185
"Captain, this ship will not survive the forming of the cosmos." B'Elana Torres
[gentoo-user] Openswans IPSEC starting before net
Hi,

I installed openswan recently to connect to my IPCOP based router via VPN over a Netgear WPN311 WLAN card. According to some documentation I found I also added ipsec-tools, though it seems that this is not necessary (setup of a different PC without them and everything works fine).

The problem now is that the IPSEC service is started before the NET service is up and running. That way IPSEC does not set up the VPN tunnel to the router. I always need to perform the IPSEC startup by hand (or in rc.local). As I stated above, setting up a PC without the ipsec-tools package installed leads to correct behaviour (IPSEC started after NET).

1. Has anybody seen this before? Is there a way to alter the startup order?
2. How can I debug the decision process which determines the startup order of the services? I already checked /var/lib/init.d/deptree. But from that file everything seems to be alright (NET is a precondition to run IPSEC).

BR
Thomas
--
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Which IPSEC to go?
On 1/24/2010 1:38 PM, Konstantinos Agouros wrote:
> Hi,
>
> since I have been out of the game of doing ipsec with Linux for a while: What's the way to go? Strongswan/Openswan or ipsec-tools for kame/racoon. [...] I need this for a road warrior setup.

Use Openvpn. Way simpler, has a client for all the major OSs, and most importantly isn't based on annoying ipsec. You can use Openvpn between servers as well to set up tunnels.

kashani
Re: [gentoo-user] Which IPSEC to go?
kashani wrote:
> On 1/24/2010 1:38 PM, Konstantinos Agouros wrote:
>> Hi,
>>
>> since I have been out of the game of doing ipsec with Linux for a while: What's the way to go? Strongswan/Openswan or ipsec-tools for kame/racoon. [...] I need this for a road warrior setup.
>
> Use Openvpn. Way simpler, has a client for all the major OSs, and most importantly isn't based on annoying ipsec. You can use Openvpn between servers as well to set up tunnels.
>
> kashani

FWIW: I tried installing the openvpn client on windows-7 ~a month ago and failed. So, I'm not sure it's win7 compatible.

Amit
[gentoo-user] Traffic Intensive IPSec Tunnel
Hello Everyone,

Our service provider requires all connections between us be done through IPSec IKE. From the little bit of research, I found that this is achieved using a system with IPSec kernel modules enabled, along with cryptography modules. On the application level, I saw ipsec-tools, OpenSWAN, and OpenVPN. What I was wondering is which should be used for traffic intensive connections in a deployment environment.

Without starting any OpenVPN vs OpenSwan debate, we would really like to keep the application level to a minimum. Meaning if we could achieve the tunnel using the required kernel modules, ipsec-tools and iptables, we see that as keeping it simple and effective.

Your insight and suggested how-to pages are greatly appreciated.

Thanks in Advance,

Nick.
Re: [gentoo-user] Traffic Intensive IPSec Tunnel
On 05/11/2013 03:13 PM, Nick Khamis wrote:
> Hello Everyone,
>
> Our service provider requires all connections between us be done through IPSec IKE. [...] On the application level, I saw ipsec-tools, OpenSWAN, and OpenVPN. What I was wondering is which should be used for traffic intensive connections in a deployment environment. [...]

To my knowledge, OpenVPN does not use IPSec. Instead, it encapsulates either IP/IPv6 (tun mode) or layer 2 (tap mode) over TLS. If your service provider requires IPSec and IKE, best forget about OpenVPN.

http://www.ipsec-howto.org/x304.html

Look under "Automatic keyed connections using racoon".
Re: [gentoo-user] Which IPSEC to go?
On 24.01.2010 23:38, Konstantinos Agouros wrote:
> since I have been out of the game of doing ipsec with Linux for a while: What's the way to go? Strongswan/Openswan or ipsec-tools for kame/racoon. [...] I need this for a road warrior setup.

Assuming you will want to support windows clients as well, openswan and openvpn are the popular choices. There has been some mention of questionable code quality for openswan so you might want to check if openvpn fits your needs first. Personally, I would stay away from kame/racoon.

--
Eray
Re: [gentoo-user] Which IPSEC to go?
In 4b612f2e.1070...@badapple.net kashani-l...@badapple.net (kashani) writes:
> On 1/24/2010 1:38 PM, Konstantinos Agouros wrote:
>> [...] I need this for a road warrior setup.
>
> Use Openvpn. Way simpler, has a client for all the major OSs, and most importantly isn't based on annoying ipsec. You can use Openvpn between servers as well to set up tunnels.

Well, I already use openvpn, but I have a device that only allows for IPSEC and does not run openvpn. Otherwise I would not go that way.

> kashani
--
Dipl-Inf. Konstantin Agouros aka Elwood Blues.
Re: [gentoo-user] Which IPSEC to go?
On Sunday 24 January 2010 21:38:23 Konstantinos Agouros wrote:
> Hi,
>
> since I have been out of the game of doing ipsec with Linux for a while: What's the way to go? Strongswan/Openswan or ipsec-tools for kame/racoon.

Openswan is simpler to configure, although I have not tried it yet. I have however tried to establish a racoon based VPN connection to a router and after I wasted an awful lot of time I gave up. :-(

I think my problem was that I hadn't set up sysctl (amidst other things) to forward connections correctly. Either way I found the whole IPSec/Racoon experience ridiculously complicated compared to, say, ssh.

> Emerge -p gave me some ~ for ipsec-tools while openswan goes without.

IPSec-tools will fail to compile lately. To overcome this you need to emerge ~ARCH linux-headers and then emerge ipsec-tools (there's a bug about it). You can downgrade linux-headers after you emerge ipsec-tools.

> Any input welcome. I need this for a road warrior setup.

Well, if you need VPN, you need VPN. Personally, I would try to set up an ssh tunnel (using the -D flag) or another SOCKS5 proxy of some sort at home for this purpose and play with mtu sizes to get it to work without fragmentation. If you use ssh I would recommend using public keys and removing passwd authentication.

However, if you succeed in setting up a VPN connection for road warrior usage please write a HOWTO! I will happily try it to see if it will work with my router. ;-)
--
Regards,
Mick
Re: [gentoo-user] ipsec-tools-0.7.3 fails to build
On Saturday 07 November 2009 18:30:16 Daniel Pielmeier wrote:
> Mick wrote on 07.11.2009 18:10:
>> Like so:
>>
>> [...]
>> ../../src/include-glibc/linux/swab.h:6:22: error: asm/swab.h: No such file or directory
>> make[4]: *** [isakmp.o] Error 1
>> [...]
>>  * ERROR: net-firewall/ipsec-tools-0.7.3 failed.
>> [...]
>>
>> Has anyone managed to build it?
>
> Take a look at this bug: http://bugs.gentoo.org/264233

Thanks Daniel, I found this after I posted and remembered that I had contributed to it ... back then still on version net-firewall/ipsec-tools-0.7.1
--
Regards,
Mick
[gentoo-user] ipsec-tools-0.7.3 fails to build
Like so:

i686-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I../.. -I./../libipsec -D_GNU_SOURCE -include ./src/include-glibc/glibc-bugs.h -I./src/include-glibc -I./src/include-glibc -I./../../src/racoon/missing -D_GNU_SOURCE -include ../../src/include-glibc/glibc-bugs.h -I../../src/include-glibc -I../../src/include-glibc -DSYSCONFDIR=\/etc\ -DADMINPORTDIR=\/var/lib/racoon\ -O2 -march=pentium3 -fomit-frame-pointer -msse -mmmx -pipe -Wall -Wno-unused -MT session.o -MD -MP -MF .deps/session.Tpo -c -o session.o session.c
mv -f .deps/session.Tpo .deps/session.Po
i686-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I../.. -I./../libipsec -D_GNU_SOURCE -include ./src/include-glibc/glibc-bugs.h -I./src/include-glibc -I./src/include-glibc -I./../../src/racoon/missing -D_GNU_SOURCE -include ../../src/include-glibc/glibc-bugs.h -I../../src/include-glibc -I../../src/include-glibc -DSYSCONFDIR=\/etc\ -DADMINPORTDIR=\/var/lib/racoon\ -O2 -march=pentium3 -fomit-frame-pointer -msse -mmmx -pipe -Wall -Wno-unused -MT isakmp.o -MD -MP -MF .deps/isakmp.Tpo -c -o isakmp.o isakmp.c
In file included from ../../src/include-glibc/linux/byteorder/little_endian.h:12,
                 from /usr/include/asm/byteorder.h:79,
                 from ../../src/include-glibc/linux/ip.h:20,
                 from isakmp.c:115:
../../src/include-glibc/linux/swab.h:6:22: error: asm/swab.h: No such file or directory
make[4]: *** [isakmp.o] Error 1
make[4]: Leaving directory `/var/tmp/portage/net-firewall/ipsec-tools-0.7.3/work/ipsec-tools-0.7.3/src/racoon'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/var/tmp/portage/net-firewall/ipsec-tools-0.7.3/work/ipsec-tools-0.7.3/src/racoon'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/var/tmp/portage/net-firewall/ipsec-tools-0.7.3/work/ipsec-tools-0.7.3/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/var/tmp/portage/net-firewall/ipsec-tools-0.7.3/work/ipsec-tools-0.7.3'
make: *** [all] Error 2
 *
 * ERROR: net-firewall/ipsec-tools-0.7.3 failed.
 * Call stack:
 *   ebuild.sh, line 49:  Called src_compile
 *   environment, line 4014:  Called die
 * The specific snippet of code:
 *   emake -j1 || die
 * The die message:
 *   (no error message)

Has anyone managed to build it?
--
Regards,
Mick
Re: [gentoo-user] ipsec-tools-0.7.3 fails to build
On Sat, Nov 7, 2009 at 8:10 PM, Mick michaelkintz...@gmail.com wrote:
> Like so:
>
> [...]
> ../../src/include-glibc/linux/swab.h:6:22: error: asm/swab.h: No such file or directory
> make[4]: *** [isakmp.o] Error 1
> [...]
>  * ERROR: net-firewall/ipsec-tools-0.7.3 failed.
> [...]
>
> Has anyone managed to build it?
> --
> Regards,
> Mick

Why don't you try to compile it with another version of gcc, selecting another version with 'gcc-config'? Maybe it'll help?
Re: [gentoo-user] ipsec-tools-0.7.3 fails to build
On Saturday 07 November 2009 17:16:48 alex ponomarev wrote:
> On Sat, Nov 7, 2009 at 8:10 PM, Mick michaelkintz...@gmail.com wrote:
>> Like so:
>>
>> [...]
>> ../../src/include-glibc/linux/swab.h:6:22: error: asm/swab.h: No such file or directory
>> make[4]: *** [isakmp.o] Error 1
>> [...]
>>  * ERROR: net-firewall/ipsec-tools-0.7.3 failed.
>> [...]
>>
>> Has anyone managed to build it?
>
> Why don't you try to compile it with another version of gcc, selecting another version with 'gcc-config'? Maybe it'll help?

Thanks, but I currently only have i686-pc-linux-gnu-4.3.4 on this machine (stable x86).
--
Regards,
Mick
Re: [gentoo-user] ipsec-tools-0.7.3 fails to build
Mick wrote on 07.11.2009 18:10:
> Like so:
>
> [...]
> ../../src/include-glibc/linux/swab.h:6:22: error: asm/swab.h: No such file or directory
> make[4]: *** [isakmp.o] Error 1
> [...]
>  * ERROR: net-firewall/ipsec-tools-0.7.3 failed.
> [...]
>
> Has anyone managed to build it?

Take a look at this bug: http://bugs.gentoo.org/264233
--
Daniel Pielmeier
Re: [gentoo-user] Traffic Intensive IPSec Tunnel
Thanks yet again Michael! Enjoy your weekend.

N.

On 5/11/13, Michael Mol mike...@gmail.com wrote:
> On 05/11/2013 03:13 PM, Nick Khamis wrote:
>> Hello Everyone,
>>
>> Our service provider requires all connections between us be done through IPSec IKE. [...]
>
> To my knowledge, OpenVPN does not use IPSec. Instead, it encapsulates either IP/IPv6 (tun mode) or layer 2 (tap mode) over TLS. If your service provider requires IPSec and IKE, best forget about OpenVPN.
>
> http://www.ipsec-howto.org/x304.html
>
> Look under "Automatic keyed connections using racoon".
Re: [gentoo-user] How to IPSEC M$oft VPN client setup
On Tue, 05 May 2009 17:49:06 +0100 Graham Murray gra...@gmurray.org.uk wrote:
> Michael Higgins li...@evolone.org writes:
>> Is there a useful Gentoo document anyone might suggest describing how one *connects to* a VPN device of the 'Microsoft' flavour with IPSEC?
>
> I do not know about a Gentoo document,

I've been working on this for *way* too long, with no apparent success. I have racoon and l2tpd running, but no network addresses in the VPN.

Does anyone understand the actual procedure(s) for making a VPN like, l2tp, IPSEC pre-shared secret connection, and wish to elaborate just a bit on the issues (config files, possible values) involved?

I mean, the ebuild for ipsec-tools doesn't even put in half the config files... as if any of this could work at all without them?

Any help appreciated. :(

Cheers,
--
Michael Higgins
michael.higgins[at]evolone[dot]org
[gentoo-user] Update problems
Hi all,

A few days ago when doing an 'emerge -puD world' I got the message to upgrade to the 2005.0 profile. I changed the link to make.profile to fit the 2005.0 profile but since then I can't seem to update. I'm stuck with the following error:

---
Calculating world dependencies |
!!! All ebuilds that could satisfy =sys-kernel/linux-headers-2.6 have been masked.
!!! One of the following masked packages is required to complete your request:
- sys-kernel/linux-headers-2.6.8.1-r2 (masked by: profile)
- sys-kernel/linux-headers-2.6.11 (masked by: profile, -* keyword)
- sys-kernel/linux-headers-2.6.8.1-r4 (masked by: profile)
For more information, see MASKED PACKAGES section in the emerge man page or section 2.2 Software Availability in the Gentoo Handbook.
!!!    (dependency required by net-firewall/ipsec-tools-0.5-r1 [ebuild])
!!! Problem with ebuild net-firewall/ipsec-tools-0.5-r1
!!! Possibly a DEPEND/*DEPEND problem.
!!! Depgraph creation failed.
---

I've been playing around with the package.keywords file, but that doesn't seem to have the solution :( Maybe unmerging ipsec-tools would help, but I need racoon for the connection to the box :(

Does someone know how to fix this?

Thanx in advance,
-Arjen
Re: [gentoo-user] problem compile ipsec-tools
On 8/11/05, Walter Willis [EMAIL PROTECTED] wrote:
> the install of openswan is ok but installing ipsec-tools gives an error:
>
> gcc -L../libipsec/.libs -o plainrsa-gen plainrsa-gen.o plog.o vmbuf.o crypto_openssl.o logger.o misc.o -lssl -lcrypto -lresolv -lipsec -lfl sha2.o
> gcc: sha2.o: No such file or directory
> make[3]: *** [plainrsa-gen] Error 1
> make[3]: *** Waiting for unfinished jobs
(SNIP)

It sounds as if the ebuild is incompatible with the -j make flag. Try exporting MAKEOPTS (IIRC, I'm not at my gentoo box) as an empty string or -j1 (which limits the number of concurrent jobs to one) when merging it:

MAKEOPTS=-j1 emerge ipsec-tools

Regards,
Andreas
--
"And I hate redundancy, and having different functions for the same thing." - Linus Torvalds on linux-kernel
Re: [gentoo-user] Gentoo or Linux from Scratch - Perspectives?
Zac Medico [EMAIL PROTECTED] writes:
> Are we really far behind? That's difficult to believe. For what packages specifically? Do you know how to unmask unstable packages (marked M or M~ at packages.gentoo.org)?

ipsec-tools. The current upstream 'release' is 0.6, and 0.6.1 is at release candidate. The latest in portage is 0.5.2.
Re: [gentoo-user] Traffic Intensive IPSec Tunnel
On Sunday 12 May 2013 03:37:48 Nick Khamis wrote:
> Thanks yet again Michael! Enjoy your weekend.
>
> N.
>
> On 5/11/13, Michael Mol mike...@gmail.com wrote:
>> On 05/11/2013 03:13 PM, Nick Khamis wrote:
>>> Hello Everyone,
>>>
>>> Our service provider requires all connections between us be done through IPSec IKE. [...]
>>
>> To my knowledge, OpenVPN does not use IPSec. Instead, it encapsulates either IP/IPv6 (tun mode) or layer 2 (tap mode) over TLS. If your service provider requires IPSec and IKE, best forget about OpenVPN.
>>
>> http://www.ipsec-howto.org/x304.html
>>
>> Look under "Automatic keyed connections using racoon".

If your ISP is using IKEv1, Racoon *should* do what you want, but you may need to set up the routes manually. The up/down scripts in /etc/racoon/scripts do not work in my case and I have to set them up with ifconfig and ip. Apparently they work if you use xauth, according to this thread:

http://forums.gentoo.org/viewtopic-p-6977674.html

Instead, I opted for using StrongSwan, which is *much* better documented, supports additional ciphers, RADIUS, etc. and allocation of IKEv1 pools using a database back end. More importantly it also works with IKEv2 and MOBIKE. With racoon you will have to try racoon2 if you need IKEv2, which was in development back in 2010.

You can read a comparison between the *Swans here, but things have moved on since; e.g. StrongSwan supports IKEv1 in Aggressive Mode, OpenSwan supports part of IKEv2, etc:

https://lists.strongswan.org/pipermail/users/2010-September/005293.html

Ask if you need particular details in setting up your implementation.
--
Regards,
Mick
Re: [gentoo-user] Connecting to VPN
On Tue, Jun 5, 2012 at 9:54 AM, Massimiliano Ziccardi massimiliano.zicca...@gmail.com wrote:
> Hi all!
>
> Are you aware of software I can use to connect my gentoo PC to an ATT IPSec DualAccess VPN?
>
> Thanks in advance,
> Massimiliano Ziccardi

http://www.ibmconnections.org/wordpress/index.php/2009/01/ibm-att-vpn-client-on-linux-ubuntu/

From the sound of it, they have their own VPN client. If you grab their package, you can probably repackage it such that it'd work on Gentoo. I know that's how one would [used to] install closed binary packages like Skype.

That said, it's possible they're using a combination of existing tools. Given that they're using IPSec, it may be that all you need is racoon.

http://en.gentoo-wiki.com/wiki/IPsec_L2TP_VPN_server
--
:wq
Re: [gentoo-user] How to IPSEC M$oft VPN client setup
On Monday 11 May 2009, Michael Higgins wrote:
> On Tue, 05 May 2009 17:49:06 +0100 Graham Murray gra...@gmurray.org.uk wrote:
>> Michael Higgins li...@evolone.org writes:
>>> Is there a useful Gentoo document anyone might suggest describing how one *connects to* a VPN device of the 'Microsoft' flavour with IPSEC?
>>
>> I do not know about a Gentoo document,
>
> I've been working on this for *way* too long, with no apparent success. I have racoon and l2tpd running, but no network addresses in the VPN. [...]
>
> Any help appreciated. :(

Any progress with this guys? I am also trying to get something running between a router and my laptop (using kvpnc) but I am failing with this error:

=
info: Gateway hostname (my.remote_router.com) resolved to XX.XXX.XXX.XX.
error: [racoon helper err] /home/michael/.kde3.5/share/apps/kvpnc//setkey.ROUTER.sh: line 6: -f: command not found
error: [racoon err] racoon: must be root to invoke this program.
=

I am not sure that I want to run kvpnc as root - after all it is a GUI application ...

Worth noting that unlike the OP my remote router is not running MS l2tp, but IPSec with PSK.
--
Regards,
Mick
Re: [gentoo-user] Gentoo or Linux from Scratch - Perspectives?
Graham Murray wrote:
> Zac Medico [EMAIL PROTECTED] writes:
>> Are we really far behind? That's difficult to believe. For what packages specifically? Do you know how to unmask unstable packages (marked M or M~ at packages.gentoo.org)?
>
> ipsec-tools. The current upstream 'release' is 0.6, and 0.6.1 is at release candidate. The latest in portage is 0.5.2.

That's unfortunate. I guess none of the gentoo devs happen to be particularly interested in a version bump on that package. Oh well, most of them probably don't get paid for the work they do on gentoo, so who can blame them? Having more developers would help, but there will always be packages suffering from lack of developer interest.

Usually with version bumps, you can just copy the existing ebuild into your overlay and rename it (see portage docs for PORTDIR_OVERLAY). There is a version bump ebuild for ipsec-tools attached to bug 100692:

http://bugs.gentoo.org/show_bug.cgi?id=100692

Zac
Re: [gentoo-user] Connecting to VPN
Thank you!

I'm giving a look to the links: I'll let you know the results!

Best regards,
Massimiliano Ziccardi

On Tue, Jun 5, 2012 at 4:28 PM, Michael Mol mike...@gmail.com wrote:
> On Tue, Jun 5, 2012 at 9:54 AM, Massimiliano Ziccardi massimiliano.zicca...@gmail.com wrote:
>> Hi all!
>>
>> Are you aware of software I can use to connect my gentoo PC to an ATT IPSec DualAccess VPN? [...]
>
> http://www.ibmconnections.org/wordpress/index.php/2009/01/ibm-att-vpn-client-on-linux-ubuntu/
>
> From the sound of it, they have their own VPN client. [...] Given that they're using IPSec, it may be that all you need is racoon.
>
> http://en.gentoo-wiki.com/wiki/IPsec_L2TP_VPN_server
> --
> :wq
Re: [gentoo-user] unencrypted network tools
On Thursday 15 December 2005 09:10 pm, Grant wrote:
> How can I see what is happening as far as traffic on my unencrypted network?

tcpdump

> How can I keep my own http traffic private?

Use https instead. IPSec is another option, if supported. Also, traffic is normally only passed along the links between you and the server, unless there's some hub between you and them.

You may be able to anonymize normal http by using tor. I think freenet also provides some level of anonymity and encryption for http, but I've never used it.
--
Boyd Stephen Smith Jr.
[EMAIL PROTECTED]
Re: [gentoo-user] GRE link state detection
On Monday 09 Sep 2013 11:12:47 thegeezer wrote: asking the same question on the bird mailing list, was recommended some values to make bird down the GRE tunnels faster. multiple tunnels are required due to the very unreliable internet, so one tunnel goes over one dsl link, another goes over another. DPD timeouts are 30 seconds minimum, which is too long. i'll keep you posted if the bird recommendations work better You can tune dpd_delay and dpd_retry in racoon.conf (if you are using ipsec-tools) or the equivalent in open/strongswan. I think strongswan sends keepalives every 20 seconds or so and it can be increased if you prefer it so. -- Regards, Mick
Re: [gentoo-user] Networkmanager VPNC key timeout
On Monday 02 Mar 2015 18:07:45 Petric Frank wrote: Hello, this is not a Gentoo problem per se, but I'm getting it under Gentoo. Running KDE + Networkmanager (net-misc/networkmanager-0.9.10.1_pre20141101) together with vpnc plugin (net-misc/networkmanager-vpnc-0.9.10.0). I have set up a VPN connection to an AVM FritzBox (which is using - as far as I can evaluate - a Cisco-like IPSec tunnel). This is running very well, but after exactly 1 hour the connection is dropped. I can reconnect, but it also lasts 1 hour. After some crawling through the net it seems that a key validity runs out of time at the client side. It looks like this one https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632 The nmcli output for this connection reads like this (some obfuscated):

cut -
=== Details des Verbindungsprofils (XX) ===
connection.id:                  XX
connection.uuid:                11--3
connection.interface-name:      --
connection.type:                vpn
connection.autoconnect:         no
connection.timestamp:           1425319416
connection.read-only:           no
connection.permissions:
connection.zone:
connection.master:              --
connection.slave-type:          --
connection.secondaries:
connection.gateway-ping-timeout: 0
---
ipv4.method:                    auto
ipv4.dns:
ipv4.dns-search:
ipv4.addresses:
ipv4.routes:
ipv4.ignore-auto-routes:        yes
ipv4.ignore-auto-dns:           no
ipv4.dhcp-client-id:            --
ipv4.dhcp-send-hostname:        yes
ipv4.dhcp-hostname:             --
ipv4.never-default:             yes
ipv4.may-fail:                  no
---
ipv6.method:                    ignore
ipv6.dns:
ipv6.dns-search:
ipv6.addresses:
ipv6.routes:
ipv6.ignore-auto-routes:        no
ipv6.ignore-auto-dns:           no
ipv6.never-default:             no
ipv6.may-fail:                  yes
ipv6.ip6-privacy:               0 (deaktiviert)
ipv6.dhcp-hostname:             --
---
vpn.service-type:               org.freedesktop.NetworkManager.vpnc
vpn.user-name:                  --
vpn.data:                       Local Port = 0, IKE DH Group = dh2, Perfect Forward Secrecy = server, Xauth password-flags = 1, IPSec ID = u...@host.loc, IPSec gateway = open.nsupdate.info, Xauth username = u...@host.loc, Cisco UDP Encapsulation Port = 0, Vendor = cisco, IPSec secret-flags = 1, NAT Traversal Mode = natt
vpn.secrets:
cut -

Any hints ? regards Petric

Going from memory here, but I recall that the VPNC client had problems rekeying SAs in Phase 2. I seem to recall there was a bug but can't recall if it was ever patched. Yep - see here, a regression problem with version net-misc/vpnc-0.5.3: http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-July/003127.html I see that portage has 0.5.3_p527-r1 as stable, but I don't know if this includes any necessary patches. You could check the changelog. BTW, have you tried more actively developed VPN software like strongswan (it has a networkmanager plugin) or even ipsec-tools instead of vpnc, to see if you're getting the same problem? I think that they should work with Cisco VPN gateways, although it may be fiddly to set them up. -- Regards, Mick
Re: [gentoo-user] Proxy server problem
On Saturday 24 Aug 2013 14:23:26 Grant wrote: I set up squid on a remote system so I can browse the internet from that IP address. It works but it stalls frequently. I had similar results with ziproxy. I went over this with the squid list but we got nowhere as it seems to be some kind of a system or network problem. http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-3-5-hangs-the-entire-system-td4660893.html Can anyone here help me figure out what is wrong? I'm not sure where to start. - Grant Just a quick pointer in case it applies to you: if you tunnel into the proxy machine (using ssh, VPN, proxychains and what not) you would suffer from packet fragmentation, which could quickly snowball. In this case try reducing your mtu to lower values than the default ethernet 1500 byte packets, to cater for the overhead of the larger tunnelling headers. I've tried disconnecting from my SSH tunnel and changing the mtu on my laptop and on the remote proxy server via ifconfig and there is some kind of an improvement but I can't narrow it down. I've tried mtu down to 1000 on both systems but the proxy server still stalls sometimes. Any tips for narrowing this down further? - Grant Now that you mentioned using ssh, I don't think that you can improve this. An mtu at 1000 bytes is lower than I thought might have helped. The problem is caused by stacking tcp packets (tcp within tcp) each of which is using its own timeout for failed fragments. The problem is explained here (tcp meltdown): http://sites.inka.de/~W1011/devel/tcp-tcp.html and here (useful relevant references to other works are also made): http://publications.lib.chalmers.se/records/fulltext/123799.pdf There are some suggested solutions like increasing buffer size, but I don't know if this might work in a real world use case.
You can experiment with different buffer sizes as suggested here and see if it makes a difference: http://www.cyberciti.biz/faq/linux-tcp-tuning/ If the interruptions are not acceptable to you, you could consider using a different tunnel method. A network layer VPN, like IPSec (you can use StrongSwan which also offers IKEv2 and MOBIKE for your laptop, or ipsec-tools with racoon for IKEv1 only) should work without such problems. You will be tunnelling tcp in udp packets. If you tunnel to your home router you will need to configure an IPSec tunnel mode connection, otherwise you would use an IPSec transport mode connection directly to your server after you allow IP protocol 50 packets through your router. HTH. -- Regards, Mick
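Mick's reply above recommends lowering the MTU to absorb tunnel header overhead and contrasts IPsec tunnel mode (extra outer IP header) with transport mode. The Python below is an added example written for this page, not code from the thread or from any of the IPsec projects mentioned: it computes the on-the-wire size of an ESP-protected IPv4 packet and the largest inner packet that still fits a given path MTU without the outer packet being fragmented. The field sizes are those of ESP (RFC 4303); the cipher and integrity parameters (AES-CBC with a 16-byte IV and block, HMAC truncated to 12 bytes) and the assumption that NAT-T adds a plain 8-byte UDP header are my assumptions, chosen because they are the common defaults.

```python
"""Estimate IPsec ESP overhead and the usable inner MTU.

Added example for this thread; not code from ipsec-tools or strongSwan.
Assumptions: IPv4 on both sides, AES-CBC (16-byte IV, 16-byte block),
HMAC-SHA1-96 (12-byte ICV), NAT-T as a plain UDP header.
"""

OUTER_IPV4 = 20        # outer (tunnel mode) or original (transport mode) IP header
UDP_NAT_T = 8          # UDP/4500 header added when NAT traversal is in use
ESP_SPI_SEQ = 8        # ESP header: SPI (4) + sequence number (4)
PAD_LEN_NEXT_HDR = 2   # ESP trailer: pad length (1) + next header (1)


def esp_wire_size(inner_len, mode="tunnel", block=16, iv_len=16,
                  icv_len=12, nat_t=False):
    """Return the size of an inner IPv4 packet of inner_len bytes after ESP.

    "tunnel" protects the whole inner packet and adds a new outer IP header;
    "transport" keeps the original 20-byte IP header in clear and protects
    only the transport-layer part of the packet.
    """
    if mode == "tunnel":
        protected = inner_len
    elif mode == "transport":
        protected = inner_len - OUTER_IPV4
    else:
        raise ValueError("mode must be 'tunnel' or 'transport'")
    # The trailer padding aligns (payload + pad + 2) to the cipher block size.
    body = protected + PAD_LEN_NEXT_HDR
    pad = (-body) % block
    size = OUTER_IPV4 + ESP_SPI_SEQ + iv_len + body + pad + icv_len
    if nat_t:
        size += UDP_NAT_T
    return size


def max_inner_mtu(path_mtu=1500, **esp_params):
    """Largest inner packet whose ESP encapsulation fits path_mtu.

    Searched downward from path_mtu, because block-cipher padding makes the
    wire size step rather than grow linearly with the inner size.
    """
    for inner in range(path_mtu, OUTER_IPV4, -1):
        if esp_wire_size(inner, **esp_params) <= path_mtu:
            return inner
    raise ValueError("path MTU too small for any ESP packet")


def tcp_mss(inner_mtu):
    """TCP MSS to clamp to for that inner MTU (minus IPv4 + TCP headers)."""
    return inner_mtu - 40


if __name__ == "__main__":
    for mode in ("tunnel", "transport"):
        for nat_t in (False, True):
            mtu = max_inner_mtu(1500, mode=mode, nat_t=nat_t)
            print(f"{mode:9s} nat_t={nat_t!s:5s} inner MTU {mtu}  MSS {tcp_mss(mtu)}")
```

For a 1500-byte path the numbers the block produces (1438 for tunnel mode, 1422 with NAT-T, 1458 for transport mode) explain why an interface MTU well above Grant's 1000 bytes already avoids IPsec-induced fragmentation; the SSH case in the thread is a TCP-in-TCP problem that no MTU value fixes.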
Re: [gentoo-user] Proxy server problem
I set up squid on a remote system so I can browse the internet from that IP address. It works but it stalls frequently. I had similar results with ziproxy. I went over this with the squid list but we got nowhere as it seems to be some kind of a system or network problem. http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-3-5-hangs-the-entire-system-td4660893.html Can anyone here help me figure out what is wrong? I'm not sure where to start. - Grant Just a quick pointer in case it applies to you: if you tunnel into the proxy machine (using ssh, VPN, proxychains and what not) you would suffer from packet fragmentation, which could quickly snowball. In this case try reducing your mtu to lower values than the default ethernet 1500 byte packets, to cater for the overhead of the larger tunnelling headers. I've tried disconnecting from my SSH tunnel and changing the mtu on my laptop and on the remote proxy server via ifconfig and there is some kind of an improvement but I can't narrow it down. I've tried mtu down to 1000 on both systems but the proxy server still stalls sometimes. Any tips for narrowing this down further? - Grant Now that you mentioned using ssh, I don't think that you can improve this. An mtu at 1000 bytes is lower than I thought might have helped. The problem is caused by stacking tcp packets (tcp within tcp) each of which is using its own timeout for failed fragments. I think I may have misunderstood you. I do SSH into the machine running squid, but I don't tunnel through that connection in order to use the proxy. I connect to the remote squid instance directly via my browser and I also happen to SSH into the same machine to run commands. Do any of your recommendations apply in this scenario?
- Grant The problem is explained here (tcp meltdown): http://sites.inka.de/~W1011/devel/tcp-tcp.html and here (useful relevant references to other works are also made): http://publications.lib.chalmers.se/records/fulltext/123799.pdf There are some suggested solutions like increasing buffer size, but I don't know if this might work in a real world use case. You can experiment with different buffer sizes as suggested here and see if it makes a difference: http://www.cyberciti.biz/faq/linux-tcp-tuning/ If the interruptions are not acceptable to you, you could consider using a different tunnel method. A network layer VPN, like IPSec (you can use StrongSwan which also offers IKEv2 and MOBIKE for your laptop, or ipsec-tools with racoon for IKEv1 only) should work without such problems. You will be tunnelling tcp in udp packets. If you tunnel to your home router you will need to configure an IPSec tunnel mode connection, otherwise you would use an IPSec transport mode connection directly to your server after you allow IP protocol 50 packets through your router.
Re: [gentoo-user] unencrypted network tools
On Thursday 15 December 2005 09:17 pm, Boyd Stephen Smith Jr. wrote: On Thursday 15 December 2005 09:10 pm, Grant wrote: How can I see what is happening as far as traffic on my unencrypted network? tcpdump ntop is a good network summary program too. Works well if you can run it on your default gateway machine. tcpdump is pretty cool for sure. How can I keep my own http traffic private? Use https instead. IPSec is another option, if supported. Also, traffic is normally only passed along the links between you and the server, unless there's some hub between you and them. You may be able to anonymize normal http by using tor. I think freenet also provides some level of anonymity and encryption for http, but I've never used it. You can only use https on servers that support it. The question is too vague to answer without specifying from whom you want to keep the data private. Just people on your local network? Your ISP? Your boss? The http servers?
Re: [gentoo-user] Good 'layman' tutorial on IPv4 IPv6?
On Jan 20, 2012, at 9:36 PM, Walter Dnes waltd...@waltdnes.org wrote: On Fri, Jan 20, 2012 at 10:45:08AM -0600, Chris Frederick wrote If you still want private addresses, IPv6 has unique local addresses (fc00::/7 range, http://www.sixxs.net/tools/grh/ula/ has a reg form to help assign a /48 to you). If it's a unique ***LOCAL*** address, then why is it a problem if multiple places on the planet use it??? Doesn't sound very local to me. The idea being, they are globally unique. Assume network XYZ needs to merge with network ABC. What happens in IPv4 when they both use the same private address space, you could be looking at re-assigning an entire 10/8 address block, including all services. It sucks. For IPv6, you go to the end point router for each network, configure a route to the opposite network, add some optional firewall/IPSec rules, and you're done. This saves days, if not weeks, of work with little, or no downtime. Home users probably won't care, most will probably use the public address space given to them from their ISP. Chris
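Chris's point above is that a ULA prefix is "local" in scope but chosen so that two independently numbered sites are very unlikely to collide, which is what makes a later merge cheap. The Python below is an added example for this page, not code from the thread: it implements the RFC 4193 Global ID derivation (SHA-1 over an NTP-format timestamp and an EUI-64, keeping the low 40 bits) and builds the resulting fd00::/8 site prefix and subnet prefixes with the standard library `ipaddress` module. The EUI-64 bytes and the fixed timestamp used in the examples are constructed sample inputs.

```python
"""Generate an RFC 4193 unique local IPv6 prefix.

Added example for this thread; not code from the list or from any project.
The EUI-64 and timestamp below are constructed sample inputs.
"""
import hashlib
import ipaddress
import math
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 and 1970-01-01
GLOBAL_ID_BITS = 40


def ntp_timestamp_now():
    """64-bit NTP format: seconds since 1900 in the high 32 bits, zero fraction."""
    return (int(time.time()) + NTP_EPOCH_OFFSET) << 32


def ula_global_id(eui64, ntp_time):
    """RFC 4193 3.2.2: SHA-1(timestamp || EUI-64), keep the low 40 bits."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be exactly 8 bytes")
    key = ntp_time.to_bytes(8, "big") + eui64
    digest = hashlib.sha1(key).digest()
    return int.from_bytes(digest[-5:], "big")


def site_prefix(global_id):
    """fdXX:XXXX:XXXX::/48 for a 40-bit Global ID (fc00::/7 with the L bit set)."""
    if not 0 <= global_id < 1 << GLOBAL_ID_BITS:
        raise ValueError("Global ID must fit in 40 bits")
    top64 = (0xFD << 56) | (global_id << 16)
    return ipaddress.IPv6Network((top64 << 64, 48))


def ula_prefix(global_id, subnet_id=0):
    """One /64 inside the site prefix, selected by the 16-bit Subnet ID."""
    if not 0 <= subnet_id < 1 << 16:
        raise ValueError("Subnet ID must fit in 16 bits")
    top64 = int(site_prefix(global_id).network_address) >> 64 | subnet_id
    return ipaddress.IPv6Network((top64 << 64, 64))


def collision_probability(n_sites):
    """RFC 4193 3.2.3 approximation: P(any two of N random 40-bit IDs collide)."""
    return -math.expm1(-(n_sites * n_sites) / 2 ** (GLOBAL_ID_BITS + 1))


if __name__ == "__main__":
    eui64 = bytes.fromhex("0218d1fffe2a0b3c")     # constructed, not a real NIC
    gid = ula_global_id(eui64, ntp_timestamp_now())
    print("site prefix :", site_prefix(gid))
    print("subnet 1    :", ula_prefix(gid, 1))
    for n in (2, 100, 10000):
        print(f"{n:6d} sites: P(collision) ~ {collision_probability(n):.2e}")
```

The probability figures match the table in RFC 4193 section 3.2.3 and are the reason merging two ULA-numbered networks needs only routes (and firewall or IPsec policy), not renumbering.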
Re: [gentoo-user] openrc start-stop-daemon problem
On Tuesday 09 Jun 2015 15:46:39 cov...@ccs.covici.com wrote: Hi. I am having a problem with openrc 16.4 where start-stop daemon complains like this fopen /var/run/some service (happens to almost all of them) no such file or directory, but -- using the interactive feature -- I see that the pid file actually is there. /var/run is a symlink to /run which is a tmpfs file system. It looks like permissions are correct as well, so I have no idea why this is happening. When the system shuts down, start-stop-daemon still complains and has some other way to find the process, but it's still annoying. Thanks in advance for any suggestions. Not sure why this is happening, but I have noticed the same with some applications (ipsec-tools springs to mind). I think it started when /var/run, /var/lock and /dev/shm (? not sure) were moved over to /run/*. I assumed that this is because some package maintainers may have not caught up with the fs change yet. -- Regards, Mick
Re: [gentoo-user] Re: Install Gentoo on remote server
>> Is there a better way? If not, is there an easy way to set up that >> VPN connection? I've always read that OpenVPN is a bear and I've been >> lucky enough to avoid needing it all this time. > > Bear, in what sense? Slow, hard? Hard. It seems like a waste to become acquainted with OpenVPN for just this purpose. I've been using Gentoo on all of my systems for nearly 15 years and haven't needed it otherwise. > I've been using it for years and I love it. It's definitely easier to > set up than IPSec. All my DNS (and some other UDP stuff) goes over > OpenVPN. At times I even had a "ssh -D" SOCKS proxy on the other end, > so double encryption, with no slowdown to notice. > > Now if SoftLayer or the warty tools they provide want a particular kind > of VPN, that would be a real problem. Potential rabbit hole. - Grant
[gentoo-user] Re: Install Gentoo on remote server
On 2017-07-20 08:42, Grant wrote: > Is there a better way? If not, is there an easy way to set up that > VPN connection? I've always read that OpenVPN is a bear and I've been > lucky enough to avoid needing it all this time. Bear, in what sense? Slow, hard? I've been using it for years and I love it. It's definitely easier to set up than IPSec. All my DNS (and some other UDP stuff) goes over OpenVPN. At times I even had a "ssh -D" SOCKS proxy on the other end, so double encryption, with no slowdown to notice. Now if SoftLayer or the warty tools they provide want a particular kind of VPN, that would be a real problem. -- Please don't Cc: me privately on mailing lists and Usenet, if you also post the followup to the list or newsgroup. Do obvious transformation on domain to reply privately _only_ on Usenet.
Re: [gentoo-user] Re: Install Gentoo on remote server
On Thu, Jul 20, 2017 at 12:23 PM, Grant <emailgr...@gmail.com> wrote: >>> Is there a better way? If not, is there an easy way to set up that >>> VPN connection? I've always read that OpenVPN is a bear and I've been >>> lucky enough to avoid needing it all this time. >> >> Bear, in what sense? Slow, hard? > > > Hard. It seems like a waste to become acquainted with OpenVPN for > just this purpose. I've been using Gentoo on all of my systems for > nearly 15 years and haven't needed it otherwise. > Learning how to set up a VPN connection, which is probably what they are asking you to do, is not a waste of time. KVM or some variation of it is the standard way to do this (though I very much detest it, as each server is essentially preinstalled with unmodifiable firmware that has control over your physical hardware). > >> I've been using it for years and I love it. It's definitely easier to >> set up than IPSec. All my DNS (and some other UDP stuff) goes over >> OpenVPN. At times I even had a "ssh -D" SOCKS proxy on the other end, >> so double encryption, with no slowdown to notice. >> >> Now if SoftLayer or the warty tools they provide want a particular kind >> of VPN, that would be a real problem. > > > Potential rabbit hole.
Re: [gentoo-user] Networkmanager VPNC key timeout
Hello, On Monday, 2 March 2015, 21:01:48, Mick wrote: On Monday 02 Mar 2015 18:07:45 Petric Frank wrote: Hello, this is not a Gentoo problem per se, but I'm getting it under Gentoo. Running KDE + Networkmanager (net-misc/networkmanager-0.9.10.1_pre20141101) together with vpnc plugin (net-misc/networkmanager-vpnc-0.9.10.0). I have set up a VPN connection to an AVM FritzBox (which is using - as far as I can evaluate - a Cisco-like IPSec tunnel). This is running very well, but after exactly 1 hour the connection is dropped. I can reconnect, but it also lasts 1 hour. After some crawling through the net it seems that a key validity runs out of time at the client side. It looks like this one https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632 The nmcli output for this connection reads like this (some obfuscated):

cut -
=== Details des Verbindungsprofils (XX) ===
connection.id:                  XX
connection.uuid:                11--3
connection.interface-name:      --
connection.type:                vpn
connection.autoconnect:         no
connection.timestamp:           1425319416
connection.read-only:           no
connection.permissions:
connection.zone:
connection.master:              --
connection.slave-type:          --
connection.secondaries:
connection.gateway-ping-timeout: 0
---
ipv4.method:                    auto
ipv4.dns:
ipv4.dns-search:
ipv4.addresses:
ipv4.routes:
ipv4.ignore-auto-routes:        yes
ipv4.ignore-auto-dns:           no
ipv4.dhcp-client-id:            --
ipv4.dhcp-send-hostname:        yes
ipv4.dhcp-hostname:             --
ipv4.never-default:             yes
ipv4.may-fail:                  no
---
ipv6.method:                    ignore
ipv6.dns:
ipv6.dns-search:
ipv6.addresses:
ipv6.routes:
ipv6.ignore-auto-routes:        no
ipv6.ignore-auto-dns:           no
ipv6.never-default:             no
ipv6.may-fail:                  yes
ipv6.ip6-privacy:               0 (deaktiviert)
ipv6.dhcp-hostname:             --
---
vpn.service-type:               org.freedesktop.NetworkManager.vpnc
vpn.user-name:                  --
vpn.data:                       Local Port = 0, IKE DH Group = dh2, Perfect Forward Secrecy = server, Xauth password-flags = 1, IPSec ID = u...@host.loc, IPSec gateway = open.nsupdate.info, Xauth username = u...@host.loc, Cisco UDP Encapsulation Port = 0, Vendor = cisco, IPSec secret-flags = 1, NAT Traversal Mode = natt
vpn.secrets:
cut -

Any hints ? regards Petric

Going from memory here, but I recall that the VPNC client had problems rekeying SAs in Phase 2. I seem to recall there was a bug but can't recall if it was ever patched. Yep - see here, a regression problem with version net-misc/vpnc-0.5.3: http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2009-July/003127.html I see that portage has 0.5.3_p527-r1 as stable, but I don't know if this includes any necessary patches. You could check the changelog.

The homepage on vpnc in chapter TODO tells: phase2-rekeying is now supported as of svn revision 126! Changelog states for 0.5.2: Fix Phase 2 rekeying, by various authors I don't know whether this is along your statement above. So it seems not to be completely fixed. The homepage has not been updated in the last 7 years.

BTW, have you tried more actively developed VPN software like strongswan (it has a networkmanager plugin) or even ipsec-tools instead of vpnc, to see if you're getting the same problem? I think that they should work with Cisco VPN gateways, although it may be fiddly to set them up.

I can find only ebuilds of (networkmanager-)openswan in the official tree. strongswan is in the stable tree but not the networkmanager plugin. I tried the one from the zugaina overlay (v. 1.3.0) but it seems to miss the dependency to libgnomeui. I do not have gnome installed (and don't intend to do so). My desktop is a kde one. Does anyone have an ebuild/package not requiring gnome ? regards Petric
Re: [Bulk] Re: [gentoo-user] /etc/hosts include file?
On 03/08/2013 07:45 PM, Kevin Chadwick wrote: What would have been best, could have been done years ago and not cost lots of money and even more in security breaches and what I meant by ipv5 and would still be better to switch to even today with everyone being happy to switch to it is simply ipv4 with more bits for address space. This should be FAQ entry zero for the IPV6 FAQ... *NO* you can *NOT* add more bits to IPV4, and still have it backwards compatible. It won't work... period... end of story. Every piece of hardware and software that deals with IPV4 has the concept of 32 bits *HARD-CODED* into it. Switching over to IPV4-extended would be just as painful as switching over to IPV6. No it would not, the headers would be different. All the hardware would have already updated because there would be no bad sides and it would have been released something like 15 years ago. But let's not discuss them as we would be here for an eternity and there are already whole websites dedicated to just that. I don't know, you just dropped the 2-3 most trollish anti-IPv6 posts I've ever seen. I re-iterate it would be worth hardware not being backwards compatible again to go to ipv4 with large address space today. IPv4 with large address space would have taken just as long to deploy; it's the hardware support that's held us back the most. http://www.hackingipv6networks.com/past-trainings/hip2011-hacking-ipv6-networks.pdf That's just on security. There's a whole bad side to its functionality too. Let's discuss security. I'll walk through the slide deck. We have much less experience with IPv6 than with IPv4 That's a meaningless statement... IPv6 implementations are much less mature than their IPv4 counterparts. Only in hardware Software has been much better. Windows has had full IPv6 support since Vista. Linux has had full IPv6 support for a few years, including IPSec. The software implementations are written...the stuff that's still arriving is feature-add.
Offload engines and managed switches haven't switched over because clients were more interested in putting off a transition (the same transition you'd have to go through for IPv4 with extended address space) than paying for the upgrades. This would have happened with any IPv4 replacement. Security products (firewalls, NIDS, etc.) have less support for IPv6 than for IPv4 Dedicated commercial products, yes. General-purpose products? Like I said, Windows Vista made IPv6 a first-class protocol, including firewall support. Linux's implementation is a bit quirky. I don't care for the separation between iptables and ip6tables; I think people tend to write an iptables script and forget to set up a firewall of any kind for IPv6. Most of the builder tools (i.e. fwbuilder) require separate setup between the two, too. That's why I use sanewall (formerly firehol); defined rules apply to both IPv4 and IPv6. The complexity of the resulting network will greatly increase during the transition/co-existence period: Yes, and that would apply to any transition period. Lack of trained human resources That's why people like me go out and do training sessions. (I'll be at Penguicon again this year, if anyone else was thinking about going...) That's why Hurricane Electric offers free online certification programs. Regarding flow labels: Currently unused by many stacks – others use it improperly Honestly, I don't know about this. It's not something most people will need to work with. Might be leveraged to perform “dumb” (stealth) address scans I don't understand the relevance; you get the same information by observing the packet flow without the flow label. Might be leveraged to perform Denial of Service attacks So might absolutely anything. Regarding hop limit: Could be leveraged for Detecting the Operating System of a remote node So can IPv4's TTL, which it's analogous to. Could be leveraged for Fingerprinting a remote physical device So can IPv4's TTL, which it's analogous to.
Could be leveraged for Locating a node in the network topology tcptraceroute does this with IPv4 TTLs. And traceroute has been doing this with IPV4's ICMP echo for decades. Could be leveraged for Evading Network Intrusion Detection Systems (NIDS) Just like IPv4 TTL. Could be leveraged for Reducing the attack exposure of some hosts/applications Not sure what's being said here, but we're talking about a feature directly analogous to IPv4 TTL. (skipping the remainder of the section, as there's nothing in there that's bad that's unique to IPv6) (skipping the next several sections, as they're just general technical training material, and don't discuss security implications) Re Fragmentation security implications that are different from IPv4: The Identification field is much larger: chances of “IP ID collisions” are reduced Good thing. Note: Overlapping fragments have been recently forbidden (RFC 5722) – but they are still allowed by many
Re: [Bulk] Re: [gentoo-user] /etc/hosts include file?
On 03/09/2013 07:53 AM, Kevin Chadwick wrote: There is no reason to believe that IPv6 will result in an increased use of IPsec. Bull. The biggest barrier to IPsec use has been NAT! If an intermediate router has to rewrite the packet to change the apparent source and/or destination addresses, then the cryptographic signature will show it, and the packet will be correctly identified as having been tampered with! http://marc.info/?l=openbsd-miscm=135325641430178w=2 It's hardly difficult to get around that now is it. Sure, you can use an IP-in-IP tunnel...but that's retarded. IPSec was designed from the beginning to allow you to do things like sign your IP header and encrypt everything else (meaning your UDP, TCP, SCTP or what have you). Setting up a tunnel just so your IP header can be signed wastes another 40 bytes for every non-fragmented packet. Ask someone trying to use data in a cellular context how valuable that 40 bytes can be. You are wrong the biggest barrier is that it is not desirable to do this as there are many reasons for firewalls to inspect incoming packets. I don't agree with things like central virus scanning especially by damn ISPs using crappy Huawei hardware, deep inspection traffic shaping rather than pure bandwidth usage tracking or active IDS myself but I do agree with scrubbing packets. It's not the transit network's job to scrub packets. Do your scrubbing at the VPN endpoint, where the IPSec packets are unwrapped. Trusting the transit network to scrub packets is antithetical to the idea of using security measures to avoid MITM and traffic sniffing attacks in the first place! I never said it was. I was more thinking of IPSEC relaying which would be analogous to a VPN end point but without losing the end-end, neither are desirable, NAT has little to do with the lack of IPSEC deployment. 
What do you gain considering the increased resources, pointlessly increasing chances of cryptanalysis and pointlessly increasing the chances of exploitation due to the fact that the more complex IPSEC itself can have bugs like Openssl does, not to mention amplifying DDOS without the attacker doing anything, which is the biggest and more of a threat than ever, or are you going to stop using the internet. When ipv4 can utilise encryption without limitations including IPSEC but more appropriately like ssh just fine when needed you see it is simply not desirable and a panacea that will not happen. You are simply in a bubble as the IETF were. With IPsec, NAT is unnecessary. (You can still use it if you need it...but please try to avoid it!) Actually it is no problem at all and is far better than some of the rubbish ipv6 encourages client apps to do. (See the links I sent in the other mail) Please read the links before you send them, and make specific references to the content you want people to look at. I've read and responded to the links you've offered (which were links to archived messages on mailing lists, and the messages were opinion pieces with little (if any) technical material.) Re DNS support for IPv6 Increased size of DNS responses due to larger addresses might be exploited for DDos attacks That's not even significant. Have you looked at the size of DNS responses? The increased size of the address pales in comparison to the amount of other data already stuffed into the packet. It's been ages since I looked at that link and longer addresses would certainly be needed anyway but certainly with DNSSEC again concocted by costly unthoughtful and unengaging groups who chose to ignore DJB and enable amplification attacks. What from DJB did they ignore? I honestly don't know what you're talking about. 
They completely ignored dnscurve.org or that RSA768 was not strong enough to be a good choice and ECDSA should be looked at and most importantly the DOS amplification (we are talking years ago). I even had a discussion with a dns caching tools (that I do like a lot) author who completely dismissed the potential of RSA being broken for years and years. Guess what's come to light since. His latest on the DNS security mess http://cr.yp.to/talks/2013.02.07/slides.pdf I've never before in my life seen someone animate slideshow transitions and save off intermediate frames as individual PDF pages. That was painful. Yeah, xpdf worked well though. I actually couldn't find the link and looked it up and thought it was just an update of 2012 as it had the same title and only got around to reading it about an hour later. So, I read what was discussed there. First, he describes failings of HTTPSEC. I don't have any problem with what he's talking about there, honestly; it makes a reasonable amount of sense, considering intermediate caching servers aren't very common for HTTP traffic, and HTTPS traffic makes intermediate caching impossible. (unless
Re: [gentoo-user] unencrypted network tools
How can I see what is happening as far as traffic on my unencrypted network? tcpdump ntop is a good network summary program too. Works well if you can run it on your default gateway machine. tcpdump is pretty cool for sure. The network is just run from a router. No server on which I can run that stuff. Is there anything I can use from my workstation which is connected to the network? How can I keep my own http traffic private? Use https instead. IPSec is another option, if supported. Also, traffic is normally only passed along the links between you and the server, unless there's some hub between you and them. You may be able to anonymize normal http by using tor. I think freenet also provides some level of anonymity and encryption for http, but I've never used it. You can only use https on servers that support it. The question is too vague to answer without specifying from whom you want to keep the data private. Just people on your local network? Your ISP? Your boss? The http servers? I'm only trying to keep the data private from the other people on the local network. - Grant
Re: [gentoo-user] Bootstrap USE flags opinions?
Billy Holmes wrote: Richard Fish wrote: FYI, -mcpu is deprecated, and a synonym for -mtune, which is implied by -march. So you can just take it out and get the same effect. I think some ebuilds filter out march, but don't filter out mcpu/mtune, so you can still get some processor specific optimizations out of it. A quick grep of /usr/portage shows that many builds will use replace-flags to replace one -march setting with another or with -mtune/-mcpu. There are a few that can filter -march altogether: 1. net-firewall/ipsec-tools: filters all -march=c3 2. media-libs/libvorbis: filters -march=pentium?. 3. dev-lang/squeak: filters all -march, -mtune, -mcpu, and many many other flags. 4. dev-libs/libffi: filters -march=k8, -march=athlon64, and -march=opteron. 5. app-editors/emacs: filters all -march (only in 21.4-r1) 6. app-pda/iripdb: filters -march=k8, -march=athlon64, and -march=opteron 7. media-tv/mythtv: filters all -march, -mtune, and -mcpu. So for #1, 2, 4, 5, and 6, you are correct that mtune/mcpu could have some benefit. However, IMO these are actually bugs...the ebuild should be using replace-flags to set the appropriate -mtune option if it cannot support -march. For #3 and 7, you get no benefit of any march/mtune/mcpu settings. Cheers, -Richard
Re: [gentoo-user] Networkmanager VPNC key timeout
On Monday 02 Mar 2015 22:13:05 Petric Frank wrote: Hello, On Monday, 2 March 2015, 21:01:48, Mick wrote: The homepage on vpnc in chapter TODO tells: phase2-rekeying is now supported as of svn revision 126! Changelog states for 0.5.2: Fix Phase 2 rekeying, by various authors I don't know whether this is along your statement above. So it seems not to be completely fixed. The homepage has not been updated in the last 7 years. OK, then yes, it has been fixed and your problem is not related to that old bug, but could it be a more recent regression? BTW, have you tried more actively developed VPN software like strongswan (it has a networkmanager plugin) or even ipsec-tools instead of vpnc, to see if you're getting the same problem? I think that they should work with Cisco VPN gateways, although it may be fiddly to set them up. I can find only ebuilds of (networkmanager-)openswan in the official tree. No, this is only good for the SSL VPN solution of Cisco. strongswan is in the stable tree but not the networkmanager plugin. Are you sure? This is what I see here for strongswan-5.2.2 [+caps +constraints curl debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager ^^ +non-root +openssl pam pkcs11 sqlite strongswan_plugins_blowfish strongswan_plugins_ccm strongswan_plugins_ctr strongswan_plugins_gcm strongswan_plugins_ha strongswan_plugins_ipseckey +strongswan_plugins_led +strongswan_plugins_lookip strongswan_plugins_ntru strongswan_plugins_padlock strongswan_plugins_rdrand +strongswan_plugins_systime-fix strongswan_plugins_unbound +strongswan_plugins_unity +strongswan_plugins_vici strongswan_plugins_whitelist] The latest version 5.2.2 has a bug with some IKEv1 implementations. There is a patch proposed which works and will be included in the next version 5.2.3 when released.
If your VPN server is affected then you'll have to apply the patch yourself in a local overlay: https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632 -- Regards, Mick
Re: [gentoo-user] Networkmanager VPNC key timeout
Hello Mick,

On Tuesday, 3 March 2015, 00:00:17, Mick wrote:

The homepage on vpnc in chapter TODO tells: phase2-rekeying is now supported as of svn revision 126! Changelog states for 0.5.2: Fix Phase 2 rekeying, by various authors. I don't know whether this is along your statement above. So it seems not to be completely fixed. The homepage is not updated the last 7 years.

OK, then yes, it has been fixed and your problem is not related to that old bug, but could it be a more recent regression?

Maybe.

BTW, have you tried more actively developed VPN software like strongswan (it has a networkmanager plugin) or even ipsec-tools instead of vpnc, to see if you're getting the same problem? I think that they should work with Cisco VPN gateways, although it may be fiddly to set them up.

I can find only ebuilds of (networkmanager-)openswan in the official tree.

No, this is only good for the SSL VPN solution of Cisco.

Good to know.

strongswan is in the stable tree but not the networkmanager plugin.

Are you sure? This is what I see here for strongswan-5.2.2:

[+caps +constraints curl debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager ^^ +non-root +openssl pam pkcs11 sqlite strongswan_plugins_blowfish strongswan_plugins_ccm strongswan_plugins_ctr strongswan_plugins_gcm strongswan_plugins_ha strongswan_plugins_ipseckey +strongswan_plugins_led +strongswan_plugins_lookip strongswan_plugins_ntru strongswan_plugins_padlock strongswan_plugins_rdrand +strongswan_plugins_systime-fix strongswan_plugins_unbound +strongswan_plugins_unity +strongswan_plugins_vici strongswan_plugins_whitelist]

True, strongswan is in tree, but not networkmanager-strongswan (NetworkManager plugin).

The latest version 5.2.2 has a bug with some IKEv1 implementations. There is a patch proposed which works and will be included in the next version 5.2.3 when released.

If your VPN server is affected then you'll have to apply the patch yourself in a local overlay: https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632

Stable strongswan is already compiled and installed on my system. Any of the strongswan_plugins_* USE flags I have to enable here? But it could take some days (because of my business job).

regards Petric
Re: [gentoo-user] openrc start-stop-daemon problem
Mick michaelkintz...@gmail.com wrote:

On Tuesday 09 Jun 2015 15:46:39 cov...@ccs.covici.com wrote:

Hi. I am having a problem with openrc 16.4 where start-stop-daemon complains like this: fopen /var/run/some service (happens to almost all of them) no such file or directory, but -- using the interactive feature -- I see that the pid file is actually there. /var/run is a symlink to /run which is a tmpfs file system. It looks like permissions are correct as well, so I have no idea why this is happening. When the system shuts down, start-stop-daemon still complains and has some other way to find the process, but it's still annoying. Thanks in advance for any suggestions.

Not sure why this is happening, but I have noticed the same with some applications (ipsec-tools springs to mind). I think it started when /var/run, /var/lock and /dev/shm (? not sure) were moved over to /run/*. I assumed that this is because some package maintainers may have not caught up with the fs change yet.

I also notice that many files still use runscript and have not fixed the name change for that.

-- Your life is like a penny. You're going to lose it. The question is: How do you spend it? John Covici cov...@ccs.covici.com
Re: [gentoo-user] Networkmanager VPNC key timeout
On Tuesday 03 Mar 2015 19:52:14 Petric Frank wrote:

Hello Mick,

On Tuesday, 3 March 2015, 00:00:17, Mick wrote:

The homepage on vpnc in chapter TODO tells: phase2-rekeying is now supported as of svn revision 126! Changelog states for 0.5.2: Fix Phase 2 rekeying, by various authors. I don't know whether this is along your statement above. So it seems not to be completely fixed. The homepage is not updated the last 7 years.

OK, then yes, it has been fixed and your problem is not related to that old bug, but could it be a more recent regression?

Maybe.

BTW, have you tried more actively developed VPN software like strongswan (it has a networkmanager plugin) or even ipsec-tools instead of vpnc, to see if you're getting the same problem? I think that they should work with Cisco VPN gateways, although it may be fiddly to set them up.

I can find only ebuilds of (networkmanager-)openswan in the official tree.

No, this is only good for the SSL VPN solution of Cisco.

Good to know.

I beg your pardon, I typed too fast. I was referring to net-misc/openconnect, which is an alternative client for Cisco AnyConnect SSL VPN. The net-misc/openswan package is hard masked because of the security bug #499870. You could try net-misc/libreswan instead, a fork of openswan. It may just work with the net-misc/networkmanager-openswan plugin.

strongswan is in the stable tree but not the networkmanager plugin.

Are you sure? This is what I see here for strongswan-5.2.2:

[+caps +constraints curl debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager ^^ +non-root +openssl pam pkcs11 sqlite strongswan_plugins_blowfish strongswan_plugins_ccm strongswan_plugins_ctr strongswan_plugins_gcm strongswan_plugins_ha strongswan_plugins_ipseckey +strongswan_plugins_led +strongswan_plugins_lookip strongswan_plugins_ntru strongswan_plugins_padlock strongswan_plugins_rdrand +strongswan_plugins_systime-fix strongswan_plugins_unbound +strongswan_plugins_unity +strongswan_plugins_vici strongswan_plugins_whitelist]

True, strongswan is in tree, but not networkmanager-strongswan (NetworkManager plugin).

My understanding is that as long as you enable the networkmanager plugin in the strongswan package, it will interoperate with the networkmanager front end - but I have not tried it. Reading now the relevant webpage it says that it is *only* available for IKEv2 - so probably not good for your use case. https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager

The latest version 5.2.2 has a bug with some IKEv1 implementations. There is a patch proposed which works and will be included in the next version 5.2.3 when released.

If your VPN server is affected then you'll have to apply the patch yourself in a local overlay: https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/479632

Stable strongswan is already compiled and installed on my system. Any of the strongswan_plugins_* USE flags I have to enable here?

Since its networkmanager plugin is only useful for IKEv2 I don't think it would make any odds. You can enable it anyway and initially try it from the command line (/etc/init.d/ipsec start) to see if it works with the Cisco VPN gateway. If it does, then try it with the networkmanager front end, but I don't expect this to work. If a GUI is a must for you, libreswan with the net-misc/networkmanager-openswan plugin may be a better bet.

-- Regards, Mick
Re: [Bulk] Re: [gentoo-user] /etc/hosts include file?
On 03/11/2013 06:34 PM, Kevin Chadwick wrote:

On 03/09/2013 07:53 AM, Kevin Chadwick wrote:

There is no reason to believe that IPv6 will result in an increased use of IPsec.

Bull. The biggest barrier to IPsec use has been NAT! If an intermediate router has to rewrite the packet to change the apparent source and/or destination addresses, then the cryptographic signature will show it, and the packet will be correctly identified as having been tampered with!

http://marc.info/?l=openbsd-misc&m=135325641430178&w=2

I believe you've misunderstood what Brauer is saying there.

NAT needs to process every packets opposed to the !NAT case, where a router doesn't have to process every packet.

rrright. Here, when Brauer is talking about processing, he's not talking about tampering with (modifying) packets, he's talking about inspecting them as part of connection state and for other things. This is absolutely distinct from *modifying* the packet, which is what IPsec is intended to detect. I also wouldn't count 'dropping' packets as modification, as: A) an intermediate firewall isn't likely to allow any packet of a stream through to begin with if it's going to block any packet in the stream at all. B) Handling of dropped packets is the responsibility of the transport layer. UDP is supposed to handle it in stride. TCP is supposed to notice and retry.

It's hardly difficult to get around that now is it.

Sure, you can use an IP-in-IP tunnel... but that's retarded. IPSec was designed from the beginning to allow you to do things like sign your IP header and encrypt everything else (meaning your UDP, TCP, SCTP or what have you). Setting up a tunnel just so your IP header can be signed wastes another 40 bytes for every non-fragmented packet. Ask someone trying to use data in a cellular context how valuable that 40 bytes can be.

You are wrong the biggest barrier is that it is not desirable to do this as there are many reasons for firewalls to inspect incoming packets.

I don't agree with things like central virus scanning especially by damn ISPs using crappy Huawei hardware, deep inspection traffic shaping rather than pure bandwidth usage tracking or active IDS myself but I do agree with scrubbing packets.

It's not the transit network's job to scrub packets. Do your scrubbing at the VPN endpoint, where the IPSec packets are unwrapped. Trusting the transit network to scrub packets is antithetical to the idea of using security measures to avoid MITM and traffic sniffing attacks in the first place!

I never said it was. I was more thinking of IPSEC relaying which would be analogous to a VPN end point but without losing the end-end, neither are desirable,

Please, explain to me what the heck you mean, then? When you say "You are wrong the biggest barrier is that it is not desirable to do this as there are many reasons for firewalls to inspect incoming packets." I can't possibly understand what you're talking about except with the context you've given me. The only other thing I can take from what you're saying up to this point is that you believe VPNs are bad, which I find, well, laughable.

NAT has little to do with the lack of IPSEC deployment.

You keep saying this, but saying a thing doesn't make it understood; you have to explain why.

What do you gain considering the increased resources,

You mean the bandwidth overhead of the ESP and/or AH headers? As opposed to, what, TLS? GRE? IP-in-TLS-in-IP? Let me have a clean, cheap TCP-on-ESP-on-IP stack for my campus-to-campus connections!

pointlessly increasing chances of cryptanalysis and pointlessly increasing the chances of exploitation due to the fact that the more complex IPSEC itself can have bugs like Openssl does,

If I read your argument correctly, you would view encryption in general as harmful?

not to mention amplifying DDOS without the attacker doing anything, which is the biggest and more of a threat than ever,

One of my servers is currently undergoing a SYN flood. I'm well aware that the Internet is a dangerous place. Honestly, if someone wants to DDOS you, the increased amplification factor of DNSSEC isn't going to be the deciding factor of whether your server stays up or goes down.

or are you going to stop using the internet.

Use hyperbole much?

When ipv4 can utilise encryption without limitations including IPSEC but more appropriately like ssh just fine when needed you see it is simply not desirable and a panacea that will not happen. You are simply in a bubble as the IETF were.

For the purposes of tunnels, I've used IPsec on IPv4, SSH and TLS. Quite frankly? IPsec on IPv6 is the least painful option of all of these. IPsec on IPv4 is frustrating because the VPN clients are poorly implemented, and you *must* use TCP/UDP-in-ESP/AH-in-(optional TCP or UDP in)-IP, or you're not going to get through NAT without getting the network administrator
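The integrity argument in this thread (an address rewrite by a NAT is visible to the signature, while ordinary forwarding is not) as an added example that is not part of any post: a toy AH-style integrity check over an IPv4 header. It uses HMAC-SHA256 with a constructed key in place of an IKE-negotiated AH algorithm, and zeroes the mutable fields RFC 4302 lists for IPv4 before computing the ICV, so a router's TTL decrement still verifies while a NAT source rewrite does not.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

# Constructed key for the demo only; a real SA gets its key from IKE.
DEMO_KEY = b"constructed-demo-ah-key"


def build_ipv4_header(src, dst, ttl=64, proto=51):
    """Minimal 20-byte IPv4 header without options (proto 51 = AH).
    The header checksum is left at zero; it is mutable anyway."""
    ver_ihl = (4 << 4) | 5
    return struct.pack(
        "!BBHHHBBH4s4s",
        ver_ihl, 0, 20, 0x1234, 0x4000, ttl, proto, 0,
        IPv4Address(src).packed, IPv4Address(dst).packed,
    )


def zero_mutable_fields(header):
    """Zero the IPv4 fields RFC 4302 treats as mutable in transit:
    TOS (DSCP/ECN), flags + fragment offset, TTL, header checksum.
    Source and destination addresses stay covered by the ICV."""
    h = bytearray(header)
    h[1] = 0                # TOS
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def compute_icv(key, header, payload):
    """HMAC over immutable header fields plus payload, truncated to
    96 bits as AH does with its ICV."""
    mac = hmac.new(key, zero_mutable_fields(header) + payload, hashlib.sha256)
    return mac.digest()[:12]


def verify_icv(key, header, payload, icv):
    return hmac.compare_digest(compute_icv(key, header, payload), icv)


def decrement_ttl(header):
    """What every router hop does to a forwarded packet."""
    h = bytearray(header)
    h[8] -= 1
    return bytes(h)


def nat_rewrite_source(header, new_src):
    """What a NAT does: replace the source address."""
    h = bytearray(header)
    h[12:16] = IPv4Address(new_src).packed
    return bytes(h)


def demo():
    """Returns (verifies_after_routing, verifies_after_nat)."""
    payload = b"constructed transport-layer payload"
    hdr = build_ipv4_header("192.168.1.100", "203.0.113.10")
    icv = compute_icv(DEMO_KEY, hdr, payload)
    routed = decrement_ttl(hdr)
    natted = nat_rewrite_source(routed, "198.51.100.7")
    return (verify_icv(DEMO_KEY, routed, payload, icv),
            verify_icv(DEMO_KEY, natted, payload, icv))


if __name__ == "__main__":
    print(demo())  # prints (True, False)
```

ESP in transport mode does not cover the outer IP header at all, which is why the NAT problem is specific to AH and to ESP's UDP-encapsulated NAT traversal workaround, not to IPsec as such.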
Re: [gentoo-user] How to IPSEC M$oft VPN client setup
On Sun, 17 May 2009 12:07:33 +0100 Mick michaelkintz...@gmail.com wrote:

On Sunday 17 May 2009, Mick wrote:

Thanks Graham,

On Saturday 16 May 2009, Graham Murray wrote:

Here are some samples. [8]

The more I try to use VPN the more I love SSH! http://bugs.gentoo.org/87920 Mick

-- This is a *very* old bug. But it still happens. WTF...

I see you linked to a related bug here in the ML, but you didn't file/reopen a bug. (Is there a reason why?) Anyway, it would appear like there is no Gentoo dev-loving on these packages, so maybe it would be a waste... For myself, I have zero desire to understand VPN technology, but I guess that's not an option if the devs aren't active in making sane choices for, and presenting viable options to, the users. :(

So can we agree on the combination of packages that are *supposed* to provide this VPN-IPSEC-L2TP function? The only thing vaguely M$FT about this setup is MS-CHAP. And L2TP, perhaps. (At least, in so far as I understand this crap, that's my conclusion.)

I have:
net-firewall/ipsec-tools
net-dialup/xl2tpd
net-dialup/ppp -- is this needed?

I don't have
* net-misc/openswan
... since that seems to be an alternative to ipsec-tools (KAME). (Or, vice-versa. I'm totally getting sick of reading about VPN.)

Is there some other package that should be needed to make this all work? Do I need ppp at all? Isn't XL2TPD the full replacement?

Anyway, since there doesn't appear to be a Gentoo document for this, I'd be totally willing to take up space on the ML until both of us have this working. Here, I begin:

. . .

/etc/init.d/xl2tpd start
 * Starting xl2tpd ...  [ ok ]
May 19 10:25:04 lappy xl2tpd[5179]: setsockopt recvref[22]: Protocol not available
May 19 10:25:04 lappy xl2tpd[5179]: This binary does not support kernel L2TP.
May 19 10:25:04 lappy xl2tpd[5180]: xl2tpd version xl2tpd-1.2.3 started on lappy PID:5180
May 19 10:25:04 lappy xl2tpd[5180]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
May 19 10:25:04 lappy xl2tpd[5180]: Forked by Scott Balmos and David Stipp, (C) 2001
May 19 10:25:04 lappy xl2tpd[5180]: Inherited by Jeff McAdams, (C) 2002
May 19 10:25:04 lappy xl2tpd[5180]: Forked again by Xelerance (www.xelerance.com) (C) 2006
May 19 10:25:04 lappy xl2tpd[5180]: Listening on IP address 0.0.0.0, port 1701

So far, there are no errors. (The warning about *kernel* L2TP is a warning, so I understand, not a failure.)

/etc/init.d/racoon start
 * Loading ipsec policies from /etc/ipsec.conf.
 * Starting racoon ...  [ ok ]
May 19 10:27:11 lappy hald [ loads additional crypt modules ]

Module          Size   Used by
twofish         5568   0
twofish_common  12672  1 twofish
serpent         15936  0
blowfish        7104   0
sha256_generic  10240  0

May 19 10:27:12 lappy racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
May 19 10:27:12 lappy racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
May 19 10:27:12 lappy racoon: INFO: Reading configuration from /etc/racoon/racoon.conf
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for AH
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for ESP
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for IPCOMP
May 19 10:27:12 lappy racoon: DEBUG: reading config file /etc/racoon/racoon.conf
May 19 10:27:12 lappy racoon: DEBUG2: lifetime = 3600
May 19 10:27:12 lappy racoon: DEBUG2: lifebyte = 0
May 19 10:27:12 lappy racoon: DEBUG2: encklen=0
May 19 10:27:12 lappy racoon: DEBUG2: p:1 t:1
May 19 10:27:12 lappy racoon: DEBUG2: 3DES-CBC(5)
May 19 10:27:12 lappy racoon: DEBUG2: SHA(2)
May 19 10:27:12 lappy racoon: DEBUG2: 1024-bit MODP group(2)
May 19 10:27:12 lappy racoon: DEBUG2: pre-shared key(1)
May 19 10:27:12 lappy racoon: DEBUG2:
May 19 10:27:12 lappy racoon: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
[ And there is only 'deflate' available anyway... ?? ]
May 19 10:27:12 lappy racoon: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=0
May 19 10:27:12 lappy racoon: DEBUG: getsainfo pass #2
May 19 10:27:12 lappy racoon: DEBUG2: parse successed.
May 19 10:27:12 lappy racoon: DEBUG: open /var/lib/racoon/racoon.sock as racoon management.
May 19 10:27:12 lappy racoon: DEBUG: my interface: 192.168.1.100 (wlan0)
May 19 10:27:12 lappy racoon: DEBUG: my interface: 127.0.0.1 (lo)
May 19 10:27:12 lappy racoon: DEBUG: configuring default isakmp port.
May 19 10:27:12 lappy racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
May 19 10:27:12 lappy racoon: DEBUG: 4 addrs are configured successfully
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[500] used for NAT-T
May 19 10:27:12 lappy
Re: [gentoo-user] unencrypted network tools
On Thursday 15 December 2005 10:08 pm, Grant wrote:

How can I see what is happening as far as traffic on my unencrypted network?

tcpdump

ntop is a good network summary program too. Works good if you can run it on your default gateway machine. tcpdump is pretty cool for sure.

The network is just run from a router. No server on which I can run that stuff. Is there anything I can use from my workstation which is connected to the network?

You can run it on your workstation as well and you will see broadcast traffic and traffic going to your computer. If you are on a hub, you should see all traffic connected to the hub.

How can I keep my own http traffic private?

Use https instead. IPSec is another option, if supported. Also, traffic is normally only passed along the links between you and the server, unless there's some hub between you and them. You may be able to anonymize normal http by using tor. I think freenet also provides some level of anonymity and encryption for http, but I've never used it.

You can only use https on servers that support it. The question is too vague to answer without specifying from whom you want to keep the data private. Just people on your local network? Your ISP? Your boss? The http servers?

I'm only trying to keep the data private from the other people on the local network.

Who administrates your router and/or network? What kind of router is it? Are you using a switch? Assuming you have a basic network setup using a simple switch and a simple router you would generally be private for outgoing http traffic unless there is someone sophisticated enough to be running something like ettercap to confuse the switch. If you have no idea and if you have a remote computer you can connect to for browsing (maybe something at your home or elsewhere) you can remote control into it (using ssh tunnels for encryption) and then browse privately from that machine. Are you expecting the other hosts on your network to be monitoring your http traffic? If there is some suspected method of them monitoring you it may require a specific technique to avoid their monitoring.

In any case, where does gentoo fall into this whole deal? This is a gentoo list.

-- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Good 'layman' tutorial on IPv4 IPv6?
On 01/20/12 05:07, Tanstaafl wrote:

On 2012-01-19 5:32 PM, Mick michaelkintz...@gmail.com wrote:

On Thursday 19 Jan 2012 15:48:32 Michael Mol wrote:

On Thu, Jan 19, 2012 at 10:37 AM, Tanstaafl tansta...@libertytrek.org wrote:

I have a reasonable grasp of how to use IP addresses etc with IPv4, but every time I start reading about IPv6 I get a headache... Does anyone know of a decent tutorial written specifically to those who have an ok (but not hugely in-depth) understanding of IPv4, and doesn't get bogged down in too many technical details, but simply explains what you need to know to be able to transition to it and use it effectively *and securely* - and/or how *not* to have to expose your entire private network to the world (what IPv4 NAT protects you from)?

I've been doing IPv6 presentations at LUGs and tech cons, and I'm getting scheduled for a few IPv6 topics at Penguicon... but I'm pretty sure I'm also not the most knowledgeable on this list wrt IPv6, either. Still, what would you like to know? (I can use your questions as fodder and experience for future presentations. ^^)

Now that IPv6 is enabled by default on Linux, is one meant to duplicate all the IPv4 iptable rules also for IPv6? I'm using arno ip tables and from what I saw in the config file it is either 4 or 6 that one can activate. Perhaps this has improved with later versions. That was the very first question (and headache) I got from looking at this. The OP would probably have more questions, but if you ever pull together a pack of slides I would much appreciate a link to look at them.

I really wouldn't know where to start... that is why I was looking for a decent tutorial that covered the topic in total, so I could hopefully get to the point that I *could* ask some intelligent questions about it...

One very general question I have is, how can you - or even *can* you - hide all of your internal devices from the outside world, similar to how the use of 'private' IPs behind a NAT'd firewall are hidden from the outside world (nor directly accessible). I definitely do *not* want all of my internal devices directly accessible from the internet.

If you want a good place to start, try Mark Newton's AusCERT IPv6 talk. http://risky.biz/AusCERT-Newton It's not exactly laymen, but I still recommend it. It's a good talk taking your IPv4 knowledge and comparing it to the IPv6 equivalents, and brings up some good general ideas that make you think of IPv6 in a practical sense. Unfortunately I haven't found a video version of it. :(

I've done a handful of IPv6 conversions, small to medium networks, I'd be willing to answer some questions if you need help.

As for your general question, the short answer is you can't. If you need internet access, then you will have to have public IPs.

Question: Why do you want to hide internal devices? I don't expect an answer, this is something you should ask yourself.

Is it to protect running services from attack/discovery? Great, that's what your firewall is for, so you don't need to worry about private addresses. Another option is to deploy IPSec for internal services, this would hide internal services even from hosts on the private address space unless they are trusted through IPSec rules.

Is it to hide the actual devices? or your network architecture/topology? Scanning for host discovery in IPv6 is not feasible. Consider how big IPv6 is. A typical host discovery scan on an IPv4 private network can be done in a few hours. Given a (really fast) average host discovery of 1000 hosts a second, let's apply some math to your internal IPv6 range. We'll compare both ::/64 and ::/48, which amounts to 2^64 and 2^80 addresses. Your host discovery scan would take between 600 million, and 38 trillion years to check each IP.

If you still want private addresses, IPv6 has unique local addresses (fc00::/7 range, http://www.sixxs.net/tools/grh/ula/ has a reg form to help assign a /48 to you). But since there's no address translation, you're stuck running dual networks for everything that needs a private address and internet access. It's not entirely a bad thing, but it can be a long tedious process, and some software sucks at it (mysqld).

Hope that helps. Chris
Re: [gentoo-user] unencrypted network tools
How can I see what is happening as far as traffic on my unencrypted network?

tcpdump

ntop is a good network summary program too. Works good if you can run it on your default gateway machine. tcpdump is pretty cool for sure.

The network is just run from a router. No server on which I can run that stuff. Is there anything I can use from my workstation which is connected to the network?

You can run it on your workstation as well and you will see broadcast traffic and traffic going to your computer. If you are on a hub, you should see all traffic connected to the hub.

How can I keep my own http traffic private?

Use https instead. IPSec is another option, if supported. Also, traffic is normally only passed along the links between you and the server, unless there's some hub between you and them. You may be able to anonymize normal http by using tor. I think freenet also provides some level of anonymity and encryption for http, but I've never used it.

You can only use https on servers that support it. The question is too vague to answer without specifying from whom you want to keep the data private. Just people on your local network? Your ISP? Your boss? The http servers?

I'm only trying to keep the data private from the other people on the local network.

Who administrates your router and/or network? What kind of router is it? Are you using a switch? Assuming you have a basic network setup using a simple switch and a simple router you would generally be private for outgoing http traffic unless there is someone sophisticated enough to be running something like ettercap to confuse the switch.

There is just a $50 router. It's just a network at my housing complex that everyone connects to. I remember one of my buddies showed me how he could drive around a residential area and see what people were doing on their unencrypted networks as he passed by. I'd like to protect myself against that kind of intrusion and also take informational advantage of those that don't.

If you have no idea and if you have a remote computer you can connect to for browsing (maybe something at your home or elsewhere) you can remote control into it (using ssh tunnels for encryption) and then browse privately from that machine. Are you expecting the other hosts on your network to be monitoring your http traffic? If there is some suspected method of them monitoring you it may require a specific technique to avoid their monitoring.

In any case, where does gentoo fall into this whole deal? This is a gentoo list.

I'm looking for Gentoo tools.

- Grant -- gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Internet security.
There's a lot FUD out there and equally there is some truth. the NSA we can decrypt everything statement was really very vague, and can easily be done if you have a lot of taps (ala PRISM) and start doing mitm attacks to reduce the level of security to something that is crackable. for 'compatibility' very many low powered encryption schemes are supported and it is these that are the issue. if you are using ipsec tunnels with aes encryption you can happily ignore these. if you are using mpls networks you can almost guarantee your isp and therefore your network is compromised. the question really is what do you define as security ? if someone was to hit you on the head with a hammer, how long til you willingly gave out your passwords ? [1] I agree with the lack of faith in certificate CA's and i feel that the reason that warnings over ssl are so severe is to spoon feed folks into the owned networks. I far more trust the way mozilla do their web of trust [2] but equally am aware that trolls live in the crowds. while ssh authorized_keys are more secure than passwords, i can't (and am hoping someone can point me to) find how to track failed logins as folks bruteforce their way in. yes it's orders of magnitude more difficult but then internet speed is now orders of magnitude faster, and OTP are looking more sensible every day [3] to me. i used to use windows live messenger and right near the end found that if you send someone a web link to a file filled with /dev/random called passwords.zip you would have some unknown ip connect and download it too. who then is doing that and i trust skype and it's peer2peer nonsense even less. who even knows you can TLS encrypt SIP ? there are many ways of encrypting email but this is not supported from one site to another, even TLS support is often lacking, and GPG the contents means that some folks you send email to cannot read it -- there is always a trade off between usability and security. 
i read in slashdot that there is a question mark over SELinux because it came from the NSA [4] but this is nonsense, as it is a means of securing processes not network connections. i find it difficult to believe that a backdoor in a locked cupboard in your house can somehow give access through the front door. how far does trust need to be lost [5] before you start fabricating your own chips ? the complexity involved in chip fabs is immense and if bugs can slip through, what else can [6] ultimately a multi layer security approach is required, and security itself needs to be defined. i like privacy so i have net curtains, i don't have a 3 foot thick titanium door with strengthened hinges. if someone looks in my windows, i can see them. either through the window or on cctv. security itself has to be defined so that risk can be managed. so many people buy the biggest lock they can find and forget the hinges. or leave the windows open. even then it doesn't help in terms of power failure or leaking water or gas mains exploding next door (i.e. the definition of security in the sense of safety) to some security means RAID, to others security means offsite backup i like techniques such as port knocking [7] for reducing the size of the scan target if you have a cheap virtual server on each continent and put asterisk on each one; linked by aes ipsec tunnels with a local sip provider in each one then you could probably hide your phone calls quite easily from snoops. until they saw your bank statement and wondered what all these VPS providers and SIP accounts were for, and then the authorities if they were tracking you would go after those. why would you do such a thing? perhaps because you cannot trust the monopoly provider of a country to screen its equipment [8] even things like cookie tracking for advertising purposes - on the lighter side what if your kids see the ads for the stuff you are buying them for christmas ? surprise ruined? 
where does it stop - its one thing for google to announce governments want your search history, and another for advertising companies to sell your profile and tracking, essentially ad companies are doing the governments snooping job for them. ultimately it's down to risk mitigation. do you care if someone is snooping on your grocery list? no? using cookie tracking ? yeah profiling is bad - wouldn't want to end up on a terrorist watchlist because of my amusement with the zombie apocalypse listmania [9] encryption is important because you don't know what other folks in the internet cafe are doing [10] but where do you draw the line ? if you go into a shop do you worry that you are on cctv ? ok i'll stop ranting now, my main point is always have multi layered security - and think about what you are protecting and from whom [1] http://xkcd.com/538/ [2] https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/ [3] http://blog.tremily.us/posts/OTP/ [4] http://yro.slashdot.org/story/13/07/02/1241246/nsa-backdoors-in-open-source-and-open-standards
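The post above asks how to track failed logins as people brute-force sshd. As an added example that is not part of the thread, here is a small parser that counts failed authentication attempts per source address from sshd log lines in the usual syslog format; the log lines are constructed for the demo, the threshold is arbitrary, and the addresses are documentation ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (syslog format); not from any real host.
SAMPLE_AUTH_LOG = """\
Sep  9 10:36:01 gw sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Sep  9 10:36:03 gw sshd[2102]: Invalid user admin from 203.0.113.5 port 51240
Sep  9 10:36:03 gw sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Sep  9 10:36:04 gw sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 51245 ssh2
Sep  9 10:36:09 gw sshd[2104]: Failed publickey for git from 198.51.100.9 port 40022 ssh2: RSA SHA256:constructedfingerprint
Sep  9 10:36:12 gw sshd[2105]: Accepted publickey for alice from 192.0.2.20 port 50000 ssh2: RSA SHA256:constructedfingerprint
Sep  9 10:36:13 gw sshd[2106]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Sep  9 10:37:02 gw sshd[2107]: Failed password for bob from 192.0.2.20 port 50010 ssh2
"""

# One regex covers password and public-key failures; "invalid user" means
# the account does not even exist, a strong brute-force signal.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>password|publickey) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Return one dict per failed authentication attempt, in log order."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append({
                "method": m.group("method"),
                "user": m.group("user"),
                "invalid_user": m.group("invalid") is not None,
                "ip": m.group("ip"),
            })
    return events


def failures_per_source(log_text):
    """Count failed attempts by source address."""
    return Counter(e["ip"] for e in parse_failures(log_text))


def users_tried_per_source(log_text):
    """Which account names each source tried; many distinct names from
    one address is the typical dictionary-attack pattern."""
    tried = defaultdict(set)
    for e in parse_failures(log_text):
        tried[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in tried.items()}


def flag_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures, busiest first."""
    counts = failures_per_source(log_text)
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip in flag_sources(SAMPLE_AUTH_LOG):
        print(ip, failures_per_source(SAMPLE_AUTH_LOG)[ip],
              users_tried_per_source(SAMPLE_AUTH_LOG)[ip])
```

With password authentication disabled the noise drops to "Failed publickey" and "Invalid user" lines, which is what the key-only setup the post recommends looks like in practice.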
Re: [gentoo-user] Internet security.
On Mon, Sep 09, 2013 at 10:36:09AM +0100, thegeezer wrote: There's a lot FUD out there and equally there is some truth. the NSA we can decrypt everything statement was really very vague, and can easily be done if you have a lot of taps (ala PRISM) and start doing mitm attacks to reduce the level of security to something that is crackable. for 'compatibility' very many low powered encryption schemes are supported and it is these that are the issue. if you are using ipsec tunnels with aes encryption you can happily ignore these. if you are using mpls networks you can almost guarantee your isp and therefore your network is compromised. the question really is what do you define as security ? if someone was to hit you on the head with a hammer, how long til you willingly gave out your passwords ? [1] I agree with the lack of faith in certificate CA's and i feel that the reason that warnings over ssl are so severe is to spoon feed folks into the owned networks. I far more trust the way mozilla do their web of trust [2] but equally am aware that trolls live in the crowds. while ssh authorized_keys are more secure than passwords, i can't (and am hoping someone can point me to) find how to track failed logins as folks bruteforce their way in. yes it's orders of magnitude more difficult but then internet speed is now orders of magnitude faster, and OTP are looking more sensible every day [3] to me. i used to use windows live messenger and right near the end found that if you send someone a web link to a file filled with /dev/random called passwords.zip you would have some unknown ip connect and download it too. who then is doing that and i trust skype and it's peer2peer nonsense even less. who even knows you can TLS encrypt SIP ? 
there are many ways of encrypting email but this is not supported from one site to another, even TLS support is often lacking, and GPG the contents means that some folks you send email to cannot read it -- there is always a trade off between usability and security. i read in slashdot that there is a question mark over SELinux because it came from the NSA [4] but this is nonsense, as it is a means of securing processes not network connections. i find it difficult to believe that a backdoor in a locked cupboard in your house can somehow give access through the front door. how far does trust need to be lost [5] before you start fabricating your own chips ? the complexity involved in chip fabs is immense and if bugs can slip through, what else can [6] ultimately a multi layer security approach is required, and security itself needs to be defined. i like privacy so i have net curtains, i don't have a 3 foot thick titanium door with strengthened hinges. if someone looks in my windows, i can see them. either through the window or on cctv. security itself has to be defined so that risk can be managed. so many people buy the biggest lock they can find and forget the hinges. or leave the windows open. even then it doesn't help in terms of power failure or leaking water or gas mains exploding next door (i.e. the definition of security in the sense of safety) to some security means RAID, to others security means offsite backup i like techniques such as port knocking [7] for reducing the size of the scan target if you have a cheap virtual server on each continent and put asterisk on each one; linked by aes ipsec tunnels with a local sip provider in each one then you could probably hide your phone calls quite easily from snoops. until they saw your bank statement and wondered what all these VPS providers and SIP accounts were for, and then the authorities if they were tracking you would go after those. why would you do such a thing? 
perhaps because you cannot trust the monopoly provider of a country to screen its equipment [8] even things like cookie tracking for advertising purposes - on the lighter side what if your kids see the ads for the stuff you are buying them for christmas ? surprise ruined? where does it stop - its one thing for google to announce governments want your search history, and another for advertising companies to sell your profile and tracking, essentially ad companies are doing the governments snooping job for them. ultimately it's down to risk mitigation. do you care if someone is snooping on your grocery list? no? using cookie tracking ? yeah profiling is bad - wouldn't want to end up on a terrorist watchlist because of my amusement with the zombie apocalypse listmania [9] encryption is important because you don't know what other folks in the internet cafe are doing [10] but where do you draw the line ? if you go into a shop do you worry that you are on cctv ? ok i'll stop ranting now, my main point is always have multi layered security - and think about what you are protecting and from whom [1] http://xkcd.com/538/ [2] https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing
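On the question in the message above about tracking failed logins against a key-only sshd: the log lines are already there, they are just easy to miss. With sshd's default LogLevel INFO a rejected password is always logged as "Failed password for ...", but a rejected public key for a valid account is only logged as "Failed publickey for ..." once the client has used up half of MaxAuthTries; with LogLevel VERBOSE every key attempt is logged, together with its fingerprint. The script below is an added example (not from the thread and not anyone's posted code) that summarises those "Failed <method> for ... from <ip>" lines per source address and flags sources above a threshold. The log lines in SAMPLE_AUTH_LOG are constructed for the demo; the timestamp/host/pid prefix is the usual syslog one.

```shell
#!/bin/sh
# Added example: per-source summary of sshd authentication failures from a
# syslog-style auth log. Not code from the thread; SAMPLE_AUTH_LOG is constructed.

# Constructed sample: one host probing root with two keys then a password,
# one host guessing a non-existent user, one legitimate key login.
SAMPLE_AUTH_LOG='Sep  9 10:36:01 host sshd[2011]: Failed publickey for root from 203.0.113.5 port 51234 ssh2
Sep  9 10:36:02 host sshd[2011]: Failed publickey for root from 203.0.113.5 port 51234 ssh2
Sep  9 10:36:03 host sshd[2011]: Failed password for root from 203.0.113.5 port 51234 ssh2
Sep  9 10:36:10 host sshd[2020]: Invalid user admin from 198.51.100.7
Sep  9 10:36:10 host sshd[2020]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Sep  9 10:37:00 host sshd[2031]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2'

# count_ssh_failures [logfile...]
# Reads auth log lines (files given as arguments, or stdin) and prints one line
# per source address: "<ip> <failure count> <methods seen, comma separated>",
# most failures first. Only "Failed <method> for" lines are counted, so the
# "Invalid user" line that precedes each bad-username attempt is not counted twice.
count_ssh_failures() {
    awk '
    / sshd\[[0-9]+\]: Failed (password|publickey|none|keyboard-interactive\/pam) for / {
        method = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "Failed") method = $(i + 1)       # word after "Failed" is the auth method
            if ($i == "from")   { ip = $(i + 1); break } # word after "from" is the client address
        }
        if (ip == "") next
        fails[ip]++
        key = ip SUBSEP method
        if (!(key in seen)) {
            seen[key] = 1
            methods[ip] = methods[ip] (methods[ip] == "" ? "" : ",") method
        }
    }
    END {
        for (ip in fails) printf "%s %d %s\n", ip, fails[ip], methods[ip]
    }' "$@" | sort -k2,2nr -k1,1
}

# flag_bruteforce [threshold]
# Same input on stdin; prints only sources with at least <threshold> failures
# (default 5). Feed the result to whatever you use for blocking or alerting.
flag_bruteforce() {
    count_ssh_failures | awk -v min="${1:-5}" '$2 >= min'
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_AUTH_LOG" | count_ssh_failures
```

On a real box the input is the auth log (for example `count_ssh_failures /var/log/auth.log`, or whatever metalog/syslog-ng writes sshd messages to); run it from cron or pipe `flag_bruteforce` into a firewall rule generator. The point of the MaxAuthTries note is that a low-and-slow key scanner that reconnects after every attempt never reaches the INFO log threshold, so set LogLevel VERBOSE if you want to see each rejected key.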
Re: [gentoo-user] How to freeze my Gentoo system
On Fri, 3 Apr 2009 10:45:46 +0800 Mark David Dumlao madum...@gmail.com wrote:

On Thu, Mar 12, 2009 at 4:13 PM, Alan McKinnon alan.mckin...@gmail.com wrote:

On Thursday 12 March 2009 10:07:03 Dale wrote:

I do understand that getting something stable and working then wanting to keep it that way. I'm just wondering what his mileage may be in the long run.

Here's the first significant result with a sync today:

    These are the packages that would be merged, in reverse order:

    Calculating dependencies... done!
    [ebuild U ] app-text/xpdf-3.02-r2 [3.02-r1] USE=-nodrm LINGUAS=-ar -el -he -ja -ko -la -ru -th -tr -zh_CN -zh_TW 0 kB

    Total: 1 package (1 upgrade), Size of downloads: 0 kB

Ahh. ;-)

I guess what's important, unless I see some particular reason to upgrade something, would be this:

    glsa-check -tv affected
    This system is affected by the following GLSAs:
    200808-09 ( OpenLDAP: Denial of Service vulnerability )
    200903-11 ( PyCrypto: Execution of arbitrary code )

    for glsa in `glsa-check -t affected` ; do glsa-check -p $glsa ; done
    This system is affected by the following GLSAs:
    Checking GLSA 200808-09
    The following updates will be performed for this GLSA:
         net-nds/openldap-2.4.11-r1 (2.3.41)
    Checking GLSA 200903-11
    The following updates will be performed for this GLSA:
         dev-python/pycrypto-2.0.1-r8 (2.0.1-r6)

In the interest of writing really ugly bash scripts:

    # for glsa in `glsa-check -t affected` ; do equery d $( glsa-check -p $glsa |grep -P '^\s+\w+-\w+/' | perl -pe 's/^\s+(\w+-\w+\/.+)-\d[\d.].+/$1/' ) ; done
    This system is affected by the following GLSAs:
    [ Searching for packages depending on net-nds/openldap... ]
    app-admin/sudo-1.7.0 (ldap? =net-nds/openldap-2.1.30-r1)
    app-crypt/gnupg-2.0.10 (!static ldap? net-nds/openldap) (ldap? net-nds/openldap)
    app-emulation/wine-1.1.12 (ldap? net-nds/openldap)
    dev-db/postgresql-base-8.3.5 (ldap? net-nds/openldap)
    dev-libs/apr-util-1.3.4 (ldap? =net-nds/openldap-2*)
    gnome-base/gconf-2.24.0 (ldap? net-nds/openldap)
    gnome-extra/evolution-data-server-2.24.5-r2 (ldap? =net-nds/openldap-2.0)
    mail-client/claws-mail-3.7.1 (ldap? =net-nds/openldap-2.0.7)
    net-firewall/ipsec-tools-0.7.1 (ldap? net-nds/openldap)
    net-fs/samba-3.0.33 (ldap? net-nds/openldap)
    net-misc/curl-7.19.4 (ldap? net-nds/openldap)
    net-misc/openssh-5.1_p1-r2 (ldap? net-nds/openldap)
    net-misc/openswan-2.4.13-r2 (ldap? net-nds/openldap)
    net-print/cups-1.3.9-r1 (ldap? net-nds/openldap)
    www-servers/apache-2.2.10 (ldap? =net-nds/openldap-2*)
    [ Searching for packages depending on dev-python/pycrypto... ]
    sys-apps/portage-2.1.6.7 (!build? =dev-python/pycrypto-2.0.1-r6)

Looks like I can fix the use flag and clean out ldap if I want to do so, but I'm stuck with pycrypto (or the build use flag):

    euse -i build
    global use flags (searching: build)
    [-] build - !!internal use only!! DO NOT SET THIS FLAG YOURSELF!, used for creating build images and the first half of bootstrapping [make stage1]

... that's pretty clear. '-)

I can only imagine what will happen if he forgets that package.mask and then removes it six months later :-)

I, too, have spent a couple of days wondering what was masking a package before remembering that it was me.

And just to see if there's any upside evident:

    mv /etc/portage/package.mask /etc/portage/package.mask.bak
    emerge -puDNtv system
    mv /etc/portage/package.mask.bak /etc/portage/package.mask

    These are the packages that would be merged, in reverse order:

    Calculating dependencies... done!
    [ebuild U ] net-misc/openssh-5.2_p1-r1 [5.1_p1-r2] USE=X pam tcpd -X509 -hpn -kerberos -ldap -libedit -pkcs11% (-selinux) -skey -smartcard -static 993 kB
    [ebuild U ] sys-devel/gcc-4.3.3-r2 [4.3.2-r3] USE=fortran gtk mudflap nls openmp (-altivec) -bootstrap -build -doc (-fixed-point) -gcj (-hardened) -ip28 -ip32r10k -libffi (-multilib) -multislot (-n32) (-n64) -nocxx -nopie -objc -objc++ -objc-gc -test -vanilla 58,063 kB

    Total: 2 packages (2 upgrades), Size of downloads: 59,055 kB

Hmm.

    # mv /etc/portage/package.mask /etc/portage/package.mask.bak
    emerge -puDNtv world
    mv /etc/portage/package.mask.bak /etc/portage/package.mask

    These are the packages that would be merged, in reverse order:

    Calculating dependencies... done!
    [ebuild U ] dev-java/sun-jre-bin-1.6.0.13 [1.6.0.12] USE=X alsa nsplugin odbc 78,284 kB [0]

(... and some perl modules).

So, that's ssh, gcc and java I can pass on today... figure I can unmask in a month and update any of these packages, if I feel like it. But, http://bugs.gentoo.org/buglist.cgi?quicksearch=xpdf (search on the one update I took), it looks like there was a good gentoo reason and maybe a good gentoo response. As I understand it, if the maintainer thinks the recent changes/patches are significant, I'll get a -rN for a new ebuild. OTOH, if there's a new version of something I care about tracking new
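The "really ugly bash script" in the message above does two things worth keeping as functions on a frozen box: pull the package atoms out of `glsa-check -p` output, and strip the version so they can be handed to `equery d`. The script below is an added example (not code from the thread or from gentoolkit) that does both in plain sh with sed, handling the atom shapes that appear in the message (`-rN` revisions, `_p1` suffixes, package names containing digits and hyphens). SAMPLE_GLSA_CHECK is constructed to match the indented atom lines the message's grep/perl pipeline expects; `glsa_dependents` is the part that needs a real Gentoo system with glsa-check and equery.

```shell
#!/bin/sh
# Added example: helpers for auditing GLSA-driven updates on a masked/frozen
# Gentoo system. Not code from the thread; SAMPLE_GLSA_CHECK is constructed.

# Constructed sample of "glsa-check -p" output, in the format the message's
# pipeline parses (atom lines indented, old version in parentheses).
SAMPLE_GLSA_CHECK='This system is affected by the following GLSAs:
Checking GLSA 200808-09
The following updates will be performed for this GLSA:
     net-nds/openldap-2.4.11-r1 (2.3.41)
Checking GLSA 200903-11
The following updates will be performed for this GLSA:
     dev-python/pycrypto-2.0.1-r8 (2.0.1-r6)'

# strip_version <atom>
# Drop the trailing version (and optional -rN revision) from a package atom:
#   net-misc/openssh-5.2_p1-r1 -> net-misc/openssh
#   dev-java/sun-jre-bin-1.6.0.13 -> dev-java/sun-jre-bin
# A Gentoo package name never ends in "-<digit>...", so removing the last
# hyphen-digit component (plus any -rN after it) is safe.
strip_version() {
    printf '%s\n' "$1" | sed -E 's/-[0-9][^-]*(-r[0-9]+)?$//'
}

# glsa_packages
# Read "glsa-check -p" output on stdin; print the unique, version-free names
# of the packages it would update, one per line.
glsa_packages() {
    grep -E '^[[:space:]]+[a-z0-9-]+/[^[:space:]]+' |
        sed -E 's/^[[:space:]]+//; s/[[:space:]].*$//' |
        while IFS= read -r atom; do strip_version "$atom"; done |
        sort -u
}

# glsa_dependents
# For every GLSA affecting this system, show what depends on each package the
# fix would pull in. Needs glsa-check and gentoolkit's equery, as in the thread.
glsa_dependents() {
    for glsa in $(glsa-check -t affected); do
        glsa-check -p "$glsa" | glsa_packages
    done | sort -u | while IFS= read -r pkg; do
        echo "== $pkg"
        equery d "$pkg"
    done
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_GLSA_CHECK" | glsa_packages
```

The version-stripping regex is the piece to get right: the perl one-liner in the message keys on `-\d[\d.]`, which breaks on versions like `5.2_p1` once the first character after the digit is not a digit or dot. Anchoring on the last `-<digit>` run instead (`[^-]*` up to an optional `-rN`) covers the suffixes Portage allows.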