On Sep 01, 2011, Ele Asurareo wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello fwknop list,

Hello Ele,

> I'm a new user of fwknop with GPG authentication on Debian. I first
> heard about it during Michael's presentation at The Last HOPE and kept
> the idea in the reptile brain for the right time.
> 
> I've put together a Xen virtual hosting environment based on the
> packages in Debian Stable (Squeeze). It works great! Except for one
> mysterious problem.
> 
> I'm connecting to the host OS, which is supported by an ethernet bridge
> (xenbr1) between the physical interface (eth1) and the domU virtual
> interfaces (vif1.n). xenbr1 is assigned an IP address. fwknopd listens
> on xenbr1 in pcap mode.
> 
> I configured fwknopd successfully and sent a successful SPA packet to
> the IP of xenbr1. The firewall rule was added to allow access and I
> could SSH properly as expected. I went home and tried to connect from
> there, which was successful. Two days have passed and I've verified the
> server hasn't been rebooted nor has anyone else used SPA to connect to
> the SSH port. Strangely, I can no longer get the SPA packet to open the
> SSH port. I've confirmed this with nmap. Despite authenticating as
> before, I cannot connect.
> 
> I have a few hypotheses I will test tomorrow when I'm in front of a
> local console but I would appreciate any special advice to operate
> fwknopd reliably on a Linux ethernet bridge.

Are you running the perl version or the more updated C version?  In
virtual environments I've sometimes seen odd behavior with sniffers not
seeing the expected traffic, but I don't really have specifics.  I think
it would be a good idea to see if fwknopd is seeing the traffic at all.
You could run "tcpdump -i <intf> -l -nn udp port 62201 -w 62201.pcap" and
see if tcpdump is able to log the SPA packets too as an additional check
to ensure that sniffers can see the traffic.

Another thing to check is whether the system clocks between the fwknopd
server system and your client system are relatively in-sync.  By default,
fwknopd requires the time stamp on any incoming SPA packet to not be
older than 120 seconds - this is required in order to prevent a certain
type of MITM attack (as discovered by Sebastien).  If you really want
to disable this (such as if you aren't using NTP and time sync is
otherwise difficult), then you can set ENABLE_SPA_PACKET_AGING to "N",
but I wouldn't recommend it.

fwknopd does supply some log information via syslog that may be helpful
too - usually in /var/log/messages.

Thanks,

--Mike


> Thanks for your help,
> Ele
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iQEcBAEBAgAGBQJOYC1aAAoJEAJXVNHGZu/O0mkH/2H5W6XkXDJuwA4H0naYDC1E
> hoY38oHiGe7tP65mWy0fxM5y7lzeODRJJGlIjpnGHg11CVbu0wPuLUPFXh3iUmWr
> mAxcj0G879lIL0qp/KQ84AafW2FH5RrO8PFNAG1DDTHeqZ/aISGllYA8Ty7UuBFK
> gghhP4toCFVPRNK1Z1CylqkWP8tP0waqXp8PNvqmSB0z4ch31uJD9ljHDdn8TXgC
> Fxs7lWGqarXvwjYBKeJazYumPkgkCJ6cS9fkP1PGETEhP92B+PibUDV+RQPxrEv/
> J2PO0aMb8U6bQ8X4X/VbleM0nOqx9+ctLmIYkIDuqm9Y6GCwd1p7P9Mm8rRmMO4=
> =Cp26
> -----END PGP SIGNATURE-----
> 
> ------------------------------------------------------------------------------
> Special Offer -- Download ArcSight Logger for FREE!
> Finally, a world-class log management solution at an even better 
> price-free! And you'll get a free "Love Thy Logs" t-shirt when you
> download Logger. Secure your free ArcSight Logger TODAY!
> http://p.sf.net/sfu/arcsisghtdev2dev
> _______________________________________________
> Fwknop-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss

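Two of the checks Mike suggests (does the sniffer interface actually see the SPA datagrams, and are the clocks within the packet-aging window) can be scripted. The following Python program is an added example, not code from the fwknop project or from either poster: it reads a classic libpcap file like the one the tcpdump command in the reply writes, counts datagrams addressed to UDP 62201 per source address, and applies a freshness check modelled on the 120-second aging default described above. The capture bytes, addresses and timestamps are constructed inline so it runs offline; rejecting timestamps that are too far in the future as well as too far in the past is my assumption, not a statement about how fwknopd implements the check.

```python
"""Added example: verify that a capture taken on the sniffing interface
contains SPA datagrams, and check client/server clock skew against the
SPA packet-aging window. Not fwknop project code."""
import struct
import time
from collections import Counter

SPA_PORT = 62201       # fwknopd default SPA port, as used in the thread
MAX_SPA_AGE = 120      # seconds; the packet-aging default mentioned in the reply


def _ipv4_udp(src, dst, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/UDP frame (checksums left zero; enough to parse)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00" * 6 + b"\x00" * 5 + b"\x01" + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    return eth + ip + udp


def make_pcap(frames, base_ts=1314900000):
    """Serialize frames into a classic little-endian pcap (link type 1 = Ethernet).
    Timestamps are constructed: base_ts plus one second per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def spa_datagrams(pcap_bytes):
    """Yield (capture_ts_sec, src_ip, dst_ip) for every IPv4/UDP datagram to SPA_PORT."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (nanosecond or pcapng formats not handled)")
    linktype, = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if linktype != 1:
        raise ValueError("expected an Ethernet capture; bridge interfaces normally give one")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
            continue                         # too short, or not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17 or len(ip) < ihl + 8:
            continue                         # not UDP, or truncated header
        dport, = struct.unpack_from("!H", ip, ihl + 2)
        if dport != SPA_PORT:
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        yield ts_sec, src, dst


def spa_sources(pcap_bytes):
    """Count SPA datagrams per source address: an empty result means the
    sniffer never saw the traffic, which is the first thing to rule out."""
    return Counter(src for _, src, _ in spa_datagrams(pcap_bytes))


def spa_timestamp_is_fresh(spa_ts, now=None, max_age=MAX_SPA_AGE):
    """Freshness check modelled on the 120 s aging window. A client clock that
    is off by more than max_age in either direction fails here (the symmetric
    treatment is this example's assumption)."""
    now = time.time() if now is None else now
    return abs(now - spa_ts) <= max_age


# Constructed capture: two SPA datagrams from different hosts plus one DNS query.
SAMPLE_PCAP = make_pcap([
    _ipv4_udp("10.0.0.5", "192.0.2.10", 40000, SPA_PORT, b"constructed-spa-blob-1"),
    _ipv4_udp("10.0.0.5", "192.0.2.10", 40001, 53, b"constructed-dns-query"),
    _ipv4_udp("198.51.100.7", "192.0.2.10", 50000, SPA_PORT, b"constructed-spa-blob-2"),
])

if __name__ == "__main__":
    for src, n in spa_sources(SAMPLE_PCAP).items():
        print(f"{src}: {n} datagram(s) to udp/{SPA_PORT}")
    print("skew 100 s fresh:", spa_timestamp_is_fresh(1000, now=1100))
    print("skew 200 s fresh:", spa_timestamp_is_fresh(1000, now=1200))
```

To use it on a real capture, replace SAMPLE_PCAP with the contents of the file tcpdump wrote and compare the listed sources against the client that sent the SPA packet; if the client's address never appears, the bridge or sniffer, not the SPA validation, is the place to look.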