Peter Rundle <[email protected]> writes:
> Daniel Pittman wrote:
>
>> Oh. This is a VE inside a Virtuozzo system? (The commercial version of
>> OpenVZ, specifically, and a "containers" solution.) Your ISP response
>> isn't terribly technically accurate, then.
> [snip]
>
> Thanks again for the information, I was told that it was a Virtual Machine
> but didn't realise just how many and varied the VM solutions are that are
> out there now.

*nod* Virtuozzo (and OpenVZ) isn't really a "virtual machine" so much as an
enhanced chroot, like FreeBSD jails or the earlier Linux VServer and more
recent Linux Containers support in the mainline kernel.

> My experience with VMs is more of the VMware flavour where you have your
> own kernel.

*nod* Personally, I dislike the "fake hardware" flavour of virtualization
compared to containers, since it makes the whole thing a lot less efficient.
It certainly is technically simpler, in many ways[1], which is why it is so
much better known.

> We've decided to try to get it to work from a test box running Ubuntu. A
> real machine but unfortunately behind a NAT gateway.

Ah. IPSec and NAT go together like a knife and stabbing yourself: it hurts,
rather a lot. :/

> I've googled around looking for a decent HOW-TO but I'm just getting totally
> confused now. As I understand it IPSec has been moved into the kernel and
> you just need to install ipsec-tools, but the documentation constantly refers
> to other products: racoon, setkey and openswan.

Yes. OK, let me clarify this:

ipsec-tools provides 'setkey', which manipulates the IPSec "security
associations" in the kernel. These are used in the ESP and AH protocols that
make up the encryption-related parts of IPSec.

Racoon and Pluto (from OpenSWAN) implement a related-but-not-identical ISAKMP
protocol, which is used to negotiate keys between IPSec peers and to manage
security associations automatically.

> As I understand it Openswan is no longer needed. I'm not sure how racoon
> fits into the picture, something about auto key generation?

Yes. Both sides need a shared symmetric encryption key for efficiency. You
can calculate that from a pre-shared key, but the most common deployment is
to use ISAKMP and some sort of shared secret to negotiate, over the insecure
network, a shared key.[2]

> And where does setkey fit into the picture?

It operates on the "security association" database.

> None of the authors of the examples seem to remember to write down how to
> invoke the actual tunnel, so after following their guides as to what to put
> in the configure files they sign off with "that's it, good luck".

Ah.

> Great, so I've edited a bunch of text files; I kinda figure however that
> isn't going to actually bring the VPN up. Sigh.

What you normally need to do is configure one of the ISAKMP tools, then set
it running and have it manage the rest of the process for you.

> A link to a really good step-by-step user guide would be much appreciated.

http://www.ipsec-howto.org/t1.html

Not that I have used it, but it doesn't suck on a quick glance. Since you
now have NAT in the picture, go to the KAME section which includes NATT, or
NAT Traversal, instructions.

Regards,
    Daniel

Footnotes:
[1]  ...other than obtaining performance assurances and full hardware
     utilization, of course.

[2]  Safely, obviously. ;)

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
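Editor's added example (not part of the thread above, and not taken from the
ipsec-tools or racoon projects): the division of labour Daniel describes,
written out as the two files a NAT'd Ubuntu test box would actually need. The
setkey file only installs *policies* (which traffic must be protected, and
how); the ESP keys themselves never appear in it, because racoon negotiates
them and writes the resulting SAs into the kernel. All addresses, the FQDN
identity and the key string are assumptions for illustration: 192.168.1.10 is
the test box's private address behind the NAT, 203.0.113.5 the public address
of the remote end, and 10.0.0.0/24 the network reachable through it.

```conf
#!/usr/sbin/setkey -f
# --- /etc/ipsec-tools.conf (loaded with "setkey -f /etc/ipsec-tools.conf") ---
# Addresses below are assumed for this example (see the lead-in).
# Flush the SA database and the policy database, then install policies.
flush;
spdflush;

# Outbound traffic from the test box to the remote network must be carried in
# an ESP tunnel.  "require" means that, when no SA exists, the kernel drops
# the packet and sends an ACQUIRE to the IKE daemon (racoon) rather than
# letting it out in the clear.
spdadd 192.168.1.10/32 10.0.0.0/24 any -P out ipsec
    esp/tunnel/192.168.1.10-203.0.113.5/require;

# The mirror-image policy for inbound traffic.
spdadd 10.0.0.0/24 192.168.1.10/32 any -P in ipsec
    esp/tunnel/203.0.113.5-192.168.1.10/require;


# --- /etc/racoon/racoon.conf (loaded with "racoon -F -f /etc/racoon/racoon.conf") ---
path pre_shared_key "/etc/racoon/psk.txt";

# Bind to the private address only.  isakmp_natt opens the UDP/4500 socket
# that NAT Traversal moves the exchange (and the UDP-encapsulated ESP) onto
# once both ends detect a NAT between them.
listen {
    isakmp 192.168.1.10 [500];
    isakmp_natt 192.168.1.10 [4500];
}

# Phase 1 (ISAKMP SA) with the remote end.
remote 203.0.113.5 {
    # Aggressive mode with an FQDN identity: behind NAT the peer sees the NAT
    # gateway's address, not 192.168.1.10, so it cannot look the PSK up by
    # our source address.  (FQDN/identity and key below are assumed values.)
    exchange_mode aggressive;
    my_identifier fqdn "testbox.example.com";
    nat_traversal on;
    # Dead peer detection, so a NAT mapping that times out is noticed.
    dpd_delay 20;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

# Phase 2 (IPsec SA) parameters; these must match the setkey policies and the
# peer's configuration, otherwise negotiation fails with "no proposal chosen".
sainfo anonymous {
    pfs_group modp1024;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}


# --- /etc/racoon/psk.txt (must be mode 0600 or racoon refuses to read it) ---
# <identifier> <key>.  On this side the key is indexed by the peer's address;
# on the peer it is indexed by the FQDN identity sent above.  Assumed value:
203.0.113.5   ExamplePreSharedKeyChangeMe
```

Bringing it up, in the order the thread says nobody writes down: run
`setkey -f /etc/ipsec-tools.conf` to load the policies, start the IKE daemon
in the foreground with `racoon -F -f /etc/racoon/racoon.conf` so you can watch
the negotiation, then send traffic that matches the policy (e.g. `ping
10.0.0.1`). The kernel's ACQUIRE triggers phase 1 and phase 2; `setkey -D`
then shows the negotiated SAs (with a NAT-T/UDP encapsulation line when
traversal kicked in) and `setkey -DP` shows the policies. The NAT gateway
must let UDP/500 and UDP/4500 out and keep the mapping alive, and the remote
end also needs `nat_traversal on`. Two caveats a practitioner would want:
aggressive mode with a pre-shared key exposes a hash derived from the PSK on
the wire, so it is only acceptable with a long random key (or replace PSK
with certificates), and modp1024/SHA-1 are shown because they were the common
interoperable defaults of the era, not because they are the choice you would
make for a new deployment.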
