I am watching the StrongSwan lists, even though not using it frequently anymore. Today I came across an interesting case from one of the users. I will not disclose his identity, but the case was very nice.

The story is like this:

*let’s imagine all boxes run linux, gw and vpn server run strongswan for ipsec

a. the GW establishing s2s ipsec tunnel with the vpn server – this happens for many/all of the IP addresses behind the GW, _except_ the client (as represented in the picture)

b. the GW acts also as a masquerading nat box, translating all ip addresses behind it to its public ip address (IP3 in the picture)

c. the client is supposed to establish remote-access ipsec connections to the vpn server

* problem: c. does not happen if a. is taking place: if the s2s tunnel establishing is active between IP3 and IP4, then the remote-access connection between client and server is not established

Now: how can we help this guy?

1. My initial idea was to dismiss his dilemma and ask him to configure proper traffic selectors. Unfortunately, this is not working for him, as the GW does masquerading, and according to the very nice Kernel netfilter arch, all packets look the same for the ipsec engine

2. To double-check, I’ve been looking for the netfilter picture.

http://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO-3.html

http://www.docum.org/docum.org/kptd/ (thank you, tyrant! )

So I was thinking that maybe he could put some more specific rules into the forwarding chain, and overcome the masquerading issue? Our goal is to trick the IKE/IPsec packets coming from the client in _not_ reaching the GW’s ipsec engine.

Any other ideas?

Later edit:

Just got the feedback from the guy. It’s working. What he did in order to overtake this interesting situation was to add bypass rules on the GW machine, in order to convince this machine to automatically forward the packets from client to vpn server, immediately after natting them, without passing them through the ipsec engine

ip xfrm policy add dir out src 0.0.0.0/0 dst 0.0.0.0/0 proto udp dport 500 priority <some low number>

The solution looks/is very very simple, but to get here I still had to query an old friend (remember vmp? ) and do some digging into netfilter :) It paid off

One more happy “ipsec friend” Iuha!

Tags: passion, techie

1. I hate when people spend lots of money for nice software with proper support and shit, and using this wonderful software you cannot create basic stuff that otherwise any 5-year old can create on open-source solutions. Not to mention: super slow answer time from the aforementioned customer support. Gosh, how I miss the firefox or pidgin forums response times!

2. Nice WhitePaper on BIP (Bearer Independent Protocol), from the nice people from Giesecke & Devrient:

http://www.mobile-ecosystem.org/wp-content/uploads/downloads/2010/02/BIP_Whitepaper_final.pdf

3. Nice White Paper on Silent SMS DoS, from the nice people from ICSA:

http://mo.co.za/open/silentdos.pdf

PS: Gotta thank dh1jc…

Tags: passion, techie

Dupa cum se vede, tiranul a repus bloggy pe piciorushe

And I am back to my sweet old addictions: rock’n'roll, movies and so on. Thank you, tyrant!

Cel mai recent am descoperit o inregistrare de studio al lui Jonathan Davis, pentru o parte din piesele de pe coloana sonora de la Queen of the Damned. Mda, vocea omului astuia nu mai are nevoie de nicio prezentare. Tin minte ca am recunoscut-o in film, de la primele silabe…”asta parca e Jonathan Davis. El tre sa fie!” Evident, el era

Forsaken

http://www.youtube.com/watch?v=et8CczkuiSU&feature=relmfu

Enjoy

Tags: music, passion

Am iesit cu colegii la karting in Haga. Evident, ca la mai toate alte sporturile, eu ies pe ultimul loc Nu prea e cale de concurat cu oamenii astia. Cu toate astea, m-am distrat grozav. Apoi am iesit “la bere” si nu am putut pierde ocazia sa ma pozez langa un Nespresso Store. Poze mai jos:

[Show as slideshow]

12►

Tags: fun, travel

Today I realized I am a true Junkie. Unfortunately, though my drugs are not very expensive, they are Extremely hard to get.

I am constantly looking for that “feeling”. And I’ve only got _that_ feeling a couple of times: reading “Ender’s Game”, “Old Man’s War” and “Dune”. And not even all of the books in the series.

Please help me get high again. Recommend for me things as exciting as these ones. And I’ll be forever grateful.

signing: ze junkie

Tags: passion

Si un cadou pt. voi (si da, si pentru mine )

http://www.youtube.com/watch?v=qkCYzwr7Yxs&list=PL10A0E033226AE9E6&feature=mh_lolz

Enjoy!

one of the best wishes (thanks, Alex): Laaa muuuuuulti ani! Ai o zi de nastere strategica, intre 1 si 8 martie:) Iti urez o primavara calduroasa si insorita, cam cum e pe aici:) cred ca la tine ar merge f bine un tort in forma de rack cu server si cu lumanari in mufele de retea:)

Tags: aiurea

Mi-am facut abonament la Sport City Leiden. E genial! 50 eur pe luna, abonament full time, la toate locatiile Sport City din Olanda, oricand, la orice program. Asta e la 5 minute de mers de unde stau eu, are o receptie imensa, cu sucuri si cafea, loc de joaca pentru copii, si 5 sali de squash. 3 etaje cu sali de fitness, aerobic si cycling. Ieri si azi am fost la cycling.

1. Da, stiu: azi nu a fost rau, dar maine probabil nu voi putea sa merg

2. Din pacate pentru moralul meu, oamenii aia de la gym arata bestial – asta la cei 50-60 de ani ai multora dintre ei. Cat despre instructor: aia de la World Class erau gluma. Din pacate orele sunt in olandeza si sa crap si tot nu pricep ce tzipa nenea ala acolo in microfonul lui wireless. Azi cred ca aveam o figura foarte disperata (explicabila in mod decent de lipsa de oxigen din creierul meu si de faptul ca respectiva sala se cam invartea cu mine, eu fiind gata sa lesin), ca bietul om m-a intrebat daca sunt bine. Nu s-a ingrijorat de soarta femeilor de 60 de ani, ci de soarta mea. Concluzia: worst day ever!

Noroc cu sauna de dupa. Program prelungit, ca sa nu mai ies in vestiarul plin de tanti super fit la 60 de ani.

Si apoi m-am incuiat in casa numai si numai sa nu ies sa cumpar ciocolata pt. depresie.

Macar la partea de climbing a binevoit sa puna Enter Sandman. Care este cam singura piesa decenta auzita acolo. Ce e cu instructorii astia de fitness de pun numai piese nasoale la ore? Am pedalat cu mult mai mult spor cand l-am auzit pe nenea Hetfield si mi-a scazut considerabil entuziasmul cand a inceput muzica produsa pe calculator. Si puteam sa jur ca si nenea instructorul fredona piesa de la Metallica (sau doar ma amagesc ca nu eram singura persoana care dadea din pedale in ritm de “exit light, enter night!!”). Oare e acolo un sef ceva care ii obliga pe instructori sa puna muzica nasoala la antrenamente? hmm

Nota de subsol pt. cei care apreciaza: in Olanda oamenii folosesc bisericile cum se cuvine! A doua locatie Sport City din Leiden e in cladirea unei foste biserici Oameni practici, olandezii astia.

Tags: fitness, passion

http://www.youtube.com/watch?v=8S9qb8fcisM

Henkka Sepala – live and kicking. I missed the old “Blacksmith” from Hatebreeder.

Shovel Knockout, a doua piesa de pe Relentless Reckless Forever is my fav

Tags: music, passion

Great Wine Made Simple: Straight Talk from a Master Sommelier

by Andrea Immer Robinson

Tags: books, passion, wine