I set up autofs to automount a Windows share, but it wouldn't work after a reboot because autofs was not running on startup! I couldn't understand why because I saw it linked to by a file in rc2.d/. I even tried calling it from /etc/rc.local but rc.local wasn't getting run on startup either!

Finally, I discovered that my Eee PC runs something called fastinit on startup, not regular init (how do you think it boots so fast?). Fastinit doesn't pay attention to what's in the rc?.d dirs. To get autofs to run on startup the solution is to add autofs to the /ets/fastservices file. I wish I had understood that sooner.

[ add comment ]   |  permalink  |   ( 3 / 41 )

---

I'm big on security, but not at the expense of usability and privacy. When it comes to VPN connections, I prefer split tunneling. Split tunneling means instead of forcing all traffic through the VPN, only traffic destined for the remote subnet goes through the VPN.

Here are my arguments:

1. Forcing all traffic through the VPN doesn't provide a lot more security because:
a. Traffic is encrypted from the user to the other end of the VPN, but not from there to the final destination.
b. Traffic destined for external networks probably do not need to be secured anyways.
c. The VPN client can usually be turned on and off at any time.
d. When "local lan" is enabled, the computer connected to the vpn is still susceptible to attack from the public non-secured network by tunneling through another computer on the LAN first.

2. Forcing all traffic through the VPN causes all of the following problems:
a. Traffic between a user and external computers can be slowed down considerably.
b. Traffic for others inside the secured network is slowed down by a VPN user needlessly.
c. Certain protocols may be broken.
d. Network applications get disconnected during VPN connection and must re-connect.
e. Privacy. Personal traffic like emailing your spouse should not be forced to travel through your work network.

Disabling split tunneling may be ok for road-warriors, but for employees who work from home and need to constantly access both work resources and the Internet, it can be very annoying.


[ add comment ]   |  permalink  |   ( 3 / 270 )

---

My workplace has a Fortinet IPSEC VPN, which I connect to from my Linux server. There are multiple subnets at work, like 192.168.0.0/21 and 10.2.2.0/24, and this was causing problems.

Everything was working great, except I could only connect to computers on one subnet at a time. If I connected to a computer on the other subnet, the first subnet would stop working, and I would have to restart racoon to make it work again (actually I just had to reset my SAD entries, with setkey -F, and let it re-associate).

To make a long story short, the problem was that Fortinet cannot handle multiple tunnels like that. If you establish a second tunnel, it uses the keys negotiated in that tunnel from then on. It doesn't use the first tunnel. This post explains it a little better.

Well I never wanted two tunnels in the first place. I only want one tunnel even though there are multiple subnets on the remote side. To fix it, I simply had to use require instead of unique on my SPD entries!

I'm using Debian's racoon-tool to create my spd entries (and racoon.conf). With racoon-tool, you simply have to add the level: require option to each of your connections in your racoon-tool.conf.

---

BTW, my tunnel looks like this:
a.b.c.d/32 => a.b.c.d => x.y.z.w => 192.168.0.0/21

not like this:
192.168.8.0/24 => a.b.c.d => x.y.z.w => 192.168.0.0/21

Since my Linux server performs NAT (MASQUERADE) in iptables, I only need the tunnel to go to my server, not to my whole LAN subnet. Somehow it is smart enough to do NAT and then encrypted on the way out, and decrypt then un-NAT on the way in, or something like that. BTW, it's so smart that even when I was having problems with two tunnels from my server, the computers inside my LAN could connect to both remote subnets with no problem! I believe this is due to a special MASQ table that can dynamically associate SPI values. This page explained it well for me.

[ add comment ]   |  permalink  |   ( 2.7 / 144 )

---

Spammers got me again, even with captchas in place.

I don't have time to sit around and delete spam posts all day, so I'm going to have to disable comments, sorry.

[ add comment ]   |  permalink  |   ( 2.9 / 117 )

---

I just had to apt-get install php4-gd. Now capcha are graphical and hopefully that will keep spammers away, for the most part.

[ add comment ] ( 6 views )   |  permalink  |   ( 2.9 / 165 )

---

Next

Links
Blog Home
Phillip Home
Contact Me
Stats

---

Login

---

Archives

«	May 2009					»
Sun	Mon	Tue	Wed	Thu	Fri	Sat
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30
31
11/23/2009

---

Archives
View Archives

---

Categories
Personal
Linux
Programming
Networking

---

Search:

 

---

Most Recent Comments
Cal
Friday, January 12, 2007, 07:41 PM
The Actiontec devices are faulty. They...

---

Most Recent Entries
Eee PC won't run my startup scripts
Linux Software RAID
VPN split tunneling
unresolved external Foo::`scalar deleting destructor`
Running CMD.EXE as Local System
Linux kernel 2.6 IPSEC: single tunnel for multiple remote networks
No more posting
Source not found in Eclipse 3.2.2 on Ubuntu Feisty Fawn
All fixed; capchas in place
Spammers got me, comments disabled

---

Copyright (c) 2006, Phillip Hellewell. Individual comments owned by whoever posted them. - Page Generated in 0.9883 seconds