http://hellewell.homeip.net/phillip/blogs/index.php Copyright 2009, Phillip Hellewell Phillip Hellewell en-US SPHPBLOG 0.4.7.1 http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry090517-103342
Finally, I discovered that my Eee PC runs something called fastinit on startup, not regular init (how do you think it boots so fast?). Fastinit doesn't pay attention to what's in the rc?.d dirs. To get autofs to run on startup the solution is to add autofs to the /ets/fastservices file. I wish I had understood that sooner.]]> Linux, Networking http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry090517-103342 Phillip Hellewell Sun, 17 May 2009 16:33:42 GMT http://hellewell.homeip.net/phillip/blogs/comments.php?y=09&m=05&entry=entry090517-103342 http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry090513-225357
The main problem was Debian kept adding an extra /dev/md0 to the mdadm.conf. The extra entry had the wrong UUID. During the install process I had fixed mdadm.conf, but had not realized that the initrd also contained an mdadm.conf (with the extra entry). This caused no end of grief because after each reboot it would show only 1 out of 4 components working [U___] and e2fsck would fail. It was trying to add a whole disk (sdd) instead of the partitions (sda3,sdb3,sdc3,sdd4).

Running update-initramfs fixed the problem nicely. I wish I had known about that sooner.]]> Linux http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry090513-225357 Phillip Hellewell Thu, 14 May 2009 04:53:57 GMT http://hellewell.homeip.net/phillip/blogs/comments.php?y=09&m=05&entry=entry090513-225357 http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry080509-170319
Here are my arguments:

1. Forcing all traffic through the VPN doesn't provide a lot more security because:
a. Traffic is encrypted from the user to the other end of the VPN, but not from there to the final destination.
b. Traffic destined for external networks probably do not need to be secured anyways.
c. The VPN client can usually be turned on and off at any time.
d. When "local lan" is enabled, the computer connected to the vpn is still susceptible to attack from the public non-secured network by tunneling through another computer on the LAN first.

2. Forcing all traffic through the VPN causes all of the following problems:
a. Traffic between a user and external computers can be slowed down considerably.
b. Traffic for others inside the secured network is slowed down by a VPN user needlessly.
c. Certain protocols may be broken.
d. Network applications get disconnected during VPN connection and must re-connect.
e. Privacy. Personal traffic like emailing your spouse should not be forced to travel through your work network.

Disabling split tunneling may be ok for road-warriors, but for employees who work from home and need to constantly access both work resources and the Internet, it can be very annoying.
]]> Networking http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry080509-170319 Phillip Hellewell Fri, 09 May 2008 23:03:19 GMT http://hellewell.homeip.net/phillip/blogs/comments.php?y=08&m=05&entry=entry080509-170319 http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry080307-102448
1. Class has virtual DTOR.
2. Class is inside another class.
3. Class is built into a static library.
4. PCH is on.

Removing any one of those conditions would solve the problem. I chose #2, by moving my class to namespace level.
]]> Programming http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry080307-102448 Phillip Hellewell Fri, 07 Mar 2008 17:24:48 GMT http://hellewell.homeip.net/phillip/blogs/comments.php?y=08&m=03&entry=entry080307-102448 http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry070727-152424 blogs.msdn.com

In short, you can create a service that will launch cmd.exe as the local system user, by running this:

sc.exe create testsvc binpath= "cmd /K start" type= own type= interact]]> http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry070727-152424 Phillip Hellewell Fri, 27 Jul 2007 21:24:24 GMT http://hellewell.homeip.net/phillip/blogs/comments.php?y=07&m=07&entry=entry070727-152424 http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry070623-160740
Everything was working great, except I could only connect to computers on one subnet at a time. If I connected to a computer on the other subnet, the first subnet would stop working, and I would have to restart racoon to make it work again (actually I just had to reset my SAD entries, with setkey -F, and let it re-associate).

To make a long story short, the problem was that Fortinet cannot handle multiple tunnels like that. If you establish a second tunnel, it uses the keys negotiated in that tunnel from then on. It doesn't use the first tunnel. This post explains it a little better.

Well I never wanted two tunnels in the first place. I only want one tunnel even though there are multiple subnets on the remote side. To fix it, I simply had to use require instead of unique on my SPD entries!

I'm using Debian's racoon-tool to create my spd entries (and racoon.conf). With racoon-tool, you simply have to add the level: require option to each of your connections in your racoon-tool.conf.

---

BTW, my tunnel looks like this:
a.b.c.d/32 => a.b.c.d => x.y.z.w => 192.168.0.0/21

not like this:
192.168.8.0/24 => a.b.c.d => x.y.z.w => 192.168.0.0/21

Since my Linux server performs NAT (MASQUERADE) in iptables, I only need the tunnel to go to my server, not to my whole LAN subnet. Somehow it is smart enough to do NAT and then encrypted on the way out, and decrypt then un-NAT on the way in, or something like that. BTW, it's so smart that even when I was having problems with two tunnels from my server, the computers inside my LAN could connect to both remote subnets with no problem! I believe this is due to a special MASQ table that can dynamically associate SPI values. This page explained it well for me.]]> Linux, Networking http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry070623-160740 Phillip Hellewell Sat, 23 Jun 2007 22:07:40 GMT http://hellewell.homeip.net/phillip/blogs/comments.php?y=07&m=06&entry=entry070623-160740 http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry070515-081101
I don't have time to sit around and delete spam posts all day, so I'm going to have to disable comments, sorry.]]> Personal, Networking http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry070515-081101 Phillip Hellewell Tue, 15 May 2007 14:11:01 GMT http://hellewell.homeip.net/phillip/blogs/comments.php?y=07&m=05&entry=entry070515-081101 http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry070509-141530
I tried editing the source lookup path to no avail.

The issue was Eclipse running under the java-gcj VM. I edited my /etc/eclipse/java_home file and placed /usr/lib/jvm/java-1.5.0-sun at the very top and restarted Eclipse. This time it ran under Sun's VM and the problem went away!
]]> Linux, Programming http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry070509-141530 Phillip Hellewell Wed, 09 May 2007 20:15:30 GMT http://hellewell.homeip.net/phillip/blogs/comments.php?y=07&m=05&entry=entry070509-141530 http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry061008-011308 Networking http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry061008-011308 Phillip Hellewell Sun, 08 Oct 2006 07:13:08 GMT http://hellewell.homeip.net/phillip/blogs/comments.php?y=06&m=10&entry=entry061008-011308 http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry061008-004600 Networking http://hellewell.homeip.net/phillip/blogs/index.php?entry=entry061008-004600 Phillip Hellewell Sun, 08 Oct 2006 06:46:00 GMT http://hellewell.homeip.net/phillip/blogs/comments.php?y=06&m=10&entry=entry061008-004600