gparent's questions

I want to connect two servers to eachother over the internet. For various reasons I cannot use IPSec for this.

I would like traffic to be transparently encrypted as if I was using IPSec transport mode. I have decided to use routing for this (but I'm open to better alternatives)

My tunnel is up on 10.255.255.0/30, A uses .1, B uses .2. Let's say server A is at 192.168.0.100 and server B 172.16.0.200.

While I could add a route to encrypt all traffic (using on A ip route add 172.16.0.200/32 dev tun0 via 10.255.255.2), doing so kills the tunnel because OpenVPN traffic is using the same remote IP to keep the tunnel up.

I need a way to route the actual OpenVPN tunnel through eth0 but otherwise use tun0 to carry all traffic between server A and B. I have ip_forward enabled on both servers and appropriate firewall rules to allow the traffic, but I am not sure where to start in iptables to accomplish this.

I am looking at a Cisco switch's log at work and am a bit confused by how verbose it can be at times.

For instance, we use automatic QoS here and I often see this when phones are plugged:

Mar 18 15:22:40: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Fa1/0/9, port's configured trust state is now operational.
Mar 18 15:22:41: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Fa1/0/9, port's configured trust state is now operational.
Mar 18 15:22:42: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Fa1/0/9, port's configured trust state is now operational.
Mar 18 15:22:43: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Fa1/0/9, port's configured trust state is now operational.
Mar 18 15:22:44: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Fa1/0/9, port's configured trust state is now operational.
Mar 18 15:22:45: %SWITCH_QOS_TB-5-TRUST_DEVICE_DETECTED: cisco-phone detected on port Fa1/0/9, port's configured trust state is now operational.

Why does it spam this message six times? This is on a WS-C3750V2-24-PS-S switch. If it makes a difference, there are 5 switches of the sort in one stack running IOS 12.2(55)SE3.

The port's configuration is as follows:

Current configuration : 655 bytes
!
interface FastEthernet1/0/9
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 710
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip arp inspection limit rate 100
 load-interval 30
 srr-queue bandwidth share 10 10 60 20
 priority-queue out 
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone 
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AutoQoS-Police-CiscoPhone
 ip verify source
 ip dhcp snooping limit rate 100
end

With the latest versions of HAProxy, simply typing make does not work, returning the following message:

Due to too many reports of suboptimized setups, building without specifying the target is no longer supported. Please specify the target OS in the TARGET variable, in the following form:

make TARGET=xxx

Please choose the target among the following supported list :

linux2628, linux26, linux24, linux24e, linux22, solaris freebsd, openbsd, cygwin, custom, generic

Use "generic" if you don't want any optimization, "custom" if you want to precisely tweak every option, or choose the target which matches your OS the most in order to gain the maximum performance out of it. Please check the Makefile in case of doubts.

What is the difference between linux2628 and linux26 ? Can I use linux2628 even if I have a newer kernel version?

On ClusterA and B I have installed the "openswan" package on Debian Squeeze.

ClusterA ip is 172.16.0.107, B is 172.16.0.108

When they ping one another, it does not reach the destination.

/etc/ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
        protostack=netkey
        oe=off

conn L2TP-PSK-CLUSTER
        type=transport
        left=172.16.0.107
        right=172.16.0.108
        auto=start
        ike=aes128-sha1-modp2048
        authby=secret
        compress=yes

/etc/ipsec.secrets:

172.16.0.107 172.16.0.108 : PSK "L2TPKEY"
172.16.0.108 172.16.0.107 : PSK "L2TPKEY"

Here is the result of ipsec verify on both machines:

root@cluster2:~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.28/K2.6.32-5-amd64 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [FAILED]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
root@cluster2:~#

This is the end of the output of ipsec auto --status:

000 "cluster": 172.16.0.108<172.16.0.108>[+S=C]...172.16.0.107<172.16.0.107>[+S=C]; prospective erouted; eroute owner: #0
000 "cluster":     myip=unset; hisip=unset;
000 "cluster":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "cluster":   policy: PSK+ENCRYPT+COMPRESS+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "cluster":   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "cluster":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #3: "cluster":500 STATE_QUICK_R0 (expecting QI1); EVENT_CRYPTO_FAILED in 298s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #2: "cluster":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 13s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #1: "cluster":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2991s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

000

Interestingly enough, if I do ike-scan on the server here's what happens:

Doesn't seem to take my ike settings into account

root@cluster1:~# ike-scan -M 172.16.0.108
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.0.108    Main Mode Handshake returned
    HDR=(CKY-R=641bffa66ba717b6)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
    VID=4f45517b4f7f6e657a7b4351
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9: 1 hosts scanned in 0.008 seconds (118.19 hosts/sec).  1 returned handshake; 0 returned notify
root@cluster1:~#

I can't tell what's going on here, this is pretty much the simplest config I can have according to the examples.

I am running a default configuration of Puppet on Debian Squeeze 6.0.4.

The server's FQDN is master.example.com. The client's FQDN is client.example.com.

I am able to contact the puppet master and send a CSR. I sign it using puppetca -sa but the client will still not connect.

The two machines have accurate date and time.

This is what appears in /var/log/syslog:

Apr  3 17:03:52 localhost puppet-agent[18653]: Reopening log files
Apr  3 17:03:52 localhost puppet-agent[18653]: Starting Puppet client version 2.6.2
Apr  3 17:03:53 localhost puppet-agent[18653]: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Apr  3 17:03:53 localhost puppet-agent[18653]: Using cached catalog
Apr  3 17:03:53 localhost puppet-agent[18653]: Could not retrieve catalog; skipping run

Here is some interesting output:

OpenSSL client test:

client:~# openssl s_client -host master.example.com -port 8140 -cert /var/lib/puppet/ssl/certs/client.example.com.pem -key /var/lib/puppet/ssl/private_keys/client.example.com.pem -CAfile /var/lib/puppet/ssl/certs/ca.pem
CONNECTED(00000003)
depth=1 /CN=Puppet CA: master.example.com
verify return:1
depth=0 /CN=master.example.com
verify error:num=7:certificate signature failure
verify return:1
depth=0 /CN=master.example.com
verify return:1
18509:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error:s3_pkt.c:1102:SSL alert number 51
18509:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
client:~#

master's certificate:

root@master:/etc/puppet# openssl x509 -text -noout -in /etc/puppet/ssl/certs/master.example.com.pem
Certificate:
Data:
    Version: 3 (0x2)
    Serial Number: 2 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: CN=Puppet CA: master.example.com
    Validity
        Not Before: Apr  2 20:01:28 2012 GMT
        Not After : Apr  2 20:01:28 2017 GMT
    Subject: CN=master.example.com
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (1024 bit)
            Modulus (1024 bit):
                00:a9:c1:f9:4c:cd:0f:68:84:7b:f4:93:16:20:44:
                7a:2b:05:8e:57:31:05:8e:9c:c8:08:68:73:71:39:
                c1:86:6a:59:93:6e:53:aa:43:11:83:5b:2d:8c:7d:
                54:05:65:c1:e1:0e:94:4a:f0:86:58:c3:3d:4f:f3:
                7d:bd:8e:29:58:a6:36:f4:3e:b2:61:ec:53:b5:38:
                8e:84:ac:5f:a3:e3:8c:39:bd:cf:4f:3c:ff:a9:65:
                09:66:3c:ba:10:14:69:d5:07:57:06:28:02:37:be:
                03:82:fb:90:8b:7d:b3:a5:33:7b:9b:3a:42:51:12:
                b3:ac:dd:d5:58:69:a9:8a:ed
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:FALSE
        Netscape Comment:
            Puppet Ruby/OpenSSL Internal Certificate
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Subject Key Identifier:
            8C:2F:14:84:B6:A1:B5:0C:11:52:36:AB:E5:3F:F2:B9:B3:25:F3:1C
        X509v3 Extended Key Usage: critical
            TLS Web Server Authentication, TLS Web Client Authentication
Signature Algorithm: sha1WithRSAEncryption
    7b:2c:4f:c2:76:38:ab:03:7f:c6:54:d9:78:1d:ab:6c:45:ab:
    47:02:c7:fd:45:4e:ab:b5:b6:d9:a7:df:44:72:55:0c:a5:d0:
    86:58:14:ae:5f:6f:ea:87:4d:78:e4:39:4d:20:7e:3d:6d:e9:
    e2:5e:d7:c9:3c:27:43:a4:29:44:85:a1:63:df:2f:55:a9:6a:
    72:46:d8:fb:c7:cc:ca:43:e7:e1:2c:fe:55:2a:0d:17:76:d4:
    e5:49:8b:85:9f:fa:0e:f6:cc:e8:28:3e:8b:47:b0:e1:02:f0:
    3d:73:3e:99:65:3b:91:32:c5:ce:e4:86:21:b2:e0:b4:15:b5:
    22:63
root@master:/etc/puppet#

CA's certificate:

root@master:/etc/puppet# openssl x509 -text -noout -in /etc/puppet/ssl/certs/ca.pem
Certificate:
Data:
    Version: 3 (0x2)
    Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: CN=Puppet CA: master.example.com
    Validity
        Not Before: Apr  2 20:01:05 2012 GMT
        Not After : Apr  2 20:01:05 2017 GMT
    Subject: CN=Puppet CA: master.example.com
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (1024 bit)
            Modulus (1024 bit):
                00:b5:2c:3e:26:a3:ae:43:b8:ed:1e:ef:4d:a1:1e:
                82:77:78:c2:98:3f:e2:e0:05:57:f0:8d:80:09:36:
                62:be:6c:1a:21:43:59:1d:e9:b9:4d:e0:9c:fa:09:
                aa:12:a1:82:58:fc:47:31:ed:ad:ad:73:01:26:97:
                ef:d2:d6:41:6b:85:3b:af:70:00:b9:63:e9:1b:c3:
                ce:57:6d:95:0e:a6:d2:64:bd:1f:2c:1f:5c:26:8e:
                02:fd:d3:28:9e:e9:8f:bc:46:bb:dd:25:db:39:57:
                81:ed:e5:c8:1f:3d:ca:39:cf:e7:f3:63:75:f6:15:
                1f:d4:71:56:ed:84:50:fb:5d
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE
        Netscape Comment:
            Puppet Ruby/OpenSSL Internal Certificate
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
        X509v3 Subject Key Identifier:
            8C:2F:14:84:B6:A1:B5:0C:11:52:36:AB:E5:3F:F2:B9:B3:25:F3:1C
Signature Algorithm: sha1WithRSAEncryption
    1d:cd:c6:65:32:42:a5:01:62:46:87:10:da:74:7e:8b:c8:c9:
    86:32:9e:c2:2e:c1:fd:00:79:f0:ef:d8:73:dd:7e:1b:1a:3f:
    cc:64:da:a3:38:ad:49:4e:c8:4d:e3:09:ba:bc:66:f2:6f:63:
    9a:48:19:2d:27:5b:1d:2a:69:bf:4f:f4:e0:67:5e:66:84:30:
    e5:85:f4:49:6e:d0:92:ae:66:77:50:cf:45:c0:29:b2:64:87:
    12:09:d3:10:4d:91:b6:f3:63:c4:26:b3:fa:94:2b:96:18:1f:
    9b:a9:53:74:de:9c:73:a4:3a:8d:bf:fa:9c:c0:42:9d:78:49:
    4d:70
root@master:/etc/puppet#

Client's certificate:

client:~# openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/client.example.com.pem
Certificate:
Data:
    Version: 3 (0x2)
    Serial Number: 3 (0x3)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: CN=Puppet CA: master.example.com
    Validity
        Not Before: Apr  2 20:01:36 2012 GMT
        Not After : Apr  2 20:01:36 2017 GMT
    Subject: CN=client.example.com
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (1024 bit)
            Modulus (1024 bit):
                00:ae:88:6d:9b:e3:b1:fc:47:07:d6:bf:ea:53:d1:
                14:14:9b:35:e6:70:43:e0:58:35:76:ac:c5:9d:86:
                02:fd:77:28:fc:93:34:65:9d:dd:0b:ea:21:14:4d:
                8a:95:2e:28:c9:a5:8d:a2:2c:0e:1c:a0:4c:fa:03:
                e5:aa:d3:97:98:05:59:3c:82:a9:7c:0e:e9:df:fd:
                48:81:dc:33:dc:88:e9:09:e4:19:d6:e4:7b:92:33:
                31:73:e4:f2:9c:42:75:b2:e1:9f:d9:49:8c:a7:eb:
                fa:7d:cb:62:22:90:1c:37:3a:40:95:a7:a0:3b:ad:
                8e:12:7c:6e:ad:04:94:ed:47
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:FALSE
        Netscape Comment:
            Puppet Ruby/OpenSSL Internal Certificate
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Subject Key Identifier:
            8C:2F:14:84:B6:A1:B5:0C:11:52:36:AB:E5:3F:F2:B9:B3:25:F3:1C
        X509v3 Extended Key Usage: critical
            TLS Web Server Authentication, TLS Web Client Authentication
Signature Algorithm: sha1WithRSAEncryption
    33:1f:ec:3c:91:5a:eb:c6:03:5f:a1:58:60:c3:41:ed:1f:fe:
    cb:b2:40:11:63:4d:ba:18:8a:8b:62:ba:ab:61:f5:a0:6c:0e:
    8a:20:56:7b:10:a1:f9:1d:51:49:af:70:3a:05:f9:27:4a:25:
    d4:e6:88:26:f7:26:e0:20:30:2a:20:1d:c4:d3:26:f1:99:cf:
    47:2e:73:90:bd:9c:88:bf:67:9e:dd:7c:0e:3a:86:6b:0b:8d:
    39:0f:db:66:c0:b6:20:c3:34:84:0e:d8:3b:fc:1c:a8:6c:6c:
    b1:19:76:65:e6:22:3c:bf:ff:1c:74:bb:62:a0:46:02:95:fa:
    83:41
client:~#

EDIT:

Someone suggested redoing the certificates. I have done this several times and it does not fix the issue.

I have a fairly simple puppet setup, one master and one node, both running Debian Squeeze 6.0.4. I have DNS entries for the two machines, client and master respectively. Both client and master's DNS entries resolve correctly on both machines to the right IPs.

On my client, I have this configuration:

[main]
server = master.example.org

logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
pluginsync=true
templatedir=/var/lib/puppet/templates

Key exchange seems to fail, according to this messages in /var/log/syslog:

localhost puppet-agent[11364]: Could not request certificate: getaddrinfo: Name or service not known

Why is resolution not working only for puppet?