Note to self: The apc.php (script for monitoring APC performance) is stored in – /usr/share/doc/php-pecl-apc-3.1.3p1
Tag Archives: Enterprise Linux
5 Minute CentOS/RHEL VPN
I’m looking at running two servers on EC2; as we all know the most important thing about running services in the cloud is encryption!
Whilst googling on how to set up a host-to-host IPsec VPN I was surprised at how easy it is…
On Host1 (192.168.56.101)…
[root@CentOS1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ipsec1
DST=192.168.56.102
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK
[root@CentOS1 ~]#
[root@CentOS1 ~]# cat /etc/sysconfig/network-scripts/keys-ipsec1
IKE_PSK=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[root@CentOS1 ~]#
[root@CentOS1 ~]# ifup ipsec1
On host2 (192.168.56.102)…
[root@CentOS2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ipsec1
DST=192.168.56.101
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK
[root@CentOS2 ~]#
[root@CentOS2 ~]# cat /etc/sysconfig/network-scripts/keys-ipsec1
IKE_PSK=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[root@CentOS2 ~]#
[root@CentOS2 ~]# ifup ipsec1
… done!!!
[root@CentOS1 ~]# tcpdump -n -i eth1 host 192.168.56.102
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
09:46:37.306292 IP 192.168.56.101 > 192.168.56.102: AH(spi=0x0aff2b10,seq=0x203): ESP(spi=0x00a0a3cc,seq=0x203), length 84
09:46:37.310197 IP 192.168.56.102 > 192.168.56.101: AH(spi=0x09f82154,seq=0x203): ESP(spi=0x098f0ff9,seq=0x203), length 68
09:46:38.175048 IP 192.168.56.101 > 192.168.56.102: AH(spi=0x0aff2b10,seq=0x204): ESP(spi=0x00a0a3cc,seq=0x204), length 84
09:46:38.179017 IP 192.168.56.102 > 192.168.56.101: AH(spi=0x09f82154,seq=0x204): ESP(spi=0x098f0ff9,seq=0x204), length 68
09:46:39.313583 IP 192.168.56.101 > 192.168.56.102: AH(spi=0x0aff2b10,seq=0x205): ESP(spi=0x00a0a3cc,seq=0x205), length 84
09:46:39.316427 IP 192.168.56.102 > 192.168.56.101: AH(spi=0x09f82154,seq=0x205): ESP(spi=0x098f0ff9,seq=0x205), length 68
6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@CentOS1 ~]#
This is a simple IKE pre-shared key VPN; you might want to google for using certificates for stronger authentication. You can also edit /etc/racoon/racoon.conf to change your IPsec parameters.
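The tcpdump check above can be turned into a repeatable audit. The script below is an added example, not part of the original post: it reads `tcpdump -n` text and counts packets between the two peers that are wrapped in AH/ESP, that are IKE negotiation, or that travel in cleartext. The function names and the last three sample lines are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit `tcpdump -n` text for
# traffic between two IPsec peers that is not wrapped in AH/ESP.

# Constructed sample: the first two lines come from the capture in the post,
# the remaining three are made up for this demonstration.
sample_capture() {
cat <<'EOF'
09:46:37.306292 IP 192.168.56.101 > 192.168.56.102: AH(spi=0x0aff2b10,seq=0x203): ESP(spi=0x00a0a3cc,seq=0x203), length 84
09:46:37.310197 IP 192.168.56.102 > 192.168.56.101: AH(spi=0x09f82154,seq=0x203): ESP(spi=0x098f0ff9,seq=0x203), length 68
09:46:30.100000 IP 192.168.56.101.500 > 192.168.56.102.500: isakmp: phase 1 I ident
09:50:01.000001 IP 192.168.56.101 > 192.168.56.102: ICMP echo request, id 1, seq 1, length 64
09:50:02.000001 IP 192.168.56.1.5353 > 224.0.0.251.5353: 0 PTR (QM)? _ipp._tcp.local. (40)
EOF
}

# classify_capture PEER_A PEER_B < capture.txt
# Prints "protected=N ike=N cleartext=N"; cleartext lines are echoed to stderr.
classify_capture() {
    awk -v a="$1" -v b="$2" '
        # Reduce "1.2.3.4.500:" or "1.2.3.4:" to the bare IPv4 address.
        function host(x,   p) {
            sub(/:$/, "", x); split(x, p, ".")
            return p[1] "." p[2] "." p[3] "." p[4]
        }
        $2 != "IP" { next }                      # skip tcpdump banner lines
        {
            s = host($3); d = host($5)           # exact match, not substring
            if (!((s == a && d == b) || (s == b && d == a))) next
        }
        /AH\(spi=|ESP\(spi=/ { prot++; next }    # encapsulated by IPsec
        /isakmp/             { ike++;  next }    # IKE negotiation itself
        { clear++; print "CLEARTEXT: " $0 > "/dev/stderr" }
        END { printf "protected=%d ike=%d cleartext=%d\n", prot, ike, clear }
    '
}

sample_capture | classify_capture 192.168.56.101 192.168.56.102
```

A non-zero cleartext count means some traffic between the peers is bypassing the tunnel. On a live host, pipe a saved `tcpdump -n` capture into `classify_capture` instead of the sample.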
Reference: http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-vpn.html
UPDATE: To make this work in EC2, you need to enable NAT-T; see my hack here!
Intel 3945ABG Wireless / WiFi Card on CentOS 5
I’ve taken to using CentOS on my servers, and Fedora on my laptop. New job means new laptop, and to avoid Fedora update hell, I thought I’d try CentOS on my laptop.
All seems good other than my wifi card not being detected, and for some reason googling for “centos 5 intel 3945” didn’t provide a working answer; actually I found the answer by googling for “supplementary disk centos 5”, which finds this thread that says…
Install dag’s repo (this rpm), and then install dkms-ipw3945 (yum will pick up the dependencies)
yum install dkms-ipw3945
Next enable network manager…
chkconfig --level 345 NetworkManager on
chkconfig --level 345 NetworkManagerDispatcher on
Reboot (seriously), and when you next log in you’ll get a little icon in your system tray where you can manage your WiFi.
How to Migrate from White Box Linux 4 to CentOS 4.4
There are some things that you just never get round to. My nagios box was still running White Box Linux, and I’ve finally gotten round to “upgrading” it to CentOS… yeah OK, upgrade is arguable, but you get my point.
First off, a warning: Don’t do this! All the documentation for CentOS, RHEL, Fedora, or any Red Hat Linux says that clean installs are the best way and that upgrades are not advised… therefore I offer no support or warranty that this will work; in fact, I advise you to read this post, but step away from your consoles!
But, if you think it might be a laugh: the CentOS documentation is a bit old and not 100% correct, so here is what I did. First up (as root – obviously), clear out your yum cache and install the CentOS GPG key.
yum clean all
rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-4
Next, install some base CentOS packages; take note that some need to be forced on.
rpm -Uvh --nodeps http://mirror.centos.org/centos/4.4/os/i386/CentOS/RPMS/centos-release-4-4.2.i386.rpm
rpm -ivh http://mirror.centos.org/centos/4.4/os/i386/CentOS/RPMS/python-elementtree-1.2.6-4.2.1.i386.rpm
rpm -ivh http://mirror.centos.org/centos/4.4/os/i386/CentOS/RPMS/python-sqlite-1.1.7-1.2.i386.rpm
rpm -ivh http://mirror.centos.org/centos/4.4/os/i386/CentOS/RPMS/sqlite-3.3.3-1.2.i386.rpm
rpm -Uvh --force http://mirror.centos.org/centos/4.4/os/i386/CentOS/RPMS/python-urlgrabber-2.9.8-2.noarch.rpm
rpm -Uvh --nodeps http://mirror.centos.org/centos/4.4/os/i386/CentOS/RPMS/yum-2.4.3-1.c4.noarch.rpm
Finally, remove the whitebox rpm db.
rpm -ev rpmdb-whitebox
Move any “whitebox” mirrors still in /etc/yum.repos.d and
yum install rpmdb-CentOS
Once you have that sorted, you can complete the upgrade with
yum update
reboot
& cross your fingers
If you come across the following warnings while using yum: Warning, could not load sqlite, falling back to pickle , I found…
yum install python-sqlite
Fixed the problem. And there we have it, all my boxes are now running CentOS – yay – just in time to look at the CentOS 5 upgrade
Dependency Problems ?
If a whitebox rpm is newer than the CentOS one, it won’t get upgraded; this might cause problems when installing new packages via yum. To solve the problem, download the rpm manually from http://www.centos.org/modules/tinycontent/index.php?id=13 and force an upgrade
rpm --force -Uvh Something-CentOS.rpm
UPDATE: If you’re using something like Root Kit Hunter, you will notice a load of md5 hashes fail. These are whitebox rpms that didn’t need upgrading; to correct the problem you need to replace them with the CentOS versions. Example rkhunter output:
/sbin/init [ BAD ]
Find which rpm init belongs to
# rpm -q --whatprovides /sbin/init
SysVinit-2.85-34.3
and upgrade it
wget http://www.mirrorservice.org/sites/mirror.centos.org/4.4/os/i386/CentOS/RPMS/SysVinit-2.85-34.3.i386.rpm
rpm --force -Uvh SysVinit-2.85-34.3.i386.rpm
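Rather than waiting for rkhunter to flag files one at a time, the leftover packages can be listed in one pass by their Vendor tag. This is an added example, not from the original post. It assumes CentOS-built packages carry the vendor string "CentOS"; the function names, the sample listing and the non-CentOS vendor strings are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): list installed packages whose
# Vendor tag is not the expected one after a distribution migration.
# On the migrated host the input would come from:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}|%{VENDOR}\n'

# Constructed sample listing; the vendor strings other than "CentOS" and the
# example-tool package are placeholders for this demonstration.
sample_rpm_listing() {
cat <<'EOF'
centos-release-4-4.2.i386|CentOS
yum-2.4.3-1.c4.noarch|CentOS
SysVinit-2.85-34.3.i386|Example Whitebox Vendor
example-tool-1.0-1.i386|Example Third Party
gpg-pubkey-00000000-00000000.(none)|(none)
EOF
}

# leftover_packages EXPECTED_VENDOR < listing
# Prints "package [vendor]" for every package not built by EXPECTED_VENDOR.
# Imported GPG keys appear in the rpm db as gpg-pubkey-* with no vendor,
# so they are skipped rather than reported as foreign packages.
leftover_packages() {
    awk -F'|' -v want="$1" '
        $1 ~ /^gpg-pubkey-/ { next }
        $2 != want          { printf "%s [%s]\n", $1, $2 }
    ' | sort
}

sample_rpm_listing | leftover_packages CentOS
```

Each reported package is a candidate for the forced replacement shown above; third-party repository packages will also appear in the list and are expected to stay.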
Tripwire 2.4.1.1 rpm for CentOS, Redhat ( RHEL ) 4
Following a request I’ve rebuilt a later tripwire rpm (2.4.1.1); I think at this point it would be prudent to point out that the rpms found here are not maintained, and I do not offer any kind of support – you use them at your own risk – but you’re welcome to make requests !
My Yum repo has also been updated, config file here