30.07.2011

Linux VPN Client: disconnect every 600s (10min)

You are trying to connect to a Cisco Pix or Cisco ASA with a Linux PC and the connection disconnects after 10 minutes?
You tried
You found after googling around the following hints:
  • rekeying problem (not implemented for Linux)
  • missing open ports in your firewall (500 UDP, 4500 UDP, 10000 UDP)
  • write a automatic restart script
  • set MTU size on tun0 below 1300
  • disable dead pear detection (--dpd-idle 0)
    this is done via port 500
  • ...
None of this tips worked. And now?
Let's take a look at the debug messages from vpnc:
vpnc -no-detach --debug 2 profile0
after 10 minutes:
S7.2 QM_packet2 send_receive
S7.3 QM_packet2 validate type
vpnc: no response from target
Anything learned? The connection is dead again with no response from target...
Where are this response packets? Let's take a look at wireshark:


Hmmm
Dst Port 500...
Let's try the following:
vpnc --no-detach --debug 2 --dh dh5 gip2
and voila: no disconnects anymore...

Why?
Read this link:
The Diffie-Hellman Group 5 feature enables group 5
on all platforms that support crypto images. Group 5 specifies the
1536-bit Diffie-Hellman group, which is a method of establishing a
shared key over an insecure medium.

So my advise:
If your VPN disconnects after some minutes, try some of the cli-options of vpnc. Or ask your administrator, which Diffie-Hellman group is configured...

Here the cli-option (via vpnc --long-help)
Usage: vpnc [--version] [--print-config] [--help] [--long-help] [options] [config files]

Options:
--gateway <ip/hostname>
IP/name of your IPSec gateway
conf-variable: IPSec gateway <ip/hostname>

--id <ASCII string>
your group name
conf-variable: IPSec ID <ASCII string>

(configfile only option)
your group password (cleartext)
conf-variable: IPSec secret <ASCII string>

(configfile only option)
your group password (obfuscated)
conf-variable: IPSec obfuscated secret <hex string>

--username <ASCII string>
your username
conf-variable: Xauth username <ASCII string>

(configfile only option)
your password (cleartext)
conf-variable: Xauth password <ASCII string>

(configfile only option)
your password (obfuscated)
conf-variable: Xauth obfuscated password <hex string>

--domain <ASCII string>
(NT-) Domain name for authentication
conf-variable: Domain <ASCII string>

--xauth-inter
enable interactive extended authentication (for challenge response auth)

--dpd-idle
conf-variable: Xauth interactive

--vendor <cisco/netscreen>
vendor of your IPSec gateway
Default: cisco
conf-variable: Vendor <cisco/netscreen>

--natt-mode <natt/none/force-natt/cisco-udp>
Which NAT-Traversal Method to use:
* natt -- NAT-T as defined in RFC3947
* none -- disable use of any NAT-T method
* force-natt -- always use NAT-T encapsulation even
without presence of a NAT device
(useful if the OS captures all ESP traffic)
* cisco-udp -- Cisco proprietary UDP encapsulation, commonly over Port 10000
Note: cisco-tcp encapsulation is not yet supported
Default: natt
conf-variable: NAT Traversal Mode <natt/none/force-natt/cisco-udp>

--script <command>
command is executed using system() to configure the interface,
routing and so on. Device name, IP, etc. are passed using enviroment
variables, see README. This script is executed right after ISAKMP is
done, but before tunneling is enabled. It is called when vpnc
terminates, too
Default: /etc/vpnc/vpnc-script
conf-variable: Script <command>

--dh <dh1/dh2/dh5>
name of the IKE DH Group
Default: dh2
conf-variable: IKE DH Group <dh1/dh2/dh5>

--pfs <nopfs/dh1/dh2/dh5/server>
Diffie-Hellman group to use for PFS
Default: server
conf-variable: Perfect Forward Secrecy <nopfs/dh1/dh2/dh5/server>

--enable-1des
enables weak single DES encryption
conf-variable: Enable Single DES

--enable-no-encryption
enables using no encryption for data traffic (key exchanged must be encrypted)
conf-variable: Enable no encryption

--application-version <ASCII string>
Application Version to report. Note: Default string is generated at runtime.
Default: Cisco Systems VPN Client 0.5.3:Linux
conf-variable: Application version <ASCII string>

--ifname <ASCII string>
visible name of the TUN/TAP interface
conf-variable: Interface name <ASCII string>

--ifmode <tun/tap>
mode of TUN/TAP interface:
* tun: virtual point to point interface (default)
* tap: virtual ethernet interface
Default: tun
conf-variable: Interface mode <tun/tap>

--debug <0/1/2/3/99>
Show verbose debug messages
* 0: Do not print debug information.
* 1: Print minimal debug information.
* 2: Show statemachine and packet/payload type information.
* 3: Dump everything exluding authentication data.
* 99: Dump everything INCLUDING AUTHENTICATION data (e.g. PASSWORDS).
conf-variable: Debug <0/1/2/3/99>

--no-detach
Don't detach from the console after login
conf-variable: No Detach

Report bugs to vpnc@unix-ag.uni-kl.de












28.07.2011

Google+: Huddle with your Browser - does not work...

After submitting some posts, let's take a look at other features:
If you read http://www.google.com/intl/en/+/learnmore/, you can find the following:



This sound nice, so let's try it.
But where is this icon:

Google's demo video shows huddle only on a smart phone. Does this only work with an app?
I was invited to a huddle:


If i click the > and then "join the conversation" i am directed to this page:


So i conclude: There is no huddle for webbrowsers...

26.07.2011

Google+: How to submit posts

After completing the registration process you have to add people to your circles. This can be done via drag and drop:


This is straigth forward. But how to write postings and submit them?
Google calls this "stream". You have to go back to your home:


Now add some text on the dialog in the middle:

and configure the circles to which this posting should be submitted. The four icons on the left are for adding a photo, video, link or your location. It is really nice, that you can configure, which circles get the postings.

24.07.2011

Joining Google+: the registration process

Here a short report about the new social network google+. Today i got a inviation and here the first steps into the circles...

First you have to do the registration:


Then google fills the first name and lastname from your google account and the foto, too:



The Privacy Policy can be found via this link. Here some important facts:
People in your circles (but not the name of the circle) will appear to others on your Google Profile, unless you choose not to display that information.

If you do not want us to store metadata (such as photo details) associated with your photos and videos, please remove that data before uploading the content.


We may display posts to which you’ve attached your location to users who seek to view Google+ posts "nearby" the location where you created your post. Those posts will be viewable only by those with whom the content has been shared.


Then one thing about your picasa albums:


This sounds ok, if your fotos are for everyone...

After that you can start with google+