Master Controller/VPN

From ESCTL
< Master Controller(Difference between revisions)
Jump to: navigation, search
(Created page with "=== VPN === * cd download * wget https://github.com/dcantrell/vpncwatch/archive/master.zip -O vpncwatch.zip * mkdir vpncwatch * cd vpncwatch * unzip ../vpncwatch.zip * make (?...")
 
(Cisco configuration)
 
(8 intermediate revisions by one user not shown)
Line 1: Line 1:
 
=== VPN ===
 
=== VPN ===
 +
 +
==== Install the VPN client ====
 +
* sudo apt-get install vpnc
 +
 +
* sudo vi /etc/vpnc/default.conf
 +
<pre>
 +
IPSec gateway vpn-hosted.esctl.co.uk
 +
IPSec ID esctl-customername
 +
IPSec secret *******
 +
IKE Authmode psk
 +
Xauth username x-esctl-vpn-customername
 +
Xauth password *********
 +
</pre>
 +
 +
* sudo vi /etc/vpnc/vpnc-script
 +
** Change the first line from "#!/bin/sh" to "#!/bin/bash"
 +
** Change line (approx.) 55 to add /usr/bin to the PATH= line (Needed for 'basename' and 'expr')
 +
 +
 +
==== Configure the keepalive script ====
 +
* mkdir download
 
* cd download
 
* cd download
 +
 +
Either:
 
* wget https://github.com/dcantrell/vpncwatch/archive/master.zip -O vpncwatch.zip
 
* wget https://github.com/dcantrell/vpncwatch/archive/master.zip -O vpncwatch.zip
* mkdir vpncwatch
 
* cd vpncwatch
 
 
* unzip ../vpncwatch.zip
 
* unzip ../vpncwatch.zip
* make (???)
+
* cd vpncwatch-master
 +
Or:
 +
* git clone https://github.com/dcantrell/vpncwatch.git
 +
* cd vpncwatch
 +
and then:
 +
* make
 +
* sudo cp -p vpncwatch /usr/local/bin/
 +
 
 +
Create /etc/init.d/vpncwatch as follows:
 
<pre>
 
<pre>
cat > /etc/init.d/vpncwatch <<__EOF__
 
 
#! /bin/sh
 
#! /bin/sh
 
### BEGIN INIT INFO
 
### BEGIN INIT INFO
Line 28: Line 56:
 
do_start () {
 
do_start () {
 
[ "$VERBOSE" != no ] && log_action_begin_msg "Starting vpncwatch"
 
[ "$VERBOSE" != no ] && log_action_begin_msg "Starting vpncwatch"
/usr/local/bin/vpncwatch -c 10.249.1.1/usr/sbin/vpnc
+
/usr/local/bin/vpncwatch -c 10.249.1.1 /usr/sbin/vpnc
 
ES=$?
 
ES=$?
 
[ "$VERBOSE" != no ] && log_action_end_msg $ES
 
[ "$VERBOSE" != no ] && log_action_end_msg $ES
Line 52: Line 80:
  
 
:
 
:
__EOF__
 
 
</pre>
 
</pre>
* chmod a+x /etc/init.d/vpncwatch
+
* sudo chmod a+x /etc/init.d/vpncwatch
* update-rc.d vpncwatch defaults
+
* sudo update-rc.d vpncwatch defaults
  
* vi /etc/vpnc/default.conf
+
==== Cisco configuration ====
 +
 
 +
The following config snippet may be of use
 
<pre>
 
<pre>
IPSec gateway vpn-hosted.esctl.co.uk
+
username x-esctl-vpn-customername privilege 0 secret secretpassword
IPSec ID esctl-customername
+
 
IPSec secret *******
+
crypto isakmp client configuration group esctl-customername
IKE Authmode psk
+
key evenmoresecretpassword
Xauth username customername-vpn
+
domain hosted.esctl.co.uk
Xauth password *********
+
pool esctl-customername
 +
acl esctl-vpn
 +
save-password
 +
netmask 255.255.255.254
 +
 
 +
crypto isakmp profile VPN-esctl-customername
 +
  match identity group esctl-customername
 +
  client authentication list AUTHEN_esctl
 +
  isakmp authorization list AUTHOR_esctl
 +
  client configuration address respond
 +
  keepalive 20 retry 10
 +
 
 +
ip local pool esctl-customername 10.11.12.13
 +
 
 +
! for ease of admin, match '13' above to '113' below
 +
crypto dynamic-map VPN-CRYPTOMAP 113
 +
set transform-set set2
 +
set isakmp-profile VPN-esctl-customername
 +
reverse-route
 +
 
 
</pre>
 
</pre>
  
* vi /etc/vpnc/vpnc-script
+
=== Other hosted configuration ===
** Change the first line from "#!/bin/sh" to "#!/bin/bash"
+
rsync is already installed, but requires configuring with /etc/xinetd.d/rsync:
** Change line (approx.) 55 to add /usr/bin to the PATH= line (Needed for 'basename' and 'expr')
+
<pre>
 +
# default: on
 +
service rsync
 +
{
 +
        disable        = no
 +
        socket_type    = stream
 +
        protocol        = tcp
 +
        user            = root
 +
        wait            = no
 +
        server          = /usr/bin/rsync
 +
        server_args    = --daemon
 +
}
 +
</pre>
 +
 
 +
and /etc/rsyncd.conf:
 +
<pre>
 +
read only = true
 +
list = false
 +
 
 +
[backup]
 +
        path = /
 +
        uid = root
 +
        gid = root
 +
        hosts allow = 10.249.1.11
 +
</pre>
 +
 
 +
Also set RSYNC_ENABLE=inetd in /etc/default/rsync to suppress the warning that would otherwise be given.

Latest revision as of 18:13, 27 April 2016

Contents

[edit] VPN

[edit] Install the VPN client

  • sudo apt-get install vpnc
  • sudo vi /etc/vpnc/default.conf 
IPSec gateway vpn-hosted.esctl.co.uk
IPSec ID esctl-customername
IPSec secret *******
IKE Authmode psk
Xauth username x-esctl-vpn-customername
Xauth password *********
  • sudo vi /etc/vpnc/vpnc-script
    • Change the first line from "#!/bin/sh" to "#!/bin/bash"
    • Change line (approx.) 55 to add /usr/bin to the PATH= line (Needed for 'basename' and 'expr')


[edit] Configure the keepalive script

  • mkdir download
  • cd download

Either:

Or:

and then:

  • make
  • sudo cp -p vpncwatch /usr/local/bin/

Create /etc/init.d/vpncwatch as follows: 

#! /bin/sh
### BEGIN INIT INFO
# Provides:          vpncwatch
# Required-Start:
# Required-Stop:
# Should-Start:      
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Checks vpnclient is still running
# Description:       Checks vpnclient is still running, and restarts it
#                    if not.
### END INIT INFO

PATH=/sbin:/bin:/usr/local/bin

. /lib/init/vars.sh
. /lib/lsb/init-functions

do_start () {
	[ "$VERBOSE" != no ] && log_action_begin_msg "Starting vpncwatch"
	/usr/local/bin/vpncwatch -c 10.249.1.1 /usr/sbin/vpnc
	ES=$?
	[ "$VERBOSE" != no ] && log_action_end_msg $ES
	exit $ES
}

case "$1" in
  start|"")
	do_start
	;;
  restart|reload|force-reload|status)
	echo "Error: argument '$1' not supported" >&2
	exit 3
	;;
  stop)
	/usr/bin/killall vpncwatch
	;;
  *)
	echo "Usage: vpncwatch [start|stop]" >&2
	exit 3
	;;
esac

:
  • sudo chmod a+x /etc/init.d/vpncwatch
  • sudo update-rc.d vpncwatch defaults

[edit] Cisco configuration

The following config snippet may be of use 

username x-esctl-vpn-customername privilege 0 secret secretpassword

crypto isakmp client configuration group esctl-customername
 key evenmoresecretpassword
 domain hosted.esctl.co.uk
 pool esctl-customername
 acl esctl-vpn
 save-password
 netmask 255.255.255.254

crypto isakmp profile VPN-esctl-customername
   match identity group esctl-customername
   client authentication list AUTHEN_esctl
   isakmp authorization list AUTHOR_esctl
   client configuration address respond
   keepalive 20 retry 10

ip local pool esctl-customername 10.11.12.13

! for ease of admin, match '13' above to '113' below
crypto dynamic-map VPN-CRYPTOMAP 113
 set transform-set set2
 set isakmp-profile VPN-esctl-customername
 reverse-route

[edit] Other hosted configuration

rsync is already installed, but requires configuring with /etc/xinetd.d/rsync: 

# default: on
service rsync
{
        disable         = no
        socket_type     = stream
        protocol        = tcp
        user            = root
        wait            = no
        server          = /usr/bin/rsync
        server_args     = --daemon
}

and /etc/rsyncd.conf: 

read only = true
list = false

[backup]
        path = /
        uid = root
        gid = root
        hosts allow = 10.249.1.11

Also set RSYNC_ENABLE=inetd in /etc/default/rsync to suppress the warning that would otherwise be given.

Retrieved from ‘http://www.esctl.co.uk/index.php?title=Master_Controller/VPN&oldid=160
Personal tools
Namespaces

Variants
Actions
Navigation
Tools