Master Controller/VPN

Latest revision as of 19:13, 27 April 2016

[edit] VPN

[edit] Install the VPN client

• sudo apt-get install vpnc

• sudo vi /etc/vpnc/default.conf

IPSec gateway vpn-hosted.esctl.co.uk
IPSec ID esctl-customername
IPSec secret *******
IKE Authmode psk
Xauth username x-esctl-vpn-customername
Xauth password *********

• sudo vi /etc/vpnc/vpnc-script
  • Change the first line from "#!/bin/sh" to "#!/bin/bash"
  • Change line (approx.) 55 to add /usr/bin to the PATH= line (Needed for 'basename' and 'expr')

[edit] Configure the keepalive script

• mkdir download
• cd download

Either:

• wget https://github.com/dcantrell/vpncwatch/archive/master.zip -O vpncwatch.zip
• unzip ../vpncwatch.zip
• cd vpncwatch-master

Or:

• git clone https://github.com/dcantrell/vpncwatch.git
• cd vpncwatch

and then:

• make
• sudo cp -p vpncwatch /usr/local/bin/

Create /etc/init.d/vpncwatch as follows:

#! /bin/sh
### BEGIN INIT INFO
# Provides:          vpncwatch
# Required-Start:
# Required-Stop:
# Should-Start:      
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Checks vpnclient is still running
# Description:       Checks vpnclient is still running, and restarts it
#                    if not.
### END INIT INFO

PATH=/sbin:/bin:/usr/local/bin

. /lib/init/vars.sh
. /lib/lsb/init-functions

do_start () {
	[ "$VERBOSE" != no ] && log_action_begin_msg "Starting vpncwatch"
	/usr/local/bin/vpncwatch -c 10.249.1.1 /usr/sbin/vpnc
	ES=$?
	[ "$VERBOSE" != no ] && log_action_end_msg $ES
	exit $ES
}

case "$1" in
  start|"")
	do_start
	;;
  restart|reload|force-reload|status)
	echo "Error: argument '$1' not supported" >&2
	exit 3
	;;
  stop)
	/usr/bin/killall vpncwatch
	;;
  *)
	echo "Usage: vpncwatch [start|stop]" >&2
	exit 3
	;;
esac

:

• sudo chmod a+x /etc/init.d/vpncwatch
• sudo update-rc.d vpncwatch defaults

[edit] Cisco configuration

The following config snippet may be of use

username x-esctl-vpn-customername privilege 0 secret secretpassword

crypto isakmp client configuration group esctl-customername
 key evenmoresecretpassword
 domain hosted.esctl.co.uk
 pool esctl-customername
 acl esctl-vpn
 save-password
 netmask 255.255.255.254

crypto isakmp profile VPN-esctl-customername
   match identity group esctl-customername
   client authentication list AUTHEN_esctl
   isakmp authorization list AUTHOR_esctl
   client configuration address respond
   keepalive 20 retry 10

ip local pool esctl-customername 10.11.12.13

! for ease of admin, match '13' above to '113' below
crypto dynamic-map VPN-CRYPTOMAP 113
 set transform-set set2
 set isakmp-profile VPN-esctl-customername
 reverse-route

[edit] Other hosted configuration

rsync is already installed, but requires configuring with /etc/xinetd.d/rsync:

# default: on
service rsync
{
        disable         = no
        socket_type     = stream
        protocol        = tcp
        user            = root
        wait            = no
        server          = /usr/bin/rsync
        server_args     = --daemon
}

and /etc/rsyncd.conf:

read only = true
list = false

[backup]
        path = /
        uid = root
        gid = root
        hosts allow = 10.249.1.11

Also set RSYNC_ENABLE=inetd in /etc/default/rsync to suppress the warning that would otherwise be given.