-

Freenas: Plagued by name to sid deadlock errors?

Posted by aionman on Jul 9, 2015 in Linux, NAS, Networking

And here are the permissions as seen on Windows. I have Account Unknown, where probably I want it to recognize it as something like jnewsome (Unix User\jnewsome).  And the Freenas console shows something like

STATUS=daemon 'winbindd' finished starting up and ready to serve connections
sam_sids_to_names: possible deadlock - trying to lookup SID S-XXXXXX


Solution:

service samba_server stop
sqlite3 /data/freenas-v1.db 'update services_cifs set cifs_SID="S-1-5-21-1590911872-798304854-2854342261"'
service ix-pre-samba start
service samba_server start


[root@freenas] ~# net groupmap list
users (S-1-5-21-1590911872-798304854-2854342261-1001) -> users
[root@freenas] ~# net groupmap delete sid="S-1-5-21-1590911872-798304854-2854342261-1001"
Sucessfully removed S-1-5-21-1170145438-4009580803-3350505473-1001 from the mapping db
[root@freenas] ~# net groupmap add unixgroup=users rid=1001
Successfully added group users to the mapping db as a domain group​

And also try this

  1. fetch "http://download.freenas.org/errata/fixsid.py" -o /usr/local/bin/fixsid.py
  2. chmod 755 /usr/local/bin/fixsid.py
  3. mount -urw /
  4. hash -r
  5. fixsid.py
  6. Run the commands the script says to after completion or reboot

-

How to speed my too-slow ssh login?

Posted by aionman on May 31, 2013 in Linux, Networking

When I’m trying to ssh to a remote server, after I enter the username, it takes a lot of time before it displays the password prompt. Basically, my SSH (OpenSSH) is slow during the authentication process. How do I solve this problem?

$ ssh -v root@remote-host
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to remote-host [1.1.1.1] port 22.
debug1: Connection established.
debug1: identity file /home/allen/.ssh/identity type -1
debug1: identity file /home/allen/.ssh/id_rsa type -1
debug1: identity file /home/allen/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent

debug1: SSH2_MSG_SERVICE_ACCEPT received <-- OpenSSH hanging here for 1 min

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/root/.ssh/identity
debug1: Trying private key: /home/root/.ssh/id_rsa
debug1: Trying private key: /home/root/.ssh/id_dsa
debug1: Next authentication method: password

Solution: set UseDNS to no in sshd_config file

To fix this performance issue while connecting to a remote server using ssh, set the UseDNS to no as shown below in your /etc/ssh/sshd_config file.

$ vi /etc/ssh/sshd_config
UseDNS no

Restart OpenSSH and connect to the remote server again; the login should be quick this time and will not hang at SSH2_MSG_SERVICE_ACCEPT.

# service sshd restart

$ ssh -v root@remote-host
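As an added example, not from the original post: a script that reports the UseDNS value sshd will actually use, which is the check worth running after the edit above. sshd takes the first value it reads for a keyword, so a `UseDNS yes` earlier in the file wins over a line appended at the end, and a line inside a `Match` block is not a global setting. The function names are mine and the config files in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Reports the UseDNS value that sshd
# will actually use from a given sshd_config. Two details make a naive
# `grep UseDNS` misleading: sshd keeps the FIRST value it reads for a keyword,
# so a "UseDNS yes" higher in the file silently overrides a line you append;
# and a line inside a Match block is not a global setting. The path is a
# parameter; the demo at the bottom only runs if the real file is readable.

# Print the first global UseDNS value (lowercased) in the file, or "unset".
sshd_usedns() {
    awk -F '[[:blank:]=]+' '
        { sub(/^[[:blank:]]+/, "") }           # drop leading whitespace
        /^#/ || /^$/ { next }                  # comments and blank lines
        { key = tolower($1) }
        key == "match" { in_match = 1; next }  # everything after Match is conditional
        in_match { next }
        key == "usedns" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeeds only when UseDNS is explicitly "no"; older OpenSSH releases default
# to yes, so "unset" is treated as not fixed.
sshd_usedns_disabled() {
    [ "$(sshd_usedns "$1")" = "no" ]
}

if [ -r /etc/ssh/sshd_config ]; then
    if sshd_usedns_disabled /etc/ssh/sshd_config; then
        echo "UseDNS is no: sshd will not reverse-resolve client addresses"
    else
        echo "UseDNS is $(sshd_usedns /etc/ssh/sshd_config): expect a reverse-DNS wait at login"
    fi
fi
```

Where it is available, `sshd -T` (OpenSSH 5.1 and later) prints the effective configuration and is the authoritative check. Keep in mind that turning UseDNS off also disables hostname-based matching of clients, for example `from=` patterns in authorized_keys that use hostnames rather than addresses, so such entries need to be rewritten with addresses.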

-

How to Change TeamViewer ID after cloning

Posted by aionman on Apr 27, 2013 in Networking

How to Change TeamViewer ID after cloning

These scripts fix imaged machines with a cloned TeamViewer ID.

TeamViewer ID Fix for Windows

Upon restarting, TeamViewer will assign a new ID. A new ID will not generate if TeamViewer was installed manually nor is it possible to change the ID to your liking. Running these scripts multiple times on a single machine will not continuously generate a new ID.
Instructions
  1. Download and run the script on the imaged machine. It is recommended to right click and run as administrator.
  2. The console window will update if the script was applied successfully. You will then be prompted to restart before changes take effect (the console window will automatically close).
Note: Running the script multiple times on a single machine will not continuously generate a new ID.

TeamViewer ID Fix 1.4 for MAC

Download TeamViewer 8 ID Fix for Mac

Supports TeamViewer 8 and all previous versions (Compatible with OS X 10.6 or higher)
This application automatically fixes TeamViewer IDs that have been cloned or for those that need to ensure the ID is unique.

Instructions

  1. Download and run the app on the appropriate machine.
  2. If successful, you will be prompted to restart in order for changes to take effect. Upon restarting, TeamViewer will assign a new ID if not already unique.


There are many tutorials on the internet that show how to change a Teamviewer ID after cloning a VM, but I found no instruction that shows me how to keep the ID on the original machine and change the ID on the new VM – without deleting any registry keys.

I got this Solution from the Teamviewer Support!

1. At the VM you want to keep the ID

  • navigate in the registry to:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\VersionX\

  • add a new DWORD (32-bit) value.

Name of the value: MIDForceUpdate
Value: 3 (hex/deci)

2. At the VM you want to change the ID

Only if Teamviewer was executed and/or installed follow these steps:

  • stop Teamviewer(!)
  • navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\VersionX

Delete the VersionX (e.g. Version7) folder.

  • restart the computer
  • start Teamviewer – now Teamviewer should renew the ID


What does MID Force Update do?

MIDForceUpdate tells the Teamviewer server that the machine XYZ has the ID XXX-XXX-XXX. This entry forces every other machine with the same ID to renew it.

-

Disable ipv6 on CentOS 6

Posted by aionman on Feb 28, 2013 in Linux, Networking

With several recent CentOS 6.2 systems being built on the network I have been running into network disconnects and performance issues caused by IPv6. Since I am currently not using it on my network I decided to disable it. Here is what I found from several different resources on the Internet.

We can modify /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Disable in the running system:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6

or

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

-

How To Stop Internet Browsing

Posted by aionman on Oct 5, 2012 in Networking, Windows XP

Log into the user account you want to restrict.
Go to “Internet Options” and click on the “Connections” tab. Click on the “LAN Settings” button and put a tick in the box next to “use a proxy server for your LAN”. Type into the “Address” box:
127.0.0.1
Click “OK” then “OK” again.
This will make the users account you need to restrict unable to access the internet.

You can use a Group Policy setting to remove the “connections” tab in “internet options” to prevent the settings being changed back.
Click “Start” > “Run” then type:
gpedit.msc
Click Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Disable the Connections page, and click Enabled, click Apply then OK.
This is easily reversible.
Test all apps to see if this applies the restrictions the way you want.
Let me know if this works alright for you.

-

Resolve Windows netbios names from Linux

Posted by aionman on Oct 4, 2012 in Linux, Networking, Windows XP

Platforms: 
any *nix distro

What You’ll Need:
Samba

In a heterogeneous LAN it is often useful to resolve network addresses by a computer’s name (ie. netbios name). This is especially true if the LAN does not have a DNS server so that host names can be used instead of IP addresses (which if dynamically assigned, could change often).

To enable Windows NetBIOS name resolution from a Linux computer, make sure that Samba is installed (although the smb service does not need to be running). The Samba suite includes winbind, which enables Windows host names to be resolved.

Then edit /etc/nsswitch.conf and change this line:

hosts:      files dns

to this:

hosts:      files dns wins

Then test by pinging the computer name of Windows machine on the LAN:

$ ping windowsbox
PING windowsbox (192.168.0.100) 56(84) bytes of data.
64 bytes from 192.168.0.100: icmp_seq=1 ttl=128 time=0.117 ms
64 bytes from 192.168.0.100: icmp_seq=2 ttl=128 time=0.127 ms
64 bytes from 192.168.0.100: icmp_seq=3 ttl=128 time=0.127 ms
64 bytes from 192.168.0.100: icmp_seq=4 ttl=128 time=0.127 ms
64 bytes from 192.168.0.100: icmp_seq=5 ttl=128 time=0.128 ms

This setting really comes in handy when mounting a shared folder of a dynamically addressed Windows box from Linux. Instead of using the Windows box’s IP address, just specify its NetBIOS name. Example entry in /etc/fstab:

//windowsbox/my_share/ /mnt/my_mount_point/ cifs rw,username=xxx,password=xxx,domain=xxx 0 0
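Two helpers for the procedure above, as an added example that is not from the original post: one adds `wins` to the `hosts:` line exactly once, so it can live in a configuration script and be re-run safely; the other writes the fstab entry with mount.cifs's `credentials=` option instead of `username=`/`password=` inline, because /etc/fstab is normally world-readable while a credentials file can be mode 600. The function names and the sample files are mine.

```shell
#!/bin/sh
# Added example, not from the original post. enable_wins_lookup adds "wins" to
# the hosts: line of an nsswitch.conf-style file exactly once, and
# cifs_fstab_line builds the mount entry with a credentials file instead of
# username=/password= in /etc/fstab. File paths are parameters; the demo works
# on a temporary copy and never touches the real /etc/nsswitch.conf.

# Current hosts: line of the given file (empty if there is none).
hosts_line() {
    grep -E '^[[:space:]]*hosts:' "$1" | head -n 1
}

# Append "wins" to the hosts: line unless it is already listed. Lookup order is
# preserved, so dns is still consulted before the NetBIOS/WINS query.
# Returns 0 whether or not the file needed changing.
enable_wins_lookup() {
    conf=$1
    if hosts_line "$conf" | grep -qw wins; then
        return 0
    fi
    if [ -n "$(hosts_line "$conf")" ]; then
        tmp=$(mktemp) || return 1
        # A trailing comment on the hosts: line would end up before "wins";
        # the file normally has none.
        sed '/^[[:space:]]*hosts:/ s/[[:space:]]*$/ wins/' "$conf" > "$tmp" &&
            cat "$tmp" > "$conf"
        rm -f "$tmp"
    else
        printf 'hosts:      files dns wins\n' >> "$conf"
    fi
}

# Write a mount.cifs credentials file readable only by its owner.
write_cifs_credentials() {        # path user password domain
    ( umask 077; printf 'username=%s\npassword=%s\ndomain=%s\n' "$2" "$3" "$4" > "$1" )
}

# fstab line for //server/share on mountpoint using the credentials file.
cifs_fstab_line() {               # server share mountpoint credfile
    printf '//%s/%s %s cifs credentials=%s,rw 0 0\n' "$1" "$2" "$3" "$4"
}

# Demo on a temporary copy.
demo=$(mktemp)
printf 'passwd:     files\nhosts:      files dns\n' > "$demo"
enable_wins_lookup "$demo"
enable_wins_lookup "$demo"        # second run is a no-op
echo "after edit: $(hosts_line "$demo")"
cred=$(mktemp)
write_cifs_credentials "$cred" jnewsome 'example-password' WORKGROUP
echo "fstab entry: $(cifs_fstab_line windowsbox my_share /mnt/my_mount_point "$cred")"
rm -f "$demo" "$cred"
```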

-

Installation Notes Broadcom tg3 Linux Driver

Posted by aionman on Dec 1, 2010 in Linux, Networking

Installation Notes
Broadcom tg3 Linux Driver
Version 3.57b
04/28/2006

Broadcom Corporation
16215 Alton Parkway,
Irvine, CA 92619-7013

Copyright (c) 2004, 2005, 2006 Broadcom Corporation
All rights reserved

Table of Contents
=================

Introduction
Limitations
Packaging
Installing Source RPM Package
Building Driver From TAR File
Driver Settings
Driver Defaults
Unloading and Removing Driver
Driver Messages

Introduction
============

This file describes the tg3 Linux driver for the Broadcom NetXtreme
10/100/1000 Mbps PCI/PCI-X/PCI Express Ethernet Network Controllers.
The latest driver is in the latest 2.6 Linux kernel. It can also be
downloaded from http://www.broadcom.com as a source package, but is
generally not necessary to do so if you are using the latest 2.6
upstream kernel from http://www.kernel.org or one of the latest
vendor kernels from Red Hat, SuSE, or others.

The tg3 driver from the Broadcom package is almost identical to the
tg3 driver in the latest 2.6 upstream Linux kernel. It includes some
additional kernel compatible code to allow it to compile on older 2.6
and some 2.4 kernels. The version number is also similar but generally
has a one letter suffix at the end, (e.g. 3.55b) to distinguish it from
the in-kernel tg3 driver.

The next few sections on packaging, compiling, and installation apply
mostly to the Broadcom driver package only.

Limitations
===========

The current version of the driver has been tested on 2.4.x kernels starting
from 2.4.24 and all 2.6.x kernels. The driver may not compile on kernels
older than 2.4.24. Testing is concentrated on i386 and x86_64 architectures.
Only limited testing has been done on some other architectures such as
powerpc and sparc64.

Minor changes to some source files and Makefile may be needed on some
kernels.

Packaging
=========

To replace an older previously installed or in-kernel tg3 driver, follow
the instructions below.

The driver package from http://www.broadcom.com is released in two packaging
formats: source RPM and compressed tar formats. The file names for the two
packages are tg3-<version>.src.rpm and tg3-<version>.tar.gz respectively.
Identical source files to build the driver are included in both packages.

Installing Source RPM Package
=============================

The following are general guidelines for installing the driver.

1. Install the source RPM package:

rpm -ivh tg3-<version>.src.rpm

2. CD to the RPM path and build the binary driver for your kernel:

cd /usr/src/{redhat,OpenLinux,turbo,packages,rpm ..}

rpm -bb SPECS/tg3.spec

or

rpmbuild -bb SPECS/tg3.spec (for RPM version 4.x.x)

Note that the RPM path is different for different Linux distributions.

3. Install the newly built package (driver and man page):

rpm -ivh RPMS/<arch>/tg3-<version>.<arch>.rpm

<arch> is the architecture of the machine, e.g. i386:

rpm -ivh RPMS/i386/tg3-<version>.i386.rpm

Note that the --force option may be needed on some Linux distributions
if conflicts are reported.

The driver will be installed in the following path:

2.4.x kernels:

/lib/modules/<kernel_version>/kernel/drivers/net/tg3.o

2.6.x kernels:

/lib/modules/<kernel_version>/kernel/drivers/net/tg3.ko

4. Load the driver:

insmod tg3.o
or
insmod tg3.ko (on 2.6.x kernels)
or
modprobe tg3

5. To configure network protocol and address, refer to various Linux
documentations.

Building Driver From TAR File
=============================

The following are general guidelines for installing the driver.

1. Create a directory and extract the files:

tar xvzf tg3-<version>.tar.gz

2. Build the driver tg3.o (or tg3.ko) as a loadable module for the
running kernel:

cd src
make

3. Test the driver by loading it:

insmod tg3.o
or
insmod tg3.ko (on 2.6.x kernels)
or
insmod tg3

4. Install the driver:

make install

See RPM instructions above for the location of the installed driver.

5. To configure network protocol and address, refer to various Linux
documentations.

Driver Settings
===============

This and the rest of the sections below apply to both the in-kernel tg3
driver and the tg3 driver package from Broadcom.

Driver settings can be queried and changed using ethtool. The latest ethtool
can be downloaded from http://sourceforge.net/projects/gkernel if it is not
already installed. The following are some common examples on how to use
ethtool. See the ethtool man page for more information. ethtool settings do
not persist across reboot or module reload. The ethtool commands can be put
in a startup script such as /etc/rc.local to preserve the settings across a
reboot.

1. Show current speed, duplex, and link status:

ethtool eth0

2. Change speed, duplex, autoneg:

Example: 100Mbps half duplex, no autonegotiation:

ethtool -s eth0 speed 100 duplex half autoneg off

Example: Autonegotiation with full advertisement:

ethtool -s eth0 autoneg on

Example: Autonegotiation with 100Mbps full duplex advertisement only:

ethtool -s eth0 speed 100 duplex full autoneg on

3. Show flow control settings:

ethtool -a eth0

4. Change flow control settings:

Example: Turn off flow control

ethtool -A eth0 autoneg off rx off tx off

Example: Turn flow control autonegotiation on with tx and rx advertisement:

ethtool -A eth0 autoneg on rx on tx on

Note that this is only valid if speed is set to autonegotiation.

5. Show offload settings:

ethtool -k eth0

6. Change offload settings:

Example: Turn off TSO (TCP segmentation offload)

ethtool -K eth0 tso off

7. Get statistics:

ethtool -S eth0

8. Perform self-test:

ethtool -t eth0

Note that the interface (eth0) must be up to do all tests.

9. See ethtool man page for more options.
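Since ethtool settings do not survive a reboot, a startup script should verify them as well as apply them. The shell functions below are an added example, not part of Broadcom's notes: they parse the `ethtool eth0` output format referred to in item 1 and compare speed, duplex, auto-negotiation and link state with the intended values, and build the `ethtool -s` line for /etc/rc.local. `SAMPLE_ETHTOOL` is constructed output and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Because ethtool settings are lost
# on reboot or module reload, a boot script should both apply them and verify
# that the link came up as intended. ethtool_field/verify_ethtool_settings
# parse the "ethtool eth0" output format and compare it with the expected
# values; ethtool_settings_command builds the command for /etc/rc.local.
# SAMPLE_ETHTOOL below is constructed output, so the script runs without a NIC.

# Value of one "Label: value" line in `ethtool <iface>` output.
ethtool_field() {              # $1 = output text, $2 = label
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2: *//p" | head -n 1
}

# The ethtool -s line to put in a startup script for these settings.
ethtool_settings_command() {   # iface speed duplex autoneg
    printf 'ethtool -s %s speed %s duplex %s autoneg %s\n' "$1" "$2" "$3" "$4"
}

# Compare live output with the intended speed/duplex/autoneg and require link.
# Prints one line per mismatch; returns 0 only if everything matches.
verify_ethtool_settings() {    # output speed duplex autoneg
    out=$1 rc=0
    got=$(ethtool_field "$out" Speed | sed 's/Mb\/s$//')
    [ "$got" = "$2" ] || { echo "speed: want $2 got $got"; rc=1; }
    got=$(ethtool_field "$out" Duplex | tr 'A-Z' 'a-z')
    [ "$got" = "$3" ] || { echo "duplex: want $3 got $got"; rc=1; }
    got=$(ethtool_field "$out" Auto-negotiation)
    [ "$got" = "$4" ] || { echo "autoneg: want $4 got $got"; rc=1; }
    [ "$(ethtool_field "$out" 'Link detected')" = yes ] || { echo "link: not detected"; rc=1; }
    return $rc
}

# Constructed sample of `ethtool eth0` after "speed 100 duplex full autoneg on".
SAMPLE_ETHTOOL="Settings for eth0:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  100baseT/Full
        Advertised auto-negotiation: Yes
        Speed: 100Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 1
        Transceiver: internal
        Auto-negotiation: on
        Link detected: yes"

echo "# rc.local line:"; ethtool_settings_command eth0 100 full on
if verify_ethtool_settings "$SAMPLE_ETHTOOL" 100 full on; then
    echo "eth0 settings verified"
fi
# On a real host, replace the sample with: verify_ethtool_settings "$(ethtool eth0)" 100 full on
```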

Driver Defaults
===============

Speed :                    Autonegotiation with all speeds advertised

Flow control :             Autonegotiation with rx and tx advertised

MTU :                      1500 (range 46 – 9000)

Some chips do not support jumbo MTUs bigger than
1500

Rx Ring Size :              200 (range 0 – 511)

Some chips are fixed at 64

Rx Jumbo Ring Size :        100 (range 0 – 255)

Not all chips support the jumbo ring, and some
chips that support jumbo frames do not use the
jumbo ring.

Tx Ring Size :              511 (range (MAX_SKB_FRAGS+1) – 511)

MAX_SKB_FRAGS varies on different kernels and
different architectures. On a 2.6 kernel for
x86, MAX_SKB_FRAGS is 18.

Coalesce rx usecs :          20 (range 0 – 1023)

Coalesce rx usecs irq :      20 (range 0 – 255)

Coalesce rx frames :          5 (range 0 – 1023)

Coalesce rx frames irq :      5 (range 0 – 255)

Coalesce tx usecs :          72 (range 0 – 1023)

Coalesce tx usecs irq :      20 (range 0 – 255)

Coalesce tx frames :         53 (range 0 – 1023)

Coalesce tx frames irq :     5 (range 0 – 255)

Coalesce stats usecs   : 1000000 (approx. 1 sec.)

Some coalescing parameters are not used or have
different defaults on some chips

MSI :                      Enabled (if supported by the chip and passed
the interrupt test)

TSO :                      Enabled on newer chips that support TCP segmentation
offload in hardware.

Unloading and Removing Driver
=============================

To unload the driver, use ifconfig to bring down all eth# interfaces opened
by the driver, then do the following:

rmmod tg3

Note that on 2.6 kernels, it is not necessary to bring down the eth#
interfaces before unloading the driver module.

If the driver was installed using rpm, do the following to remove it:

rpm -e tg3

If the driver was installed using make install from the tar file, the driver
tg3.o (or tg3.ko) has to be manually deleted from the system. Refer
to the section “Installing Source RPM Package” for the location of the
installed driver.

Driver Messages
===============

The following are the most common sample messages that may be logged in the file
/var/log/messages. Use dmesg -n <level> to control the level at which messages
will appear on the console. Most systems are set to level 6 by default. To see
all messages, set the level higher.

Driver signon:
-------------

tg3.c:v3.53c (Mar 13, 2006)

NIC detected:
------------

eth0: Tigon3 [partno(BCM95704CA40) rev 2002 PHY(5704)] (PCI:66MHz:64-bit) 10/100/1000BaseT Ethernet 00:10:18:04:3e:64
eth0: RXcsums[1] LinkChgREG[0] MIirq[0] ASF[0] Split[0] WireSpeed[1] TSOcap[1]
eth0: dma_rwctrl[763f0000] dma_mask[64-bit]

Link up and speed indication:
----------------------------

tg3: eth0: Link is up at 1000 Mbps, full duplex.
tg3: eth0: Flow control is on for TX and on for RX.

Link down indication:
--------------------

tg3: eth0: Link is down.
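The link messages above are the ones worth watching in /var/log/messages. The script below is an added example, not part of Broadcom's notes: it extracts the tg3 link up/down events per interface from syslog lines and flags an interface that lost link more than a threshold number of times, which is how a flapping port or a duplex mismatch usually first shows up. `SAMPLE_LOG` is constructed from the message formats listed above; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Detection logic for the tg3 link
# messages: reads /var/log/messages-style lines, extracts link up/down events
# per interface, and flags an interface whose link dropped at least a threshold
# number of times. SAMPLE_LOG is constructed; on a real host feed the functions
# "$(grep 'tg3:' /var/log/messages)" instead.

# One event per line: "<iface> up <Mbps> <duplex>" or "<iface> down".
tg3_link_events() {
    printf '%s\n' "$1" | awk '
        /tg3: [^ ]+: Link is up at [0-9]+ Mbps/ {
            sub(/.*tg3: /, ""); iface = $1; sub(/:$/, "", iface)
            # $0 is now "eth0: Link is up at 1000 Mbps, full duplex."
            print iface, "up", $6, $8; next
        }
        /tg3: [^ ]+: Link is down/ {
            sub(/.*tg3: /, ""); iface = $1; sub(/:$/, "", iface)
            print iface, "down"
        }'
}

# Number of "Link is down" events for an interface.
tg3_link_downs() {             # log iface
    tg3_link_events "$1" | awk -v i="$2" '$1 == i && $2 == "down" { n++ } END { print n + 0 }'
}

# Most recent state for an interface ("eth0 up 1000 full", "eth0 down", or empty).
tg3_last_link() {              # log iface
    tg3_link_events "$1" | awk -v i="$2" '$1 == i { last = $0 } END { print last }'
}

# Succeeds when the interface went down at least $3 times.
tg3_link_flapping() {          # log iface threshold
    [ "$(tg3_link_downs "$1" "$2")" -ge "$3" ]
}

# Constructed sample, modelled on the "Driver Messages" section above.
SAMPLE_LOG="Mar 13 10:01:02 host kernel: tg3: eth0: Link is up at 1000 Mbps, full duplex.
Mar 13 10:01:02 host kernel: tg3: eth0: Flow control is on for TX and on for RX.
Mar 13 10:07:45 host kernel: tg3: eth0: Link is down.
Mar 13 10:07:49 host kernel: tg3: eth0: Link is up at 100 Mbps, half duplex.
Mar 13 10:08:10 host kernel: tg3: eth0: Link is down.
Mar 13 10:08:14 host kernel: tg3: eth0: Link is up at 1000 Mbps, full duplex.
Mar 13 10:09:00 host kernel: tg3: eth1: Link is up at 1000 Mbps, full duplex."

for iface in eth0 eth1; do
    echo "$iface: last state '$(tg3_last_link "$SAMPLE_LOG" $iface)', downs: $(tg3_link_downs "$SAMPLE_LOG" $iface)"
    if tg3_link_flapping "$SAMPLE_LOG" $iface 2; then
        echo "$iface: link flapping, check cable, switch port and duplex settings"
    fi
done
```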

-

How to setup dd-wrt on Buffalo WHR-g300n

Posted by aionman on Aug 29, 2009 in Networking

First Time Flashing instructions

Buffalo, unfortunately, encrypts their firmware, and their routers will accept only encrypted firmware in the web interface.

WHR-G300N is now only supported by dd-wrt V24-preSP2, created by BrainSlayer.

The first time you flash, the TFTP method can be used to bypass this 'encrypted' firmware requirement. Afterwards, the router firmware can be changed through the Web interface normally.

TFTP flashing

The latest DD-WRT build has a new, easy, and safe way to flash a WHR-G300N router. To do this, just Tftp_flash the firmware.tftp image to 192.168.11.1 in the 1st three seconds of booting when the router is in recovery mode.

The trick with this router is to wait for the blinking red light to stop and then start the tftp transfer. Be ready to press enter the very moment the red diag light stops blinking.
UPDATE:

There is a more convenient way to flash the firmware:

Every time the router boots it looks for a file called "firmware.ram" on a tftp server at 192.168.11.2. Now if you start a tftp server (e.g. TFTP32) and offer this file (simply rename firmware.tftp), the router fetches it automatically and flashes itself. This way you don't have to try to hit enter at the right time and it's fully automatic.

-

Setup SSL VPN

Posted by aionman on Jun 29, 2009 in Networking

Basic network diagram

Even if your boss is away on business in China, he can connect back to the company over SSL VPN to get at internal data, and even get around the blocking of the Great Firewall by browsing news and related sites normally through the Hong Kong line. Some might ask why not just use PPTP VPN; personally I find PPTP less convenient than people imagine, especially for ordinary users: just locating the connection settings is a certain amount of complexity, and on top of that you cannot predict whether the network you happen to be on will let PPTP packets through.

As for enabling it, the setup is simple too; remember three main principles:
● VPN user and group settings
● Firewall policy settings
● Routing settings

As usual, this example uses an FG60B (FortiOS 3.0 MR7):

1) Go to VPN -> SSL and enable SSL VPN. Referring to the network diagram above, set the Tunnel IP range to "192.168.254.1 to 192.168.254.50".

Because I assume the internal network is a domain environment, the DNS and WINS Server fields in the advanced settings both point to the AD host's IP. In practice, if the company also has a domain environment, I strongly recommend configuring these the same as the internal network; Network Neighborhood connections will give fewer problems that way.
Enable SSL VPN

2) Go to User -> Local and add a user.
Add user

This example creates a user "sslvpn" on the local device. Remember... set a password!
Add the sslvpn user

3) Go to User Groups -> add a group.
Add group

The group created in the example is named "SSLVPN_GP", with the SSL VPN Tunnel IP range set the same as before, "192.168.254.1 to 192.168.254.50". Note! The Type must be "SSL_VPN", and the account "sslvpn" created earlier must be selected into Members.

For what the other options do, anyone interested can consult the vendor documentation: SSL VPN User Guide 3.0 MR7
Create the SSLVPN_GP group and add the user

4) Go to Firewall -> Policy and add the relevant policies. Based on the network diagram at the top and the likely uses, VPN clients and the internal network must be able to talk to each other, and VPN clients must be able to reach the Internet through this device. So the following policies must be added:

● Wan1 -> Internal. Note! The "Action" type must be "SSL-VPN", and the "SSLVPN_GP" group must be allowed to use SSL VPN.

In fact this policy is the one that decides whether users can reach and log in over https at all; without it there is nothing further to discuss.
Create the Wan 1 to Internal SSL VPN login

● Internal -> ssl.root. "ssl.root" is the network location of the SSL VPN, so for the internal network to reach resources on VPN clients, the corresponding policy must be created.
Create the policy from internal to the VPN side

● ssl.root -> Internal. This one... needs no special explanation...
Create the policy from the VPN side to internal
Create the policy from the VPN side to the outside

● ssl.root -> Wan 1. The thing to watch here is that SSL VPN clients need to reach the Internet through the Fortigate once dialled in, so be sure to tick "NAT"; otherwise you can just stay in your own little circle on the internal network.

When done, apart from the pre-existing "Internal -> wan 1", a total of four policies have been added. Policy overview

5) Go to Router -> Static and add a static route. Since the SSL VPN Tunnel IP Range in the example is 192.168.254.[1-50], I simply set "192.168.254.0/255.255.255.0". Note! Remember to select "ssl.root" for the Device.

You can leave this out if you like; you will just find that nothing can talk to each other once connected.
Add route

That completes all the settings.

Next, testing. First confirm the Fortigate's external IP and the SSL VPN Login Port.
The default SSL VPN login port is 10443

Then enter "https://external-ip:10443" and you will see the login page. Remember to include "https" and the port number, otherwise you will never connect.
SSL VPN login page

On a first login, a prompt to install ActiveX should appear after logging in. If you want to connect to the SSL VPN, just install it!
Install ActiveX

A successful connection shows messages like the two screenshots below.
fortissl connected successfully
Connection message page

Great, right? Completing an SSL VPN connection through an HTTPS web login means that as long as your computer can get online, it can easily connect back to the company.

Yes~~ close that page and the VPN drops with it... /=.=/

So I strongly recommend downloading the SSL VPN dial-up client from the Fortinet technical support site (registered users only).
SSL VPN Client software for each version

Dialling in is even simpler: as long as the default SSL VPN Login Port has not been changed (the default is 10443), you only enter the IP, not even the port number, then type the account and password, choose "Connect", and you are on the SSL VPN!
SSL VPN Client dial-up screen

Even if you accidentally click the "X", it just minimizes to the tray in the lower right.
Minimized to the tray

The steps above really are a quick setup, so the policies' Source and Destination Address are all set to "all", and not even a Protection Profile has been added.

If you are reasonably familiar with the Fortigate, I still recommend taking the time to configure the relevant protection properly; otherwise it will be a headache the day someone has a field day with it.

Next time we will discuss "how to split the VPN tunnel", i.e. only the VPN client's traffic bound for the company's internal network goes through the VPN tunnel while everything else still uses the original external line. Surely nobody wants the boss, on a visit to the Netherlands looking at the window girls of the red-light district, to have to go through a Fortigate half a world away to look something up on the Internet!?

Related reference documents:
Fortinet Knowledge Center – SSL VPN User Guide (Simplified Chinese edition)


-

Setup Fortigate Site to Site IPSEC VPN

Posted by aionman on Jun 28, 2009 in Networking

Quick setup of a Fortigate Site to Site IPSEC VPN

Basic network diagram

First a brief description of the test network, otherwise the illustrations that follow will be a blur:

Z1 Network – 192.168.123.0/24
Fortigate 60 device (FortiOS v4.0.1 beta)
WAN IP: 123.123.123.123
LAN IP: 192.168.123.254

Z2 Network – 192.168.1.0/24
Fortigate 60B device (FortiOS v3.0 MR7)
WAN IP: domain.dyndns.org (the external side uses PPPoE without a fixed IP, so a free dyndns.org service was registered so that the two ends can connect at any time)
LAN IP: 192.168.1.252

Naturally, we start with the FG60 in zone Z1:
1) Set up the FG60's IPSEC key. Go to VPN -> IPSec and choose "Create Phase 1".

For clarity later on, I suggest naming it "Z1toZ2_Tunnel" as in the figure below; the advanced part can be left at its defaults. But a few points need attention:
a. Because the Z2 Fortigate has a dynamic external IP, choose "Dynamic DNS" mode for Remote Gateway and enter Z2's external DDNS name in the "Dynamic DNS" field.
b. "Local Interface" is a setting that is easy to misread; choose the interface on the Fortigate through which the VPN connects out. In this example that is "wan1".
c. The "Pre-shared Key" must be at least three characters. The example uses "123456"; the device at the other end will need the same key to communicate.

After creating "IPSEC Phase 1", add "Phase 2".

Referring to the figure below, name "Phase 2" "Z1toZ2_phase2" and remember to select the "Z1toZ2_Tunnel" configured in phase 1; the advanced part can be left at its defaults. (I did say this was a quick setup /xd/)

The completed Z1 IPSEC setup is shown in the figure.

2) Go to Firewall -> Address and add two IP subnets.
Referring to the figure below, add the Z1 (192.168.123.0/255.255.255.0) and Z2 (192.168.1.0/255.255.255.0) IPs respectively.

3) Go to Firewall -> Policy and add an Internal -> Wan1 policy.
Since this is the Z1 to Z2 setup, the Source Address must of course be Z1's IP Address and the Destination Address Z2's IP Address. Take particular care to set the Action to "IPSEC" and the VPN Tunnel to the "Z1toZ2_Tunnel" created earlier.

If, after creating the policy, it is ordered after "all to all" as in the figure below, move it in front.

If all the steps above were done properly, the Z1 end is finished, which is half the job!

Now over to the FG60B in Z2. The steps below are almost identical to the Z1 setup.
1) Go to VPN -> IPSEC and add the FG60B's IPSEC key. Again add Phase 1 first, named "Z2toZ1_Tunnel". Points to note:
a. Z1 has a fixed external IP, so choose "Static IP Address" mode for the Remote Gateway and enter Z1's external IP "123.123.123.123" in the "IP Address" field.
b. For "Local Interface" choose the "wan1" interface.
c. The "Pre-shared Key" must match the IPSEC setting on the Z1 end, so enter "123456".

Add Phase 2. No more words; the picture tells the story.

Z2 IPSEC setup complete.

2) Go to Firewall -> Address and add the two IP subnets. Same as on the Z1 end.

3) Go to Firewall -> Policy and add an Internal -> Wan1 policy.
This is now the Z2 to Z1 setup, so the Source Address must be Z2's IP Address and the Destination Address Z1's IP Address; don't lose track of which side you are configuring. Don't forget to set the Action to "IPSEC" and the VPN Tunnel to "Z2toZ1_Tunnel".

All done!

Of course, as usual, pictures or it didn't happen. Pinging the Z2 FG60B directly from a computer on the Z1 side shows it is already reachable. You will notice, though, that the first ping seems to pause for about 1 to 1.5 seconds.

This is because by default the IPSEC VPN does not bring the connection up on its own; it only starts connecting when the Fortigate sees that something inside needs it (does that count as saving energy?), and it even tears the VPN down automatically once both sides have had no traffic for a certain time.

To fix this, go to the advanced options of the IPSEC phase 2 settings and tick "Autokey Keep Alive". You will also see here that "keylife" defaults to changing the key every 30 minutes; if "Autokey Keep Alive" is not ticked and there is no traffic, the device stops the VPN connection at that point. You can change it to an hour or even a day if you like, depending on your security considerations; after all the IPSEC VPN runs over the Internet, and the longer the "keylife", the more chance a determined attacker has to break it.

Studied seriously, the settings above are not really hard; the hard part is that the vendor's own guide, the IPSec VPN User Guide, has no screenshots, which makes it somewhat hard to follow. Still, almost every application a typical enterprise would think of appears in the document, such as Redundant VPN, Hub and spoke topologies and so on. If you have the resources, I suggest printing it out to read; it is easier to pick out the key points that way.

As for whether Site to Site IPSEC VPN is limited to Fortigate devices, not at all! (It would be pretty petty if even this were locked in...) The vendor's Knowledge Center also provides connection documents for other major vendors' devices such as ZyXEL ZyWALL, SonicWall and Cisco PIX, and even Microsoft ISA Server (see the IPSec VPN interoperability page of the Fortinet Knowledge Center); anyone who needs them can look them up online!


Copyright © 2017 IT Support Blog All rights reserved. Theme by Laptop Geek.