Sam Hartman (hartmans) wrote,

New Router (including IPSec configuration)

Last spring I wrote about my IPsec configuration. At that time, I was using a laptop as a router. Since then I've purchased a Soekris Net 4801 as a router. In some ways it is a bit overkill: it has seven ethernet ports, and I need two. It was really easy to configure, though: I dropped a CF card in my laptop, ran debootstrap, installed some packages and copied over config files. I put the CF card on the board and booted. Of course I had managed to get something wrong (I failed to create /dev/console), so I had to repeat once or twice, but that was all because I didn't understand aspects of the etch installer and I was cutting corners. I did run into trouble trying to configure grub to boot off a drive that would end up being the first BIOS drive but was not the first BIOS drive on the system where it was installed.

One problem: the 2.2-based Openswan (including the one now in sarge) does not work well. I'm using the openswan 2.3.0-2 previously in unstable, and it works well enough.

Here are my router configuration files. Let me know if I left anything out that is needed. The ipsec-nat script should be run after IPsec comes up. Most traffic goes through IPsec except for ports 80, 443 and 22. There is also support for machines that are always NATed; I use that for Windows machines, particularly Windows machines that may generate a lot of game traffic.

There are several improvements I'm considering. I'm considering dedicating an ethernet port to the wireless AP and bridging to that port. The bridge iptables support would allow me to have better control over what can be done on the wireless side. I would like to have better support for mobility of my laptop and maintaining the same address. I'm also considering adding a second tunnel to MIT.
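The split described above (most LAN traffic into the tunnel, ports 22/80/443 and a few fixed hosts NATed straight out) can be done with fwmark-based policy routing plus a mark-conditioned MASQUERADE rule. The script below is an added example written for this page; it is not Sam Hartman's ipsec-nat script, and the interface names, the LAN range, the upstream gateway (a documentation address), the always-NAT host list and the routing table number are all assumptions. It also assumes a KLIPS-style setup in which the tunnel is reached through a route in the main table (for example via ipsec0), so that diverting a packet to a second table with a plain default route is enough to keep it out of the tunnel. Bypassed packets are masqueraded so their source no longer falls inside the tunnel's selector; tunnelled packets keep their LAN source and are never rewritten.

```shell
#!/bin/sh
# ipsec-nat (added example, not the original script): send most LAN traffic
# through the IPsec tunnel, but route a few TCP ports and a few hosts out the
# external interface in the clear, masqueraded. Run after the tunnel is up.
# Interfaces, addresses, host list and table number are assumptions.

EXT_IF="${EXT_IF:-eth0}"                     # upstream (ISP) side
LAN_IF="${LAN_IF:-eth1}"                     # internal LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"         # assumed LAN range
EXT_GW="${EXT_GW:-203.0.113.1}"              # assumed upstream gateway
BYPASS_PORTS="${BYPASS_PORTS:-22,80,443}"    # ssh, http, https skip the tunnel
ALWAYS_NAT="${ALWAYS_NAT:-192.168.1.50 192.168.1.51}"  # assumed Windows boxes
MARK=1                                       # fwmark for "do not tunnel"
TABLE=100                                    # routing table for marked packets
DRY_RUN="${DRY_RUN:-0}"                      # 1 = print commands, do not run

# Execute a command, or print it when DRY_RUN=1 so the rule set can be reviewed
# (and tested) on a machine without iptables or root.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ipsec_nat_rules() {
    # Table TABLE holds only a clear-text default route. Marked packets are
    # looked up here instead of the main table, whose default route points
    # into the tunnel.
    run ip route replace default via "$EXT_GW" dev "$EXT_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"

    # Mark in mangle/PREROUTING, before the routing decision, so the ip rule
    # above sees the mark: ssh/web from anywhere on the LAN ...
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -p tcp -m multiport --dports "$BYPASS_PORTS" -j MARK --set-mark "$MARK"

    # ... and everything from the always-NATed hosts, whatever the port.
    for h in $ALWAYS_NAT; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$h" \
            -j MARK --set-mark "$MARK"
    done

    # Only marked packets leaving EXT_IF are masqueraded. Tunnelled traffic
    # keeps its LAN source address, so it still matches the IPsec selector.
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -m mark --mark "$MARK" \
        -j MASQUERADE

    # Let replies to the bypassed flows back in; conntrack undoes the NAT.
    run iptables -A FORWARD -i "$EXT_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Apply only when asked, so sourcing the file for review has no side effects.
# Usage: IPSEC_NAT_APPLY=1 sh ipsec-nat          (apply)
#        IPSEC_NAT_APPLY=1 DRY_RUN=1 sh ipsec-nat (print the commands)
if [ "${IPSEC_NAT_APPLY:-0}" = "1" ]; then
    ipsec_nat_rules
fi
```

One check worth doing after applying this: from a LAN host, confirm with tcpdump on the external interface that a connection to port 443 leaves as plain TCP from the router's address, while a connection to some other port leaves only as ESP. If port-443 traffic still shows up as ESP, the main table is not where the tunnel route lives on your setup (NETKEY installs xfrm policies instead of routes), and the mark/route trick alone will not divert it.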
Tags: hack
