Show Posts



Topics - jbo5112

1
I'm trying to run a Zentyal-to-Zentyal tunnel that will connect two different LANs, where both Zentyal servers (v3.0 & v2.2) are acting as routers.  The tunnel is up and running, and the Zentyal servers can talk to each other just fine.  However, they do not route the LAN traffic across the tunnel.  The Zentyal server running v2.2 is at our data center, and hosting the VPN.  The v3.0 server is at a software development office, and runs a client.  I can only get it half-way working.

Server 1 (data center - Zentyal 2.2)
LAN IP: 192.168.1.1
VPN IP: 192.168.250.1
Advertised network: 192.168.1.0/24

Server 2 (dev office - Zentyal 3.0)
LAN IP: 192.168.2.1
VPN IP: 192.168.250.2

I've added the code to the firewall.postservice hook on each of the services.
Code:
iptables -t nat -A POSTROUTING -o <vpn-interface> -j MASQUERADE
The 192.168.1.x network can ping anything on the 192.168.2.x network, including Server 2's IP address for another VPN (192.168.122.1).  Server 2 can ping anything on the 192.168.1.x network.  Anything on the 192.168.2.x network can ping 192.168.250.1, but not the 192.168.1.x network.  If I disable the rule on Server 1 and reboot the server, then computers on 192.168.2.x can ping servers on the 192.168.1.x network, but it obviously disables the 192.168.1.x network pinging servers on the 192.168.2.x network, except I think Server 1 itself can ping 192.168.2.x.  Just deleting the rule or restarting the firewall doesn't seem to work.  I think restarting the VPN on Server 1 might fix it, once the rule is removed, but I don't remember.  I'd like to get this sorted out so I can sync a demo and development database.

*updated Server information*
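For comparison with the MASQUERADE approach in the post above, here is a routed (NAT-free) OpenVPN site-to-site layout as an added example; it is not the poster's code and not the configuration Zentyal generates. Zentyal's "Advertised network" corresponds to the `push "route ..."` line; the `route`/`iroute` pair is what lets the server side send the dev-office LAN into Server 2's tunnel session without rewriting source addresses. Assumed (hypothetical): tun0 as the VPN interface, eth1 as the LAN interface, "server2" as the CN of Server 2's client certificate, and `$OUT` in place of /etc/openvpn so the script runs unprivileged.

```sh
#!/bin/sh
# Added example: routed OpenVPN site-to-site layout for the two LANs in the post.
# Not Zentyal's generated config and not the poster's code. Assumed (hypothetical):
# VPN interface tun0, LAN interface eth1, Server 2's certificate CN "server2", and
# files written under $OUT instead of /etc/openvpn.
set -eu

OUT="${OUT:-$(mktemp -d)}"
SERVER_LAN=192.168.1.0/24    # behind Server 1 (data center)
CLIENT_LAN=192.168.2.0/24    # behind Server 2 (dev office)
CLIENT_CN=server2            # assumed CN of Server 2's client certificate

# cidr_to_mask 192.168.2.0/24 -> "192.168.2.0 255.255.255.0" (OpenVPN's route syntax)
cidr_to_mask() {
    net=${1%/*}; bits=${1#*/}
    m=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    printf '%s %d.%d.%d.%d' "$net" $(( m >> 24 & 255 )) $(( m >> 16 & 255 )) \
        $(( m >> 8 & 255 )) $(( m & 255 ))
}

# write_server_conf -> Server 1 side: the kernel route into the tunnel, the
# client-config-dir entry whose iroute maps the dev-office LAN to Server 2's
# session, and the push every client needs to reach the data-center LAN.
write_server_conf() {
    mkdir -p "$OUT/ccd"
    cat >"$OUT/server.conf" <<EOF
# kernel route: packets for $CLIENT_LAN go into the tunnel
route $(cidr_to_mask "$CLIENT_LAN")
# OpenVPN-internal route: which client session owns $CLIENT_LAN (see ccd/$CLIENT_CN)
client-config-dir $OUT/ccd
# hand every client a route to the data-center LAN
push "route $(cidr_to_mask "$SERVER_LAN")"
EOF
    printf 'iroute %s\n' "$(cidr_to_mask "$CLIENT_LAN")" >"$OUT/ccd/$CLIENT_CN"
}

# forward_rules VPN_IF LAN_IF LOCAL_LAN REMOTE_LAN -> filter rules for the
# firewall.postservice hook on one server. With route/iroute in place no
# MASQUERADE is needed on the tunnel interface, so hosts on both LANs see each
# other's real source addresses. Run with the LANs swapped on the other server.
forward_rules() {
    cat <<EOF
iptables -A FORWARD -i $2 -o $1 -s $3 -d $4 -j ACCEPT
iptables -A FORWARD -i $1 -o $2 -s $4 -d $3 -j ACCEPT
EOF
}

write_server_conf
echo "wrote $OUT/server.conf and $OUT/ccd/$CLIENT_CN; Server 1 firewall rules:"
forward_rules tun0 eth1 "$SERVER_LAN" "$CLIENT_LAN"
```

On Server 2 the same `forward_rules` call is made with the LANs swapped (`forward_rules tun0 eth1 192.168.2.0/24 192.168.1.0/24`); the pushed route is enough for its LAN because Server 2 is already that LAN's default router.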

2
Installation and Upgrades / CA Certificate still 1024-bit?
« on: April 03, 2013, 12:54:56 am »
Am I looking at (or doing) something wrong, or is the CA Certificate still 1024-bit in Zentyal 3.0?

I posted something about this being a security issue with version 2.2, and was told the size was being increased with the next version.  I patched the CA.pm file (/usr/share/perl5/EBox/CA.pm) with a single line of code (between 2070 and 2071), and it's now generating all RSA-4096 certificates (until the file reverts).  If it really is still 1024-bit, it would be nice if some fix would make it into the official code and get rolled out with the next update of the web-ui.

I forget how to generate an actual patch.  This should be close enough for a human, but if someone wants it, I'll do the work for a real patch file.
Code:
         $cmd .= qq{-keyout '$args{privKey}' };
+        $cmd .= ' -newkey rsa:4096 ';
         if (defined($args{keyPassword})) {
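Review bot: the inserted `$cmd .= ' -newkey rsa:4096 ';` hardcodes the key size into CA.pm; it would be better taken from a configuration value or a new argument such as `$args{keySize}` (hypothetical name) with 4096 as the default, so the next package update can carry it without anyone editing the file by hand. Two things to confirm before turning this into a real patch: that `$cmd` does not already carry a `-newkey` or `-key` option earlier in the function (only the `-keyout` line is shown as context, so the snippet cannot tell), and that the existing CA certificate is regenerated afterwards, since this line only changes keys generated from now on.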

3
Installation and Upgrades / Help Configuring IPsec
« on: November 20, 2012, 01:55:12 am »
I have a production server running Zentyal 2.2 (server #1) in our data center, and a development system running Zentyal 3.0 (server #2) at home, both of them acting as routers connected to the Internet.  I'm trying to connect the two LAN segments with IPsec, but I can't get the two to properly connect.  I can't find a good Zentyal IPsec tutorial anywhere, so I've changed my IP addresses into something that would hopefully make a good tutorial (and show up on Google searches for years).

Server #1
Code:
    Public IP: 1.1.1.1
    LAN Subnet: 10.1.1.0/24
    LAN IP: 10.1.1.1

Server #2
Code:
    Public IP: 2.2.2.2
    LAN Subnet: 10.2.2.0/26
    LAN IP: 10.2.2.1

Here is my current, broken configuration.  If this configuration looks a bit odd (or impossible), I've tried so many variations that at one point I actually disabled some of the form checking built into Zentyal 3.0, and no longer remember what I've done.

Server #1 General Configuration
Code:
    Local IP Address: 1.1.1.1
    Local Subnet 10.1.1.0/24
    Remote IP Address: 2.2.2.2
    Remote Subnet: 10.2.2.0/26
    PSK Shared Secret: mypassword

Server #2 General Configuration
Code:
    Local IP Address: 2.2.2.2
    Local Subnet 10.2.2.0/26
    Remote IP Address: 1.1.1.1
    Remote Subnet: 10.1.1.0/24
    PSK Shared Secret: mypassword

Server #1 & #2 Authentication Configuration (identical)
Code:
Phase 1
    IKE Encryption: AES-256
    IKE Authentication: SHA-1
    IKE Keylife: 28800

Phase 2
    ESP Encryption: AES-256
    ESP Authentication: SHA-1
    ESP DH Group: 14
    ESP Keylife: 3600
    Enable PFS: checked

Last log entry for VPN on Server #1:
Code:
#6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xc343bce8 <0x169a9575 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Last log entries for VPN on Server #2:
Code:
#2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x169a9575 <0xc343bce8 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
#1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x1bcd7f84) not found (maybe expired)
#1: received and ignored informational message

I'm not sure what is wrong.  Any advice?  I don't want to switch to using 15 different OpenVPN connections, mostly inside of overcrowded virtual machines, but at least I can make that work.  IPsec looks like it should be fairly simple to configure, but this is my second failed attempt.  Would the fact that I'm running DHCP on my WAN interface for Server #2 be a problem?  It only changes every few months or longer, and I won't mind updating the config.
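The log lines in the post above show Phase 2 SAs established on both ends, so the two checks a practitioner would run next are whether the kernel actually holds the IPsec policies for the LAN pair, and whether the WAN-side MASQUERADE rewrites LAN-to-LAN packets before ESP encapsulation. Both are given below as an added example; it is not the poster's configuration and not Zentyal's IPsec module. Assumed (hypothetical): Openswan on the NETKEY (kernel XFRM) stack, eth0 as the WAN interface, the subnets from the post, and a constructed sample of `ip xfrm policy` output in place of the real command.

```sh
#!/bin/sh
# Added example, not from the post and not Zentyal's IPsec module: two checks for
# a tunnel whose Phase 2 SAs show as established but which carries no LAN traffic.
# Assumed (hypothetical): Openswan on the NETKEY (XFRM) stack, eth0 as the WAN
# interface, subnets from the post; the sample `ip xfrm policy` output is constructed.
set -eu

LOCAL_LAN=10.1.1.0/24     # Server #1's LAN
REMOTE_LAN=10.2.2.0/26    # Server #2's LAN

# xfrm_dirs LOCAL REMOTE  (reads `ip xfrm policy` output on stdin)
# -> prints the policy directions installed for that pair, sorted. A working
#    tunnel has all three ("fwd in out"); an empty result means the kernel has
#    no policy for the pair even though pluto reported the SA as established.
xfrm_dirs() {
    awk -v l="$1" -v r="$2" '
        $1 == "src" { src = $2; dst = $4 }
        $1 == "dir" && ((src == l && dst == r) || (src == r && dst == l)) { found[$2] = 1 }
        END { for (d in found) print d }' | sort | paste -s -d ' '
}

# nat_exempt_rules LOCAL REMOTE WAN_IF -> nat rules for the firewall.postservice
# hook. On NETKEY the POSTROUTING MASQUERADE for the WAN interface sees the
# LAN-to-LAN packet *before* ESP encapsulation, so its source becomes the public
# IP and no longer matches the IPsec policy. These rules are inserted (-I) ahead
# of the masquerade so that traffic is left alone: the first by policy match,
# the second by subnet pair for kernels without the xt_policy module.
nat_exempt_rules() {
    cat <<EOF
iptables -t nat -I POSTROUTING -o $3 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -I POSTROUTING -o $3 -s $1 -d $2 -j ACCEPT
EOF
}

# Constructed sample: what `ip xfrm policy` prints on Server #1 once pluto has
# installed the connection (addresses taken from the post).
SAMPLE_XFRM_POLICY='src 10.1.1.0/24 dst 10.2.2.0/26
    dir out priority 2344 ptype main
    tmpl src 1.1.1.1 dst 2.2.2.2
        proto esp reqid 16385 mode tunnel
src 10.2.2.0/26 dst 10.1.1.0/24
    dir fwd priority 2344 ptype main
    tmpl src 2.2.2.2 dst 1.1.1.1
        proto esp reqid 16385 mode tunnel
src 10.2.2.0/26 dst 10.1.1.0/24
    dir in priority 2344 ptype main
    tmpl src 2.2.2.2 dst 1.1.1.1
        proto esp reqid 16385 mode tunnel'

echo "policies for $LOCAL_LAN <-> $REMOTE_LAN (sample): $(printf '%s\n' "$SAMPLE_XFRM_POLICY" | xfrm_dirs "$LOCAL_LAN" "$REMOTE_LAN")"
echo "on the real box run:  ip xfrm policy | xfrm_dirs $LOCAL_LAN $REMOTE_LAN"
echo "nat exemption for Server #1:"
nat_exempt_rules "$LOCAL_LAN" "$REMOTE_LAN" eth0
```

On Server #2 the same call is made with the subnets swapped. The exemption must sit above the MASQUERADE rule in `nat POSTROUTING`, which is why `-I` rather than `-A` is used.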

4
Installation and Upgrades / Custom OpenVPN Configuration
« on: March 23, 2012, 04:52:42 am »
I'm trying to add some custom lines of configuration and a couple of line edits to my OpenVPN configuration file on the server, but every time I restart the OpenVPN service ("/etc/init.d/zentyal openvpn restart" or system reboot), it overwrites my custom configuration.  I could go through the code, and after a lot of reading and searching, disable the code that is overwriting my configuration.  However, those changes are likely to be undone by a system update, leaving me where I was before, except with a second level of changes being overwritten less often.  Overwriting config files seems to be terribly wrong behavior for a service restart, especially if the permissions on the file are "-r--------".

Is there any way I can fix this problem of Zentyal breaking my configuration?  I thought I once saw an option that I turned off for Zentyal overwriting config files, but I can't find it anymore.   Should I just be spending forever rolling my own services from Ubuntu Server?  I like Zentyal except for a few places where I'm not given enough options (e.g. setting the numeric uid or gid requires separate LDAP software), the security currently being a little weak, and the interface being kinda slow (but faster than looking up howtos for everything).

5
Installation and Upgrades / Reset LDAP database
« on: December 20, 2011, 07:05:57 am »
Is there any way to reset the LDAP database?  I have moved the server from a development site to put it into production.  I would just edit everything, but the base DN isn't correct for the new location.  I've tried correcting the root DN by using JXplorer to export everything to an LDIF file that has a new root DN, but I get an error when importing.

There isn't much worthwhile stored in the LDAP database, so I figured resetting it would be the easiest and cleanest thing to do, if I can find out how.  Removing and re-installing the module doesn't affect the LDAP database.  If I go in with an LDAP browser like JXplorer or Apache Directory Studio and delete everything, will that trigger Zentyal to rebuild the default database?  Will that also fix the files under /etc/ that store the old base DN?

6
Installation and Upgrades / Longer Certificate Keys than RSA-1024?
« on: November 23, 2011, 01:23:38 am »
I'm trying to set up a VPN on my new Zentyal system, but I don't see how to generate keys longer than RSA-1024.  I'm not sure why the default is this low either.  People are already finding ways to crack RSA-1024 with theoretical custom hardware (pdf) or with actual exploits on hardware vulnerabilities.  I've seen recommendations to move to 2048 bit or more for at least a couple of years.

Can someone tell me how to generate 2048- or (preferably) 4096-bit keys, without dropping to a terminal window and doing something Zentyal might not recognize?
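Both key-size posts on this page (the CA.pm patch adding `-newkey rsa:4096` above, and this RSA-1024 question) come down to two operations: generating a CA with a larger RSA key, and checking what key size a certificate really carries. The following is an added example with plain openssl; it is not the poster's patch and not Zentyal's CA module. Assumed (hypothetical): files are written under `$WORK`; the location of Zentyal's own CA certificate is not given in the posts, so pass the real path to `key_bits` yourself.

```sh
#!/bin/sh
# Added example, not from the posts and not Zentyal's CA module: build a CA with a
# 4096-bit RSA key using plain openssl, and report the key size of any certificate
# so you can confirm what a server actually issued. $WORK is a hypothetical
# scratch directory; Zentyal's real CA paths are not assumed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# key_bits CERT -> prints the RSA key size found in the certificate (e.g. 4096).
# Works on the "Public-Key: (N bit)" line of `openssl x509 -text`, which OpenSSL
# 1.0, 1.1 (prefixed "RSA ") and 3.x all print.
key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# check_min_bits CERT MIN -> exit 0 if the key is at least MIN bits, 1 otherwise
check_min_bits() {
    bits=$(key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$2" ]
}

# make_ca NAME BITS -> self-signed CA certificate + private key under $WORK;
# prints the certificate path. "-newkey rsa:BITS" is the same switch the CA.pm
# patch appends to its openssl command.
make_ca() {
    openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days 3650 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
    chmod 400 "$WORK/$1.key"
    printf '%s\n' "$WORK/$1.crt"
}

ca=$(make_ca demo-ca 4096)
echo "$ca: $(key_bits "$ca") bit"
check_min_bits "$ca" 2048 && echo "OK: meets the 2048-bit minimum"
```

To audit an existing installation, run `key_bits` against the CA certificate and a couple of issued certificates; a CA regenerated with a large key still leaves previously issued 1024-bit certificates in circulation until they are reissued.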
