IPSec Road Warrior Strongswan 5.8 IKEv2 swanctl Mikrotik RSA Auth

paranoids

Hi,
here my Strongswan road-warrior config using Archlinux

/etc/swanctl/conf.d/somename.conf

connections {	
	somename {
		local_addrs  = %any
		remote_addrs = gw.domain.tld
		vips = %any
		version = 2
		proposals = aes256-sha256-modp2048
		dpd_timeout=120s
		rekey_time=1d
      
		local {
			auth = pubkey
			certs = cert_export_work_crt.pem
			id = "work@gw.domain.tld"
		}
		remote {
			auth = pubkey
			id = "CN=gw.domain.tld"
		}
		children {
			somename {
				#start_action = start
				remote_ts = 192.168.223.0/24
				esp_proposals = aes256-sha256-modp2048
				dpd_action=start
				life_time=8h
			}
		}
	}
}

secrets {
	rsa-somename {
		file = cert_export_work_private.pem
	}
}

Save your private key to

/etc/swanctl/private/cert_export_work_private.pem

Save your certificate to

/etc/swanctl/x509/cert_export_work_crt.pem

Save your ca-certificate to

/etc/swanctl/x509ca/cert_export_ca.pem

Start and stop your vpn connection via

systemctl restart strongswan

swanctl --initiate --child somename

swanctl --terminate --child somename

Have fun!

install kimai2 into subdirectory serve via nginx and php-fpm

paranoids

Hi, here the config section of nginx

location /kimai2 {
     index index.php;
     alias /srv/http/kimai2/public;
     try_files $uri $uri/ @kimai2;
     location ~ .php$ {
         fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
         fastcgi_index index.php;
         include fastcgi.conf;
         fastcgi_param SCRIPT_FILENAME $request_filename;
     }
 }
 location @kimai2 {
     rewrite /kimai2/(.*)$ /kimai2/index.php?/$1 last;
 }
 location /build {
     alias /srv/http/kimai2/public/build;
 }

Have fun!

ubuntu 18.04 netplan source routing

paranoids

Hi

Here a source routing example if you have multiple networks connected on your linux host and want every ip address reachable on the internet.

network:
   version: 2
   renderer: networkd
   ethernets:
     ens3:
       dhcp4: no
       dhcp6: no
       accept-ra: no
       addresses: [81.94.xx.xx/28, "2a01:xxx:xxxx:xx::xx/64"]
       gateway4: 81.94.xx.xx
       gateway6: 2a01:xxx:xxxx:xx::x
       nameservers:
         addresses: [1.0.0.1]
     ens6:
       dhcp4: no
       dhcp6: no
       accept-ra: no
       addresses: [195.16.xxx.111/25]
       routes:
         - to: 195.16.xxx.x/25
           via: 195.16.xxx.gw
           table: 102
         - to: 0.0.0.0/0
           via: 195.16.xxx.gw
           table: 102
       routing-policy:
         - from: 195.16.xxx.111
           table: 102
         - to: 195.16.xxx.111
           table: 102

Have fun!

freeradius 3.0 ubuntu 18.04 with daloradius mikrotik ikev2 eap-radius wireless

paranoids

Hi

First of all setup your favorite php sql webserver 

apt install php-db php-gd git freeradius freeradius-mysql
cd /var/www/web001/htdocs 
git clone https://github.com/lirantal/daloradius.git

We have to import the freeradius 3.0 mysql schema first. Daloradius does only have freeradius 2.0 compatible sql schemas.

cat /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql | mysql -u radius -p radius

Now we import the daloradius sql schema without freeradius 2.0 sql schemas

cat /var/www/web001/htdocs/daloradius/contrib/db/mysql-daloradius.sql | mysql -u radius -p radius

here my freeradius mysql setup

cd /etc/freeradius/3.0/mods-enabled
ln -s ../mods-available/sql

vim sql

driver = "rlm_sql_mysql"
dialect = "mysql"
server = "localhost"
port = 3306
login = "radius"
password = "abcdefg"
radius_db = "radius"
read_clients = yes

here my changes to eap (eap for authenticating mikrotik wireless via wpa2 enterprise and mikrotik ikev2 eap radius)

vim /etc/freeradius/3.0/mods-enabled/eap

eap {
...
#ikev2 eap radius
default_eap_type = peap
...
}
tls-config tls-common {
private_key_file =  path_to_your_ssl_private_key
certificate_file = path_to_your_ssl_certificate
ca_file = path_to_your_ssl_cabundle
}

I use rapidssl server certificate.

https://support.microsoft.com/en-ph/help/814394/certificate-requirements-when-you-use-eap-tls-or-peap-with-eap-tls

here my changes to the “default” site

cd /etc/freeradius/3.0/sites-enabled
vim default

authorize {
...
auth_log
...
sql
}

accounting {
...
sql
...
}

session {
...
sql
...
}

post-auth {
...
reply_log
sql
...
}

session {
...
sql
...
}

here my bulk radius settings

cd /etc/freeradius/3.0

vim radiusd.conf

log {
...
auth = yes
...
auth_badpass = yes
...
}
https://wiki.freeradius.org/guide/SQL-HOWTO-for-freeradius-3.x-on-Debian-Ubuntu

you have to create a systemd override for the freeradius unit. otherwise freeradius won’t start correctly if mysql is not running.

systemctl edit freeradius

[Unit]
After=network.target mysql.service

setup daloradius config

vim /var/www/web001/htdocs/daloradius/library/daloradius.conf.php

CONFIG_DB_USER
CONFIG_DB_PASS
CONFIG_DB_NAME

Have fun!

debian update i-mscp 1.0 to 1.5

paranoids

Hi

Upgrade i-mscp 1.0 to 1.1 Debian to jessie

cd /usr/local/src
wget https://github.com/i-MSCP/imscp/archive/1.1.21.tar.gz
tar -xzf 1.1.21.tar.gz
cd imscp-1.1.21

#use build
perl imscp-autoinstall -c -a -d -f

rm -fR /var/www/imscp/{daemon,engine,gui}
cp -fR /tmp/imscp/* /
rm -fR /tmp/imscp

#i-mscp bug (error with external packages pma roundcube etc)
vim /var/www/imscp/engine/setup/imscp-setup-methods.pl
#[\&setupPreInstallAddons,           'Addons pre-installation'],
#[\&setupInstallAddons,              'Addons installation'],
#[\&setupPostInstallAddons,          'Addons post-installation'],

mkdir -p /var/www/imscp/gui/public/tools/filemanager/data
mkdir /var/www/imscp/gui/public/tools/pma
mkdir -p /var/www/imscp/gui/public/tools/webmail/logs

perl /var/www/imscp/engine/setup/imscp-setup -a -d

sed -i /etc/apt/sources.list -e s/wheezy/jessie/
apt-get update
apt-get dist-upgrade

Upgrade i-mscp 1.1 to 1.2 Upgrade Debian to stretch

cd /usr/local/src/
wget https://github.com/i-MSCP/imscp/archive/1.2.17.tar.gz
tar -xzf 1.2.17.tar.gz
cd imscp-1.2.17

#use build
perl imscp-autoinstall -d

rm -fR /var/www/imscp/{daemon,engine,gui}
cp -fR /tmp/imscp/* /
rm -fR /tmp/imscp

#i-mscp bug (error with external packages pma roundcube etc)
vim /var/www/imscp/engine/setup/imscp-setup-methods.pl
#[ \&setupPreInstallPackages,         'Packages pre-installation' ],
#[ \&setupInstallPackages,            'Packages installation' ],
#[ \&setupPostInstallPackages,        'Packages post-installation' ],

mkdir -p /var/www/imscp/gui/public/tools/ftp/data

perl /var/www/imscp/engine/setup/imscp-setup -d

sed -i /etc/apt/sources.list -e s/jessie/stretch/
apt update
apt dist-upgrade

Upgrade i-mscp 1.2 to 1.5

cd /usr/local/src
wget https://github.com/i-MSCP/imscp/archive/1.5.3-2018120800.tar.gz
tar -xzf 1.5.3-2018120800.tar.gz
cd imscp-1.5.3-2018120800

#use manual
perl imscp-autoinstall -d

rm -fR /var/www/imscp/{daemon,engine,gui}
cp -fR /tmp/imscp/* /
rm -fR /tmp/imscp

perl /var/www/imscp/engine/setup/imscp-reconfigure -d

Debian dist-upgrade changes mysql default charset to utf8

In this case we want latin1 as our default charset. Due to the fact that on this server runs very old software.

sed -i /etc/mysql/mariadb.conf.d/50-client.cnf -e s/utf8mb4/latin1/

sed -i /etc/mysql/mariadb.conf.d/50-mysql-clients.cnf -e s/utf8mb4/latin1/

sed -i /etc/mysql/mariadb.conf.d/50-server.cnf -e s/utf8mb4_general_ci/latin1_swedish_ci/

sed -i /etc/mysql/mariadb.conf.d/50-server.cnf -e s/utf8mb4/latin1/

Have fun!