OpenSwan puppet module

This weekend I made a Puppet module to install OpenSwan. It comes in handy for some work I am doing with Amazon EC2 instances. Please let me know if you have any issues. Also, please make sure that OpenSwan 2.6.32 is installed; 2.6.37 has issues.

Misc

I've noticed that once ipsec.secrets in /etc was changed appropriately, connectivity was achieved.

https://github.com/visualne/puppet/tree/master/openSwan

Create ubuntu repository

Creating an Ubuntu repository is painless, and the process is almost identical to creating a local Red Hat repository. Here are the steps.

1) apt-get install apache2

2) mkdir -p /var/www/debs/x86_64 (substitute your own architecture for x86_64)

3) Move any .deb packages you need into /var/www/debs/x86_64. To download a package and the dependencies it would pull in, without installing anything on the build box, issue the following commands:

apt-get -y install --print-uris PACKAGE-NAME | cut -d\' -f2 | grep http:// > apturls
wget -i apturls

4) Build the package index:

cd /var/www/debs/
dpkg-scanpackages x86_64 | gzip -9c > x86_64/Packages.gz

5) Add a line for the repository to /etc/apt/sources.list on the client:

deb http://IP-ADDRESS/debs/ x86_64/

6) Issue apt-get update on the box you just added the repository to.

Note that dpkg-scanpackages writes only the Packages index, not a signed Release file, so apt treats the repository as unauthenticated: older releases warn, newer ones refuse it unless the sources.list line carries [trusted=yes]. Because the packages also travel over plain HTTP, anyone on the network path could substitute a .deb, so keep the repository on a private network or generate a Release file with apt-ftparchive and sign it with gpg.

Done. Thanks to this link: http://askubuntu.com/questions/170348/how-to-make-my-own-local-repository
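As an added example (not code from the original post or from the linked answer), here is a bash script that wraps the steps above and adds the check a practitioner wants before serving an unsigned repository over HTTP: it recomputes the size and SHA256 of every .deb named in the Packages index and reports anything missing or altered. build_index needs dpkg-dev and apt-utils on the build host; stanza_for, verify_index and sources_line need only awk, coreutils and sha256sum (or shasum). The repository path /var/www/debs, the architecture x86_64 and the IP 10.0.0.5 in the usage comments are assumptions.

```bash
#!/bin/bash
# Added example, not code from the original post. Wraps the local-repo steps
# and adds an integrity check of the generated Packages index.
# Assumed layout: REPO=/var/www/debs, ARCH=x86_64 (both are parameters below).

sha256_of() {                       # portable SHA256: coreutils or perl shasum
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# build_index REPO ARCH: run dpkg-scanpackages as in the post, keep an
# uncompressed copy of the index for verify_index, and write a Release file
# (apt-ftparchive, from apt-utils) that can later be signed with gpg.
build_index() {
    local repo="$1" arch="$2"
    ( cd "$repo" && dpkg-scanpackages "$arch" > "$arch/Packages" \
        && gzip -9c "$arch/Packages" > "$arch/Packages.gz" \
        && ( cd "$arch" && apt-ftparchive release . > Release ) )
}

# stanza_for REPO FILE PKG: the index fields this script checks (dpkg-scanpackages
# writes these plus the control fields of the .deb). Used to build test indexes.
stanza_for() {
    local repo="$1" file="$2" pkg="$3"
    printf 'Package: %s\nFilename: %s\nSize: %s\nSHA256: %s\n' \
        "$pkg" "$file" "$(wc -c < "$repo/$file" | tr -d ' ')" "$(sha256_of "$repo/$file")"
}

# verify_index REPO ARCH: recompute size and SHA256 of every file named in
# REPO/ARCH/Packages and compare with the index. Returns 0 only if all match.
verify_index() {
    local repo="$1" arch="$2" idx="$1/$2/Packages" bad=0
    local entry file want size have
    [ -f "$idx" ] || { echo "no index at $idx" >&2; return 1; }
    # awk emits one "Filename:SHA256:Size" token per blank-line-separated stanza
    for entry in $(awk 'BEGIN { RS = ""; FS = "\n" }
        {
            f = ""; s = ""; z = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Filename: /) f = substr($i, 11)
                if ($i ~ /^SHA256: /)   s = substr($i, 9)
                if ($i ~ /^Size: /)     z = substr($i, 7)
            }
            if (f != "") print f ":" s ":" z
        }' "$idx"); do
        file=${entry%%:*}; size=${entry##*:}
        want=${entry#*:}; want=${want%%:*}
        if [ ! -f "$repo/$file" ]; then
            echo "MISSING  $file" >&2; bad=1; continue
        fi
        have=$(sha256_of "$repo/$file")
        if [ "$have" != "$want" ] || [ "$(wc -c < "$repo/$file" | tr -d ' ')" != "$size" ]; then
            echo "MISMATCH $file (index: $want, $size bytes; on disk: $have)" >&2; bad=1
        fi
    done
    return "$bad"
}

# sources_line IP ARCH: the client-side sources.list entry for this flat repo.
# Without a signed Release/InRelease, newer apt refuses it unless [trusted=yes]
# is added; prefer signing the Release file over that flag outside a lab.
sources_line() { printf 'deb http://%s/debs/ %s/\n' "$1" "$2"; }

# Typical use on the repo host (assumed paths):
#   build_index /var/www/debs x86_64 && verify_index /var/www/debs x86_64
#   sources_line 10.0.0.5 x86_64    # paste into the client's sources.list
```

Run verify_index again whenever packages are copied into the pool after the index was built: a stale index is the usual reason apt reports hash mismatches, and a file that differs from the index it was published with is exactly what a tampered mirror looks like.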

I just had an idea about these types of tasks. I think the internet will one day not only present you with the commands for tasks like this, but will also be bright enough to present you with a custom-made script that does literally whatever you want. In other words, if Puppet fits the bill, the internet will provide you with the exact script you need to run. I think AI will one day be bright enough to put together code based on responses on forums like Stack Overflow, and just have a bunch of scripts on standby for commonly searched tasks.
ex) Here is the Puppet module I made for this: https://github.com/visualne/puppet/tree/master/ubuntuLocalRepo

alias for OpenStack dashboard

We just built an Icehouse cluster with packstack and ran into a problem because the IP the dashboard was on was NAT'd. When we browsed to the NAT'd address, the requests arrived with that public IP in the Host header, which the Horizon virtual host did not recognise, so the dashboard would not respond to them.

The fix was to edit the /etc/httpd/conf.d/15.horizon.vhosts.conf file: under the server aliases at the bottom, add the other IP address (or hostname) the dashboard should answer to as an additional ServerAlias, then reload httpd. Apache chooses the virtual host by comparing the Host header against ServerName and ServerAlias, so list each name explicitly rather than using a wildcard. Horizon itself also checks the Host header against ALLOWED_HOSTS in /etc/openstack-dashboard/local_settings, so the new address may need to be added there as well; keep that list explicit too, since '*' disables Django's protection against Host header attacks.

You will see something like this at the bottom:

  ## Server aliases
  ServerAlias ########
  ServerAlias ADD-THE-OTHER-IP-YOU-WANT-THE-DASHBOARD-TO-RESPOND-TO
  ServerAlias imcs-controller.ngi.harris.com
  ServerAlias localhost
  WSGIDaemonProcess dashboard group=apache processes=3 threads=10 user=apache
  WSGIProcessGroup dashboard
  WSGIScriptAlias /dashboard "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi"
</VirtualHost>
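As an added example (not from the original post), the following bash functions check the fix from the client side: they list every name the vhost file will answer to, flag any wildcard alias, and probe the dashboard with each name set explicitly in the Host header, which is what Apache matches ServerName and ServerAlias against. The vhost path, the dashboard URL and the addresses in the comments are assumptions; the vhost snippet used for testing is constructed.

```bash
#!/bin/bash
# Added example, not from the original post. Checks which Host header values a
# Horizon vhost accepts. Assumed: vhost file /etc/httpd/conf.d/15.horizon.vhosts.conf,
# dashboard served at http://<ip>/dashboard/.

# vhost_hosts FILE: print every ServerName/ServerAlias value, one per line.
vhost_hosts() {
    awk '$1 == "ServerName" || $1 == "ServerAlias" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# wildcard_aliases FILE: print any alias containing "*". Such an alias matches
# every Host header, which hides NAT problems but also defeats the Host check.
wildcard_aliases() {
    vhost_hosts "$1" | grep -F '*' || true
}

# probe_host IP HOST: HTTP status the dashboard returns when the request
# carries the given Host header, e.g. probe_host 203.0.113.10 10.0.0.5
probe_host() {
    curl -s -o /dev/null -w '%{http_code}' -H "Host: $2" "http://$1/dashboard/"
}

# check_dashboard IP VHOST_FILE: probe every configured name. A 200 or 302
# means the vhost matched and Horizon accepted the name; anything else means
# the Host header is rejected by the vhost or by Horizon's ALLOWED_HOSTS.
check_dashboard() {
    local ip="$1" file="$2" h
    vhost_hosts "$file" | while read -r h; do
        printf '%-40s %s\n' "$h" "$(probe_host "$ip" "$h")"
    done
}

# Typical use after editing the vhost and reloading httpd (assumed values):
#   wildcard_aliases /etc/httpd/conf.d/15.horizon.vhosts.conf   # should print nothing
#   check_dashboard 203.0.113.10 /etc/httpd/conf.d/15.horizon.vhosts.conf
```

The probe deliberately connects to the IP and sets the Host header by hand, so it tests the NAT'd name even from a host whose DNS or routing would never send that name to this server.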

OpenSwan IPSec Site to Site tunnel – Amazon EC2 instance to Cisco ASA

If you see something like this in the logs:

initial Main Mode message received on ###########:500 but no connection has been authorized with policy=PSK

and the far end (here the ASA) is the side sending the ISAKMP messages, MAKE SURE the conn has auto=add. Pluto only answers proposals for connections it has loaded: auto=add loads the conn at startup and waits for the peer, auto=start loads it and also initiates, and auto=ignore (the default) leaves it unloaded, so the peer's Main Mode proposal matches nothing and produces the error above. Also check that right= is the address the ASA actually sends from, since Pluto looks the connection up by the peer's address, and that /etc/ipsec.secrets has a PSK entry for the pair.

Refer to the sample config below, taken from a tunnel between an EC2 instance and a Cisco ASA (addresses redacted). Note that modp1024 (DH group 2) and SHA-1 are weak by current standards; use modp2048 or stronger and sha256 wherever the ASA supports them.

conn vpc1-to-vpc2
        type=tunnel
        authby=secret

        #LEFT SIDE
        left=%defaultroute
        leftid=###############
        leftnexthop=%defaultroute
        leftsubnet=###############

        #RIGHT SIDE#
        right=################
        # protostack=klips belongs in the "config setup" section, not in a conn
        #protostack=klips
        rightsubnet=################
        esp=aes256-sha1;modp1024
        keyexchange=ike
        ike=aes256-sha1;modp1536
        salifetime=28800s
        pfs=yes
        # auto=add is required so the far end can begin phase 1 negotiation
        auto=add
        dpdaction=hold
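As an added example (not the post's own files), here is a bash function that renders the responder side of such a tunnel as a complete pair of files: a conn with auto=add so Pluto loads it and can answer the ASA's Main Mode proposal, and the matching ipsec.secrets line, which the first post on this page mentions but does not show. On EC2 the instance only sees its private address, so left=%defaultroute picks that while leftid= carries the public (Elastic) IP the ASA expects as the peer identity. All addresses are RFC 5737 documentation addresses chosen for illustration, the PSK is a constructed test value, and the script assumes ipsec.conf includes /etc/ipsec.d/*.conf as Ubuntu's default does; the target directory is a parameter so the rendering can be checked outside /etc.

```bash
#!/bin/bash
# Added example, not the post's own files. Renders a responder-side OpenSwan
# conn plus its PSK entry. Illustrative (assumed) addresses:
#   EC2 instance: public/Elastic IP 203.0.113.10, VPC subnet 10.0.0.0/16
#   Cisco ASA:    outside IP 198.51.100.20, LAN 192.168.10.0/24
# ETC is /etc in production; a temp dir when testing.

# render_ipsec ETC NAME LEFTID LEFTSUBNET RIGHT RIGHTSUBNET PSK
render_ipsec() {
    local etc="$1" name="$2" leftid="$3" leftsub="$4" right="$5" rightsub="$6" psk="$7"
    mkdir -p "$etc/ipsec.d"
    cat > "$etc/ipsec.d/$name.conf" <<EOF
conn $name
        type=tunnel
        authby=secret
        left=%defaultroute
        leftid=$leftid
        leftnexthop=%defaultroute
        leftsubnet=$leftsub
        right=$right
        rightsubnet=$rightsub
        keyexchange=ike
        ike=aes256-sha1;modp1536
        esp=aes256-sha1;modp1024
        salifetime=28800s
        pfs=yes
        dpdaction=hold
        # add: load at startup and answer the peer; start: also initiate;
        # ignore: never loaded, which yields "no connection has been authorized"
        auto=add
EOF
    # PSK keyed by our identity and the ASA's address; 0600 because the file
    # holds the shared secret in clear text (umask in a subshell so the caller's
    # umask is untouched).
    ( umask 077; printf '%s %s : PSK "%s"\n' "$leftid" "$right" "$psk" > "$etc/ipsec.secrets" )
    chmod 600 "$etc/ipsec.secrets"
}

# conn_auto ETC NAME: report the auto= setting of the rendered conn, the first
# thing to check when the log says "no connection has been authorized".
conn_auto() {
    awk -F= '$1 ~ /^[[:space:]]*auto$/ { gsub(/[[:space:]]/, "", $2); print $2 }' "$1/ipsec.d/$2.conf"
}

# Typical use (assumed values), then load and inspect the conn:
#   render_ipsec /etc vpc1-to-asa 203.0.113.10 10.0.0.0/16 198.51.100.20 192.168.10.0/24 "$PSK"
#   ipsec secrets && ipsec auto --add vpc1-to-asa && ipsec auto --status | grep vpc1-to-asa
```

After rendering, ipsec auto --status should list the conn even while no SA is established; if it is absent, Pluto never loaded it and the ASA's proposals will keep producing the "no connection has been authorized" line.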