Create a Linux VPN for a Nokia E61 with Openswan
Listing 11. Punching a little hole in the firewall. Note that the e61 is set in /etc/hosts to 192.168.6.252.
# Flush the chains before deleting them: iptables -X only removes an
# empty, unreferenced chain, so rerunning this after Listing 12 would
# otherwise leave the old rules in place and append duplicates.
iptables -F REMOTEVPN_INPUT 2>/dev/null
iptables -F REMOTEVPN_OUTPUT 2>/dev/null
iptables -X REMOTEVPN_INPUT 2>/dev/null
iptables -X REMOTEVPN_OUTPUT 2>/dev/null
iptables -N REMOTEVPN_INPUT
iptables -N REMOTEVPN_OUTPUT
# Hook the new chains in ahead of the existing INPUT/OUTPUT rules.
iptables -I INPUT -j REMOTEVPN_INPUT
iptables -I OUTPUT -j REMOTEVPN_OUTPUT
# Inbound: ESP payloads, IKE (isakmp, UDP/500), then only the services the
# phone is meant to reach. Hostname "e61" and the port names resolve via
# /etc/hosts and /etc/services.
iptables -A REMOTEVPN_INPUT -p esp -j ACCEPT
iptables -A REMOTEVPN_INPUT -m udp -p udp \
    --dport isakmp -j LOG \
    --log-prefix "incoming-ipsec-key "
iptables -A REMOTEVPN_INPUT --src e61 \
    -p tcp --dport imaps -j LOG \
    --log-prefix "incoming-imaps "
iptables -A REMOTEVPN_INPUT -m udp -p udp \
    --dport isakmp -j ACCEPT
iptables -A REMOTEVPN_INPUT --src e61 -p tcp \
    --dport imaps -j ACCEPT
iptables -A REMOTEVPN_INPUT --src e61 -p tcp \
    --dport smtp -j ACCEPT
iptables -A REMOTEVPN_INPUT --src e61 -p tcp \
    --dport squid -j ACCEPT
# Anything else from the phone is logged, then falls through to the
# normal INPUT policy.
iptables -A REMOTEVPN_INPUT --src e61 \
    -j LOG --log-prefix "e61-strange "
# Outbound: ESP and our side of the IKE exchange.
iptables -A REMOTEVPN_OUTPUT -p esp -j ACCEPT
iptables -A REMOTEVPN_OUTPUT -m udp -p udp \
    --sport isakmp -j LOG \
    --log-prefix "outgoing-ipsec-key "
iptables -A REMOTEVPN_OUTPUT -m udp -p udp \
    --sport isakmp -j ACCEPT
Listing 12. Remove the e61 access.
iptables -D INPUT -j REMOTEVPN_INPUT
iptables -D OUTPUT -j REMOTEVPN_OUTPUT
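The LOG rules in Listing 11 are only useful if someone reads them. The following added script (not part of the original article) summarises the kernel log lines those prefixes produce: how often each prefix fired, and which protocol/port pairs triggered the catch-all "e61-strange" rule. The log lines it processes are constructed for the example, in the field layout the iptables LOG target writes, and it assumes the messages land in a syslog file you pass as the first argument.

```shell
#!/bin/sh
# Added example, not from the article: digest the REMOTEVPN_INPUT LOG output.
# The sample log below is constructed; real lines also carry MAC=, TTL=, etc.

# Write a constructed sample of kernel LOG lines to the file named in $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Jun  1 10:00:01 vserv kernel: incoming-ipsec-key IN=eth0 OUT= SRC=192.168.6.252 DST=192.168.6.1 PROTO=UDP SPT=500 DPT=500 LEN=296
Jun  1 10:00:02 vserv kernel: outgoing-ipsec-key IN= OUT=eth0 SRC=192.168.6.1 DST=192.168.6.252 PROTO=UDP SPT=500 DPT=500 LEN=200
Jun  1 10:00:05 vserv kernel: incoming-imaps IN=eth0 OUT= SRC=192.168.6.252 DST=192.168.6.1 PROTO=TCP SPT=49152 DPT=993 SYN
Jun  1 10:00:09 vserv kernel: e61-strange IN=eth0 OUT= SRC=192.168.6.252 DST=192.168.6.1 PROTO=TCP SPT=49153 DPT=22 SYN
Jun  1 10:00:10 vserv kernel: e61-strange IN=eth0 OUT= SRC=192.168.6.252 DST=192.168.6.1 PROTO=TCP SPT=49154 DPT=22 SYN
Jun  1 10:00:12 vserv kernel: e61-strange IN=eth0 OUT= SRC=192.168.6.252 DST=192.168.6.1 PROTO=UDP SPT=5353 DPT=5353
EOF
}

# Print "prefix count", one line per REMOTEVPN log prefix seen in the file.
count_prefixes() {
    awk '/kernel: (incoming|outgoing)-ipsec-key |kernel: incoming-imaps |kernel: e61-strange / {
        for (i = 1; i <= NF; i++) if ($i == "kernel:") { n[$(i+1)]++; break }
    } END { for (p in n) print p, n[p] }' "$1" | sort
}

# Print "PROTO DPT count" for traffic the chain did not expect from the phone,
# i.e. anything other than ESP, ISAKMP, imaps, smtp or squid.
strange_ports() {
    awk '/kernel: e61-strange / {
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (proto != "" && dpt != "") n[proto " " dpt]++
    } END { for (k in n) print k, n[k] }' "$1" | sort
}

# Stand-alone usage: summarise $1, or the constructed sample if no file given.
if [ "${1:-}" = "" ] && [ "${REMOTEVPN_DEMO:-1}" = "1" ]; then
    demo=$(mktemp); make_sample_log "$demo"
    echo "== prefixes =="; count_prefixes "$demo"
    echo "== unexpected traffic from e61 =="; strange_ports "$demo"
    rm -f "$demo"
fi
```

Run it against /var/log/kern.log (or wherever your syslog sends kernel messages) to see which ports the phone is trying beyond the ones the chain allows.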
One more complication exists for using some of the publicly available Wi-Fi hotspots. Depending on where on the globe you are, many of these hotspots follow the pattern that when you try to open a Web site, they redirect you to their Wi-Fi login page; you authenticate to them, and then you can use the Internet. If you simply open a VPN access point on the e61 that is set to use EasyWLAN as its Internet access point, things will not work. The e61 will start the Wi-Fi connection and immediately try to send data to set up the VPN. Because the hotspot requires you to authenticate before it forwards anything, the Wi-Fi association comes up and traffic appears to flow, but the VPN negotiation never gets through and the connection falls apart.
A way to get around this is to open the Web browser and directly connect just using EasyWLAN without any VPN whatsoever. Once you have authenticated to the hotspot, leave the browser running and use the menu key to get back to the main menu, and then open the e-mail client. For the access point this time, use the VPN that has EasyWLAN set as its Internet access point. The existing Wi-Fi connection is reused, and the VPN is layered on top. To get secure Web browsing, you can then leave the e-mail program by holding the menu key and going back to the browser. Exit the browser, and the still-running e-mail program holds the VPN open. Start the browser again, and select the VPN as your access point.
Of course, if the Wi-Fi network you are connecting to allows connections without this preamble, opening any application that wants a data connection should allow you to select the new VPN as your access point. Also, if the Wi-Fi hotspot remembers your MAC address and allows reconnection without explicitly having to log in each time, you can start the VPN directly on subsequent connections.
Once the VPN has connected to vserv, the e61 prompts you for the user name and password to use for XAUTH verification (Figure 8).
After XAUTH verification, you should be able to use the VPN without noticing it. In this case, I can browse the Internet using my LAN's proxy server to fetch the data (Figure 9).
Being able to use a DNS name in the e61 VPN policy would be wonderful for folks who don't have cheap access to static IP addresses. I'm still investigating how to connect using public key cryptography instead of the preshared key as shown in this article. For connecting a single e61 to the network, using a large enough preshared key should still be quite secure.
The information in the article comes with no guarantee of being correct, secure or suitable for anything; use it at your own risk and discretion.