Roadworrios Ipsec VPN with SSL certificate authentication

28 Mar 2014

I was trying to set up a vpn server to allow multiple roadwarrior users in our company to access our internal network.
We are using openswan installed on an alix board and I found that there is bit of a lack of documentation about how to configure it on openswan.
Specially we tried at first to set up a roadwarrior configuration with PSK and we discover that it is not possible to have simultaneous connection for different users.

This procedure explains how to create a roadwarrior configuration with SSL-certificates authentication (that allow also simultaneous connection).
We generate the Certification Authority itself and sign the certs with the CA afterwards.
This can also be done by a free Certification Authority like CaCert.

Here some good reads:

Step by step example:

  1. Create a the necessary directory structure for openssl
    (may you want also to change openssl configuration, generally under /etc/ssl/openssl.cnf):

     
    cd /etc/ipsec.d
    rm -rf ./demoCA
    mkdir demoCA
    mkdir demoCA/newcerts
    mkdir demoCA/private
    touch demoCA/index.txt
    echo "01" >> demoCA/serial
    

  2. Create the CA (valid for 10 years)

     
    openssl req -x509 -days 3650 -newkey rsa:2048 -keyout /etc/ipsec.d/private/caKey.pem -out /etc/ipsec.d/cacerts/caCert.pem
    

  3. Create a certification request for the server

    openssl req  -newkey rsa:2048 -keyout /etc/ipsec.d/private/serverKey.pem -out /etc/ipsec.d/private/serverReq.pem
    

  4. Convert the server key in order to be read by openswan

    openssl rsa -in /etc/ipsec.d/private/serverKey.pem -out /etc/ipsec.d/private/serverKey.pem.openswan
    

  5. Sign the certification request with our just created certification-authority (CA) (valid for 2 years)

    openssl ca -in /etc/ipsec.d/private/serverReq.pem -days 730 -out /etc/ipsec.d/certs/serverCert.pem -notext -cert /etc/ipsec.d/cacerts/caCert.pem -keyfile /etc/ipsec.d/private/caKey.pem
    

  6. Create a client certification request

    openssl req -newkey rsa:2048 -keyout /etc/ipsec.d/private/userAKey.pem  -out /etc/ipsec.d/private/userAReq.pem
    

  7. Sign the client certification request

    openssl ca -in /etc/ipsec.d/private/userAReq.pem -days 730 -out /etc/ipsec.d/certs/userACert.pem -notext -cert /etc/ipsec.d/cacerts/caCert.pem -keyfile /etc/ipsec.d/private/caKey.pem
    

  8. Add server private key, file /etc/ipsec.secrets:

    : RSA serverKey.pem.new "your password"
    

  9. Configure ipsec. Example /etc/ipsec.conf:

    conn roadwarriorsrsa
        authby=rsasig
        #
        left=  ??? 
        leftid=  ???
        leftsubnet=  ???
        leftrsasigkey=%cert
        leftcert=serverCert.pem
        #
        right=%any
        rightrsasigkey=%cert
        # PHASE 1
        # negothiation mode
        aggrmode=no
        ike=3des-sha1;modp1024,aes256-sha2256;modp2048
        ikelifetime=3h
        # PHASE 2
        type=tunnel
        phase2=esp
        phase2alg=3des-sha1;modp1024
        salifetime=3h

    conn useruserA also=roadwarriorsrsa rightid=@userA.yourdomani rightsubnet= ??? rightcert=userACert.pem auto=add

    conn useruserB also=roadwarriorsrsa rightid=@userB.yourdomani rightsubnet= ??? rightcert=userBCert.pem auto=add

User A and B are two roadwarrior users that can connect at the same time to your server.

Here an example of a shrewsoft client configuration for the above setting:

n:version:2
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:0
n:client-dns-used:1
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
s:network-host:  ???
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr:  ???
s:client-ip-mask:  ???
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-addr:  ???
s:client-dns-suffix:  ???
s:auth-method:mutual-rsa
s:ident-client-type:fqdn
s:ident-server-type:address
s:ident-client-data:userA.yourdomain
s:phase1-exchange:main
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-level:auto
s:policy-list-include:   ???
s:auth-client-cert:userACert.pem
b:auth-client-cert-data:   ???
s:auth-client-key:userAKey.pem
b:auth-client-key-data:   ???
s:auth-server-cert:caCert.pem
b:auth-server-cert-data:   ???

Some usefull shell command:

  • Check ipsec loaded your CA certifcates:

     ipsec auto --listcacerts

  • Check ipsec loaded your certifcates:

     ipsec auto --listcerts

  • List loaded public keys:

     ipsec auto --listpubkeys

  • Check a certifcate:

     openssl x509 -text -noout -in /etc/ipsec.d/cacerts/caCert.pem

  • Check a Key:

     openssl rsa -in privateKey.key -check

DeLonghi KG79 Grinder

21 Jan 2014

Recently I bought the DeLonghi KG79 coffee grinder.
I thinks that cheap and middle price coffee grinder are not really able to grind your coffee for a good espresso.
So I decide for this grinder after I found this post and see that it can be easily modify.
This grinder is also quite cheap (I bought on amazon for 33 Euros).

I'm posting some more photos cause, even if the previous post is well made, I found some details are missing.
Specially about how the two know are hold in place and how you can better remove.


grind setting(side):

there are 4 clips you can push using a screwdriver.

cup setting(front):

there is no clip, you have just to pull it. I found this one much more difficult to remove compared with the one on the side.

I've used some tape to avoid scratches:


Also I din't cut the stop piece on the side, instead I have first set the grind settings to the finest set. Than I've removed the 4 screws and simple turn the wheel to the middle position. This will protect your grinder and, if you use the grinder for espresso only like me, you will never want to use it for a coarse coffee.

The result is really good, the coffee is really fine and, even if the container is just plastic, static electricity is not a problem.

MBox part 2 Software

15 Jan 2014

In the previous post I've described the component used to build the MBox.
In this one I'll shortly describe the software.
I've release it on github: MBox.

First some more details about hardware:

  • I've removed the multifunction button from the mp3 board cause I didn't want to use it. All interaction is performed using the keypad.
  • I've removed also the two LEDs cause I needed some more free pins for the keypad. Also cause they are useless ones the board is enclosed into the MBox case.
  • The keypad is connected to digital pins 2 to 8. You also need to build a pull up resistors circuits as one like in the data sheet.

I've started by downloading this source code and remove all the unnecessary parts. Than I've introduced some libraries:

  • The standard arduino SD library (you will find it under libraries directory of you arduino sdk installation) in order to support FAT 16 and 32.
  • Keypad library for interaction with the keypad.

The files config.h and config.cpp contain the whole configuration and initialization methods for the SPI, VS1053b(audio decoder) and keypad.

Directory Structure:
The SD card should contains 12 directories numbered from 0 to 11. Inside any directory the player expects to find files named with a consecutively number, starting by 0, plus an extensions: ".mp3" or ".wav". Here an example of a data structure:

.
├── 0
|   ├── 0.mp3
|   ├── 1.wav
|   └── 2.wav
|
├── 1
|   ├── 0.mp3
|   ├── 1.mp3
|   ├── 2.mp3
|   └── 3.mp3
.
.
.

The current directory and file number are stored respectively into dirN and fileN. At any iteration of the method play() the player checks if the current file exists. If yes it starts playing else restart the play list from the beginning.
It reads file data into a 32 byte buffer and transfer to the mp3 chip.
The audio decoder chip signals with a high DREQ pin, that it can receive data. For more details read the VS1053b data sheet
During the time when the audio decoder chip is busy and it cannot receive any further data we can read the status of the keypad buttons. This is done into the method AvailableProcessorTime().
If a button is pressed the current playing song is stopped by setting the playStop variable to 0.
If the button is associated to the current play list then it simply increment the fileN variable in order to point to the next file.
If the button is associated to a different play list then the new play list number is saved into dirN and the variable fileN is reset to 0.

Hope the code itself is simple and self explaining.

MBox

10 Jan 2014

Few months ago I bought, as a present, an mp3 player for children called hörbert. It is really well made and the sound quality is pretty good. I really suggest as a product. The only problem is that it is quite expensive, so I thought that it would be a nice and easy project for a Christmas present for my daughter.

It was already clear since the beginning that the project would be powered by an arduino uno. So I started looking around in order to find a good way to play mp3 files with arduino and I found the Freaduino MP3 Music Shield. It is the cheapest mp3 board I found.
The board contains an sd card slot, decodes "MP3,WAV,MIDI,Ogg Vorbis" and, they wrote, has an "Excellent sound quality with ±1dB Frequency Response". Also the board is well documented on the wiki. They provide even a source code example for a very basic player. The only doubt I had was that there was almost no other resources in internet about it, specially if compared to other boards.

Than was the time to choose a mono audio amp (I didn't want to spent time to build one my selfe).
I ordered two amps, one from China(left) and one from Sparkfun(right).

The Chinese version is a stereo amp, really cheap, but the sound was really full of noise. The Spark fun version has a good sound quality and has all the necessary holes for solder in order to be easily integrate in you project.
The feature I really appreciate of the Sparkfun board is the possibility to really easily change the gain resistors, see Mono Audio Amplifier Quickstart Guide. I opted for two 10K resistors, so it does not come too loud when my 2 years daughter is playing with it.

The keypad is also a product from Sparkfun.

For the battery I chose a 2600mAh power bank, with two usb connectors, one for charging and one for power source.

All components are placed into a wood box I friend made for me and a piece of an old climbing rope is used as grab. In the back I also added an usb port to easily charge the power bank.
Here the inside of the MBox:


The MBox is supporting SD card FAT 16 or 32. The SD card contains 12 directories named starting from 0 to 12. Every button of the keypad is associated to a directory. A directory represents a play list and contains files (mp3 or wav) name with number, example: 1.mp3.
MBox plays cyclic trough the play list by simple increase a counter and search for a file with that name. Any time a button is pressed, if MBox is playing a different play list it simple switch to the associated play list and start playing file number 0 else simply play next file in order. The way how button work is not mine idea, is the way how the hörbert works.

My daughter is really happy and she is using quite a lot. I was really impressed to see how quick she was able to learn how to select the track she wants to play, Thanks hörbert.

Bill of materials:

part 2 software

Jekyll Plugin

09 Jan 2014

I'm testing a jekyll you tube plugin I found here. It runs well on local preview:

 $ jekyll server 

but after I push it on github I received a Page build failure email.

A fast search and I found that github pages does not support unsafe plugins.

Before push your new post to github is a good practice to build you site in safe mode and check for errors:

 $ jekyll build --safe 

Of course in that case the plugin is really unnecessary so I've removed the plugin and add the html code myself as suggested by gitthub.

Here is the result, my "little" sister playing for Lucca Philharmonic Orchestra:

Acoustic cryptanalysis

09 Jan 2014

I found a really cool an scary article about cryptanalysis. They are able to attack GnuPG using a mobile phone microphone placed 30cm away of your pc.

read more>>

Jekyll

09 Jan 2014

This blog is based on [jekyll]. I've choose this option after I discover github pages, where this blog is currently deployed.

With github pages you can publish your post with a simple

 $ git push 

Githup is using jekyll to generate automatically static contest from Markdown post. I was looking for a simple static blog generator, so, cause I like github, I decided to give it a try.

The first impression it that it looks quite simple,powerful and well used.

Jekyll installation is quite simple:

  • install ruby and rubygems. Remember to add in your path:

     $(ruby -rubygems -e "puts Gem.user_dir")/bin 
    

  • install jekyll:

     $ gem install jekyll -V 
    

Here jekyll quite start guide.

After installation I generate my template using bootstrap.

Other links:

Welcome

09 Jan 2014

This is my first post.

Why I decided to start a sort of blog? Don't really know the right answer. I think the most obvious is to share my current readings and findings, but also I think can be a nice way to index them.

Not really sure now how long I'll keep writing...hope this will be worth it.

p.s. it is also a good way to improve my English skills