Slashdot Mirror


IPsec Tunneling Between FreeBSD Hosts

LiquidPC writes: "The folks over at ONLamp have a new article which discusses IP security, including details on setting up Internet Key Exchange, policies, and using racoon."

11 comments

  1. im a llama! by dr4ma · · Score: -1, Offtopic

    and nobody commented on this news article? hmmm.
    flame me now wh0rish trolls!

    --
    Privacy? Not in this lifetime.
    1. Re:im a llama! by Anonymous Coward · · Score: -1, Flamebait

      FreeBSD sucks.

    2. Re:im a llama! by LiquidPC · · Score: -1, Offtopic

      Well thank you for notifying everyone that FreeBSD sucks, your amazing debating skills have caused me to change my mind totally about FreeBSD and now use a hax0r operating system, thank you for your help.

  2. We tried this at work by fluor2 · · Score: 1

We tried this at work, but we used Windows 2000 servers. However, we felt that it was very hard to make it work over firewalls, since so many ports are used (might be different in BSD). We ended up using our own IP segment for those servers without IPsec.

    1. Re:We tried this at work by Anonymous Coward · · Score: 0

      You need to open up for UDP port 500 and for proto esp. Not that difficult.

  3. I'm fucking my little sister as I write this! by The+WIPO+Troll · · Score: -1
    I LIKE TO FUCK MY LITTLE SISTER! (AND OTHER SHIT) By J. Wipo Troll, Esq., $Revision: 1.4 $ Whats black, blue and green and doesnt like sex? The Girl Scout locked in my basement. Whats the worst part about having sex with a six year-old? Getting the blood out of your clown suit. Whats the best thing about getting a hand job from a five year-old? That little hand makes your thing look really huge. Guy comes home from work to find his girlfriend sitting on the porch, crying. Whats wrong, honey? Im leaving you! I just found out youre a pædophile! Pædophile? Why, thats a pretty big word for a ten year-old. How can you tell when your sisters on her period? When your dads dick tastes like blood! Two pædophiles are lying on a beach tanning, one turns to the other and says, Excuse me, youre in my son. Whats 18 inches long, blue, veiny, and makes a woman cry? Crib death. How could the mans seven year-old son tell that his dad had fucked his eight year-old sister? His dads weiner tasted like blood! Watson returns home to find Holmes in bed with a child. He shouts, Is this some sort of a schoolgirl? Holmes replies, Elementary, my dear Watson. So I was having sex with my girlfriend, and I decided I wanted to get kinky and try and do her in the ass. So I slipped around back; she looked over her shoulder at me and said, My, how presumptuous of you. I said, Presumptuous? Thats a big word for a ten year-old. Two guys are walking down the street when a beautiful woman passes. The first guy says, Damn! Id love to tear her clothes off, do her in the rear, smear my fæces all over her, slice off her breasts, chop her into little pieces, put her in a garbage bag and toss her into the river! Second guy says, Yuck! Youre a sick bastard! First guy says, Whatre you? A fag? A kindergarten teacher is asking the kids what their father does for a living. All the kids answer except for Little Johnny. The teacher asks Little Johnny what his Dad does and Johnny replies, My dad is dead. 
The teacher says, Thats terribile, but what did he do before he died? Little Johnny replies, He turned blue and shit all over himself! A guy calls in sick to work. Whats wrong? asks the boss. Im sick, the guy replies. You sound all right. No, Im really sick. Believe me. Listen, you were fine yesterday, and we have a lot of work today. I want you in here. You cant be that sick! Dude, I just banged my sister. Dont tell me Im not sick. A little girl accompanied her father to the barbershop. While her dad received a haircut, the little girl stood next to the barber chair, enjoying a snack cake. The barber smiled at her and said, Sweetheart, youre going to get hair on your Twinkie. I know, the little girl replied. Im gonna get tits, too. An older man and a small boy walk hand in hand through the woods. Boy: These woods sure are spooky! Man: You think youre scared, Ive gotta walk out of here alone. Whats the difference between Neil Armstrong and Michael Jackson? One walked on the moon, and the other rapes little boys. Has anyone read Michael Jacksons new book, The Ins and Outs of Child Rearing? Q: Whats the difference between a dead baby and a golden delicious apple? A: I dont cum all over the golden delicious apple before I take a bite out of it. Q: Whats the difference between a dead baby and my girlfriend? A: I dont kiss my girlfriend after sex. Q: Whats the difference between a dead baby and a table? A: You cant fuck a table. Q: Whats special about a dead baby over all other forms of life? A: You can achieve deep throat from whichever way you enter. Q: What do you have when you have four dead babies, take away two, and add five more? A: An orgy! Q: Whats better than three 14-year-olds? A: 14 three-year-olds. Q: Whats white and bobs up and down in a babys crib? A: A pædophiles ass. Q: Whats the safest way to play with a baby? A: With a condom. Q: Whats more fun than feeling up a dead baby? A: Feeling up a dead baby with three nipples. 
Q: What does a baby and a Pinto have in common? A: Theyre fun to ride until they die. Q: What do you get whan you dislocate a dead babys jaw? A: Deep throat. Q: Whats the difference between a baby and a grandmother? A: Grandmothers dont die when you fuck them in the ass. Q: Whats the best sound in the world? A: Hearing dead babys hips crack under pressure! Q: Whats worse than a having sex with a dead baby? A: Having sex with a dead baby filled with razor blades. Q: How do you stop a baby from choking? A: Take your dick out of its mouth. Q: Whats worse than finding a dead baby on your pillow in the morning? A: Realizing you were drunk and made love to it the night before. Q: How do you make a baby cry twice? A: Wipe your bloody cock on his teddy bear. Whats better than sex with a twelve year-old boy? Absolutely nothing.

    [Thanks to Fark.com for all of these wonderfully sick jokes! I couldnt have done it without you! And thanks to all the Anonymous Cowards who have flamed me, I have three words for you! YHBT! YHL! HAND! Apparently this post is extremely good at getting biters. According to an anonymous coward, Attorney General Ashcroft is also after little old WIPO Troll now, in addition to the Canadian cops-on-a-horse that another A.C. sent after me a couple days earlier. Well, this should be fun. Keep up the biting, Slashdotters! ed.]

    ________________________________________
    $Id: paedophilia.html,v 1.4 2001/12/30 03:58:03 wipo Exp $
    Copyright © 2001 J. Wipo Troll, Esq. Verbatim crapflooding of this document is permitted in any medium, provided this copyright notice is preserved, and next time you take a dump, you think of the WIPO Troll and all hes done to make Slashdot a better place.
    --

    J. Wipo Troll, Esq.
    Crapflooder Associates
    Slashdot.org

  4. *BSD is dying by Anonymous Coward · · Score: -1, Troll

    Netcraft now officially confirms: *BSD is dying

    Yet another crippling bombshell hit the beleaguered *BSD community when recently IDC confirmed that *BSD accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as further exemplified by failing dead last in the recent Sys Admin comprehensive networking test.

    You don't need to be a Kreskin to predict *BSD's future. The handwriting is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers.

    Let's keep to the facts and look at the numbers.

    OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

    Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

    All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

    Fact: *BSD is dead

    1. Re:*BSD is dying by Anonymous Coward · · Score: 0

      Fact: *BSD is dead

      I guess all this IPsec tunneling stuff is just a myth then?

    2. Re:*BSD is dying by Anonymous Coward · · Score: 0

      Naw, it's either like Chicago where the dead vote, or undead zombie processes.

    3. Re:*BSD is dying by isolation · · Score: 0

      Or it's like the Democrats, who can get someone elected who is dead

      --
      Free Unix? Free Windows. http://www.reactos.com
  5. Pre Shared Keys are step 1. Next: Public Keys by aphor · · Score: 5, Informative

    Pre-Shared Keys are the first step in getting IPSec running, but it really doesn't fulfil the role that IPSec was intended for: securing rlogin/rsh/rcp, ftp, etc. on an ad-hoc basis using the Transport Mode AH/ESP.

    For that you want to set up "Transport Mode" (as opposed to Tunnel mode) IPSec policies, and you don't want to use pre-shared keys (i.e. keys that must be kept in sync on both ends of any IPSec connection).

    What you want to do is use OpenSSL or the SSL certificate utilities that come with Apache-SSL (or is it mod-ssl?) to make a Certificate Authority (CA) key pair for yourself. You want to keep those on removable media; don't leave them lying around on some hard drive. Then (this is a repeated-per-host step) use the same utilities and your new CA to make keys and X.509 certificates for each of the computers' IP addresses that you intend to secure with IPSec. Trust me on this one: make sure you make keys for both IPv4 and IPv6 for each IP address that appears in netstat -rn output.

    Setting hosts up for the public keys you just made: You need to distribute a copy of the CA public key to each machine wherever your OpenSSL(1) configuration likes CA public keys. Put the host keys somewhere like /usr/local/etc/racoon/hostkeys and make sure only root (the racoon daemon) has access to the private keys. Your standard racoon.conf file will need a "path certificate" line that specifies your hostkeys directory as well as your systems' OpenSSL certificate areas. You should start doing these steps as part of any standard installation procedure if you have one.

    Once you have keys set up on two hosts, set them up with IPSec policies to allow rlogin over authenticated ESP encrypted connections only. If you didn't set up keys (correctly), rlogin will be firewalled out by the IPSec policy. If you got it all right, you should be able to rlogin between the hosts.

    man pages of interest:

    • openssl(1)
      This is a couple of days' worth of homework if you're not already familiar. Also look at /etc/ssl/openssl.cnf (which should be fully customised as a prerequisite to this project).
    • racoon(8)
    • racoon.conf(5)
    • setkey(8)
    --
    --- Nothing clever here: move along now...
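The procedure in the comment above (CA key pair, per-address host certificates, a racoon.conf that authenticates with rsasig instead of pre-shared keys, and a transport-mode ESP policy that only lets rlogin through when the SA is up), as an added shell example. It is not code from the post, from FreeBSD, or from the racoon project; the 10.0.0.x addresses, the "Example IPsec CA" name and the scratch directory are constructed, the /usr/local/etc/racoon/hostkeys path is the one the comment suggests, and the racoon.conf and setkey syntax follow racoon.conf(5) and setkey(8) as the author of this example understands them.

```shell
#!/bin/sh
# Added example, not the post's or the racoon project's own code. Generates the
# CA, one host certificate and the two config fragments the comment describes.
set -u

# Make a CA key pair in $1. Keep this directory on removable media as the post says;
# only ca.crt (the public half) is copied to hosts.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1825 \
        -subj "/CN=Example IPsec CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    chmod 600 "$dir/ca.key"
}

# Issue a host key and X.509 certificate for the address $2, signed by the CA in $1,
# into $3. Run once per IPv4 and IPv6 address that appears in netstat -rn.
make_host_cert() {
    cadir=$1 ip=$2 outdir=$3
    mkdir -p "$outdir"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$ip" \
        -keyout "$outdir/$ip.key" -out "$outdir/$ip.csr" 2>/dev/null || return 1
    # subjectAltName binds the certificate to the address it will be used from.
    printf 'subjectAltName=IP:%s\n' "$ip" > "$outdir/$ip.ext"
    openssl x509 -req -days 365 -in "$outdir/$ip.csr" \
        -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" -CAcreateserial \
        -extfile "$outdir/$ip.ext" -out "$outdir/$ip.crt" 2>/dev/null || return 1
    chmod 600 "$outdir/$ip.key"          # private key readable by root (racoon) only
    rm -f "$outdir/$ip.csr" "$outdir/$ip.ext"
}

# racoon.conf fragment for host $2: certificate authentication (rsasig), no PSK.
# "path certificate" is the line the post mentions; cert and key names are
# relative to it, and the CA cert must also be reachable there for verify_cert.
racoon_conf() {
    hostkeys=$1 ip=$2
    cat <<EOF
path certificate "$hostkeys";
remote anonymous {
    exchange_mode main;
    certificate_type x509 "$ip.crt" "$ip.key";
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
}
sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
EOF
}

# setkey(8) SPD entries for rlogin (TCP 513) between $1 (this host) and $2, in
# both client and server roles. "require" drops cleartext rlogin when no SA
# exists, which is the "firewalled out" behaviour the post describes.
setkey_policy() {
    me=$1 peer=$2
    cat <<EOF
spdflush;
spdadd $me $peer[513] tcp -P out ipsec esp/transport//require;
spdadd $peer[513] $me tcp -P in ipsec esp/transport//require;
spdadd $peer $me[513] tcp -P in ipsec esp/transport//require;
spdadd $me[513] $peer tcp -P out ipsec esp/transport//require;
EOF
}

# Stand-alone run into a scratch directory with constructed addresses.
work=$(mktemp -d)
racoon_conf /usr/local/etc/racoon/hostkeys 10.0.0.1 > "$work/racoon.conf"
setkey_policy 10.0.0.1 10.0.0.2 > "$work/ipsec.conf"
if command -v openssl >/dev/null 2>&1; then
    (make_ca "$work/ca" && make_host_cert "$work/ca" 10.0.0.1 "$work/hostkeys") \
        || echo "certificate generation skipped (openssl req needs an openssl.cnf)"
fi
echo "wrote $work/racoon.conf and $work/ipsec.conf"
```

On a real host the generated ipsec.conf is loaded with `setkey -f`, racoon is started with the generated racoon.conf, and the CA certificate is placed in the certificate path so `verify_cert on` can validate the peer's chain; the policy file is per host pair, so swap the two addresses for the other side.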