From bdec7d13e5514489693f29111783592ba613988a Mon Sep 17 00:00:00 2001
From: Andrew Cady
Date: Sat, 9 Oct 2021 05:17:46 -0400
Subject: move scrap notes into notes/
---
 andy.brief.conf | 28 -
 andy.conf | 580 ---------------------
 ...outgoing-tcp-connections-through-ipv6-tunnel.sh | 26 -
 gai.conf | 65 ---
 ipsec.conf | 41 --
 ipsec.conf.empty | 5 -
 notes/andy.brief.conf | 28 +
 notes/andy.conf | 580 +++++++++++++++++++++
 ...outgoing-tcp-connections-through-ipv6-tunnel.sh | 26 +
 notes/gai.conf | 65 +++
 notes/ipsec.conf | 41 ++
 notes/ipsec.conf.empty | 5 +
 12 files changed, 745 insertions(+), 745 deletions(-)
 delete mode 100644 andy.brief.conf
 delete mode 100644 andy.conf
 delete mode 100755 disable-outgoing-tcp-connections-through-ipv6-tunnel.sh
 delete mode 100644 gai.conf
 delete mode 100644 ipsec.conf
 delete mode 100644 ipsec.conf.empty
 create mode 100644 notes/andy.brief.conf
 create mode 100644 notes/andy.conf
 create mode 100644 notes/disable-outgoing-tcp-connections-through-ipv6-tunnel.sh
 create mode 100644 notes/gai.conf
 create mode 100644 notes/ipsec.conf
 create mode 100644 notes/ipsec.conf.empty
diff --git a/andy.brief.conf b/andy.brief.conf
deleted file mode 100644
index 977a546..0000000
--- a/andy.brief.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-connections {
- andy {
- remote_addrs = 68.48.18.140
- vips = ::
- local1 {
- pubkeys = ssh_host_rsa_key.pub
- auth = pubkey
- id = dd6c:fbfd:eeb8:4709
- }
- remote1 {
- id = "68.48.18.140"
- pubkeys = andy.pub
- auth = pubkey
- }
- children {
- child1 {
- remote_ts = 0::0/0
- mode = tunnel
- dpd_action = restart
- }
- }
- }
-}
-secrets {
- private1 {
- file = ssh_host_rsa_key
- }
-}
diff --git a/andy.conf b/andy.conf
deleted file mode 100644
index ea5e71a..0000000
--- a/andy.conf
+++ /dev/null
@@ -1,580 +0,0 @@ -# conn andy -# type=tunnel -# auto=add -# -# left=%any -# leftsourceip=%config -# leftsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQC8b9n1/1p5HposHmP1xbrKCOP+3PSnaycQvIbcB3ugYBFgTfUoVZ0c6pUzpw8uR93iQ/mSyeEvjaUDctBASg67jxyeSU78p9qJ/y/Eg2uBiMNx1fUljVryqXCbQRebjtVWNjIhr99qowzYrV+ztTNpQ2oI/VhQ9C+cbDLKySoR5L8wrkSPqvYH4oZJtyKQmv7lN3/MKFONZlTo1RMw2+4214uaQJF1dcwW3erHh15SpqoQ7LidqNH2Q6SInzVdJbZtQSWjFM29m4nQMv55g6VlUK8NfcGJuIKghO0urZvYQpdeBe05Lr/y/n3wqJb97Eh5hzQc9Jx5kKQZeueHWEkz" -# leftid=dd6c:fbfd:eeb8:4709 -# right=%any -# right=68.48.18.140 -# #rightsubnet=2601:401:8200:2d4c::1/64 -# rightsubnet=0::0/0 -# rightsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQD0v/20UNR7vpib9amq1xMrJSiyIWXjpiHq1O2BIrzZ2nuilSxn1dYVhelUTR2siDKAxoo3sX0GDWayMekHtzPr1DBXQ/eu9PNhp9Q0QvkgRSay9HggelpGukxP8N72kbthggmCkWufaM/OoDOVHBYngJFbrwOwhDKJyL+q8f3u1LFOErRxVJ7f7/C1o+NLkWXayfwOK8kk4Hc9tcy1MXk5jLx927evsyOYXV2Lbzf9qwXSV6MjUlFDhqhW/v2IOBCxXG7GhpoHTmpdtv0JxDLnc5zYBxgleiS74DmC5GKU5EgU63e7FNnPSvVnYO+S3mO+Y4PwNv4BYnKSpSGe/0tt" - -# Section defining IKE connection configurations. -connections { - - # Section for an IKE connection named andy. - andy { - - # IKE major version to use for connection. - # version = 0 - - # Local address(es) to use for IKE communication, comma separated. - # local_addrs = %any - - # Remote address(es) to use for IKE communication, comma separated. - remote_addrs = 68.48.18.140 - - # Local UDP port for IKE communication. - # local_port = 500 - - # Remote UDP port for IKE communication. - # remote_port = 500 - - # Comma separated proposals to accept for IKE. - # proposals = default - - # Virtual IPs to request in configuration payload / Mode Config. - vips = :: - - # Use Aggressive Mode in IKEv1. - # aggressive = no - - # Set the Mode Config mode to use. - # pull = yes - - # Differentiated Services Field Codepoint to set on outgoing IKE packets - # (six binary digits). - # dscp = 000000 - - # Enforce UDP encapsulation by faking NAT-D payloads. 
- # encap = no - - # Enables MOBIKE on IKEv2 connections. - # mobike = yes - - # Interval of liveness checks (DPD). - # dpd_delay = 0s - - # Timeout for DPD checks (IKEV1 only). - # dpd_timeout = 0s - - # Use IKE UDP datagram fragmentation (yes, accept, no or force). - # fragmentation = yes - - # Use childless IKE_SA initiation (allow, force or never). - # childless = allow - - # Send certificate requests payloads (yes or no). - # send_certreq = yes - - # Send certificate payloads (always, never or ifasked). - # send_cert = ifasked - - # String identifying the Postquantum Preshared Key (PPK) to be used. - # ppk_id = - - # Whether a Postquantum Preshared Key (PPK) is required for this - # connection. - # ppk_required = no - - # Number of retransmission sequences to perform during initial connect. - # keyingtries = 1 - - # Connection uniqueness policy (never, no, keep or replace). - # unique = no - - # Time to schedule IKE reauthentication. - # reauth_time = 0s - - # Time to schedule IKE rekeying. - # rekey_time = 4h - - # Hard IKE_SA lifetime if rekey/reauth does not complete, as time. - # over_time = 10% of rekey_time/reauth_time - - # Range of random time to subtract from rekey/reauth times. - # rand_time = over_time - - # Comma separated list of named IP pools. - # pools = - - # Default inbound XFRM interface ID for children. - # if_id_in = 0 - - # Default outbound XFRM interface ID for children. - # if_id_out = 0 - - # Whether this connection is a mediation connection. - # mediation = no - - # The name of the connection to mediate this connection through. - # mediated_by = - - # Identity under which the peer is registered at the mediation server. - # mediation_peer = - - # Section for a local authentication round. - local1 { - - # Optional numeric identifier by which authentication rounds are - # sorted. If not specified rounds are ordered by their position in - # the config file/VICI message. 
- # round = 0 - - # Comma separated list of certificate candidates to use for - # authentication. - # certs = - - # Section for a certificate candidate to use for authentication. - # cert = - - # Comma separated list of raw public key candidates to use for - # authentication. - pubkeys = ssh_host_rsa_key.pub - - # Authentication to perform locally (pubkey, psk, xauth[-backend] or - # eap[-method]). - auth = pubkey - - # IKE identity to use for authentication round. - id = dd6c:fbfd:eeb8:4709 - - # Client EAP-Identity to use in EAP-Identity exchange and the EAP - # method. - # eap_id = id - - # Server side EAP-Identity to expect in the EAP method. - # aaa_id = remote-id - - # Client XAuth username used in the XAuth exchange. - # xauth_id = id - - # cert { - - # Absolute path to the certificate to load. - # file = - - # Hex-encoded CKA_ID of the certificate on a token. - # handle = - - # Optional slot number of the token that stores the certificate. - # slot = - - # Optional PKCS#11 module name. - # module = - - # } - - } - - # Section for a remote authentication round. - remote1 { - - # Optional numeric identifier by which authentication rounds are - # sorted. If not specified rounds are ordered by their position in - # the config file/VICI message. - # round = 0 - - # IKE identity to expect for authentication round. - #id = %any - id = "68.48.18.140" - - # Identity to use as peer identity during EAP authentication. - # eap_id = id - - # Authorization group memberships to require. - # groups = - - # Certificate policy OIDs the peer's certificate must have. - # cert_policy = - - # Comma separated list of certificate to accept for authentication. - # certs = - - # Section for a certificate to accept for authentication. - # cert = - - # Comma separated list of CA certificates to accept for - # authentication. - # cacerts = - - # Section for a CA certificate to accept for authentication. - # cacert = - - # Identity in CA certificate to accept for authentication. 
- # ca_id = - - # Comma separated list of raw public keys to accept for - # authentication. - pubkeys = andy.pub - - # Certificate revocation policy, (strict, ifuri or relaxed). - # revocation = relaxed - - # Authentication to expect from remote (pubkey, psk, xauth[-backend] - # or eap[-method]). - auth = pubkey - - # cert { - - # Absolute path to the certificate to load. - # file = - - # Hex-encoded CKA_ID of the certificate on a token. - # handle = - - # Optional slot number of the token that stores the certificate. - # slot = - - # Optional PKCS#11 module name. - # module = - - # } - - # cacert { - - # Absolute path to the certificate to load. - # file = - - # Hex-encoded CKA_ID of the CA certificate on a token. - # handle = - - # Optional slot number of the token that stores the CA - # certificate. - # slot = - - # Optional PKCS#11 module name. - # module = - - # } - - } - - children { - - # CHILD_SA configuration sub-section. - child1 { - - # AH proposals to offer for the CHILD_SA. - # ah_proposals = - - # ESP proposals to offer for the CHILD_SA. - # esp_proposals = default - - # Use incorrect 96-bit truncation for HMAC-SHA-256. - # sha256_96 = no - - # Local traffic selectors to include in CHILD_SA. - # local_ts = dynamic - - # Remote selectors to include in CHILD_SA. - remote_ts = 0::0/0 - - # Time to schedule CHILD_SA rekeying. - # rekey_time = 1h - - # Maximum lifetime before CHILD_SA gets closed, as time. - # life_time = rekey_time + 10% - - # Range of random time to subtract from rekey_time. - # rand_time = life_time - rekey_time - - # Number of bytes processed before initiating CHILD_SA rekeying. - # rekey_bytes = 0 - - # Maximum bytes processed before CHILD_SA gets closed. - # life_bytes = rekey_bytes + 10% - - # Range of random bytes to subtract from rekey_bytes. - # rand_bytes = life_bytes - rekey_bytes - - # Number of packets processed before initiating CHILD_SA - # rekeying. 
- # rekey_packets = 0 - - # Maximum number of packets processed before CHILD_SA gets - # closed. - # life_packets = rekey_packets + 10% - - # Range of random packets to subtract from packets_bytes. - # rand_packets = life_packets - rekey_packets - - # Updown script to invoke on CHILD_SA up and down events. - # updown = - - # Hostaccess variable to pass to updown script. - # hostaccess = no - - # IPsec Mode to establish (tunnel, transport, transport_proxy, - # beet, pass or drop). - mode = tunnel - - # Whether to install IPsec policies or not. - # policies = yes - - # Whether to install outbound FWD IPsec policies or not. - # policies_fwd_out = no - - # Action to perform on DPD timeout (clear, trap or restart). - dpd_action = restart - - # Enable IPComp compression before encryption. - # ipcomp = no - - # Timeout before closing CHILD_SA after inactivity. - # inactivity = 0s - - # Fixed reqid to use for this CHILD_SA. - # reqid = 0 - - # Optional fixed priority for IPsec policies. - # priority = 0 - - # Optional interface name to restrict IPsec policies. - # interface = - - # Netfilter mark and mask for input traffic. - # mark_in = 0/0x00000000 - - # Whether to set *mark_in* on the inbound SA. - # mark_in_sa = no - - # Netfilter mark and mask for output traffic. - # mark_out = 0/0x00000000 - - # Netfilter mark applied to packets after the inbound IPsec SA - # processed them. - # set_mark_in = 0/0x00000000 - - # Netfilter mark applied to packets after the outbound IPsec SA - # processed them. - # set_mark_out = 0/0x00000000 - - # Inbound XFRM interface ID. - # if_id_in = 0 - - # Outbound XFRM interface ID. - # if_id_out = 0 - - # Traffic Flow Confidentiality padding. - # tfc_padding = 0 - - # IPsec replay window to configure for this CHILD_SA. - # replay_window = 32 - - # Enable hardware offload for this CHILD_SA, if supported by the - # IPsec implementation. - # hw_offload = no - - # Whether to copy the DF bit to the outer IPv4 header in tunnel - # mode. 
- # copy_df = yes - - # Whether to copy the ECN header field to/from the outer IP - # header in tunnel mode. - # copy_ecn = yes - - # Whether to copy the DSCP header field to/from the outer IP - # header in tunnel mode. - # copy_dscp = out - - # Action to perform after loading the configuration (none, trap, - # start). - # start_action = none - - # Action to perform after a CHILD_SA gets closed (none, trap, - # start). - # close_action = none - - } - - } - - } - -} - -# Section defining secrets for IKE/EAP/XAuth authentication and private key -# decryption. -secrets { - - # EAP secret section for a specific secret. - # eap { - - # Value of the EAP/XAuth secret. - # secret = - - # Identity the EAP/XAuth secret belongs to. - # id = - - # } - - # XAuth secret section for a specific secret. - # xauth { - - # } - - # NTLM secret section for a specific secret. - # ntlm { - - # Value of the NTLM secret. - # secret = - - # Identity the NTLM secret belongs to. - # id = - - # } - - # IKE preshared secret section for a specific secret. - # ike { - - # Value of the IKE preshared secret. - # secret = - - # IKE identity the IKE preshared secret belongs to. - # id = - - # } - - # Postquantum Preshared Key (PPK) section for a specific secret. - # ppk { - - # Value of the PPK. - # secret = - - # PPK identity the PPK belongs to. - # id = - - # } - - # Private key decryption passphrase for a key in the private folder. - private1 { - - # File name in the private folder for which this passphrase should be - # used. - file = ssh_host_rsa_key - - # Value of decryption passphrase for private key. - # secret = - - } - - # Private key decryption passphrase for a key in the rsa folder. - # rsa { - - # File name in the rsa folder for which this passphrase should be used. - # file = - - # Value of decryption passphrase for RSA key. - # secret = - - # } - - # Private key decryption passphrase for a key in the ecdsa folder. 
- # ecdsa { - - # File name in the ecdsa folder for which this passphrase should be - # used. - # file = - - # Value of decryption passphrase for ECDSA key. - # secret = - - # } - - # Private key decryption passphrase for a key in the pkcs8 folder. - # pkcs8 { - - # File name in the pkcs8 folder for which this passphrase should be - # used. - # file = - - # Value of decryption passphrase for PKCS#8 key. - # secret = - - # } - - # PKCS#12 decryption passphrase for a container in the pkcs12 folder. - # pkcs12 { - - # File name in the pkcs12 folder for which this passphrase should be - # used. - # file = - - # Value of decryption passphrase for PKCS#12 container. - # secret = - - # } - - # Definition for a private key that's stored on a token/smartcard. - # token { - - # Hex-encoded CKA_ID of the private key on the token. - # handle = - - # Optional slot number to access the token. - # slot = - - # Optional PKCS#11 module name to access the token. - # module = - - # Optional PIN required to access the key on the token. If none is - # provided the user is prompted during an interactive --load-creds call. - # pin = - - # } - -} - -# Section defining named pools. -# pools { - - # Section defining a single pool with a unique name. - # { - - # Addresses allocated in pool. - # addrs = - - # Comma separated list of additional attributes from type . - # = - - # } - -# } - -# Section defining attributes of certification authorities. -# authorities { - - # Section defining a certification authority with a unique name. - # { - - # CA certificate belonging to the certification authority. - # cacert = - - # Absolute path to the certificate to load. - # file = - - # Hex-encoded CKA_ID of the CA certificate on a token. - # handle = - - # Optional slot number of the token that stores the CA certificate. - # slot = - - # Optional PKCS#11 module name. - # module = - - # Comma-separated list of CRL distribution points. - # crl_uris = - - # Comma-separated list of OCSP URIs. 
- # ocsp_uris =
-
- # Defines the base URI for the Hash and URL feature supported by IKEv2.
- # cert_uri_base =
-
- # }
-
-# }
diff --git a/disable-outgoing-tcp-connections-through-ipv6-tunnel.sh b/disable-outgoing-tcp-connections-through-ipv6-tunnel.sh
deleted file mode 100755
index 842cc0f..0000000
--- a/disable-outgoing-tcp-connections-through-ipv6-tunnel.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash -xe
-[ "$UID" = 0 ] || exec sudo -- "$0" "$@" || exit
-
-if [ "$1" = delete ]
-then
- ONLY_DELETE_RULES=y
-fi
-
-ip6tables_add()
-{
- ip6tables -D "$@" 2>/dev/null || : not deleted
- ${ONLY_DELETE_RULES:+: not added -- } ip6tables -A "$@"
-}
-ip6rule_add()
-{
- ip -6 rule delete "$@" 2>/dev/null || : not deleted
- ${ONLY_DELETE_RULES:+: not added -- } ip -6 rule add "$@"
-}
-
-mark=22
-ip6tables_add OUTPUT -t mangle -p tcp --syn -m state --state NEW -j MARK --set-mark $mark
-ip6tables_add OUTPUT -t mangle -p tcp --syn -m state --state NEW -j CONNMARK --save-mark
-ip6tables_add OUTPUT -t mangle -p tcp -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
-ip6rule_add fwmark $mark prohibit
-ip6rule_add fwmark $mark table main
-exit $?
diff --git a/gai.conf b/gai.conf
deleted file mode 100644
index 1a1770b..0000000
--- a/gai.conf
+++ /dev/null
@@ -1,65 +0,0 @@
-# Configuration for getaddrinfo(3).
-#
-# So far only configuration for the destination address sorting is needed.
-# RFC 3484 governs the sorting. But the RFC also says that system
-# administrators should be able to overwrite the defaults. This can be
-# achieved here.
-#
-# All lines have an initial identifier specifying the option followed by
-# up to two values. Information specified in this file replaces the
-# default information. Complete absence of data of one kind causes the
-# appropriate default information to be used. The supported commands include:
-#
-# reload
-# If set to yes, each getaddrinfo(3) call will check whether this file
-# changed and if necessary reload. This option should not really be
-# used. There are possible runtime problems. The default is no.
-#
-# label
-# Add another rule to the RFC 3484 label table. See section 2.1 in
-# RFC 3484. The default is:
-#
-#label ::1/128 0
-#label ::/0 1
-#label 2002::/16 2
-#label ::/96 3
-#label ::ffff:0:0/96 4
-#label fec0::/10 5
-#label fc00::/7 6
-#label 2001:0::/32 7
-#
-# This default differs from the tables given in RFC 3484 by handling
-# (now obsolete) site-local IPv6 addresses and Unique Local Addresses.
-# The reason for this difference is that these addresses are never
-# NATed while IPv4 site-local addresses most probably are. Given
-# the precedence of IPv6 over IPv4 (see below) on machines having only
-# site-local IPv4 and IPv6 addresses a lookup for a global address would
-# see the IPv6 be preferred. The result is a long delay because the
-# site-local IPv6 addresses cannot be used while the IPv4 address is
-# (at least for the foreseeable future) NATed. We also treat Teredo
-# tunnels special.
-#
-# precedence
-# Add another rule to the RFC 3484 precedence table. See section 2.1
-# and 10.3 in RFC 3484. The default is:
-#
-precedence ::1/128 50
-precedence ::/0 40
-precedence 2002::/16 30
-precedence ::/96 20
-#precedence ::ffff:0:0/96 10
-#
-# For sites which prefer IPv4 connections change the last line to
-#
-precedence ::ffff:0:0/96 100
-
-#
-# scopev4
-# Add another rule to the RFC 6724 scope table for IPv4 addresses.
-# By default the scope IDs described in section 3.2 in RFC 6724 are
-# used. Changing these defaults should hardly ever be necessary.
-# The defaults are equivalent to:
-#
-#scopev4 ::ffff:169.254.0.0/112 2
-#scopev4 ::ffff:127.0.0.0/104 2
-#scopev4 ::ffff:0.0.0.0/96 14
diff --git a/ipsec.conf b/ipsec.conf
deleted file mode 100644
index 82728d3..0000000
--- a/ipsec.conf
+++ /dev/null
@@ -1,41 +0,0 @@
-
-# basic configuration
-
-config setup
- # strictcrlpolicy=yes
- # uniqueids = no
-
-conn andy
- type=tunnel
- auto=add
- left=%any
- leftsourceip=%config
- leftsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQC8b9n1/1p5HposHmP1xbrKCOP+3PSnaycQvIbcB3ugYBFgTfUoVZ0c6pUzpw8uR93iQ/mSyeEvjaUDctBASg67jxyeSU78p9qJ/y/Eg2uBiMNx1fUljVryqXCbQRebjtVWNjIhr99qowzYrV+ztTNpQ2oI/VhQ9C+cbDLKySoR5L8wrkSPqvYH4oZJtyKQmv7lN3/MKFONZlTo1RMw2+4214uaQJF1dcwW3erHh15SpqoQ7LidqNH2Q6SInzVdJbZtQSWjFM29m4nQMv55g6VlUK8NfcGJuIKghO0urZvYQpdeBe05Lr/y/n3wqJb97Eh5hzQc9Jx5kKQZeueHWEkz"
- leftid=dd6c:fbfd:eeb8:4709
- right=%any
- right=68.48.18.140
- #rightsubnet=2601:401:8200:2d4c::1/64
- rightsubnet=0::0/0
- rightsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQD0v/20UNR7vpib9amq1xMrJSiyIWXjpiHq1O2BIrzZ2nuilSxn1dYVhelUTR2siDKAxoo3sX0GDWayMekHtzPr1DBXQ/eu9PNhp9Q0QvkgRSay9HggelpGukxP8N72kbthggmCkWufaM/OoDOVHBYngJFbrwOwhDKJyL+q8f3u1LFOErRxVJ7f7/C1o+NLkWXayfwOK8kk4Hc9tcy1MXk5jLx927evsyOYXV2Lbzf9qwXSV6MjUlFDhqhW/v2IOBCxXG7GhpoHTmpdtv0JxDLnc5zYBxgleiS74DmC5GKU5EgU63e7FNnPSvVnYO+S3mO+Y4PwNv4BYnKSpSGe/0tt"
-
-# Add connections here.
-
-# Sample VPN connections
-
-#conn sample-self-signed
-# leftsubnet=10.1.0.0/16
-# leftcert=selfCert.der
-# leftsendcert=never
-# right=192.168.0.2
-# rightsubnet=10.2.0.0/16
-# rightcert=peerCert.der
-# auto=start
-
-#conn sample-with-ca-cert
-# leftsubnet=10.1.0.0/16
-# leftcert=myCert.pem
-# right=192.168.0.2
-# rightsubnet=10.2.0.0/16
-# rightid="C=CH, O=Linux strongSwan CN=peer name"
-# auto=start
-#include /var/cache/kiki/config/ipsec.conf
diff --git a/ipsec.conf.empty b/ipsec.conf.empty
deleted file mode 100644
index ff9cca2..0000000
--- a/ipsec.conf.empty
+++ /dev/null
@@ -1,5 +0,0 @@
-# basic configuration
-
-config setup
- # strictcrlpolicy=yes
- # uniqueids = no
diff --git a/notes/andy.brief.conf b/notes/andy.brief.conf
new file mode 100644
index 0000000..977a546
--- /dev/null
+++ b/notes/andy.brief.conf
@@ -0,0 +1,28 @@
+connections {
+ andy {
+ remote_addrs = 68.48.18.140
+ vips = ::
+ local1 {
+ pubkeys = ssh_host_rsa_key.pub
+ auth = pubkey
+ id = dd6c:fbfd:eeb8:4709
+ }
+ remote1 {
+ id = "68.48.18.140"
+ pubkeys = andy.pub
+ auth = pubkey
+ }
+ children {
+ child1 {
+ remote_ts = 0::0/0
+ mode = tunnel
+ dpd_action = restart
+ }
+ }
+ }
+}
+secrets {
+ private1 {
+ file = ssh_host_rsa_key
+ }
+}
diff --git a/notes/andy.conf b/notes/andy.conf
new file mode 100644
index 0000000..ea5e71a
--- /dev/null
+++ b/notes/andy.conf
@@ -0,0 +1,580 @@ +# conn andy +# type=tunnel +# auto=add +# +# left=%any +# leftsourceip=%config +# leftsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQC8b9n1/1p5HposHmP1xbrKCOP+3PSnaycQvIbcB3ugYBFgTfUoVZ0c6pUzpw8uR93iQ/mSyeEvjaUDctBASg67jxyeSU78p9qJ/y/Eg2uBiMNx1fUljVryqXCbQRebjtVWNjIhr99qowzYrV+ztTNpQ2oI/VhQ9C+cbDLKySoR5L8wrkSPqvYH4oZJtyKQmv7lN3/MKFONZlTo1RMw2+4214uaQJF1dcwW3erHh15SpqoQ7LidqNH2Q6SInzVdJbZtQSWjFM29m4nQMv55g6VlUK8NfcGJuIKghO0urZvYQpdeBe05Lr/y/n3wqJb97Eh5hzQc9Jx5kKQZeueHWEkz" +# leftid=dd6c:fbfd:eeb8:4709 +# right=%any +# right=68.48.18.140 +# #rightsubnet=2601:401:8200:2d4c::1/64 +# rightsubnet=0::0/0 +# rightsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQD0v/20UNR7vpib9amq1xMrJSiyIWXjpiHq1O2BIrzZ2nuilSxn1dYVhelUTR2siDKAxoo3sX0GDWayMekHtzPr1DBXQ/eu9PNhp9Q0QvkgRSay9HggelpGukxP8N72kbthggmCkWufaM/OoDOVHBYngJFbrwOwhDKJyL+q8f3u1LFOErRxVJ7f7/C1o+NLkWXayfwOK8kk4Hc9tcy1MXk5jLx927evsyOYXV2Lbzf9qwXSV6MjUlFDhqhW/v2IOBCxXG7GhpoHTmpdtv0JxDLnc5zYBxgleiS74DmC5GKU5EgU63e7FNnPSvVnYO+S3mO+Y4PwNv4BYnKSpSGe/0tt" + +# Section defining IKE connection configurations. +connections { + + # Section for an IKE connection named andy. + andy { + + # IKE major version to use for connection. + # version = 0 + + # Local address(es) to use for IKE communication, comma separated. + # local_addrs = %any + + # Remote address(es) to use for IKE communication, comma separated. + remote_addrs = 68.48.18.140 + + # Local UDP port for IKE communication. + # local_port = 500 + + # Remote UDP port for IKE communication. + # remote_port = 500 + + # Comma separated proposals to accept for IKE. + # proposals = default + + # Virtual IPs to request in configuration payload / Mode Config. + vips = :: + + # Use Aggressive Mode in IKEv1. + # aggressive = no + + # Set the Mode Config mode to use. + # pull = yes + + # Differentiated Services Field Codepoint to set on outgoing IKE packets + # (six binary digits). + # dscp = 000000 + + # Enforce UDP encapsulation by faking NAT-D payloads. 
+ # encap = no + + # Enables MOBIKE on IKEv2 connections. + # mobike = yes + + # Interval of liveness checks (DPD). + # dpd_delay = 0s + + # Timeout for DPD checks (IKEV1 only). + # dpd_timeout = 0s + + # Use IKE UDP datagram fragmentation (yes, accept, no or force). + # fragmentation = yes + + # Use childless IKE_SA initiation (allow, force or never). + # childless = allow + + # Send certificate requests payloads (yes or no). + # send_certreq = yes + + # Send certificate payloads (always, never or ifasked). + # send_cert = ifasked + + # String identifying the Postquantum Preshared Key (PPK) to be used. + # ppk_id = + + # Whether a Postquantum Preshared Key (PPK) is required for this + # connection. + # ppk_required = no + + # Number of retransmission sequences to perform during initial connect. + # keyingtries = 1 + + # Connection uniqueness policy (never, no, keep or replace). + # unique = no + + # Time to schedule IKE reauthentication. + # reauth_time = 0s + + # Time to schedule IKE rekeying. + # rekey_time = 4h + + # Hard IKE_SA lifetime if rekey/reauth does not complete, as time. + # over_time = 10% of rekey_time/reauth_time + + # Range of random time to subtract from rekey/reauth times. + # rand_time = over_time + + # Comma separated list of named IP pools. + # pools = + + # Default inbound XFRM interface ID for children. + # if_id_in = 0 + + # Default outbound XFRM interface ID for children. + # if_id_out = 0 + + # Whether this connection is a mediation connection. + # mediation = no + + # The name of the connection to mediate this connection through. + # mediated_by = + + # Identity under which the peer is registered at the mediation server. + # mediation_peer = + + # Section for a local authentication round. + local1 { + + # Optional numeric identifier by which authentication rounds are + # sorted. If not specified rounds are ordered by their position in + # the config file/VICI message. 
+ # round = 0 + + # Comma separated list of certificate candidates to use for + # authentication. + # certs = + + # Section for a certificate candidate to use for authentication. + # cert = + + # Comma separated list of raw public key candidates to use for + # authentication. + pubkeys = ssh_host_rsa_key.pub + + # Authentication to perform locally (pubkey, psk, xauth[-backend] or + # eap[-method]). + auth = pubkey + + # IKE identity to use for authentication round. + id = dd6c:fbfd:eeb8:4709 + + # Client EAP-Identity to use in EAP-Identity exchange and the EAP + # method. + # eap_id = id + + # Server side EAP-Identity to expect in the EAP method. + # aaa_id = remote-id + + # Client XAuth username used in the XAuth exchange. + # xauth_id = id + + # cert { + + # Absolute path to the certificate to load. + # file = + + # Hex-encoded CKA_ID of the certificate on a token. + # handle = + + # Optional slot number of the token that stores the certificate. + # slot = + + # Optional PKCS#11 module name. + # module = + + # } + + } + + # Section for a remote authentication round. + remote1 { + + # Optional numeric identifier by which authentication rounds are + # sorted. If not specified rounds are ordered by their position in + # the config file/VICI message. + # round = 0 + + # IKE identity to expect for authentication round. + #id = %any + id = "68.48.18.140" + + # Identity to use as peer identity during EAP authentication. + # eap_id = id + + # Authorization group memberships to require. + # groups = + + # Certificate policy OIDs the peer's certificate must have. + # cert_policy = + + # Comma separated list of certificate to accept for authentication. + # certs = + + # Section for a certificate to accept for authentication. + # cert = + + # Comma separated list of CA certificates to accept for + # authentication. + # cacerts = + + # Section for a CA certificate to accept for authentication. + # cacert = + + # Identity in CA certificate to accept for authentication. 
+ # ca_id = + + # Comma separated list of raw public keys to accept for + # authentication. + pubkeys = andy.pub + + # Certificate revocation policy, (strict, ifuri or relaxed). + # revocation = relaxed + + # Authentication to expect from remote (pubkey, psk, xauth[-backend] + # or eap[-method]). + auth = pubkey + + # cert { + + # Absolute path to the certificate to load. + # file = + + # Hex-encoded CKA_ID of the certificate on a token. + # handle = + + # Optional slot number of the token that stores the certificate. + # slot = + + # Optional PKCS#11 module name. + # module = + + # } + + # cacert { + + # Absolute path to the certificate to load. + # file = + + # Hex-encoded CKA_ID of the CA certificate on a token. + # handle = + + # Optional slot number of the token that stores the CA + # certificate. + # slot = + + # Optional PKCS#11 module name. + # module = + + # } + + } + + children { + + # CHILD_SA configuration sub-section. + child1 { + + # AH proposals to offer for the CHILD_SA. + # ah_proposals = + + # ESP proposals to offer for the CHILD_SA. + # esp_proposals = default + + # Use incorrect 96-bit truncation for HMAC-SHA-256. + # sha256_96 = no + + # Local traffic selectors to include in CHILD_SA. + # local_ts = dynamic + + # Remote selectors to include in CHILD_SA. + remote_ts = 0::0/0 + + # Time to schedule CHILD_SA rekeying. + # rekey_time = 1h + + # Maximum lifetime before CHILD_SA gets closed, as time. + # life_time = rekey_time + 10% + + # Range of random time to subtract from rekey_time. + # rand_time = life_time - rekey_time + + # Number of bytes processed before initiating CHILD_SA rekeying. + # rekey_bytes = 0 + + # Maximum bytes processed before CHILD_SA gets closed. + # life_bytes = rekey_bytes + 10% + + # Range of random bytes to subtract from rekey_bytes. + # rand_bytes = life_bytes - rekey_bytes + + # Number of packets processed before initiating CHILD_SA + # rekeying. 
+ # rekey_packets = 0 + + # Maximum number of packets processed before CHILD_SA gets + # closed. + # life_packets = rekey_packets + 10% + + # Range of random packets to subtract from packets_bytes. + # rand_packets = life_packets - rekey_packets + + # Updown script to invoke on CHILD_SA up and down events. + # updown = + + # Hostaccess variable to pass to updown script. + # hostaccess = no + + # IPsec Mode to establish (tunnel, transport, transport_proxy, + # beet, pass or drop). + mode = tunnel + + # Whether to install IPsec policies or not. + # policies = yes + + # Whether to install outbound FWD IPsec policies or not. + # policies_fwd_out = no + + # Action to perform on DPD timeout (clear, trap or restart). + dpd_action = restart + + # Enable IPComp compression before encryption. + # ipcomp = no + + # Timeout before closing CHILD_SA after inactivity. + # inactivity = 0s + + # Fixed reqid to use for this CHILD_SA. + # reqid = 0 + + # Optional fixed priority for IPsec policies. + # priority = 0 + + # Optional interface name to restrict IPsec policies. + # interface = + + # Netfilter mark and mask for input traffic. + # mark_in = 0/0x00000000 + + # Whether to set *mark_in* on the inbound SA. + # mark_in_sa = no + + # Netfilter mark and mask for output traffic. + # mark_out = 0/0x00000000 + + # Netfilter mark applied to packets after the inbound IPsec SA + # processed them. + # set_mark_in = 0/0x00000000 + + # Netfilter mark applied to packets after the outbound IPsec SA + # processed them. + # set_mark_out = 0/0x00000000 + + # Inbound XFRM interface ID. + # if_id_in = 0 + + # Outbound XFRM interface ID. + # if_id_out = 0 + + # Traffic Flow Confidentiality padding. + # tfc_padding = 0 + + # IPsec replay window to configure for this CHILD_SA. + # replay_window = 32 + + # Enable hardware offload for this CHILD_SA, if supported by the + # IPsec implementation. + # hw_offload = no + + # Whether to copy the DF bit to the outer IPv4 header in tunnel + # mode. 
+ # copy_df = yes + + # Whether to copy the ECN header field to/from the outer IP + # header in tunnel mode. + # copy_ecn = yes + + # Whether to copy the DSCP header field to/from the outer IP + # header in tunnel mode. + # copy_dscp = out + + # Action to perform after loading the configuration (none, trap, + # start). + # start_action = none + + # Action to perform after a CHILD_SA gets closed (none, trap, + # start). + # close_action = none + + } + + } + + } + +} + +# Section defining secrets for IKE/EAP/XAuth authentication and private key +# decryption. +secrets { + + # EAP secret section for a specific secret. + # eap { + + # Value of the EAP/XAuth secret. + # secret = + + # Identity the EAP/XAuth secret belongs to. + # id = + + # } + + # XAuth secret section for a specific secret. + # xauth { + + # } + + # NTLM secret section for a specific secret. + # ntlm { + + # Value of the NTLM secret. + # secret = + + # Identity the NTLM secret belongs to. + # id = + + # } + + # IKE preshared secret section for a specific secret. + # ike { + + # Value of the IKE preshared secret. + # secret = + + # IKE identity the IKE preshared secret belongs to. + # id = + + # } + + # Postquantum Preshared Key (PPK) section for a specific secret. + # ppk { + + # Value of the PPK. + # secret = + + # PPK identity the PPK belongs to. + # id = + + # } + + # Private key decryption passphrase for a key in the private folder. + private1 { + + # File name in the private folder for which this passphrase should be + # used. + file = ssh_host_rsa_key + + # Value of decryption passphrase for private key. + # secret = + + } + + # Private key decryption passphrase for a key in the rsa folder. + # rsa { + + # File name in the rsa folder for which this passphrase should be used. + # file = + + # Value of decryption passphrase for RSA key. + # secret = + + # } + + # Private key decryption passphrase for a key in the ecdsa folder. 
+ # ecdsa {
+
+ # File name in the ecdsa folder for which this passphrase should be
+ # used.
+ # file =
+
+ # Value of decryption passphrase for ECDSA key.
+ # secret =
+
+ # }
+
+ # Private key decryption passphrase for a key in the pkcs8 folder.
+ # pkcs8 {
+
+ # File name in the pkcs8 folder for which this passphrase should be
+ # used.
+ # file =
+
+ # Value of decryption passphrase for PKCS#8 key.
+ # secret =
+
+ # }
+
+ # PKCS#12 decryption passphrase for a container in the pkcs12 folder.
+ # pkcs12 {
+
+ # File name in the pkcs12 folder for which this passphrase should be
+ # used.
+ # file =
+
+ # Value of decryption passphrase for PKCS#12 container.
+ # secret =
+
+ # }
+
+ # Definition for a private key that's stored on a token/smartcard.
+ # token {
+
+ # Hex-encoded CKA_ID of the private key on the token.
+ # handle =
+
+ # Optional slot number to access the token.
+ # slot =
+
+ # Optional PKCS#11 module name to access the token.
+ # module =
+
+ # Optional PIN required to access the key on the token. If none is
+ # provided the user is prompted during an interactive --load-creds call.
+ # pin =
+
+ # }
+
+}
+
+# Section defining named pools.
+# pools {
+
+ # Section defining a single pool with a unique name.
+ # {
+
+ # Addresses allocated in pool.
+ # addrs =
+
+ # Comma separated list of additional attributes from type .
+ # =
+
+ # }
+
+# }
+
+# Section defining attributes of certification authorities.
+# authorities {
+
+ # Section defining a certification authority with a unique name.
+ # {
+
+ # CA certificate belonging to the certification authority.
+ # cacert =
+
+ # Absolute path to the certificate to load.
+ # file =
+
+ # Hex-encoded CKA_ID of the CA certificate on a token.
+ # handle =
+
+ # Optional slot number of the token that stores the CA certificate.
+ # slot =
+
+ # Optional PKCS#11 module name.
+ # module =
+
+ # Comma-separated list of CRL distribution points.
+ # crl_uris =
+
+ # Comma-separated list of OCSP URIs.
+ # ocsp_uris =
+
+ # Defines the base URI for the Hash and URL feature supported by IKEv2.
+ # cert_uri_base =
+
+ # }
+
+# }
diff --git a/notes/disable-outgoing-tcp-connections-through-ipv6-tunnel.sh b/notes/disable-outgoing-tcp-connections-through-ipv6-tunnel.sh
new file mode 100644
index 0000000..842cc0f
--- /dev/null
+++ b/notes/disable-outgoing-tcp-connections-through-ipv6-tunnel.sh
@@ -0,0 +1,26 @@
+#!/bin/bash -xe
+[ "$UID" = 0 ] || exec sudo -- "$0" "$@" || exit
+
+if [ "$1" = delete ]
+then
+ ONLY_DELETE_RULES=y
+fi
+
+ip6tables_add()
+{
+ ip6tables -D "$@" 2>/dev/null || : not deleted
+ ${ONLY_DELETE_RULES:+: not added -- } ip6tables -A "$@"
+}
+ip6rule_add()
+{
+ ip -6 rule delete "$@" 2>/dev/null || : not deleted
+ ${ONLY_DELETE_RULES:+: not added -- } ip -6 rule add "$@"
+}
+
+mark=22
+ip6tables_add OUTPUT -t mangle -p tcp --syn -m state --state NEW -j MARK --set-mark $mark
+ip6tables_add OUTPUT -t mangle -p tcp --syn -m state --state NEW -j CONNMARK --save-mark
+ip6tables_add OUTPUT -t mangle -p tcp -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
+ip6rule_add fwmark $mark prohibit
+ip6rule_add fwmark $mark table main
+exit $?
diff --git a/notes/gai.conf b/notes/gai.conf
new file mode 100644
index 0000000..1a1770b
--- /dev/null
+++ b/notes/gai.conf
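Review bot: The script is created with `new file mode 100644` in this hunk's header, yet its first line re-executes itself via `exec sudo -- "$0" "$@"`, which only works when the file itself is executable (invoked as `bash notes/….sh`, `$0` is a non-executable path and the sudo re-exec fails, so the `|| exit` path is taken); it should be committed as mode 100755. Separately, the two `ip -6 rule add` lines for `fwmark $mark` carry no explicit `pref`, so which of `prohibit` and `table main` is evaluated first, and where both land relative to rules already present, is decided by the kernel's automatic preference assignment rather than by their order in the script. If the intent is "use a main-table route when one exists, otherwise refuse the connection", spell it out, e.g. `ip6rule_add pref 1000 fwmark $mark table main` and `ip6rule_add pref 1001 fwmark $mark prohibit`, choosing values below any policy-routing rule the IPsec daemon installs (strongSwan's default is pref 220 for table 220), or the tunnel route will be consulted before these rules. Also `-m state` is the deprecated alias; `-m conntrack --ctstate` is the current spelling.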
@@ -0,0 +1,65 @@
+# Configuration for getaddrinfo(3).
+#
+# So far only configuration for the destination address sorting is needed.
+# RFC 3484 governs the sorting. But the RFC also says that system
+# administrators should be able to overwrite the defaults. This can be
+# achieved here.
+#
+# All lines have an initial identifier specifying the option followed by
+# up to two values. Information specified in this file replaces the
+# default information. Complete absence of data of one kind causes the
+# appropriate default information to be used. The supported commands include:
+#
+# reload
+# If set to yes, each getaddrinfo(3) call will check whether this file
+# changed and if necessary reload. This option should not really be
+# used. There are possible runtime problems. The default is no.
+#
+# label
+# Add another rule to the RFC 3484 label table. See section 2.1 in
+# RFC 3484. The default is:
+#
+#label ::1/128 0
+#label ::/0 1
+#label 2002::/16 2
+#label ::/96 3
+#label ::ffff:0:0/96 4
+#label fec0::/10 5
+#label fc00::/7 6
+#label 2001:0::/32 7
+#
+# This default differs from the tables given in RFC 3484 by handling
+# (now obsolete) site-local IPv6 addresses and Unique Local Addresses.
+# The reason for this difference is that these addresses are never
+# NATed while IPv4 site-local addresses most probably are. Given
+# the precedence of IPv6 over IPv4 (see below) on machines having only
+# site-local IPv4 and IPv6 addresses a lookup for a global address would
+# see the IPv6 be preferred. The result is a long delay because the
+# site-local IPv6 addresses cannot be used while the IPv4 address is
+# (at least for the foreseeable future) NATed. We also treat Teredo
+# tunnels special.
+#
+# precedence
+# Add another rule to the RFC 3484 precedence table. See section 2.1
+# and 10.3 in RFC 3484. The default is:
+#
+precedence ::1/128 50
+precedence ::/0 40
+precedence 2002::/16 30
+precedence ::/96 20
+#precedence ::ffff:0:0/96 10
+#
+# For sites which prefer IPv4 connections change the last line to
+#
+precedence ::ffff:0:0/96 100
+
+#
+# scopev4
+# Add another rule to the RFC 6724 scope table for IPv4 addresses.
+# By default the scope IDs described in section 3.2 in RFC 6724 are
+# used. Changing these defaults should hardly ever be necessary.
+# The defaults are equivalent to:
+#
+#scopev4 ::ffff:169.254.0.0/112 2
+#scopev4 ::ffff:127.0.0.0/104 2
+#scopev4 ::ffff:0.0.0.0/96 14
diff --git a/notes/ipsec.conf b/notes/ipsec.conf
new file mode 100644
index 0000000..82728d3
--- /dev/null
+++ b/notes/ipsec.conf
@@ -0,0 +1,41 @@
+
+# basic configuration
+
+config setup
+ # strictcrlpolicy=yes
+ # uniqueids = no
+
+conn andy
+ type=tunnel
+ auto=add
+ left=%any
+ leftsourceip=%config
+ leftsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQC8b9n1/1p5HposHmP1xbrKCOP+3PSnaycQvIbcB3ugYBFgTfUoVZ0c6pUzpw8uR93iQ/mSyeEvjaUDctBASg67jxyeSU78p9qJ/y/Eg2uBiMNx1fUljVryqXCbQRebjtVWNjIhr99qowzYrV+ztTNpQ2oI/VhQ9C+cbDLKySoR5L8wrkSPqvYH4oZJtyKQmv7lN3/MKFONZlTo1RMw2+4214uaQJF1dcwW3erHh15SpqoQ7LidqNH2Q6SInzVdJbZtQSWjFM29m4nQMv55g6VlUK8NfcGJuIKghO0urZvYQpdeBe05Lr/y/n3wqJb97Eh5hzQc9Jx5kKQZeueHWEkz"
+ leftid=dd6c:fbfd:eeb8:4709
+ right=%any
+ right=68.48.18.140
+ #rightsubnet=2601:401:8200:2d4c::1/64
+ rightsubnet=0::0/0
+ rightsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQD0v/20UNR7vpib9amq1xMrJSiyIWXjpiHq1O2BIrzZ2nuilSxn1dYVhelUTR2siDKAxoo3sX0GDWayMekHtzPr1DBXQ/eu9PNhp9Q0QvkgRSay9HggelpGukxP8N72kbthggmCkWufaM/OoDOVHBYngJFbrwOwhDKJyL+q8f3u1LFOErRxVJ7f7/C1o+NLkWXayfwOK8kk4Hc9tcy1MXk5jLx927evsyOYXV2Lbzf9qwXSV6MjUlFDhqhW/v2IOBCxXG7GhpoHTmpdtv0JxDLnc5zYBxgleiS74DmC5GKU5EgU63e7FNnPSvVnYO+S3mO+Y4PwNv4BYnKSpSGe/0tt"
+
+# Add connections here.
+
+# Sample VPN connections
+
+#conn sample-self-signed
+# leftsubnet=10.1.0.0/16
+# leftcert=selfCert.der
+# leftsendcert=never
+# right=192.168.0.2
+# rightsubnet=10.2.0.0/16
+# rightcert=peerCert.der
+# auto=start
+
+#conn sample-with-ca-cert
+# leftsubnet=10.1.0.0/16
+# leftcert=myCert.pem
+# right=192.168.0.2
+# rightsubnet=10.2.0.0/16
+# rightid="C=CH, O=Linux strongSwan CN=peer name"
+# auto=start
+#include /var/cache/kiki/config/ipsec.conf
diff --git a/notes/ipsec.conf.empty b/notes/ipsec.conf.empty
new file mode 100644
index 0000000..ff9cca2
--- /dev/null
+++ b/notes/ipsec.conf.empty
@@ -0,0 +1,5 @@
+# basic configuration
+
+config setup
+ # strictcrlpolicy=yes
+ # uniqueids = no
-- cgit v1.2.3
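Review bot: `conn andy` sets `right` twice, `right=%any` immediately followed by `right=68.48.18.140`; a duplicated key leaves it to the parser which value survives, and if `%any` wins the peer is no longer pinned to its address (authentication still rests on `rightsigkey`, but the address filter is silently lost). Drop the first line so the section carries only `right=68.48.18.140`. `rightsubnet=0::0/0` also sends all IPv6 traffic through this tunnel, which is presumably deliberate given the commented-out `/64` above it, but a one-line comment such as `# ::/0 on purpose: route all IPv6 via the tunnel` would make that intent explicit for the next reader.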