Networking

  • Issue with VPN servers only proposing IPsec IKEv1 weak legacy algorithms

    There is a general consensus that the following legacy algorithms are now considered weak or broken with regard to security and should be phased out and replaced with stronger algorithms.

    Encryption Algorithms:

    3DES
    Blowfish

    Integrity Algorithms:

    MD5
    SHA1

    Diffie-Hellman Groups:

    MODP768
    MODP1024
    MODP1536

    Legacy algorithms that are considered weak or broken are regularly removed from the default set of allowed algorithms with newer releases of strongSwan and Libreswan.

    As of strongSwan 5.4.0 and Libreswan 3.20, the above algorithms have been deprecated or, in some cases, already removed from the default set of allowed algorithms (Libreswan still includes SHA1 and MODP1536 by default for backwards compatibility).

    If you are not sure which IKEv1 algorithms your VPN server proposes, you can query the VPN server with the ike-scan.sh script located in the IPsec IKEv1 algorithms section of the Wiki:

    https://github.com/nm-l2tp/network-manager-l2tp/wiki/Known-Issues

    If the VPN server is only proposing weak or broken algorithms, it is recommended that it be reconfigured to propose stronger algorithms, e.g. AES, SHA2 and MODP2048.

    If for some reason the VPN server cannot be reconfigured and you are not too concerned about security, as a workaround you can specify your own phase 1 (ike) and phase 2 (esp) algorithms in the IPsec Options dialog box in the Advanced section. See the following example and the IPsec IKEv1 algorithms section of the Wiki for more details:

    https://github.com/nm-l2tp/network-manager-l2tp/wiki/Known-Issues


    Example workaround for 3DES, SHA1 and MODP1024 broken algorithms

    Unfortunately there are many L2TP/IPsec VPN servers still offering only 3DES, SHA1 and MODP1024. One likely reason for this is that it has been the default Microsoft has offered with its L2TP/IPsec VPN servers since the days when Windows XP was the main client.

    If you are using strongSwan for IPsec client support, enter the following in the corresponding IPsec Options dialog box advanced section:

    Phase1 Algorithms : 3des-sha1-modp1024
    Phase2 Algorithms : 3des-sha1

    If you are using Libreswan >= 3.20 for IPsec client support, enter the following in the IPsec Options dialog box advanced section:

    Phase1 Algorithms : 3des-sha1;modp1024
    Phase2 Algorithms : 3des-sha1
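    Before typing a workaround into the IPsec Options dialog, or when reviewing what a server proposes, it helps to know exactly which parts of a proposal string fall into the weak lists above. The following Python script is an added example (it is not part of network-manager-l2tp, strongSwan or Libreswan) that parses ike=/esp= style proposal strings in both the strongSwan form ("3des-sha1-modp1024") and the Libreswan form ("3des-sha1;modp1024") shown above, including comma-separated lists of several proposals, and reports which proposals use a legacy algorithm from this page. The weak-algorithm sets are exactly the ones listed above; the alias table (sha = sha1, Libreswan dh2 = modp1024, etc.) and the prefix-based token classification are assumptions made for the example.

```python
import re

# Legacy algorithms named on this page as weak or broken.
WEAK_ENCRYPTION = {"3des", "blowfish"}
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH_GROUPS = {"modp768", "modp1024", "modp1536"}

# Assumed alias table: "sha" means sha1 in both daemons, and Libreswan also
# accepts IANA group numbers (dh2 = modp1024, dh5 = modp1536, dh14 = modp2048).
ALIASES = {"sha": "sha1", "dh1": "modp768", "dh2": "modp1024",
           "dh5": "modp1536", "dh14": "modp2048"}


def _classify(token):
    """Assumed classification by keyword prefix: DH group, PRF, integrity,
    otherwise encryption (covers aesNNN, 3des, blowfish, AEAD ciphers)."""
    t = ALIASES.get(token, token)
    if t.startswith(("modp", "ecp", "curve", "dh", "x25519", "x448")):
        return "dh", t
    if t.startswith("prf"):
        return "prf", t
    if t.startswith(("sha", "md5", "aesxcbc", "aescmac")):
        return "integ", t
    return "enc", t


def parse_proposals(spec):
    """Split a strongSwan ('3des-sha1-modp1024') or Libreswan
    ('3des-sha1;modp1024') ike=/esp= string into one dict per proposal.
    A trailing '!' (strongSwan strict flag) is ignored."""
    proposals = []
    for item in spec.lower().rstrip("!").split(","):
        item = item.strip()
        if not item:
            continue
        prop = {"text": item, "enc": [], "integ": [], "prf": [], "dh": []}
        for tok in re.split(r"[-;]", item):
            if tok:
                kind, name = _classify(tok)
                prop[kind].append(name)
        proposals.append(prop)
    return proposals


def weak_algorithms(spec):
    """Return {proposal_text: [weak tokens]} for every proposal in spec that
    uses at least one of the legacy algorithms listed on this page."""
    findings = {}
    for prop in parse_proposals(spec):
        weak = ([a for a in prop["enc"] if a in WEAK_ENCRYPTION]
                + [a for a in prop["integ"] if a in WEAK_INTEGRITY]
                + [a for a in prop["dh"] if a in WEAK_DH_GROUPS])
        if weak:
            findings[prop["text"]] = weak
    return findings


def only_weak(spec):
    """True when every proposal relies on a legacy algorithm, i.e. the
    situation described above where the server offers nothing stronger."""
    props = parse_proposals(spec)
    return bool(props) and len(weak_algorithms(spec)) == len(props)


if __name__ == "__main__":
    # Constructed sample inputs: the two workarounds from this page, the
    # recommended strength, and a mixed Libreswan list.
    samples = [("strongSwan phase1 workaround", "3des-sha1-modp1024"),
               ("Libreswan phase1 workaround", "3des-sha1;modp1024"),
               ("recommended", "aes256-sha256-modp2048"),
               ("mixed", "aes256-sha2_256;dh14,3des-sha1;dh2")]
    for label, spec in samples:
        print(f"{label}: weak={weak_algorithms(spec)} only_weak={only_weak(spec)}")
```

    Running the script prints the weak components of each sample; a server whose ike-scan result maps to an only_weak() result of True is exactly the case the workaround above is meant for, and the one that should be reconfigured to propose e.g. AES, SHA2 and MODP2048.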

  • The recent KB4480970 and KB4480968 updates for Windows 7 and Windows Server 2008 R2 are breaking access to SMBv2 shares.

    The fix is a registry entry (run in 'cmd' as administrator):

    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

    The effect is immediate - no reboot required. Note that setting LocalAccountTokenFilterPolicy to 1 disables UAC remote restrictions for local administrator accounts on that machine.

    Alternatively, install the later Microsoft update KB4487345, which fixes the problem.

  • To create a bridge over bonded network interfaces in RHEL/CentOS 7.3 and above, use the following nmcli commands:

    # nmcli c add type bridge ifname bridge0 con-name bridge-bridge0
    # nmcli c add type bond ifname bond0 con-name bridge-slave-bond0 master bridge-bridge0 mode bond_mode
    # nmcli c add type ethernet ifname interface1 con-name bond-slave-interface1 master bond0
    # nmcli c add type ethernet ifname interface2 con-name bond-slave-interface2 master bond0

    Notes:
    1. Make sure you use the correct/appropriate bonding mode in place of bond_mode (see this page for details regarding bonding and KVM hosts and guests network connectivity: https://access.redhat.com/solutions/67546)
    2. Bonding apparently works (better?) than Teaming on a KVM host.
    3. Original set of instructions found at the bottom of 'Bug 1183420' on Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1183420
  • Ubiquiti's stringent password requirements, when running the first-time wizard, can be a pain on their UniFi controller. When installing the controller for the first time, satisfy the requirements when the wizard asks you to, knowing that you can run the following commands afterwards to get the password back to something you actually want :-)

    Linux-based Ubiquiti UniFi Wireless Controller

    ♦ To create a salted, hashed password, do one of the following:

    • For Ubuntu/Debian based distros, use the mkpasswd utility ('whois' pkg on Debian/Ubuntu):
      mkpasswd -m sha-512
    • For RHEL/CentOS/Fedora based distros, use python (the crypt module was deprecated in Python 3.11 and removed in 3.13, so use mkpasswd on newer systems):
      python -c 'import crypt,getpass;pw=getpass.getpass(); print(crypt.crypt(pw, crypt.mksalt(crypt.METHOD_SHA512)) if pw==getpass.getpass("Confirm: ") else exit("Passwords do not match"))'

    ♦ To show the list of admins/users:
    mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"

    ♦ To update the password in the MongoDB database for UniFi (replacing [USERNAME] with the appropriate username and [HASHED_PASSWORD] with the result from the password generation utility):
    mongo --port 27117 ace --eval 'db.admin.update( { "name" : "[USERNAME]"}, { $set : { "x_shadow" : "[HASHED_PASSWORD]" } } )'