Forum Replies Created
Anonymous (Participant)
🙄 So near yet so far… forgot the #
Anonymous (Participant)
I am not sure. FYI, I am a graphic and web designer most of the time, network admin only by default!
Can you suggest which log(s) I should inspect in order to discover this information? In the “system software” log I noticed a 03:16 restart of syslogd. Thx.
-the Egg
Anonymous (Participant)
Thanks Joel! That worked like a charm!
Anonymous (Participant)
Thanks Joel, I'll check it out.
Dom..
Anonymous (Participant)
Not sure I understand how it is possible to give each virtual web a separate IP address… The Xserve only has 2 NIC interfaces… 1 is on the WAN side of the network and the other on the LAN side of the network.
I could change one of the sites to the LAN IP address, but I am not sure what good this would do because that would make it not accessible from the WAN side of the network?
Or am I missing something here?
Thanks
Anonymous (Participant)
Does anyone have a copy of the files they used for startup?
Drop me an email. Thanks a lot.
Anonymous (Participant)
Just an update for the curious — the Airport base station was the culprit. Once I hooked up my LinkSys router and set up the Airport as just a WAP (not routing), I was able to tunnel in. Thanks again for all the help.
Anonymous (Participant)
Thanks for the tip — I actually arrived at the same conclusion last night. The only thing that has me doubting is that my router is an Apple airport (older model), and I’ve been told that this configuration should work. I will be testing this theory tonight when I get home, as I also have a linksys router that does support IPSec passthrough. I’ll post a follow-up with the results.
Anonymous (Participant)
I followed the “Flying racoons part 3” article to the letter. Here is the relevant stuff from the server log:
05/07/2003 16:17:12.848 IKE negotiation complete. Adding IPSec SA. (Phase 2) 192.168.0.170 68.71.28.149 ESP:3DES, HMAC_SHA1, lifeSeconds=30 Local SPI:0x8cfe0f20 Remote SPI:0xdb20683
05/07/2003 16:17:12.848 IKE Responder: Accepting IPSec proposal (Phase 2) 68.71.28.149 192.168.0.170 192.168.1.123/32 -> 192.168.10.0/24
05/07/2003 16:17:12.784 IKE Responder: Received Quick Mode Request (Phase 2) 68.71.28.149 192.168.0.170
05/07/2003 16:17:12.784 IKE Responder: Aggressive Mode complete (Phase 1) 68.71.28.149 192.168.0.170 3DES SHA1 Group 2 lifeSeconds=60
05/07/2003 16:17:12.672 NAT Discovery : Peer IPSec Security Gateway doesn’t support VPN NAT Traversal 192.168.0.170 68.71.28.149
05/07/2003 16:17:12.384 IKE Responder: Received Aggressive Mode request (Phase 1) 68.71.28.149 192.168.0.170
My internal IP here at home is 192.168.1.123. The remote private network is 192.168.10.0/24. Everything looks good, but I can’t ping or do anything — no NAT traversal (see log entry above).
Please send the beta to [email protected]. Thanks.
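The log above shows a Phase 2 ESP SA being added right after the NAT traversal refusal, which is the combination the later replies trace back to the Airport doing NAT without IPsec passthrough. As an added example that is not the poster's or the VPN vendor's code, this Python parser reads constructed lines modelled on that log and flags exactly that combination; the field order (peer gateway, local gateway, then the Phase 2 selectors) and the message strings are assumptions taken from the quoted lines.

```python
import ipaddress
import re

# Constructed sample, modelled on the responder log quoted in the post (not the poster's exact lines).
SAMPLE_LOG = """\
05/07/2003 16:17:12.384 IKE Responder: Received Aggressive Mode request (Phase 1) 68.71.28.149 192.168.0.170
05/07/2003 16:17:12.672 NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal 192.168.0.170 68.71.28.149
05/07/2003 16:17:12.784 IKE Responder: Aggressive Mode complete (Phase 1) 68.71.28.149 192.168.0.170 3DES SHA1 Group 2 lifeSeconds=60
05/07/2003 16:17:12.848 IKE Responder: Accepting IPSec proposal (Phase 2) 68.71.28.149 192.168.0.170 192.168.1.123/32 -> 192.168.10.0/24
05/07/2003 16:17:12.848 IKE negotiation complete. Adding IPSec SA. (Phase 2) 192.168.0.170 68.71.28.149 ESP:3DES, HMAC_SHA1, lifeSeconds=30
"""

# Field order (peer gateway, local gateway, then the Phase 2 selectors) is assumed from the quoted log.
LINE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}\s*(?P<msg>.*)$")
PROPOSAL_RE = re.compile(
    r"Accepting IPSec proposal \(Phase 2\) (?P<peer>\S+) (?P<local>\S+) (?P<src>\S+) -> (?P<dst>\S+)")
SA_RE = re.compile(r"Adding IPSec SA\. \(Phase 2\) (?P<local>\S+) (?P<peer>\S+) (?P<proto>ESP|AH)")


def analyse_ike_log(text):
    """Return what the log says about NAT-T, the Phase 2 SA and whether the peer sits behind a NAT."""
    report = {"nat_t": True, "phase2_sa": False, "proto": None, "peer_gw": None, "peer_inner": None}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg").replace("\u2019", "'")  # tolerate the curly apostrophe seen in forum pastes
        if "doesn't support VPN NAT Traversal" in msg:
            report["nat_t"] = False  # no UDP encapsulation, so ESP stays raw IP protocol 50
        p = PROPOSAL_RE.search(msg)
        if p:
            report["peer_gw"] = p.group("peer")  # address the responder really talked to
            report["peer_inner"] = p.group("src").split("/")[0]  # address the client claims inside the tunnel
        s = SA_RE.search(msg)
        if s:
            report["phase2_sa"], report["proto"] = True, s.group("proto")
    inner, gw = report["peer_inner"], report["peer_gw"]
    # A private inner address reached through a public gateway address means a NAT sits in between.
    report["peer_behind_nat"] = bool(
        inner and gw and ipaddress.ip_address(inner).is_private and not ipaddress.ip_address(gw).is_private)
    if report["phase2_sa"] and report["peer_behind_nat"] and not report["nat_t"] and report["proto"] == "ESP":
        report["verdict"] = ("ESP SA is up but the peer is behind a NAT with NAT-T unavailable: "
                             "traffic only flows if that NAT does IPsec passthrough")
    elif report["phase2_sa"]:
        report["verdict"] = "Phase 2 SA is up and this log shows no NAT obstacle"
    else:
        report["verdict"] = "no Phase 2 SA in this log"
    return report
```

Run `analyse_ike_log(SAMPLE_LOG)` to see the verdict; the same check on the poster's own log lines works once the fused timestamp is separated from the message.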
Anonymous (Participant)
Oh, basically anything — ping, telnet, http — nothing works. All I get is this log entry on the server (VPN box). As I understand, if there is no NAT traversal, nothing will work (unless I connect directly to my single IP). Is this correct, or am I confused?
Topology here at home is: OS X Jaguar 10.2.5 running on a 17″ Ti-book, wireless access using older Airport connected to my cable modem. I also have a Win2K box that works just fine with the VPN using SonicWall’s client software, and it is also wireless using the same Airport.
Thanks again for the help.
Anonymous (Participant)
Hello Joel,
Unfortunately I need the DNS services. I came up with another idea:
We have this equipment:
cable modem -> Zyxel router with NAT -> all outside traffic goes to 192.168.0.3, the IP address of our DNS/file/mail server. Our domain is hosted outside the network. In the LAN I use the same domain name as we have outside, hosted by our provider. The MX record points to the IP address of the Zyxel router. Everything works fine. My question is:
If I activate the firewall and configure port 53 to allow access inside the network and, from outside, only from the IP address of our hosting provider's nameserver, will our mail server be accessible from outside? I think, if somebody sends me an email (e.g. [email protected]), his mail server checks the nameserver of our hosting provider, finds the information that mail.mydomain.com has the IP address x.x.x.x and then sends the email directly to our server. So if this mail server sends the email, does it need our DNS server to reach the mail server, or does his mail server connect directly to our email server?
Or to ask generally: is there a reason why our LAN DNS server should be reachable from the outside?
Many thanks for your help in advance!
Yours sincerely,
Ferdinand
Anonymous (Participant)
As you know, with stunnel, you can use both port 143 and 993 for IMAP communication. After a LOT of tweaking with the config file, I finally managed to get stunnel to work correctly.
Here was my problem: I followed all the instructions on AFP for tunnel 4, I would run the program, and it acted as if everything was OK, no error, nothing.
Symptoms: I did the check they recommended (I forget what it was now) to check the port, and it passed, meaning that stunnel was good. Such is not the case: that is a bad tool for diagnosing this setup.
What I did: I went into my stunnel config file and removed the # from the debugging lines. I reran the program and got this error towards the end:
[code:1:6d3e321a8c]
2003.05.04 18:00:23 LOG3[512:2684358124]: Error binding imaps to 0.0.0.0:993
2003.05.04 18:00:23 LOG3[512:2684358124]: bind: Address already in use (48)
[/code:1:6d3e321a8c]
Obviously the 0.0.0.0 was not a good thing. Keep in mind, this may have been happening due to a bad setup somewhere else. Regardless, I resolved the problem by going into the config file and making the following changes:
[code:1:6d3e321a8c]
[imaps]
accept = xxxxx.com:993
connect = xxxxxx.com:143
[/code:1:6d3e321a8c]
So essentially, just add your mail server's fully qualified domain name before the port. It will do a DNS lookup and will use your IP address for that domain. So, I just reran stunnel, and bingo, secure tunneling is all good.
Hope this helps anyone who is having issues. Just as a side note: I tried Apple's weird way of securing connections with the keychain certs, and it just crapped out on me without ever starting to work. Oh well. Stunnel is working great and is totally secure now.
Anonymous (Participant)
[quote:cf0c26a843=”sdevore”]Is it possible to use a ssh tunnel between two computers to activate Rendezvous?[/quote:cf0c26a843]
I don’t think so; you need to tunnel the ethernet packets (i.e., packets on a different OSI level than the level SSH works on). However, I think it is possible to tunnel ethernet packets, but I don’t yet know how. I am looking into it…
Anonymous (Participant)
You can CNAME xserver to ns1 and then CNAME a bunch of other things to xserver. Or you could set up another A record, but that is considered bad form.
Anonymous (Participant)
For all Sonicwall users out there – make sure you have the latest firmware. VaporSec has been much more friendly with our SonicWall since the firmware upgrade.