L2TP over IPsec on Cisco IOS

Written in the mid-afternoon in English

I wanted to use the OS X VPN client to connect to my home network while on the road. I guess using an OS X server would be the easiest way to get a Mac-compatible VPN server up and running. Using a Cisco running IOS required quite a few lines of configuration.

The OS X VPN client provides terrible feedback. It will happily tell you that there was “no response from the VPN server” when in reality the server responds with a rejection of all the ISAKMP or IPsec transforms proposed by the client. Fortunately both the Cisco debugging messages and verbose output from tcpdump were quite helpful.

In about 3 hours I got it all working, including routing with other VRFs and DMVPN sites.

SHA-256 SSL certificates

Written late in the morning in English

The technical details of an SSL certificate are up to the issuing CA, which is understandable. I was still surprised when my SHA-256 CSR resulted in a SHA-1 certificate back in April, when reissuing it due to Heartbleed. But I didn’t pursue it at the time.

Now that Google announced sunsetting SHA-1-signed certificates by the end of the year, the issue became more pressing. Fortunately instructions for reissuing GeoTrust-based certificates — such as the RapidSSLonline ones — were already available.

How to create an L2TP IPsec tunnel to NetBSD so it works with your Android phone, iPhone or other iOS device, Mac OS X, and a bunch of other things as well.

Images, please

Written at lunch time in English

I’m following most web sites with Google Reader these days. With some sites I’ve noticed that images don’t show up in the reader interface. I figured this would be because the site is attempting to protect against hot-linking of its resources — and it seems I was right.

The quick fix with Firefox is to disable sending Referer information for inlined images. You can do this in about:config by changing the value of network.http.sendRefererHeader to 1.

While there, I also changed network.http.sendSecureXSiteReferrer to false. This prevents Referer information from being sent between different secure (HTTPS) sites.

Disabling temporary IPv6 addresses

Written early in the evening in English

I never seem to be able to remember this, and somehow I end up with new Windows installations without this change:

netsh interface ipv6 set privacy state=disable

This will disable temporary IPv6 addresses. These are especially nasty on desktop systems, where the address will expire from under you. If you find yourself having to restart your SSH terminal connections every 14 hours to 6 days, this is why (as far as I can tell).

I really don’t buy the privacy aspect of generating random IP addresses. If you worry about eavesdropping, encrypt your traffic. If you worry about someone tracking your traffic patterns, stop browsing those questionable sites. :)

USA requires biometrics

Written late at night in English

I’ve been reading about the new passport requirements the USA is making of visa-less visitors, and now there was an article about it in Hesari. I guess I should plan to return for a visit before my passport expires in 2007.

Unless they implement the plan to issue RFID tags to all foreigners for automatic tracking. Traveling is supposed to be something you do for fun, and I don’t consider wearing an electronic ankle bracelet much fun. I guess plan B is to meet all my American friends in Montreal or Vancouver.

Avoid being harvested

Written in the wee hours in English

Given that I’ve successfully avoided spam by using me at example dot com as an “obfuscation” method for email addresses, I’m not surprised by the findings that spammers are lazy. But it is still interesting to read about good proof through a real test, and I’d hazard a guess that using hex entities may be a longer-lasting method.

I’d consider replacing the JavaScript I currently use, if it weren’t for the fact that people already seem to be able to find my email address just fine. Actually, Phil’s article would seem to support the case that disabling JavaScript is rare. He only got a couple of actual messages to the non-JavaScript address. I guess that’s good news for me.

Boundless Internet

Written in the early evening in Finnish

It is not a new idea at all that a prospective employer types a job applicant’s name into Google and, based on the results, forms opinions that influence the hiring decision. Yet most people keep a clear boundary between private life and working life. Private matters do not belong at the workplace, and work matters are usually kept out of home life as well. On the Internet this boundary blurs easily: with search engines it is far too easy to see both lives at the same time.

Updated Privoxy

Written at lunch time in English

I have new versions of Firefox running on my computers, and I was busy adding image-blocking rules on each one. I thought this was less than ideal, so I decided to give Privoxy a new try. I saw that a new version was out, so I updated the www/privoxy package as well. Apart from getting more up-to-date filters, there’s a memory leak fix, and I could also enable threads for parallel request handling.