Wanted to throw out WPA for several reasons, I switched to IPSEC for my wireless network which includes a Windows XP machine… This is just a quick reference for myself so I don’t have to figure it out all over again when I add a Windows machine to the network.

On the Freeswan box

• Edit openssl config to increase number of bits and expiry time.
• Use CA.sh to create a root certificate. (by default in ./demoCA)
• Lower expiry time back down a bit in openssl config.
• Create a new client (and also one for the server) certificate: CA.sh -newreq (use a pass phrase)
• Sign this certificate: CA.sh -sign
• Rename newcert.pem to something client specific (clientcert.pem in this example). (You might also want to keep newreq.pem..)
• Create a PKCS12 file for Windows: openssl pkcs12 -export -in clientcert.pem -inkey newreq.pem -certfile demoCA/cacert.pem -out client.p12
• Extract the subject, you’ll need it for ipsec.conf: openssl x509 -in clientcert.pem -inform pem -noout -subject

Put stuff in ipsec.conf:

config setup
    interfaces="ipsec0=eth1″
    klipsdebug=none
    plutodebug=control
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keylife=70m
    keyingtries=3
    disablearrivalcheck=no
    authby=rsasig
    ike=aes-md5,aes-sha,3des-md5,3des-sha
    esp=aes128-md5,aes128-sha1,3des-md5,3des-sha1
    dpddelay=120
    dpdtimeout=370
    dpdaction=clear
    compress=yes
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn client
    right=192.168.1.12
    rightid="C=NL, ST=NH, L=PURMEREND, O=NiElS, OU=CLIENT, CN=Niels Peen, E=ni
    els@peen.net”
    rightca="/C=NL/ST=NH/L=PURMEREND/O=NiElS/CN=Niels Peen/E=niels@peen.net”
    left=192.168.1.9
    leftsubnet=0.0.0.0/0
    leftcert=/etc/ipsec.d/certs/servercert.pem
    leftca=%same
    pfs=yes

You will notice that in the subject emailAddress has been replace with E.

On the Windows box

• (Win)SCP the P12 file to the Windows machine.
• Start “MMC”
• You begin with an empty console. Now add some plugins: (names may vary as I translate them from the Dutch Windows version)
• Certificates -> Computer Account -> Local machine
• Certificates -> User Account
• IP Security Monitor
• IP Policy Management -> This Computer

You now have a useful MMC profile. Save it.

• Go to Certificates (Local machine), right click -> All tasks -> Import
• Now import the P12 file, it will ask you for the password. Turn on the exportable option and set the archive to “automatic”. Your certificate should now be imported.
• Now we’ll create a security policy.
• Give it a name, like “ipsec all traffic”.
• Disable the default rule and the the properties dialog pop-up.

We now have a rules Window. * Disable the Wizard.

We’ll be adding two rules. One for client to server and one for server to client. I’ll describe one procedure. The differences are only the Source an Destination address and the Tunnel endpoint. This will make sense once you run into them :)

• Add a rule. (assuming client to server).
• In filter tab, add a filter.
• Disable wizard.
• Name it “client to server”.
• Hit “add”.
• Set Source to “My address”, set Destination to “Any address” and disable mirroring.
• In the description type “client to server”, and close the filter properties dialog and the rule properties dialog. Select the just made filter.
• Go to filter action tab. Disable Wizard and hit “Add”. We only do this one once, you can use it in both the “client to server” and the “server to client” rules.
• Select “Negotiate” and hit Add.
• Select “Custom” and configure it for SHA1, 3DES. Turn off AH. Turn on the session key settings. Defaults are fine. Close dialogs until we’re back in filter properties. Turn off non-secure traffic and enable PFS.
• In the general tab, name this “ipsec crypto”. Close dialog.
• Back in the filter action tab select the just made “ipsec crypto”.
• Go to verification methods. Add one using our imported certificate. Remove kerberos.
• Set type of connection to “All”.
• Set tunnel endpoint to the servers address.

Now do the same for a server to client rule. Back in first dialog, go to the common tab and enable PFS using the Advanced button.

Back in MMC enable the ipsec all traffic policy. Encryption should now take place!

Link to outdated resume has been removed.

Since I had to dig up my resume anyway, I've put it [online].

For those of you buying an Acer Travelmate 634LC I've put online some info on having it run Debian GNU Linux. Not as fast as my Medion laptop but it's more power efficient and has a bigger screen (15.1" 1400x1050).

Quickspecs

• Mobile Pentium IV 1.8GHz
• ALI Chipset
• 15.1" TFT
• 32MB videocard with TV-Out
• 512MB DDR RAM
• 30GB HDD
• DVD/CDRW
• 3 hour battery
• 56K modem
• 10/100Mbit Ethernet
• Firewire
• SmartCard
• CardBus/PCMCIA
• Acer port replicator
• Infared

The longer specs, and how to get stuff working (Using Debian GNU/Linux and Kernel 2.4.19):

Audio: The normal kernel driver complains about interrupts. The ALSA driver however works great. Load snd-ali5451, snd-mixer-oss, snd-pcm-oss.

Modem: Haven't tried the modem yet, but it's supposed to be a Lucent Winmodem if you want to try.

Network: Works great with the standard 8139too driver in de 2.4.19 kernel.

Firewire: Use the OHCI kernel driver and it seems to work. I have no actual firewire equipment to test it though.

USB: (v1.1) Also use OHCI driver to get this running. Works fine.

IDE Controller: Use the ALI15xx IDE driver. Works ok. Needed hdparm to turn on 32-bit mode; DMA mode is on by default. I run:

hdparm -c 1 -u 1 /dev/hda

on boot.

PCMCIA/CardBus/SmartCard: The CardBus/PCMCIA part works fine with the standard CardBus driver. The laptop also has a smartcard reader. O2 Micro however stopped their Linux support for the smartcard reader. Make sure to send them a friendly email to complain about that. They did supply me with (useless to me) binary drivers for RedHat 6.2. (Read this.)

Video: I downloaded the AGP and XFree driver from the nVidia site. They work great, including OpenGL and TV-Out. Keep in mind that the nVidia X driver is called 'nvidia' and not 'nv' like the original X driver. 1400x1050 sure is a lot more useful than 1024x768 :)

IRDA: Worked using the SIR drivers (loading irtty, ircomm-tty and ircomm). Could not get the ALI FIR driver to work.

ACPI: The ACPI in kernel 2.4.19 has problems shutting the machine down. I used a patch for 2.4.19 from http://sourceforge.net/projects/acpi. (Make sure to reconfigure the kernel.)

APM: Suppose it could work. I prefer using ACPI.

Touchpad: I used the synaptics driver from mobilix.org. Works great.

DVD/CDRW: IDE DVD-player and CD (Re)Writer. Configure kernel for SCSI emulation to use the writing features. Also put append="hdc=ide-scsi" in your lilo.conf.

Some output for those interested:

00:00.0 Host bridge: Acer Laboratories Inc. [ALi] M1671 Northbridge
[Aladdin-P4] (rev 02)
00:01.0 PCI bridge: Acer Laboratories Inc. [ALi] PCI to AGP Controller
00:06.0 Multimedia audio controller: Acer Laboratories Inc. [ALi] M5451 PCI
AC-Link Controller Audio Device (rev 02)
00:07.0 ISA bridge: Acer Laboratories Inc. [ALi] M1533 PCI to ISA Bridge
[Aladdin IV]
00:08.0 Modem: Acer Laboratories Inc. [ALi] M5457 AC-Link Modem Interface
Controller
00:0a.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C
(rev 10)
00:0b.0 FireWire (IEEE 1394): VIA Technologies, Inc. IEEE 1394 Host
Controller (rev 46)
00:0f.0 USB Controller: Acer Laboratories Inc. [ALi] USB 1.1 Controller (rev
03)
00:10.0 IDE interface: Acer Laboratories Inc. [ALi] M5229 IDE (rev c4)
00:11.0 Bridge: Acer Laboratories Inc. [ALi] M7101 PMU
00:13.0 CardBus bridge: O2 Micro, Inc. OZ6933 Cardbus Controller (rev 02)
00:13.1 CardBus bridge: O2 Micro, Inc. OZ6933 Cardbus Controller (rev 02)
00:14.0 USB Controller: Acer Laboratories Inc. [ALi] USB 1.1 Controller (rev
03)
01:00.0 VGA compatible controller: nVidia Corporation NV11 [GeForce2 Go]
(rev b2)