Recent blog entries for walpuski

Dan Melomedman encouraged me to publish my patch for PHP with fnord and diet libc. I've also put the source code of a HTTP authentication module for fnord and a «small» (read: no features, just loading modules with or without options, nothing more, nothing less) insmod for Linux 2.5.x on the web.

P.S.: My patch for isakmpd on Linux 2.5.x was mentioned in a article by Ralf Spenneberg about IPsec in Linux 2.5.x. in the Linux-Magazin. There might also be a chapter about using isakmpd on Linux 2.5.x in Ralfs new book «VPN mit Linux».

Last night Hakan Olsson commited a slightly modified version of my patch for isakmpd on Linux 2.5 to CVS. You might be interested in this small howto about building isakmpd for Linux 2.5.

This week I've installed a recent development kernel, which has a nice IPsec implementation (much better than FreeS/WAN). At the moment you have to use KAME's IKE daemon racoon for automagical keying. A PFKEYv2 interface to xfrm has been developed especially therefore. The native user interface to xfrm via NETLINK has some bugs (fix) . Today I've done a port of isakmpd to Linux 2.5.Some testing has already been done (5 hours stress test with very much rekeying), but I think it could use some more (hint!).

My code to enable SET/ACK IKE Mode Config (see below) has been commited to CVS.

Long time ago I wrote some code to support SET/ACK IKE Mode Config for isakmpd when acting as responder, i.e. VPN-gateway et.al., which has not been completly functional, because of some strange side-effect in isakmpd. Today due to "inspiration" by Clemens Draschl and Ralf Hornik I've tested the code with a recent CVS version of isakmpd and it worked! Get the patch!

Someone eagerly demanded a version of ldapclient with LDAP Search Filter support. So others also might be interested in this patch. After applying it you can do such nifty things as the following (or even more complicated stuff):

thomas@tyr:~/src/tinyldap$ ./ldapclient 130.157.5.18 \
> 'o=Sonoma State University, C=US' \
> '(&(cn=S*t*e*)(description=*Professor*)(!(description=*History*)))' \
> cn mail description
requesting mail
requesting description
[..]

About a month ago I finished writing my "Seminarfacharbeit" about "Sicherere latenzarme Kommunikationswege mit IPsec" (Get it!).

Also sometime ago Fefe accepted my scan_ldapsearchfilterstring for tinyldap. It parses LDAP Search Filters. I guess there will be a more versatile ldapclient in tinyldap really soon. This will nearly eliminate the need for OpenLDAP's ldapsearch ;-).

This week my CRL support for isakmpd has made it into OpenBSD's CVS :-). It makes the use of isakmpd in very large VPN scenarios more feasible.

At the moment I'm also thinking about writing a small HTTP proxy, which allows proxy-chaining and external filters. Squid is too heavyweight for my purpose.