Strongswan stops talking to RW Client #1 when RW Client #2 connects

I only realised this one when I was using my laptop and then tried to connect to the same resource from my mobile phone.

Symptoms

Road warrior client #1 cannot access any information down the VPN tunnel after road warrior client #2 connects. Road warrior client #2 may be able to communicate OK.

Cause

A rogue rightsubnet statement in ipsec.conf applies a whole-subnet traffic selector to every road warrior connection. Both clients therefore end up with identical selectors (note the shared reqid 37 below), so their IPsec policies collide and traffic for the subnet is steered down whichever tunnel was installed last. It also means any authenticated client is accepted as a source for the whole of 192.168.6.0/24. This can be confirmed by running "strongswan status":

[root@PC ~]# strongswan status
Security Associations (2 up, 0 connecting):
rw-eap[48]: ESTABLISHED 106 seconds ago, 192.nnn.nnn.nnn[3.samelms.co.uk]...46.233.nnn.nnn[My_Laptop]
rw-eap{198}: INSTALLED, TUNNEL, reqid 37, ESP in UDP SPIs:
rw-eap{198}: 0.0.0.0/0 === 192.168.6.0/24
rw-eap[47]: ESTABLISHED 4 minutes ago, 192.nnn.nnn.nnn[3.samelms.co.uk]...85.255.nnn.nnn[My_Mobile]
rw-eap{197}: INSTALLED, TUNNEL, reqid 37, ESP in UDP SPIs:
rw-eap{197}: 0.0.0.0/0 === 192.168.6.0/24

Note that 192.168.6.0/24 represents a whole subnet behind each client. This is wrong: for a road warrior the remote selector should be that client's own virtual IP, i.e. my.ip.v4.address/32.

Resolution

Hash out (comment out with a #) the following statement in ipsec.conf, so that strongSwan narrows each client's remote selector to the virtual IP it assigned to that client:

rightsubnet=192.168.6.0/24

and restart strongSwan. "strongswan status" should now look something like:

[root@PC ~]# strongswan status
Security Associations (2 up, 0 connecting):
rw-eap[3]: ESTABLISHED 103 seconds ago, 192.nnn.nnn.nnn[3.samelms.co.uk]...85.255.nnn.nnn[My_Mobile]
rw-eap{3}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs:
rw-eap{3}: 0.0.0.0/0 === 192.168.6.11/32
rw-eap[2]: ESTABLISHED 2 minutes ago, 192.nnn.nnn.nnn[3.samelms.co.uk]...46.233.nnn.nnn[My_Laptop]
rw-eap{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs:
rw-eap{2}: 0.0.0.0/0 === 192.168.6.12/32

This can be confirmed by accessing resources on the host network from each road warrior simultaneously.
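As an added check (my own script, not part of the original post), the following Python parses the text of "strongswan status" and flags the two conditions visible in the output above: a road-warrior CHILD_SA whose remote traffic selector is wider than a single host, and a reqid shared by more than one CHILD_SA. The two sample status texts are the post's own before and after output with the author's masked addresses left as they are; the connection name rw-eap is taken from the page, the script name and everything else is assumed.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: the "before" output quoted in the post, with the
# author's masked addresses (nnn) left as they are.
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
rw-eap[48]: ESTABLISHED 106 seconds ago, 192.nnn.nnn.nnn[3.samelms.co.uk]...46.233.nnn.nnn[My_Laptop]
rw-eap{198}: INSTALLED, TUNNEL, reqid 37, ESP in UDP SPIs:
rw-eap{198}: 0.0.0.0/0 === 192.168.6.0/24
rw-eap[47]: ESTABLISHED 4 minutes ago, 192.nnn.nnn.nnn[3.samelms.co.uk]...85.255.nnn.nnn[My_Mobile]
rw-eap{197}: INSTALLED, TUNNEL, reqid 37, ESP in UDP SPIs:
rw-eap{197}: 0.0.0.0/0 === 192.168.6.0/24
"""

# Constructed sample: the "after" output from the post, which should produce no findings.
FIXED_STATUS = """\
Security Associations (2 up, 0 connecting):
rw-eap[3]: ESTABLISHED 103 seconds ago, 192.nnn.nnn.nnn[3.samelms.co.uk]...85.255.nnn.nnn[My_Mobile]
rw-eap{3}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs:
rw-eap{3}: 0.0.0.0/0 === 192.168.6.11/32
rw-eap[2]: ESTABLISHED 2 minutes ago, 192.nnn.nnn.nnn[3.samelms.co.uk]...46.233.nnn.nnn[My_Laptop]
rw-eap{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs:
rw-eap{2}: 0.0.0.0/0 === 192.168.6.12/32
"""

# CHILD_SA header line: "<conn>{<id>}: INSTALLED, TUNNEL, reqid <n>, ..."
CHILD_SA_RE = re.compile(r"^\s*(?P<conn>[^\s{\[]+)\{(?P<id>\d+)\}:\s+INSTALLED\b.*\breqid (?P<reqid>\d+)")
# Traffic selector line: "<conn>{<id>}: <local TS> === <remote TS ...>"
TS_RE = re.compile(r"^\s*(?P<conn>[^\s{\[]+)\{(?P<id>\d+)\}:\s+(?P<local>\S+) === (?P<remote>.+?)\s*$")


def parse_child_sas(status_text):
    """Map CHILD_SA id -> {conn, reqid, remote_ts} from `strongswan status` text."""
    sas = {}
    for line in status_text.splitlines():
        m = CHILD_SA_RE.match(line)
        if m:
            sas[m["id"]] = {"conn": m["conn"], "reqid": m["reqid"], "remote_ts": []}
            continue
        m = TS_RE.match(line)
        if m and m["id"] in sas:
            sas[m["id"]]["remote_ts"] = m["remote"].split()
    return sas


def find_overlapping_rw(status_text, rw_conns=("rw-eap",)):
    """Flag road-warrior CHILD_SAs whose remote selector is wider than one host,
    and reqids shared by several CHILD_SAs (identical selectors, colliding policies)."""
    findings = []
    by_reqid = defaultdict(list)
    for cid, sa in parse_child_sas(status_text).items():
        if sa["conn"] not in rw_conns:
            continue
        by_reqid[sa["reqid"]].append(cid)
        for ts in sa["remote_ts"]:
            if not (ts.endswith("/32") or ts.endswith("/128")):
                findings.append(f"{sa['conn']}{{{cid}}}: remote selector {ts} is not a single host")
    for reqid, ids in by_reqid.items():
        if len(ids) > 1:
            findings.append(f"reqid {reqid} shared by CHILD_SAs {sorted(ids)}: identical selectors, policies collide")
    return findings


if __name__ == "__main__":
    # Usage: strongswan status | python3 check_rw_selectors.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for line in find_overlapping_rw(text) or ["no road-warrior selector problems found"]:
        print(line)
```

Piped into a cron job, this turns the symptom in the post (client #1 silently losing its tunnel) into something that is reported before the second road warrior notices it.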

Cisco SPA3102 settings for UK PSTN

A great unit even if it is 10-year-old tech, only £20ish on eBay. However, it comes with international settings as default. International dial tones and a lack of disconnect supervision could result in a difficult and expensive situation for users.

I've applied the following settings for UK use. There are many more settings which could be changed; I've just not had the need to use the features needing these tones yet.

Dial Tone: 350@-19,440@-19;10(*/0/1+2)
Outside Dial Tone: 340@-19,430@-19;10(*/0/1+2)

Full details are in the manual:

https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/csbpvga/ata/administration/guide/ATA_AG_v3_NC-WEB.pdf

FreePBX Error “Can Not Connect to Asterisk”

I've been getting an error when trying to administer Asterisk through FreePBX. The Asterisk logfiles would only indicate an authentication error every time I loaded the FreePBX GUI. This prompted me to change the password FreePBX uses when talking to the AMI. After trawling through many .conf files, I discovered that FreePBX, in my case, was getting the AMI credentials from a table in the Asterisk MariaDB database.

I had to install HeidiSQL on my Windows desktop and change the database permissions to allow connections from my local subnet. Note that the grant below is far broader than FreePBX needs (ALL PRIVILEGES on every database, from any 192.168.x.x host, with GRANT OPTION); limiting it to the asterisk database and the desktop's own address gives the same result with less exposure.

mysql asterisk

GRANT ALL PRIVILEGES ON *.* TO 'sam'@'192.168.%.%' IDENTIFIED BY 'New Password' WITH GRANT OPTION;

After this I could log in, but not update settings. To resolve, run

/var/lib/asterisk/bin/retrieve_conf

Which returns

Exception: Unable to locate the FreePBX BMO Class 'Sipsettings'A required module might be disabled or uninstalled. Recommended steps (run from the CLI): 1) fwconsole ma install sipsettings 2) fwconsole ma enable sipsettings in file /var/www/html/admin/libraries/BMO/Self_Helper.class.php on line 216
Stack trace:
1. Exception->() /var/www/html/admin/libraries/BMO/Self_Helper.class.php:216
2. FreePBX\Self_Helper->loadObject() /var/www/html/admin/libraries/BMO/Self_Helper.class.php:104
3. FreePBX\Self_Helper->autoLoad() /var/www/html/admin/libraries/BMO/Self_Helper.class.php:37
4. FreePBX\Self_Helper->__get() /var/www/html/admin/modules/core/functions.inc/drivers/PJSip.class.php:860
5. FreePBX\modules\Core\Drivers\PJSip->generateEndpoints() /var/www/html/admin/modules/core/functions.inc/drivers/PJSip.class.php:313
6. FreePBX\modules\Core\Drivers\PJSip->genConfig() /var/www/html/admin/modules/core/Core.class.php:204
7. FreePBX\modules\Core->genConfig() /var/www/html/admin/libraries/BMO/FileHooks.class.php:97
8. FreePBX\FileHooks->processNewHooks() /var/www/html/admin/libraries/BMO/FileHooks.class.php:26
9. FreePBX\FileHooks->processFileHooks() /var/lib/asterisk/bin/retrieve_conf:892

So, as the message suggests (the "in file ... on line 216" tail is part of the error text, not of the command):
fwconsole ma install sipsettings
fwconsole ma enable sipsettings

And the dashboard works! I was still getting errors when trying to reload the config, though; the remaining step was to stop the asterisk init service from starting Asterisk itself and let fwconsole manage it:

chkconfig asterisk off
fwconsole start

FreePBX settings for Draytel

It's taken a few hours' work, but the settings below seem to work for incoming calls on Draytel to my Asterisk installation.


PEER DETAILS

username=MYUSERNAME
usereqphone=yes
type=friend
secret=MYPASSWORD
port=5065
outboundproxy=nat.draytel.org
host=draytel.org
fromuser=MYUSERNAME
fromdomain=draytel.org
dtmfmode=rfc2833
context=from-trunk
canreinvite=no
allow=alaw,g711,ulaw

REGISTRATION STRING

MYUSERNAME:MYPASSWORD:MYUSERNAME@draytel.org/MYUSERNAME

These are loosely based on the settings described here:
https://support.voiptalk.org/hc/en-us/articles/115006438427-Configuration-of-a-FreePBX-with-a-VoIPtalk-trunk

Changing Network Interface on Centos

Now I've got wired connectivity into the basement, I don't need to have the uplink between the comms PC and the router on Wi-Fi. The interface shown here as wlp3s0 will now be called eth1.

This article describes the process:

https://unix.stackexchange.com/questions/205010/centos-7-rename-network-interface-without-rebooting/219277

However, I'll also need to change the /etc/sysconfig/network-scripts/ifcfg-eth1 file to contain the IP address previously assigned to wlp3s0, and run

ip link set dev wlp3s0 down
service network restart

This is to ensure that incoming requests from the internet hit the new adapter, not the old one, which may be reassigned to something else later on.

Next, I'll need to check that firewalld has kept up with the changes:

firewall-cmd --get-active-zones

and check that eth1 is in the external zone; otherwise the renamed interface falls into firewalld's default zone rather than the zone whose rules were written for the internet-facing link.

External IP Reporting from CENTOS

Much like my PHP example of external IP reporting, the following script performs exactly the same task, but on CentOS. Combined with a custom systemd service, this should provide dynamic IP resolution even if the PC reboots.


#!/bin/bash
# Poll the external IP every 5 minutes; on change, save it, upload it by FTP
# and append a line to the log.
ipfile="myip.txt"
ipdir="/var/manage/"
logfile=/var/manage/myiplog.txt
while true
do
datestring=$(date --utc +%FT%TZ)
oldip=$(cat "$ipdir$ipfile" 2>/dev/null)
echo "Getting IP... "
# Placeholder from the original post: a DNS-based "what is my IP" resolver
wanip=$(dig +short EXTERNAL IP RESOLVER ADDRESS)
# Only act on a non-empty answer, so a failed lookup is not written out as a "change"
if [ -n "$wanip" ] && [ "$oldip" != "$wanip" ]
then
echo "My IP has changed! Saving change to file..."
echo "$wanip" > "$ipdir$ipfile"
echo "Connecting to FTP server..."
# The original line was truncated after "put $i"; "put $ipfile; bye" is the assumed remainder.
# Credentials on the lftp command line are visible to other local users via ps;
# lftp can read them from ~/.netrc instead.
lftp -u FTP_USERNAME,FTP_PASSWORD FTP_SITE -e "lcd $ipdir; put $ipfile; bye"
echo "Writing log..."
echo "$datestring IP changed to $wanip" >> "$logfile"
echo "Log written!"
else
echo "My IP is the same!"
fi
echo "Sleeping for 5 mins..."
sleep 300s
done

Automatic External IP Reporting from Windows

It's become very annoying, since most dynamic hostname services have changed to paid-for services, to keep losing connectivity with satellite sites because their IP has changed.

As a work-around, I've set my Windows web server (which already runs PHP) to report its current IP back to my paid hosting provider. Linked with cron jobs at the hosting provider, this should update my satellite site IPs in DNS without any human intervention.

The following PHP resolves the IP from a text to browser IP recognition site (similar to googling “what is my IP”, but here is returned as a plain text file), checks for changes since the last time the script was run, then uploads the new IP to the root DNS site. It checks every 5 minutes, but this delay can be adjusted, and also reports what it has been doing to a local log file.

<?php
// Poll a plain-text "what is my IP" page every 5 minutes; on change, save the
// new address, upload it by FTP and append a line to the local log.
$ipfile = 'c:\manage\myip.txt';
$logfile = 'c:\manage\myiplog.txt';
$remotefile = "myip.txt";
while (true) {
    $datestring = date('c');
    $oldip = file_exists($ipfile) ? trim(file_get_contents($ipfile)) : '';
    echo "Getting IP... \n";
    $externalContent = file_get_contents('INSERT IP RESOLVER HERE'); // placeholder kept from the original
    // Only act on a response that actually contains a well-formed address
    if ($externalContent === false
        || !preg_match('/Current IP Address: \[?([:.0-9a-fA-F]+)\]?/', $externalContent, $m)
        || filter_var($m[1], FILTER_VALIDATE_IP) === false) {
        echo "Could not read a valid IP from the resolver, will retry... \n";
    } elseif ($oldip != $m[1]) {
        echo "My IP has changed! Saving change to file... \n";
        file_put_contents($ipfile, $m[1]);
        echo "Connecting to FTP server... \n";
        $ftpresult = " upload FAILED"; // overwritten below on success
        $conn_id = ftp_connect("MY FTP SERVER");
        if ($conn_id !== false) {
            echo "Authenticating... \n";
            if (ftp_login($conn_id, "FTP USERNAME", "FTP PASSWORD")) {
                echo "Uploading... \n";
                if (ftp_put($conn_id, $remotefile, $ipfile, FTP_ASCII)) {
                    echo "Successfully uploaded file... \n";
                    $ftpresult = " upload OK";
                }
            }
            ftp_close($conn_id);
        }
        echo "Writing log... \n";
        $longstring = $datestring . " IP changed to " . $m[1] . $ftpresult . PHP_EOL;
        file_put_contents($logfile, $longstring, FILE_APPEND | LOCK_EX);
    } else {
        echo "My IP is the same! \n";
    }
    echo "Sleeping for 5 mins... \n";
    sleep(300);
}
?>
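Both the bash script in the previous section and the PHP above take whatever the resolver page returns and push it straight into a file and, ultimately, into DNS. As an added example (mine, not the post's code), this Python function applies the same regular expression as the PHP and then validates the result with the ipaddress module, refusing malformed strings and addresses that should never be published as a site's public IP (for instance when the request went out through a proxy, a VPN or a captive portal). The responses below are constructed samples, the list of non-publishable ranges is my choice, and the resolver URL remains the post's placeholder.

```python
import ipaddress
import re

# Same pattern as the PHP above: "Current IP Address: 1.2.3.4" or "[2001:db8::1]".
IP_RE = re.compile(r"Current IP Address: \[?([:.0-9a-fA-F]+)\]?")

# Ranges that must never be written into a public DNS record. If the resolver ever
# returns one of these, the script should log it and leave the record alone.
# Assumption: this list is my choice, not taken from the post.
NOT_PUBLISHABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7",
)]


def extract_public_ip(body):
    """Return the resolver's address as a normalised string, or None if the response
    has no address, the address is malformed, or it is not a publishable one."""
    m = IP_RE.search(body)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None  # e.g. "999.1.1.1" or a stray run of hex digits
    if any(ip in net for net in NOT_PUBLISHABLE):
        return None
    return str(ip)


def ip_changed(saved, body):
    """True only when the resolver gives a valid, publishable address that differs
    from the one saved last time; a bad response never counts as a change."""
    new_ip = extract_public_ip(body)
    return new_ip is not None and new_ip != saved.strip()


# Constructed sample responses (not real resolver output).
SAMPLES = {
    "ipv4":     "Current IP Address: 203.0.113.7",
    "ipv6":     "Current IP Address: [2001:db8::1]",
    "junk":     "Current IP Address: 999.1.1.1",
    "private":  "Current IP Address: 192.168.6.11",
    "no_match": "<html><body>Service temporarily unavailable</body></html>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:9s} -> {extract_public_ip(body)}")
```

The change test is deliberately one-sided: an error page, an empty body or a private address all evaluate to "no change", so a flaky resolver cannot overwrite a good DNS record with garbage.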

Setting up dhcpd for TFTP

I need to tell my TFTP-enabled clients about the TFTP server hosted on another site. Without this I won't be able to continue working on my SIP on Cisco handsets project (not yet mentioned on here).

dhcpd can do this, although you have to declare the option in the config file before you can reference it, unlike the standard options, which do not require declaring. The following goes at the top of the config file.

/etc/dhcp/dhcpd.conf

option tftp150 code 150 = array of ip-address; 
option tftp66 code 66 = array of ip-address;

Unlike the declarations used in some examples, I’m using an array, in the hope that my devices can automatically work-around a failure of the VPN. The next extract is from within the subnet declaration.

/etc/dhcp/dhcpd.conf

option tftp150 192.168.0.100, [other site fqdn];   # 192.158.0.100 in the original was a typo for the address used in option tftp66

option tftp66 192.168.0.100, [other site fqdn];

Station Departure Board for the office

So, at about 5:15 each day, just about everyone who works in our office starts looking for the departures from the local TfL Overground station. Via the National Rail website this information can be found, although it gives you a lot of options which won't be relevant to the regular commuter.

National Rail Live Departures on a PC screen. No, I don’t want to know about traintracker, or register for an account!

Via National Rail, the actual information occupies probably less than half of the screen space. If you are viewing this on a mobile device it is very small. If you are viewing this on any device and suspect you are about to miss a train, this is also very inconvenient!

National Rail Live Departures on an emulated mobile screen

When you arrive at the train station however, they seem to have got (usually) the array of information about right. Although our station has a low canopy and little platform space (for the patronage), you aren’t offered endless options on-screen for services you don’t want. Therefore:

Why cant we have a simple display in the office?

Maybe… Something like this?

OK, so I've answered this question for myself already, with the live departure board I set up for my old house; however, the application remains the same: how can I get live departure information displayed in a custom format?

Fortunately, National Rail have already thought about this. They provide a number of ways to access their live running information, in an API nobody knows much about. Railalefan has created a class to simplify calls to the API, which is extremely useful. However, it doesn't solve the issue of field keys changing dynamically, without any documentation. This makes any UI written against it look extremely buggy over time, with most errors occurring either at the beginning or end of the day (when there are fewer trains around), or when there are delays and cancellations (when additional fields appear or disappear).

The process of identifying which fields appear and disappear has therefore been mainly trial and error, most of which was done whilst making the predecessor system to this one, which was used at home.

Adding in TFL Updates

Unfortunately, for whatever (probably political) reason, the live running information at Gunnersbury seems to be a little unreliable:

Next Upminster service in 1128 minutes?
Disruption between XX and YY?

So, for our departure board in the office to be any use, it also needs to show TFL’s live running information to stand any chance of showing line suspensions when DARWIN hasn’t been updated.

TfL provide a variety of information via their API, which is a little better documented here. The Line Status response we are interested in is provided in XML and includes some useful fields which can be used in conjunction with CSS to change how the page is displayed based on how the lines are performing.
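As an added example of the XML-to-CSS step (my code, not the post's), the Python below parses a line status document, maps the feed's CSS class field onto the set of classes the office stylesheet actually defines, and escapes every feed string before it is placed in the markup. The sample document is constructed in the shape of TfL's line status XML as I remember it; the element and attribute names (ArrayOfLineStatus, LineStatus, StatusDetails, CssClass, Description) are an assumption, not taken from the post. Fields that come and go, the problem the post describes for the rail feed, are skipped rather than allowed to crash the board.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample in the assumed shape of the TfL line status feed. The third
# entry carries an unknown class name and markup in its details, to show that
# neither reaches the page unfiltered.
SAMPLE_LINE_STATUS = """\
<ArrayOfLineStatus>
  <LineStatus ID="0" StatusDetails="">
    <Line ID="1" Name="Bakerloo"/>
    <Status ID="GS" CssClass="GoodService" Description="Good Service" IsActive="true"/>
  </LineStatus>
  <LineStatus ID="1" StatusDetails="No service between Richmond and Willesden Junction">
    <Line ID="82" Name="Overground"/>
    <Status ID="PS" CssClass="DisruptedService" Description="Part Suspended" IsActive="true"/>
  </LineStatus>
  <LineStatus ID="2" StatusDetails="Minor delays, see &lt;b&gt;tfl.gov.uk&lt;/b&gt;">
    <Line ID="9" Name="Northern"/>
    <Status ID="MD" CssClass="Some New Class" Description="Minor Delays" IsActive="true"/>
  </LineStatus>
</ArrayOfLineStatus>
"""

# Only class names the office stylesheet actually defines may reach the page.
KNOWN_CSS = {"GoodService", "DisruptedService", "SuspendedService", "Unknown"}


def parse_line_status(xml_text):
    """Turn the feed into plain dicts, mapping unknown CssClass values to "Unknown"."""
    root = ET.fromstring(xml_text)
    rows = []
    for ls in root.findall("LineStatus"):
        line, status = ls.find("Line"), ls.find("Status")
        if line is None or status is None:
            continue  # a field that came and went: skip rather than crash the board
        css = status.get("CssClass", "")
        rows.append({
            "line": line.get("Name", "?"),
            "status": status.get("Description", ""),
            "css": css if css in KNOWN_CSS else "Unknown",
            "details": ls.get("StatusDetails", ""),
        })
    return rows


def render_rows(rows):
    """Render one div per line; every feed string is escaped before it reaches the markup."""
    parts = []
    for r in rows:
        parts.append(
            '<div class="line %s"><span class="name">%s</span> %s <small>%s</small></div>'
            % (r["css"], html.escape(r["line"]), html.escape(r["status"]), html.escape(r["details"]))
        )
    return "\n".join(parts)


if __name__ == "__main__":
    print(render_rows(parse_line_status(SAMPLE_LINE_STATUS)))
```

The whitelist on the class name is what lets the stylesheet drive the colour of each row from the feed without letting the feed write arbitrary attribute text into the page; the escaping covers the free-text fields the same way.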

So the final part is to compile each of the different displays into divs, then use the zIndex property combined with some JavaScript to switch round the displays on a timed rotation. Getting JavaScript to pause for a while, in the way PHP's sleep() can, has proven to be a bit of a pain. Basically, no blocking sleep exists, so there are ample work-arounds, but the closest I found of any use was to schedule the next switch with setTimeout(callback, delayMs) (setInterval does the same for a fixed rotation).