Archive for the ‘Networking’ Category.

OpenVPN on Windows works surprisingly well

I’ve been using OpenVPN for a few years on Linux to establish site-to-site VPNs. It has never let me down, and I was always able to get the configuration working the way I wanted it, without much effort and fiddling. Another nice ability of OpenVPN is that it can work its way through almost any firewall, which can be especially nice when working with restricted internet access.

A few days ago, I got into a situation where I needed to get a site-to-site VPN up as quickly as possible, behind a restrictive firewall. I started with the obvious route and found a few resources on the net referring to OpenVPN.

One of them is the OpenVPN GUI, which is mostly aimed at road-warrior scenarios. The Windows installation notes and the Windows section in the HOWTO are quite sparse. As such, my expectations weren’t high.

Installing OpenVPN creates a virtual Ethernet adapter that is backed by the TAP driver (which is not signed). The install went fine, and configuration was the same as on Linux.

The Windows installer also installs a service that defaults to a disabled state; when started, it launches OpenVPN for all *.ovpn files in %ProgramFiles%\OpenVPN\config. Simple, but efficient. Logs get written to %ProgramFiles%\OpenVPN\log.

After creating an appropriate configuration, I put it into the config dir, started the service, and everything just worked. Right out of the box. Without tinkering. Without error messages. It just worked.

As such, the application clearly shows its Linux/Unix origin, but it works nicely. Windows administrators that have never worked with a Unix-like operating system might be put off by the application. I would still suggest that everyone take a look at OpenVPN for some low-cost VPN improvisations.

Strange problems with ZyXELs ZyWALL 5 and Exchange 2003

Today I encountered a very interesting problem that was very hard to track down exactly.

A small business customer was running an Exchange 2003 server behind a ZyXEL ZyWALL 5 with AntiSpam installed and enabled. The ZyWALL forwarded port 25 to the Exchange server. This worked, for the most part, flawlessly. But a few hosts (I found no distinct differences between the source hosts – ADSL, leased lines, colocated, Europe, USA) failed to get an SMTP greeting (220 customer.example.com Microsoft ESMTP MAIL Service, Version: 6.0.xx ready at Thu, xx Sep 2007 xx:xx:xx +0200).

When I disabled the Anti-Spam feature and pressed Enter (in a telnet session to port 25), the SMTP greeting appeared. If Anti-Spam was enabled, it never appeared. But that didn’t help – Postfix still couldn’t send mails:

postfix/smtp[25010]: C65AA88075: conversation with customer.example.com[256.256.256.256] timed out while receiving the initial server greeting

I looked at every setting on both the ZyWALL and the Exchange server, but didn’t find any unusual DNS or other settings. I even disabled all the DNS lookups done by the Exchange server, but to no avail.

But after upgrading the ZyXEL ZyWALL 5’s firmware to the latest version (V4.02(XD.2)), the problem disappeared. While this wasn’t exactly the explanation I was hoping for, at least the problem was now solved.

About 36h resolution time for a simple problem – is this good?

Yesterday I wrote about a simple but important error that Hostpoint had with their IMAP servers.

One would assume that such a problem would be fixed in no time, since it obviously affects many customers. Even though I was able to offer them a detailed problem description, it took over 36 hours to resolve a problem as simple as this. The problem had even been reported earlier by the customer himself, but he was not able to deduce exactly why authentication was failing and then working again after rebooting his PC. Hostpoint told the customer that there were no problems.

For 50 CHF per month, one should be able to expect better service.

Strange problems with Hostpoint’s IMAP servers

Hostpoint is having problems with their IMAP servers again.

The problem is not obvious to find. They use DNS round robin to distribute their load, and they currently have 4 IMAP servers:

;; ANSWER SECTION:
imap.example.com.      300     IN      CNAME   imap.mail.hostpoint.ch.
imap.mail.hostpoint.ch. 300     IN      A       217.26.49.203
imap.mail.hostpoint.ch. 300     IN      A       217.26.49.202
imap.mail.hostpoint.ch. 300     IN      A       217.26.49.200
imap.mail.hostpoint.ch. 300     IN      A       217.26.49.201

Now the problem is that three of these four mailservers work correctly, and the fourth just refuses all authentication attempts:

% telnet 217.26.49.200 143
Trying 217.26.49.200...
Connected to 217.26.49.200.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS *snip*
2 login "info@example.com" "mypw"
2 NO Login failed.

% telnet 217.26.49.201 143
Trying 217.26.49.201...
Connected to 217.26.49.201.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS *snip
2 login "info@example.com" "mypw"
2 OK LOGIN Ok.

The fix right now is to just configure the client to use one of the working IP addresses – but be aware that this might lead to problems further down the road when that particular machine is down for maintenance etc.
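As an added example (not from the original post), a small Python script that tests each A record of a round-robin name individually instead of trusting whichever address the resolver happens to hand out. The reply lines, user name and password are constructed placeholders modelled on the telnet sessions above; the live probe assumes plain IMAP on port 143, as in those sessions.

```python
import imaplib
import socket

# Constructed sample replies, modelled on the two telnet sessions above (not live data).
SAMPLE_REPLIES = {
    "217.26.49.200": "2 NO Login failed.",
    "217.26.49.201": "2 OK LOGIN Ok.",
}

def resolve_all(name, port=143):
    """Return every IPv4 address behind a round-robin name, in answer order, without duplicates."""
    addrs = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            name, port, socket.AF_INET, socket.SOCK_STREAM):
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs

def parse_tagged_reply(tag, line):
    """Classify a tagged IMAP reply such as '2 NO Login failed.' as OK, NO or BAD."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != tag or parts[1].upper() not in ("OK", "NO", "BAD"):
        raise ValueError(f"unexpected reply: {line!r}")
    return parts[1].upper()

def imap_login_probe(ip, user, password, port=143, timeout=10):
    """Log in to ONE backend by IP address (bypassing DNS) and report OK, NO or UNREACHABLE."""
    try:
        conn = imaplib.IMAP4(ip, port, timeout=timeout)
        try:
            conn.login(user, password)  # imaplib raises IMAP4.error on a NO/BAD reply
            conn.logout()
            return "OK"
        except imaplib.IMAP4.error:
            return "NO"
    except OSError:  # connection refused, timeout, etc.
        return "UNREACHABLE"

def probe_servers(addresses, probe):
    """Run probe(ip) against each address separately, so no backend hides behind the others."""
    return {ip: probe(ip) for ip in addresses}

def broken_backends(results):
    """Addresses whose probe did not return OK; these are the ones to report to the provider."""
    return [ip for ip, status in results.items() if status != "OK"]

if __name__ == "__main__":
    # Offline demonstration using the constructed replies. For a live check, use
    # probe_servers(resolve_all("imap.mail.hostpoint.ch"), lambda ip: imap_login_probe(ip, USER, PW)).
    results = probe_servers(list(SAMPLE_REPLIES), lambda ip: parse_tagged_reply("2", SAMPLE_REPLIES[ip]))
    for ip, status in results.items():
        print(f"{ip}: {status}")
    print("broken:", broken_backends(results))
```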

HP iPAQ 510 Voice Messenger

A few weeks ago, my HTC MTeoR died suddenly when the upper half of its keyboard became unresponsive. I decided to replace it, and found a good offer for HP’s iPAQ 510 Voice Messenger.

This isn’t a full-featured review, more a few notes with my thoughts about this device. I had only one smartphone before it, the MTeoR mentioned just above, so most of my comparisons will reference that device.

This device comes from a different price range than the HTC MTeoR I had before – while the HTC retailed at about 800 CHF without a contract, the iPAQ 510 started at much lower prices; it can be had from 350 CHF without a contract. As such, I didn’t really expect much from this device.

My attitude changed slightly when I opened the packaging – while the HTC came in a bleak and unnamed Swisscom package, the HP device was in a much better wrapping. It contained a handy quickstart guide and a manual, and the phone had protection labels all over it.

The display of the HP has a resolution of 172×220 pixels, while the MTeoR had a 240×320 resolution. While the HP display isn’t as crisp and detailed, and displays bigger fonts than the MTeoR, it’s not actually that much worse. And of course there’s the price difference between the two devices.

The HTC device had UMTS, which I always had disabled in order to save power. The HP device doesn’t have UMTS, but it does have WiFi. Because my company is still in the ’90s when it comes to telephony, I couldn’t play with the VoIP features.

An interesting twist is that WM6 no longer requires registry hacks to import self-signed certificates. This is good for small businesses which use self-signed certificates with Exchange ActiveSync.

The build quality of the device seems to be better than the MTeoR; the latter had the problem that the back cover never really held, and seemed to lose its grip more than once a week. The HP device looks sturdier, and is also a tiny bit thicker than the MTeoR, but it’s also a bit lighter. The keys on the HP are much better suited to my hands (they’re bigger).

I like the new enhancements that come with Windows Mobile 6, but you’ll find much better sources on the Web when talking about WM6.

I think this device is worth its money. It’s not a top-of-the-line smartphone like the Motorola Q9, and its screen is its biggest disadvantage. It’s sturdily made, and will probably last a year in the field (smartphones always seem to be made with PHBs in mind, but they’re quite useful for field technicians too).

Layer One sucks – they still have power outages

Layer One sucks. Big time.

They’ve had power outages before, and now again. However, it seems that they didn’t change anything. This is the fifth power outage, and we’ve been there for at most 1.5 years.

Today, there was a smaller power outage, taking down only one of the two power lines we had. But it still lasted for several hours, and recovery and information were incompetent and slow. Don’t go to Layer One. Their power grid sucks as much as their service and their information policy.

Graphs are not only for managers

“Fancy graphs are only for managers.”

I’ve heard this one more than once, and it just isn’t true. While hard numbers are good for many things, they are usually not adequate for looking at network connections.

Especially with the advent of VPN connections spanning multiple ISPs, companies, etc., there is a need for a less subjective view of the quality of these links. Luckily there are many open source options available for graphical network monitoring.

The most important tool for WAN connections is SmokePing. With Cacti, you can graph almost anything: SNMP support is built in, and you can also use scripts. I’ve used many scripts with SSH commands and public key authentication to transfer even sensitive statistics over the network.

DNS is more critical than you think

DNS is often overlooked by novices – it doesn’t look too complicated, but in the end it is the glue that holds the internet together.

I’ve written about DNS before (sorry, German only), but I still use all the knowledge I learned back then every day. DNS is important for Active Directory (which has a whole separate page of possible issues), but it’s also very important for e-mail.

I’ve seen many smaller IT companies or hobbyists that host their own DNS (which is fine, it builds experience) – but usually without a secondary DNS server.

The problem is that without any DNS server responding for a domain, strange things happen. While the standards make it very clear that this is just a temporary failure and the mail should be held in the queue, given a certain combination of DNS resolver and MTA, mails may bounce.

There are many companies offering secondary DNS services, but they’re usually not necessary – ask someone you know with a static IP address, and act as secondary for each other. Or if you really want your own infrastructure, rent a server in Germany, which is pretty inexpensive and gives you a secondary MX and DNS server.

Getting an SSL123 certificate for a .ch domain through Thawte

Thawte offers so-called SSL123 certificates, which can be issued in minutes. At least in theory.

These certificates are validated against the WHOIS records. This works fine, but SWITCH has removed all email addresses from their WHOIS records, probably to fight spam. Now, there’s an easy way out: just change your surname in the WHOIS record to an email address before submitting the certificate request to Thawte. After you have your certificate, you can change your WHOIS record back.

I would really like to see SSL certificates provided by domain registrars – I think GoDaddy even does that for some of their domains. But SWITCH doesn’t.

LAN security with 802.1x

Security has been a major point in IT for the past few years. I’ve seen several SMBs without a DHCP server, because this supposedly helps security.

Of course, just because you don’t have a DHCP server doesn’t mean that nobody can access your network. There’s a much better technology available that helps to prevent unauthorized devices from accessing your network. It’s called 802.1x.

In case you’re wondering, 802.1x can also be used with Wireless LAN. I’ve written a little HOWTO about Wireless 802.1x with Windows Server 2003 and Cisco APs.

Most access points support 802.1x, but with switches the functionality is a bit more scarce, especially if you’re looking at SMB equipment. But there are several vendors that offer 802.1x functionality in their switches, for affordable prices.

But what is 802.1x? It’s a technology that allows authentication to take place at the link level – it requires a RADIUS server as a backend (such as Microsoft IAS, which allows you to authenticate against Active Directory). The switch or AP just works as an intermediary between the RADIUS server and the client – this makes the switch/AP agnostic to the authentication method used.

802.1x can be great for enhancing your network security. It prevents people from connecting unauthenticated devices to your network. Of course, you will need to either whitelist older devices without 802.1x support by MAC address, or upgrade to newer devices with 802.1x support. For example, all newer Lexmark/IBM printers fully support 802.1x out of the box.

Especially with the dawn of Windows Vista, which can configure 802.1x LAN authentication through GPO (XP could only configure Wireless LAN 802.1x through GPO), it makes sense to start implementing 802.1x.

Allied Telesis

Even new Allied Telesis (formerly Allied Telesyn) switches look like they’re at least 10 years old. But they offer all the features usually needed at nice price points. Their software is not always consistent between different product lines, but this shouldn’t be a problem for SMBs. For example, the AT 9000/24 offers 802.1x support and 24 Gigabit Ethernet ports. Retail price in Switzerland is about 1000 CHF.

Linksys

Linksys, a brand of Cisco, also offers business switches with 802.1x support. The SRW2024 can be had for about 600 CHF, featuring 24 10/100 Mbit ports and 802.1x support.