This tutorial use left parameter when setup strongswan, while this tutorial also use leftid parameter. What is the difference between left and leftid?
Found answer from here:
One defines the local IP address(es), `left`, which does not have to be specified
unless it should be restricted. The other, `leftid`, the local identity used during
authentication, which will default to the local IP address or the subject DN of the
local certificate, if one is configured.
Note that the convention is to use `left...` options for local settings and `right...` for
those of the remote, but they might get swapped if an IP in `right` is found locally.
Please refer to the man page for ipsec.conf (`man ipsec.conf`) or the [wiki page for
the conn section][1] for details.
----
You can't set `left` to an IP address that's not installed on any local interface. As you
can see in the log, the daemon won't be able to send packets from that address.
Likewise, inbound request are dropped because the destination address doesn't match
the config (the `no IKE config found for ...` message). So either don't configure it (same
as setting it to `%any`) or configure a local address from/on which packets can be
sent/received (e.g. `172.30.13.1` in your case).
[1]: https://wiki.strongswan.org/projects/strongswan/wiki/Connsection
Related
I was reading through the NodeMCU documentation on enduser setup Module, and now I have a little confusion about the following statement:
Connect to that SSID and then navigate to the root of any website (e.g., http://example.com/...
A web page will load, allowing the end user to provide their Wi-Fi information.
With default configuration, the NodeMCU access point has an IP address: 192.168.4.1.
My question is, how is www.example.com resolved so that it points to the module's access point IP address (192.168.4.1)? Is there any default DNS configuration for the module?
Full documentation is available here.
It simply always returns the IP of the ESP for every DNS query.
You can see that in line 1491 of the source code. (enduser_setup.c)
The enduser_setup_dns_recv_callback will always return the IP that is being retrieved by calling wifi_get_ip_info.
Line 1470:
wifi_get_ip_info(if_index , &ip_info)
Line 1491:
c_memcpy(&(dns_reply[insert_byte]), &(ip_info.ip), 4);
I want to bind 2 certificates on a port in my Windows server.
But it doesn't let me add the second certificate once one has already been added for it. Or unless I clear the bindings for the port using netsh delete command.
Adding the second certificate shows this error -
System error 183. Cannot create file when that file already exists
netsh http add sslcert ipport=0.0.0.0:2195 certhash="$thumbprint" appid='{472f53d0-29e1-4cf4-ba9c-79f362d8f6fa}'
Is it possible to bind multiple certificate to the same port?
Thanks in advance.
I have found a solution for this. Surprisingly I didn't find a single resource about this across the web.
It seems that you can't bind multiple certificates if you set the IP as 0.0.0.0 (which I think, is wildcard)
So, for the other certificate, I had to use some other IP.
Since in my case the destination IP address is known and is fixed, which is 17.x.x.x IP address block (Apple) .
So for the second certificate, I changed the ipport in the command to 17.0.0.0:2195.
And voila, it worked!
In one of my applications (ASP.NET/VB.NET), I need to read the Client Machine Name. Based on the Client Machine we trigger a Point of Sale payment device to accept the payment. On each of these systems we have a stand alone software installed which communicates to the bank using HTTP requests. I am using the following .NET code to read the Client Computer Name.
Dim name As String = String.Empty
Dim hostEntry = Dns.GetHostEntry(HttpContext.Current.Request.UserHostAddress)
If hostEntry.HostName.Contains(".") Then
name = hostEntry.HostName.Substring(0, hostEntry.HostName.IndexOf("."))
Else
name = hostEntry.HostName.Trim
End If
In the development environment, all our systems are in a domain ("xyz.com") and we don't have any issues. In the customer location they don't have a domain name setup. My above logic works well in some of the systems in the client environment and is able to make payments but in most of the systems our logic fails and is not able to read the host name. Any help will be appreciated.
Your question doesn't have the specifics required to answer your question. There are many questions that need to be answered about both environments to give a correct answer. Since I can't ask questions, I will make some assumptions which might apply to future readers of this post and be able to help them out.
I would ask a question but my profile was forked for some unknown reason and I don't have the required reputation to ask a question. That being said I will run through the list of issues I can identify off the bat and suggest solutions for the issue and hopefully one will lead you to a solution.
So...
1) You state you need to read the client machine name. However, if your application isn't running on an internal LAN (aka an intranet) you can't read client machine names period. So this could be your first problem.
2) Combining point 1 and given that you are reading the IP Address from UserHostAddress of the client to look up a DNS host name and when the host look up succeeds you are taking the first part of the name up until the first "." it should be safe to assume that this an intranet application running on a LAN in both your development environment and at the client environment. With that assumption and given the statement that all machines are given an domain of xyz.com it can be assumed that DNS in your development environment is being dynamically updated from presumably through Active Directory (AD). In such case, whenever a client machine on development network requests an IP address, presumably through AD, the DHCP server integrated with AD issues the new IP Address. When it does and the DHCP offer is acknowledged and accepted by the client AD updates DNS (which on a windows network is also AD integrated) by adding a host entry with the computer name of the client machine pointing to the IP Address. Additionally a DNS pointer, depending on configuration, can be added to AD's DNS which allows an IP Address lookup to resolve to the record (which in this case would be the Client's machine name). So with your development environment (presumably running on Windows Active Directory Domain) everything works. Addi tonally, by default the top level domain name (XYZ.COM) gets appended to the clients computer name in initial DNS requests from the client.
3) Your client is not running a domain which leaves further questions. Are they running windows? If they are running windows is it as a non-Ad environment, for example a work group. First assumption would be they are not AD integrated or otherwise you most likely wouldn't be having this problem although I can think of a few rare case scenarios where they might. However, odds are the relevant questions are What DNS server are they running and what DHCP sever are they running? Your application is trying to use a client IP Address on their network and the host name lookup based on their IP is failing so it tells me in their environment for one reason or another you can't get a host name from the IP Address of the client. Mind you if they could be on AD and configured entirely correctly their DNS server is just overwhelmed and not responding within 2 seconds causing the name lookup failure but that is the rate case. With more information I could help more.
3) Assuming in 2 that they are not on AD, do you have the ability manually code host names on the computer your application is running? For example, lets say yourapp.exe runs client-server-01 and clients connect to it. Then on client-server-01 you could add static DNS entries in the host file for each PC on the client network that you expect to connect. On the other hand if your application is running locally on the client PCs you could pass the machine name as a header in the web request and then read it from the Request.Headers variable on the server.
4) Again, making another assumption the clients are web based and your application in the client environment is being hosted on the server... Is the server on a DMZ outside the client environment? If so the client environment may likely be configured, per best practices, that the server host your web app is in a DMZ and DNS requests to the box are forwarded to the client's ISP and not back into their network that has the DNS server capable of resolving an internal IP to a client machine name. If this is the case you need to send the client machine name as a variable from your client or code local IPs to host names in the servers host file (assuming the internal network isn't behind NAT and exposes the real client machine's IP) or request that the DMZ'd server can access the internal DNS and configure the access accordingly.
....
The list really goes on and on but I think I highlighted the problems for 99% of the situations and provided answers to their various solutions.
You can try to take it from X-Forwarded-For header
The X-Forwarded-For (XFF) HTTP header field is a common method for
identifying the originating IP address of a client connecting to a web
server through an HTTP proxy or load balancer.
This is what X-Forwarded-For should return:
X-Forwarded-For: client, proxy1, proxy2
Here some example code:
string ip = Request.ServerVariables["HTTP_X_FORWARDED_FOR"] ;
if (!string.IsNullOrEmpty(ip))
{
string[] ipRange = ip.Split(',');
ip = ipRange[0];
}
else
{
ip = Request.ServerVariables["REMOTE_ADDR"];
}
There was an issue with Firewall setup on the client machine.Due to that our .NET code was failing. After adding an exception to all the incoming requests from xyz.com. My code is working without any issues.
Thank you guys #Alexander Higgins, #halfer for the help.
I have successfully setup IIS on my local development machine (dev branch - setup as localdev.me) but when I went to setup another branch (hotfix - setup as localhotfix.me) I am running into issues. The issues are due to the way the site is setup. The subdomain of the url is used to determine which Database to connect to. So going to host.localdev.me will connect to the host database. So in IIS I have the following settings for the bindings of the site.
Type Host Name Port IP Address
http localdev.me 80 *
http *.localdev.me 80 *
I can ping localdev.me with any subdomain and I get the loopback address as expected. When I then setup the hotfix branch (exactly the same as the dev but with the following bindings) I get name not resolved errors.
Type Host Name Port IP Address
http localhotfix.me 80 *
http *.localhotfix.me 80 *
Is there a reason the first setup would work and not the second? What is perhaps even stranger if I tell IIS to stop I can still ping subdomains on localdev.me and get the loopback address.
I could always get it working by manually specifying the host name in my windows hosts file but I would rather not do that as I would need to go in and edit the file every time we add a new subdomain.
EDIT: These are the specific errors I am getting.
ping localhotfix.me
Ping request could not find host localhotfix.me. Please check the name and try again.
EDIT2: I have a solution that works fairly well. It requires Acrylic DNS and installation of the Microsoft Loopback Adapter. I set the loopback adapter to a valid IP Address and set the DNS server to 127.0.0.1 then edit the AcrylicHosts file to contain entries for each domain with a wildcard. Once I did all of this I was able to ping localhotfix.me along with *.localhotfix.me. I believe the reason localdev.me worked is because it is a valid domain. The name would resolve at which point I believe IIS was able to take over. But thats really just an educated guess. But kindof makes sense as to why it worked for one and not the other.
The reason *.localdev.me works without a hosts file is because the public DNS for that domain resolves to 127.0.0.1 as long as it is not localdev.me or www.localdev.me. You can check this using nslookup *.localdev.me (replace the asterisk with anything except www) while your hosts file is empty. On the other hand, *.localhotfix.me is not registered in public DNS at all, which is why you'd need a hosts file entry for those.
We've set up port forwarding so that our users can access the web server on server foo through a SSH tunnel.
The port forwarding causes requests to 999 on the local machine to be forwarded to port 80.
On their own machine they open the SSH tunnell and then enter into their local browser ...
http://localhost:999/d/a.html
... on their local browser and their local browser receives the equivalent output to :
http://foo/d/a.html
This is all fine. However within a.html is a relative link to b.html (the link is just plain "b.html" - no virtual directory, no host name). The browser inteprets that link as being ...
http://localhost/d/b.html
... that is the port qualifier has been lost and so when the link is used instead of it going down the SSH tunnel the client machine attempts to resolve the address itself and finds it can't.
I assume this must be a common problem but how is it resolved ?
I'm answering my own question here. Based upon the above comments I've reviewed what's happening and it is (almost certainly) something unrelated to the tunnelling. Please ignore the question and thanks for your time.