I am Maxim Menshikov and here is my blog. Here you can find my research papers, announcements about my projects, and generic information about me.
IPSec is a nice technology providing secure access to other subnets or hosts. Recently I had to work on many different configurations for openswan. I can't say documentation out there is full enough to cover every single question. Here are my tips and tricks. In this article
leftis an alias for local-side (our PC), while generally it is not. I assume that you have read man
- Make sure you fulfill
virtual_privatewith allowed subnets correctly. For IPv4 it is:
%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16and then add
v4:!192.168.1.0/24-like entries separated by comma. For IPv6:
- Force keepalive packets if you use cellular connection or you're NATed.
force_keepalive=yes keep_alive=10Also, modify Dead Peer Detection accordingly.
dpddelay=10 dpdtimeout=480This really helped me to get connections based on 3G modem work flawlessly.
*nexthopfor ppp connections is peer itself.
- It is better to include
rightnexthopin case if
rightis IP. For FQDN, OpenSWAN will do the job.
- AES is faster for most architectures except if it is hardware-accelerated. For NETKEY kernel crypto is working by default, and for KLIPS you would like to insmod cryptodev (or even cryptosoft).
- For L2TP/IPSec client, be specific with open ports:
leftprotoport=17/1701. For L2TP/IPsec server, be less specific:
leftprotoport=17/%any. Same rule applies to to other side: For L2TP/IPSec client, use
- Make sure you have a good route (and/or routing rule) to peer. Some environments might work well until actual connection is established, and then they change routes, making route to peer tunnelled. It mustn't be tunnelled. (For KLIPS it is a bit harder to manage).
- XFRM (Netkey) stack is hard to manage in some environments (i.e. gateways). Sometimes I prefer KLIPS for that.
- For KLIPS, disable rp_filter. There are other good security advices, but without it it won't work at all.
- If you wish to install certificates on Android, you'd want to have
critical,CA:FALSE(or TRUE)-like extension in your certificate.
- Set correct IDs for both sides (
rightid). It is really critical. It totally depends on the server side. I usually prefer
%fromcertdesignation, which instructs openswan to insert full description of certificate of the side
- Don't forget to configure date :)
Recently got a bad crack of laptop's case, but it wasn't the only one since I ignored others. After trying some funny service centers in SPb, I decided to call official service center heavily advertised by asus.com - "ASUS Premium Service" (too pathethic) - and I liked it. Ordered parts on Monday, parts were there on Thursday. Gave away laptop on Friday and got it repaired within the same day for quite low price. It is not like I am advertising it, but they are OK in my opinion. The only downside is that they don't inform client about readiness state accurately, but may be it is me doing callbacks too fast? Just in case: featured laptop is N56JK.
It is russian version of the article. Look below for english version. Это русскоязычная версия статьи. Англоязычная версия расположена здесь: OSBuilder8: The Process Русскоязычная версия статьи не рекомендуется к цитированию, так как является лишь вольным переводом указанной выше статьи. Я обычно не публикую подробности о проектах, находящихся в активной
(посмеялся) разработке. Но я решил напомнить читателям, что я всё ещё жив.
It is english version of article. Russian version is located here: OSBuilder8: процесс разработки Usually I don't post any details of projects being actively
(haha) developed. But this time I decided to do that just to let you know that I am still alive.
So, it all started with a simple idea: what about transferring OSBuilder's rom building experience to Windows Phone 8?
Huh, important consideration here: there are not that many devices that can take an advantage of custom ROM. Huawei W1, 8X/8S (theoretically), Ativ S are on the top of the list.
It is english version of article. Russian version is located here: Как это работает: Full Unlock (WP7) Have you been wondering how full unlock for Windows Phone 7 works? I've been asked multiple times, but it seems like right time to talk about has just came. Unfortunately, Full Unlock source code isn't released and never will be. However, here is a little walk around the underlying code. …
Это русскоязычная версия статьи. Англоязычная версия расположена здесь: How it works: Full Unlock (WP7). Русскоязычная версия статьи не рекомендуется к цитированию, так как является лишь переводом указанной выше статьи Интересовались ли вы когда-нибудь, как работает Full Unlock ("Полная разблокировка") для Windows Phone 7? Меня много раз спрашивали об этом, но, кажется, время рассказать это пришло только сейчас. Статья рассчитана не на программистов/хакеров и так далее. Думаю, суть сможет понять любой более-менее подготовленный пользователь ПК. …
Hi all. Time passes by, we get older, and so do our projects. One year ago we released Dynamics 2.0 ROM. It is so far the biggest ROM project for Windows Phone we ever created. Just a statistics taken from XDA: HTC Titan: 2.0 6955 downloads 2.2 1964 downloads HTC Radar 2.0 5330 downloads 2.2 547 downloads 2.21 1205 downloads HTC HD2 2.0 > 30000 downloads 2.2 3045 downloads 2.21 11584 downloads HTC Mozart 2.0 9518 downloads 2.2 1877 downloads Samsung Omnia 7 2.0 22813 downloads 2.2 1007 downloads Nokia Lumia 710 2.0.1 10030 downloads 2.1 20199 downloads 2.2 8139 downloads Nokia Lumia 800 2.0.1 14276 downloads 2.2 3800 downloads ... Obviously with WP8 release Windows Phone 7 rom cooking age is coming to an end. We aren't going to continue this project. But don't worry, we have so many amazing projects in mind so that you won't disappointed. Thanks to all users and supporters!