Setting up IPSec/L2TP on Amazon EC2

I wanted to figure out how to setup an IPSec/L2TP VPN, since it seems to be a pretty useful thing to have. Since I didn’t have a VPS to stage this on, I signed up for Amazon’s AWS service using their free tier.

The AWS sign-up process is pretty easy. Amazon will want your credit card details so they can easily up-sell you. You have to provide them with a phone number, which they will call you and ask you to enter the PIN you see on the screen to verify your contact information. Once this is finished your Amazon Web Services account will be created and you can spin up an instance. There are still a few things you need to watch out for:

  • When creating an instance, the wizard will default to the small tier, which has a charge associated with it (IIRC they quoted me ~$43/mo). You’ll need to change this to the micro instance if you don’t want to pay.
  • The free tier is only available for the first year after signing up for AWS, after which they will charge you. At US Eastern prices, it will cost me around $14/mo for the micro instance, which is quite a bit more expensive than what other hosting providers are offering.
  • You need the private key you generated when you signed up to SSH into your server. The username is “admin” and has no-password sudo privileges.
  • “Terminate” in Amazon lingo means “Turn off and permanently delete” which unless you’re finished with your instance I do not recommend you select. For some reason I thought terminate meant “force shutdown,” which it really didn’t. Suffice to say configuring IPSec was much faster the second time around.
  • Amazon uses 1-to-1 NAT for EC2 instances, so when you’re configuring services you need to change the Group Security settings applied to your instance to allow the ports through. Group Security settings are under “Networking & Security” -> Security Groups” in the AWS dashboard. Also, this probably goes without saying, the public IP you SSH to is not the IP of your instance, so if you’re configuring things you need to specify the interface IP address of your instance, not the public IP address.
  • Amazon won’t discuss the bandwidth your instance will get in concrete terms, but it’s pretty poor. I thought I would try to watch South Park via my VPN, but I didn’t even get past the ads before waiting for buffering killed all desire to watch episodes the legitimate way.

tl;dr – You get 750 hours per month of usage for the first year on Amazon AWS. You can use this to create micro instances of any of the free-tier operating systems they offer. From my poking around, micro instances appear to offer you 8GB of disk space and 613MB of RAM. The free tier gives you 15GB of bandwidth shared across all your AWS services.

At current US Eastern pricing, which seems to be the least expensive, the micro tier will cost you about $15/mo. So unless you find yourself needing Amazon’s infrastructure for some purpose, or plan to increase your computing requirements significantly in the near future, plan on using AWS micro instances for the first year and then migrating to another hosting provider that better suits your needs.

I plan on using my micro instance as a staging area for services I want to eventually deploy to my production server, but have not finished testing yet.

On to setting up IPSec/L2TP. For the most part I followed this guide available on elastichosts.

This being the first time I’ve ever setup IPSec and L2TP, I ran into some issues. One was that xl2tpd wouldn’t start. This is the output from when I tried to start it in daemon mode:

root@ip-172-31-14-183:~# xl2tpd -D
xl2tpd[6164]: Enabling IPsec SAref processing for L2TP transport mode SAs
xl2tpd[6164]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
xl2tpd[6164]: init_network: Unable to bind socket: Cannot assign requested address. Terminating.

This is because AWS uses 1-to-1 NAT and I put the public IP address instead of the IP address of the instance into /etc/xl2tpd/xl2tpd.conf

After that, I headed over to System Preferences in OS X to configure my shiny new VPN. Except I kept getting cryptic error messages in Console like this one:

14-03-05 7:18:33 PM pppd[7612] pppd 2.4.2 (Apple version 412.5.70) started by devops, uid 502
14-03-05 7:18:33 PM pppd[7612] L2TP connecting to server 'xx.xx.xx.xxx' (xx.xx.xx.xxx)...
14-03-05 7:18:33 PM pppd[7612] IPSec connection started
14-03-05 7:18:33 PM racoon[7613] Connecting.
14-03-05 7:18:33 PM racoon[7613] IKE Packet: transmit success. (Initiator, Main-Mode message 1).
14-03-05 7:18:36 PM racoon[7613] IKE Packet: transmit success. (Phase1 Retransmit).
14-03-05 7:18:39 PM racoon[7613] IKE Packet: transmit success. (Phase1 Retransmit).
14-03-05 7:18:42 PM racoon[7613] IKE Packet: transmit success. (Phase1 Retransmit).
14-03-05 7:18:43 PM pppd[7612] IPSec connection failed

And Google was not helpful at all. So, over to the server logs:

pluto[3627]: packet from xxx.xxx.xxx.xxx:439: received Vendor ID payload [RFC 3947] method set to=109
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: received Vendor ID payload [Dead Peer Detection]
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: initial Main Mode message received on 172.xx.xx.xxx:500 but no connection has been authorized with policy=PSK

Mmhm. Yeah. Mmhm. Oh, yeah yeah yeah. I know some of these words.

Turns out, again, the problem is that I’ve foolishly specified the public (NAT) IP address instead of the IP address of my instance in /etc/ipsec.conf

Fixing that leads to a VPN that can connect! I’d say that was an afternoon well spent.

CompuLab MintBox 2 Review

Update 11 December 2017: If you own a MintBox 2 or Intense PC and would like to run an open-source firmware which is not vulnerable to CVE-2017-8083 or CVE-2017-9457, consider flashing coreboot.

Update 30 July 2017: If you own a MintBox 2 or Intense PC your system is vulnerable to CVE-2017-9457. There is currently no planned fix for this vulnerability.

Update 6 June 2017: If you own a MintBox 2 or Intense PC, please update your system firmware to the latest version (21 May 2017). Your system is vulnerable to CVE-2017-8083.

CompuLab’s MintBox 2 is a small embedded computer designed for home, office or industrial applications that retails for $599 US. The MintBox 2 ships with Linux Mint 15 “Olivia” on it, which was supported until January 2014 (last month).

The specifications of the MintBox 2 are:
Intel Core i5 3337U (Dual-core 1.8GHz, 2.7GHz turbo, 17W)
4GB RAM (2x2GB; DDR3 1333 CL9 SODIMMs)
500GB hard drive (2.5″, 5400RPM, Hitachi HCC547550A9E380)
Dual Gigabit Ethernet (Intel and Realtek 8111F; both integrated)
Realtek 802.11b/g/n 2.4GHz WiFi/Bluetooth 3.0 combo card (RTL8723AE; half-height mini-PCIe)

Also present are two eSATA ports (SATA 300), a full size mini-PCIe which can also double as mSATA, DisplayPort and HDMI (CEC is not supported) video outputs, and 3.5mm audio in/out which also support S/PDIF (coax).

The MintBox 2 comes with a 60 month warranty (5 years), with the hard drive being covered for 24 months (2 years).

The shipping configuration uses legacy booting and partitions instead of EFI booting and LVM.

Disk /dev/sda: 465.8 GiB, 500107862016 bytes, 976773168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: dos
Disk identifier: 0x16ad26de

Device Boot Start End Blocks Id System
/dev/sda1 * 2048 968752047 484375000 83 Linux
/dev/sda2 968752048 976773167 4010560 82 Linux swap / Solaris

Encrypting user’s home is supported and offers reasonable speeds, but since user data is stored on the same partition as the OS you may run into trouble if you try to upgrade Linux Mint or install another distribution.

The MintBox 2 supposedly supports up to 16GB of memory, and indeed I had no issues with the 4GB installed, or with an 8GB (2x4GB) kit from Patriot memory. I tried three different 16GB kits (G.SKILL, Patriot, Micron) in the MintBox 2, and all three were incompatible. As such, I highly recommend you consult the list of approved memory modules before purchasing a 16GB kit for the MintBox 2. I am awaiting a 16GB kit that was certified to work with the MintBox 2 and will update this post when it arrives.

People familiar with Linux Mint will know what the standard user interface is like, and the MintBox 2 does not deviate from it apart from a cheeky MintBox 2 wallpaper. Everything works out of the box, with ethernet and wireless configured for DHCP. Suspend to RAM works well and performance is on par with other dual-core computers running Linux Mint.

I installed Arch Linux on my MintBox 2 using EFI boot. This requires reformatting the hard drive completely to use a GPT partitioning scheme. An EFI service partition is required to store the grub boot loader, unless you opt to use the EFI stub in the linux kernel (which I did not). You will also have to boot from live media and use the efibootmgr tool to insert a boot record into EFI nvram to point to your boot loader or you will be sitting sadly in the [seemingly] useless EFI shell wondering why it won’t boot.

As with most other consumer electronics, there is little to no option to tweak in the EFI configuration utility (“BIOS”). There are no voltage monitors, and only the CPU temperature sensor is available over SMBus. Users do not have control over CPU speed, C-states, memory frequency or timings. There is an option for whether the full-height mini-PCIe slot is mSATA or regular mini-PCIe, and users can choose to enable or disable Virtualization (VT-x; VT-d is not supported by the HM76 chipset).

The December 2013 firmware update provides users with the ability to pre-define how much memory to share with the IGP (128MB, 256MB or 512MB) which is reserved and unavailable to the OS. I believe previous firmware versions dynamically allocate VRAM based on the Intel IGP driver requests from the OS.

Depending on the workload the CPU temperature can vary from mid-40s to mid-70s (Celsius), but is almost never hotter. This is average for a mobile CPU and well within safe limits. The stock RAM hits mid-60s in heavy use, but DIMMs with 16 chips (as opposed to 8) run in the mid-70s.

CompuLab support was a little lacklustre at first, but improved tremendously after I discussed my issues with the MintBox product manager. They issued an RMA and replaced the unit to see if the compatibility issue was isolated, but the replacement has the same issues.

Overall the MintBox 2 is a very nice computer. The MintBox 2 is a fanless design, which is very nice from a noise perspective but certainly won’t win it any awards in the design department. The connectivity options are very nice, and exceed what other manufacturers are offering in a small form-factor fanless PC.

I was torn between buying a MintBox 2 and a Mac Mini. I liked the MintBox 2 connectivity options, even though it lacks ThunderBolt, and the fanless design was a bonus. The MintBox 2 also uses a lower TDP CPU than the Mac Mini (17W versus 35W), but is clocked lower.

If you want to buy a computer that works out of the box with Linux and don’t mind paying a premium for it, then the MintBox 2 is an excellent choice. However, the Mac Mini does give you more connectivity options (4xUSB 3.0, FW800 and ThunderBolt) and is compatible with almost all 16GB memory kits available on the market.

Pros:
+ Low-power
+ Fanless
+ I/O options without purchasing expensive adaptors
+ 5-year warranty
+ coreboot! (added December 2017)

Cons:
– Limited support for 16GB of RAM
– Limited I/O (no ThunderBolt)
– RMA requires shipping the unit to CompuLab’s US or Israel office which means about 2 weeks without your computer (as opposed to bringing the Mac Mini in to an Apple store and getting it fixed/replaced within a day or two)
Multiple security vulnerabilities present in the system firmware (added July 2017)

Update: I installed the Corsair CT2CP102464BF1339 16GB kit and it seems to be working well in the MintBox. I also measured the power usage of the MintBox. At idle the MintBox draws 11W (110V mains) and under full load it draws around 27W.

Find server port on HP ProCurve switches the lazy way

This is a useful trick for VLAN configuration, or just figuring out which switch port a server is on.

Note: This requires that your server not be in production, or that your server has been tested and confirmed to have a correct redundant network connection.

ssh root@hp-procurve
$ enable
# config
(config) # debug event
(config) # debug destination session

Then run ‘ifconfig <eth> down’ on the server, or unplug the network cable. Watch the session on the switch and you will see which port has its link status change.

This isn’t a replacement for proper labels, since it involves downing an active network interface, which could cause connectivity issues in a live environment. A better alternative would be to use LLDP to identify which port a server is connected to, but as the title says, this is the lazy way.