Archives mensuelles : janvier 2007

OpenWRT to Zywall VPN

Here is how I configured my Linksys WRT54G routeur/AP to connect to my office’s Zywall 70

              --------                  --------
      Home --| WRT54G |--- Internet ---| Zywall |--- Office
              --------                  --------                
192.168.3.X         W.W.W.W          Z.Z.Z.Z          192.168.2.x

Linksys WRT54G

Backup your access point, go to http://openwrt.org, read carefully the wiki, and install the latest OpenWRT release. WhiteRussian RC6 worked for me.

I upgraded from an old Alchemy release, and all my settings were kept.

Install openswan

#ipkg update
#ipkg install openswan

Create /etc/ipsec.d/private/zywall

conn zywall
       right=%defaultroute
       rightsubnet=192.168.3.0/24
       rightid=@someid
       left=Z.Z.Z.Z
       leftsubnet=192.168.2.0/24
       leftid=@someid
       authby=secret
       pfs=no
       ike=aes128-sha1-modp1024
       esp=3des-md5-96
       keylife=9600s
       keyingtries=0
       auto=add
       dpddelay=30

Modify /etc/ipsec.conf to include your new config

# Add connections here
include /etc/ipsec.d/private/zywall

Add you preshared key in /etc/ipsec.secrets

@someid @someid: PSK "mysecret"

Zywall 70

Open « VPN Rule (IKE) » tab and add a new gateway policy

  • Remote Gateway Address : W.W.W.W
  • Pre-Shared Key : mysecret
  • Negotiation Mode : Main
  • Encryption Algorithm: AES
  • Authentication Algorithm : SHA1
  • SA Life Time (Seconds): 9600
  • Key Group : DH2

Add a new network policy

  • Active: Yes
  • Local Network
    • Address Type: Subnet address
    • Starting IP Address: 192.168.2.0
    • Subnet Mask: 255.255.255.0
  • Remote Network
    • Address Type: Subnet address
    • Starting IP Address: 192.168.3.0
    • Subnet Mask: 255.255.255.0
  • Encapsulation Mode: Tunnel
  • Active Protocol: ESP
  • Encryption Algorithm : 3DES
  • Authentication Algorithm: MD5
  • SA Life Time (Seconds): 28800
  • Prefect Forward Secrecy: None
  • Enable Replay Detection: Yes

It should now work. Try to connect the VPN from the WRT54G:

# ipsec auto --up zywall
104 "zywall" #26: STATE_MAIN_I1: initiate
003 "zywall" #26: ignoring unknown Vendor ID payload [afcad71368a1f1c96b8696fc7757]
003 "zywall" #26: ignoring unknown Vendor ID payload [625027749d5ab97f5616c1602765cf480a3b7d0b]
106 "zywall" #26: STATE_MAIN_I2: sent MI2, expecting MR2
108 "zywall" #26: STATE_MAIN_I3: sent MI3, expecting MR3
004 "zywall" #26: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
117 "zywall" #27: STATE_QUICK_I1: initiate
004 "zywall" #27: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x595ef372 <0xb540297d xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}

Hiding the personnal network

It works, but my colleagues can now browse my home network. I want to « masquerade » the 192.168.3 subnet, so all connections seems to come from 192.168.203.1 :

                  ---------                  --------
      Home -- (NAT) WRT54G |--- Internet ---| Zywall |--- Office
                  ---------                  --------                
192.168.3.x  192.168.203.x  W.W.W.W   Z.Z.Z.Z          192.168.2.x

Edit /etc/firewall.user :

iptables -t nat -A postrouting_rule -d 192.168.2.0/255.255.255.0 -j SNAT --to 192.168.203.1
iptables -A forwarding_rule -d 192.168.2.0/24 -j ACCEPT

Run /etc/firewall.user to apply theses rules
Modify the ipsec rules to use 192.168.203.x instead of 192.168.3.x

Notes

  • The local and remote ID must be the same
  • 3DES/MD5 is not the most secure cypher for phase 2, but other cyphers does not seem to work
  • See openwrt wiki for encryption and speed
  • This should work with any zywall model and with ipsec-capable Prestige models (652, 662). Some buggy firmwares (Zywall 10) use local and/or remote id instead of « secure gateway address ».

Réencoder un divx pour le Kiss DP-500

English version here

Il est loin le temps où la grande majorité des divx passaient sans problème sur ma platine de salon Kiss DP-500. Entre les nouveaux codecs, les extensions de codecs existants (QPEL, GMC, etc..) et les derniers firmwares de Kiss qui sont bourrés de défauts, il est rare qu’un film passe du premier coup.
Pour y remédier, une simple ligne de commande suffit :

mencoder mauvaisdivx.avi -of avi -oac mp3lame -lameopts cbr:br=128 -ovc lavc -lavcopts vcodec=mpeg4:vhq -ffourcc DX50 -o nouveaudivx.avi

Veillez cependant à installer mencoder et les plugins adéquats.

Et voici un petit script qui prend en paramètre le nom du fichier à convertir, et crée un fichier avec le suffixe -KISS qui passe sans problème sur la platine: divxconvert.sh

Recode divx for Kiss DP-500

Pour la version française, suivre ce lien.

My Kiss-DP500 DVD/DivX player can’t play a lot of divx, because of the new codec extensions (QPEL, GMC, etc…). Most « recent » firmwares are buggy, and I often have to recode my movies.
The magic command line is:
mencoder baddivx.avi -of avi -oac mp3lame -lameopts cbr:br=128 -ovc lavc -lavcopts vcodec=mpeg4:vhq -ffourcc DX50 -o newdivx.avi

Of course, you need mencoder and appropriate plugins.
You can use this script, it takes the avi file name as an argument and creates and kiss-friendly version : divxconvert.sh