Just saw a little download on the Domino 7 download page on Passport Advantage. The download is called “Free Time Web Service database 7.0 (C8525NA)” and contains a Notes database with a web service that lets you do free-time searches over SOAP. Pretty nice, and a good example of how to do web services in Notes 7 in LotusScript.
Sametime 7 Connect for Browsers
Well not exactly the certificate signer you would expect to find on a product like Sametime… I would have expected a certificate that was somewhat more “official” and closer to IBM “home”.

Notes 7 in-list name editing
Found a nice feature in Notes 7 Designer client where you can edit the name of a design element directly in the list. Nice…

Johan’s Collection classes now LGPL’ed
Thanks Johan – here is a link to the article…
Set the “Prompt for location at startup” User Preference from LotusScript
In Notes 5.x the selections made in the User Preferences dialog box (File > Preferences > User Preferences) are stored in the notes.ini file as a decimal number in the Preferences setting. This setting may be manipulated using binary operations if need be.
Please note: I would think that this is in no way a Lotus-supported way of doing this… 🙂
The “Prompt for location at startup” User Preference is set using the 25th bit (1 000 000 000 000 000 000 000 000 in binary), which is 16777216 in decimal. Setting the flag can be accomplished using the binary OR operation.
Sub Initialize
	' Read the current Preferences value from notes.ini and convert it to a Long
	Dim session As New NotesSession
	Dim notes_ini_value As Long
	Dim notes_ini_value2 As Long
	notes_ini_value = Clng(session.GetEnvironmentString("Preferences", True))
	' Set the 25th bit (16777216) with a binary OR; bits that are already set are left untouched
	notes_ini_value2 = notes_ini_value Or 16777216
	' Write the value back; the third argument (True) means the name is used as-is, without a $ prefix
	Call session.SetEnvironmentVar("Preferences", Cstr(notes_ini_value2), True)
End Sub
If you need to toggle the flag (turn it on if it is off, and off if it is on) you should use the XOR operation instead.
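As an added example (not part of the original post), the same bit handling written in Python against a constructed notes.ini fragment, showing why OR is the right operation for setting the flag and XOR for toggling it; the function names are my own.

```python
import re

# "Prompt for location at startup" is the 25th bit of the Preferences value:
# 1 followed by 24 zeros in binary, 16777216 in decimal (1 << 24).
PROMPT_FOR_LOCATION = 1 << 24

# Constructed notes.ini fragment for the demo; not taken from a real client.
SAMPLE_INI = "[Notes]\nDirectory=c:\\notes\\data\nPreferences=2577\nKitType=1\n"

def read_setting(ini_text, key):
    """Return the integer value of the 'key=' line, or 0 if the key is absent."""
    m = re.search(r"^%s=(\d+)$" % re.escape(key), ini_text, re.MULTILINE)
    return int(m.group(1)) if m else 0

def write_setting(ini_text, key, value):
    """Rewrite the 'key=' line in place, or append one if the key is missing."""
    pattern = r"^%s=.*$" % re.escape(key)
    line = "%s=%d" % (key, value)
    if re.search(pattern, ini_text, re.MULTILINE):
        return re.sub(pattern, line, ini_text, flags=re.MULTILINE)
    return ini_text.rstrip("\n") + "\n" + line + "\n"

def flag_is_set(prefs, flag=PROMPT_FOR_LOCATION):
    return (prefs & flag) != 0

def set_flag(prefs, flag=PROMPT_FOR_LOCATION):
    # OR is idempotent: applying it twice leaves the value unchanged
    return prefs | flag

def clear_flag(prefs, flag=PROMPT_FOR_LOCATION):
    # AND with the complement clears this bit and nothing else
    return prefs & ~flag

def toggle_flag(prefs, flag=PROMPT_FOR_LOCATION):
    # XOR is not idempotent: applying it twice puts the old value back
    return prefs ^ flag

def set_prompt_for_location(ini_text, wanted=True):
    """Force the flag to the wanted state regardless of its current value."""
    prefs = read_setting(ini_text, "Preferences")
    prefs = set_flag(prefs) if wanted else clear_flag(prefs)
    return write_setting(ini_text, "Preferences", prefs)
```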
Configuring site-2-site VPN on Cisco PIX 506
The Cisco PIX firewall series of products is very nice and ranges from the little entry-level PIX 501 to larger gigabit, enterprise-ready solutions. We normally use the PIX 501 and PIX 506 with 3DES and/or AES because of their low price, superior functionality and built-in VPN capability.
Normal configuration
The configuration I normally do is the following:
- Use static to map services from the outside address(es) to the inside address(es).
- Use an access-list to allow the traffic to pass from the outside interface to the inside interface. Normal services to map through are SMTP, HTTP, HTTPS and Lotus Notes (1352).
- Use an access-list to restrict users from accessing services other than HTTP, HTTPS and FTP through the firewall. No unwanted file sharing etc.
- Configure IPSEC VPN from all remote addresses to connect using 3DES and a shared secret. We use RADIUS to authenticate connecting users so they can use their Windows username and password.
The above is normally enough to meet the needs of our customers as well as our own setup, even though there might be more than one site. Internally we have made the conscious choice of not configuring VPN tunnels between sites, since most users do not need to access services at other sites. The users that need access to other sites use the VPN client and hence know when they could affect other sites.
Site-2-site IPSEC VPN
This time I needed to configure a full site-2-site VPN tunnel that would allow users and servers at each site to transparently access services at the other site. It proved surprisingly easy to configure once I understood the way the PIX uses so-called “crypto maps” and once I got hold of a good book called Cisco Security Specialist’s Guide to PIX Firewall.
To configure client VPN access we use a dynamic crypto map, which allows the PIX to create a crypto map per user once they connect. This is not, however, the desired setup for a site-2-site configuration, where you want to know exactly what is going on. The dynamic crypto map should still be there to allow users to access the site using the VPN client.
Before you begin
Below I assume that all existing IPSEC-related configuration has been removed, such as crypto maps, transform sets and isakmp setup. To see any existing configuration, enter enable mode (and configure terminal mode) and use the “sh crypto map”, “sh crypto ipsec transform-set” and “sh isakmp” commands.
The setup
I also assume you have two IP segments you would like to connect. My IP segments are 192.168.1.0/24 and 192.168.2.0/24. Each end has a PIX 506/501 in front, and the edge router allows all IP protocols to pass through to the PIX (incl. ESP and AH). Check with your ISP, since some connections have these protocols blocked and only allow TCP and UDP traffic.
The configuration I show is the configuration from the 192.168.2.0/24 segment (source) to the 192.168.1.0/24 segment (target). The PIX in the source end has the public IP address 2.2.2.2 and the public IP address in the target end is 1.1.1.1 (the addresses are made up for the example).
To configure the PIX you need to add the following pieces of configuration.
-- allow IPSEC traffic through to the inside interface of the PIX unfiltered
-- (the traffic still has to arrive inside the tunnel, so this is not a security issue)
sysopt connection permit-ipsec
-- create a transform-set, which basically means which protocols we should use
crypto ipsec transform-set myset esp-3des esp-md5-hmac
-- create the client VPN config using a dynamic crypto map referencing the transform-set.
-- The priority is set to 50 below to have it be the last of the two maps we end up creating
crypto dynamic-map dynmap 10 set transform-set myset
-- create a crypto map for the client using RADIUS authentication
-- (be sure to also configure an aaa-server for this)
crypto map pix-ny_map 50 ipsec-isakmp dynamic dynmap
crypto map pix-ny_map client configuration address initiate
crypto map pix-ny_map client configuration address respond
crypto map pix-ny_map client authentication RADIUS
-- create a pre-shared key for IKE towards the target (1.1.1.1)
isakmp key <shared secret> address 1.1.1.1 netmask 255.255.255.255
-- create an access-list to handle all traffic from 192.168.2.0 --> 192.168.1.0
access-list site2site_vpn permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
-- exclude the traffic handled by the access-list we just created from NAT
nat 0 access-list site2site_vpn
-- create a crypto map to pull everything together
crypto map pix-ny_map 10 ipsec-isakmp
-- add the addresses to match for this crypto map
crypto map pix-ny_map 10 match address site2site_vpn
-- set the peer for the tunnel
crypto map pix-ny_map 10 set peer 1.1.1.1
-- define the transform set (the suite of protocols) to be used for our map
crypto map pix-ny_map 10 set transform-set myset
-- apply the crypto map to the outside interface (there can only be one map per interface)
crypto map pix-ny_map interface outside
-- if you use an access-list to restrict traffic from the internal interface
-- to the outside, you must allow the traffic from 192.168.2.0 to pass to 192.168.1.0
access-list inside permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
Please note: you need to create the same configuration in the target end using the same shared secret! In the target end you specify the other address as the peer (change 1.1.1.1 to 2.2.2.2) and swap the IP segments in both access-list commands (192.168.1.0 / 192.168.2.0).
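Added example, not from the original post: a small Python check that the two ends of the tunnel are configured as mirror images in the way the note above requires (peer addresses swapped, interesting-traffic access-list reversed, same transform-set). The fragments are constructed from the article's addressing; the shared secret, the nat 0 statement and the inside access-list are not covered by this check.

```python
import re

# Constructed fragments for both ends: 2.2.2.2 fronts 192.168.2.0/24 (source), 1.1.1.1 fronts 192.168.1.0/24 (target).
SOURCE_END = """
crypto ipsec transform-set myset esp-3des esp-md5-hmac
access-list site2site_vpn permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map pix-ny_map 10 match address site2site_vpn
crypto map pix-ny_map 10 set peer 1.1.1.1
crypto map pix-ny_map 10 set transform-set myset
"""
TARGET_END = """
crypto ipsec transform-set myset esp-3des esp-md5-hmac
access-list site2site_vpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map pix-ny_map 10 match address site2site_vpn
crypto map pix-ny_map 10 set peer 2.2.2.2
crypto map pix-ny_map 10 set transform-set myset
"""

def parse_end(config):
    """Extract what the peer must mirror: crypto ACL entries, peer address, transform-set."""
    acls, tsets, acl_name, peer, tset_name = {}, {}, None, None, None
    for line in config.strip().splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m: tsets[m.group(1)] = m.group(2).split(); continue
        m = re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line)
        if m: acls.setdefault(m.group(1), []).append(m.groups()[1:]); continue
        m = re.match(r"crypto map \S+ \d+ set peer (\S+)$", line)
        if m: peer = m.group(1); continue
        m = re.match(r"crypto map \S+ \d+ match address (\S+)$", line)
        if m: acl_name = m.group(1); continue
        m = re.match(r"crypto map \S+ \d+ set transform-set (\S+)$", line)
        if m: tset_name = m.group(1)
    # Only the ACL the crypto map references defines the interesting traffic
    return {"traffic": acls.get(acl_name, []), "peer": peer, "tset": tsets.get(tset_name)}

def mirror_problems(src_cfg, src_public_ip, dst_cfg, dst_public_ip):
    """Return the mismatches that would keep the tunnel from coming up (empty list = OK)."""
    a, b = parse_end(src_cfg), parse_end(dst_cfg)
    problems = []
    for side, got, want in (("source", a["peer"], dst_public_ip), ("target", b["peer"], src_public_ip)):
        if got != want: problems.append("%s peers with %s, expected %s" % (side, got, want))
    if a["tset"] is None or a["tset"] != b["tset"]:
        problems.append("transform-sets differ or are missing")
    # Each source entry (src, mask, dst, mask) must appear reversed on the target
    mirrored = [(d, dm, s, sm) for (s, sm, d, dm) in a["traffic"]]
    if sorted(mirrored) != sorted(b["traffic"]):
        problems.append("interesting-traffic access-lists are not mirror images")
    return problems
```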
Final words
Hopefully this will work for you and save you some hours of frustration. Please note though – you really want to read a primer on IPSEC before venturing into stuff like this, to understand how IPSEC works. You might as well start at the Wikipedia article.
Accessing the menus on a Mac using the keyboard – impossible?
I went to the Mac-store the other day to look for a computer bag but ended up playing with the Macs they had on display. I have been playing with the idea of getting a Mac Mini to use at home, but one thing bothered me though: I was unable to access the menus using the keyboard.
None of the store employees knew how to do it but instead told me that: “OS X is a mouse operating system…” This is totally unacceptable to me so I left the store and kind of gave up on the idea of becoming a Mac owner.
After this experience I was very pleasantly surprised when my big brother found out how (via one of our customers where a couple of users use Macs). Pressing Ctrl-F2 will access the menu.
So now it is back to the store… 🙂
Going to Lotusphere 2006
I’m going to my first Lotusphere – I just booked the conference and hotel. I’m really looking forward to this event. See you all in Orlando… 🙂
Submitted patch for Pebble 1.9
To save precious GPRS dial-up time and bandwidth from my cellphone I would like to be able to use the w.bloggar blog client to post to my blogs via the metaWebLog API (Pebble supports both the metaWebLog and Blogger API via xmlrpc). This is mainly for my personal blog (in Danish) where I keep my training diary.
The issue I was having was a strange one that only appeared when hosting multiple blogs in the same instance. The issue was that national characters that had been escaped to HTML entities weren’t displayed correctly on the multi-blog aggregate screen.
The solution was to fix the way the content was truncated before being displayed. I used the Jakarta Commons Lang to unescape the entities instead of the home-rolled solution.
Full details and a patch can be found as PEB-279 in the Pebble JIRA.
Update on Sametime crash due to common.diag
Regarding the Sametime problem I mentioned yesterday – applying the fix mentioned in the technote appears to have solved the problem. I’ll monitor the file though…