IPsec (OSX to Linux) with Certificates

Got around to setting up IPsec between my OSX machine and my Linux server. It worked just fine with a PSK (pre-shared key), but failed when using certificates; the error on the server side was:

generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]

I enabled debugging of racoon on OSX (add these 2 lines to the file /etc/racoon/racoon.conf):

log debug;
path logfile "/var/log/racoon.log";

and got:

Jul  3 10:33:48  racoon[19904] : created CERT payload
Jul  3 10:33:48  racoon[19904] : use ID type of DER_ASN1_DN09000000 3032310b 30090603 55040613 02504c31 0d300b06 0355040a 13044b75 62613114 30120603 55040313 0b4b7562 61206950 686f6e65
Jul  3 10:33:48  racoon[19904] : hmac(hmac_sha2_256)
Jul  3 10:33:48  racoon[19904] : error -25308 errSecInteractionNotAllowed.
Jul  3 10:33:48  racoon[19904] : failed to sign.
Jul  3 10:33:48  racoon[19904] : failed to get sign
Jul  3 10:33:48  racoon[19904] : failed to allocate send buffer
Jul  3 10:33:48  racoon[19904] : IKE Packet: transmit failed. (Initiator, Main-Mode Message 5).
Jul  3 10:33:48  racoon[19904] : sending vpn_control ike failed message - code=65535  from=local.
Jul  3 10:33:48  racoon[19904] : failed to process packet.
Jul  3 10:33:48  racoon[19904] : Phase 1 negotiation failed.

The error seemed to indicate a problem signing the message, so I started poking around and realised that racoon may simply have no permission to use my private key. The fix was easy:

In Keychain Access, find the private key belonging to your certificate, double-click the private key and, in the “Access Control” tab, add a new application to the permission list. You may need to press Command+Shift+G to open “go to location”, enter “/usr/sbin” and then pick the “racoon” binary.

Save and you should be good to go.
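To make the log above easier to triage next time, here is a small parser for racoon.log lines of the format shown in the post. It is an added example, not part of the original post: it splits each line into timestamp, process, pid and message, pulls out Security framework result codes such as the -25308 errSecInteractionNotAllowed seen above, and attaches the fix the post arrived at (the keychain access-control entry for /usr/sbin/racoon). The sample log text is constructed for the example, modelled on the excerpt in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input, modelled on the racoon.log excerpt in the post.
SAMPLE_LOG = """\
Jul  3 10:33:48  racoon[19904] : created CERT payload
Jul  3 10:33:48  racoon[19904] : hmac(hmac_sha2_256)
Jul  3 10:33:48  racoon[19904] : error -25308 errSecInteractionNotAllowed.
Jul  3 10:33:48  racoon[19904] : failed to sign.
Jul  3 10:33:48  racoon[19904] : IKE Packet: transmit failed. (Initiator, Main-Mode Message 5).
Jul  3 10:33:48  racoon[19904] : Phase 1 negotiation failed.
"""

# "Jul  3 10:33:48  racoon[19904] : message" -> ts / proc / pid / msg
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]\s*:\s*(?P<msg>.*)$"
)
# "error -25308 errSecInteractionNotAllowed." -> code / name
ERRSEC_RE = re.compile(r"error (?P<code>-?\d+)\s+(?P<name>errSec\w+)")

# Security framework result codes this example knows how to explain.
# Only the code from the post is listed; its hint is the post's own fix.
KNOWN_ERRSEC: Dict[int, tuple] = {
    -25308: (
        "errSecInteractionNotAllowed",
        "racoon cannot use the private key without a UI prompt; grant "
        "/usr/sbin/racoon access to the key in Keychain Access (Access Control tab)",
    ),
}


@dataclass
class Finding:
    timestamp: str
    pid: int
    code: Optional[int]   # Security framework code, if the line carried one
    name: Optional[str]
    hint: str


def parse_line(line: str) -> Optional[dict]:
    """Split one racoon.log line into its fields; None if it is not a log line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text: str) -> List[Finding]:
    """Return the lines that explain why IKE phase 1 failed, with fix hints."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        em = ERRSEC_RE.search(msg)
        if em:
            code = int(em.group("code"))
            name, hint = KNOWN_ERRSEC.get(
                code, (em.group("name"), "unrecognised Security framework result code")
            )
            findings.append(Finding(rec["ts"], int(rec["pid"]), code, name, hint))
        elif msg.startswith("Phase 1 negotiation failed"):
            findings.append(Finding(rec["ts"], int(rec["pid"]), None, None,
                                    "IKE phase 1 failed; see the earlier signing error"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.timestamp} pid={f.pid} code={f.code} {f.name or ''}: {f.hint}")
```

Run it against /var/log/racoon.log after enabling `log debug;` as above; a -25308 finding before the “Phase 1 negotiation failed” line points at the keychain access-control entry rather than at the certificate or the IKE proposal.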

Schrödinger’s cat – that is – How we got out of our apartment lease – at no cost.

…And we moved… Kind of…

After nearly 10 years in Japan, we decided it was time for a new challenge and moved to Los Angeles, where I already had my new job lined up.

The plan was pretty simple – arrive on July 20th, over the next 3-4 weeks settle down, buy a car, rent an apartment and get ready for my first day at work coming on August 15th.

After intensive apartment search we found one that was:

  • In a good school district (critical; even though LA has one big district, schools give priority to kids from the nearby “attendance zone”)
  • Affordable (I would rather say expensive by Japanese standards for what it was, but here it was a *steal*)
  • Big enough
  • Walkable to nearby shops (can’t get used to driving 20 minutes or more for groceries)

We signed our lease on Friday the 29th and thought that was all… not…

The management gave us an EPA brochure educating about lead poisoning, risk and prevention (which is mandatory for buildings built before 1978), and also handed us a paper declaring that they do not know whether there is any lead risk in the building – “there may or may not be any”.

We did sign the lease thinking it can’t be bad, and then later inspected the unit again for cleanliness and other issues.

We had several issues that we asked to have resolved – mold spots on the shower silicone seals, cracked tiles, etc – nothing major, but we expected the unit to be clean for move-in.

Then we spent a long time reading about lead and the associated risks, and found that there were some areas in the apartment that could be problematic – paint rubbing on door hinges, cracked paint below the sink, chipped paint on the balcony railing etc.

We contacted the management asking to have the unit tested for lead in the paint.

They came back on Monday and said they won’t do that, and because they won’t be able to fulfil our demanding needs, they offered to void our lease and give us the deposit and rent back (we hadn’t moved into the unit yet).

Don’t get me wrong – our intention wasn’t to cancel the lease; we just wanted to ensure the unit was safe for us. We really did want to keep our lease and move in.

I’ve been thinking about management’s attitude, and interestingly it reminds me of Schrödinger’s cat experiment…

They DON’T WANT TO KNOW whether there is any lead in the building – if there was, by law they would have to disclose it to all the tenants and remedy the problems using very expensive lead-certified contractors, and from that time onward any repairs would have to be conducted in a lead-safe way.

Unless the building is tested for lead, it’s assumed to be safe, but once lead is proven to exist – that puts the owner into a very expensive spiral. Crazy, huh?

California really needs a law reform; many other states require the landlord to ensure the unit is lead-safe when children below the age of 6 live there.

In CA, the ONLY way to force the landlord to test the unit and resolve problems is to WAIT UNTIL SOMEONE GETS LEAD POISONING, get tested and use that as proof… We were not willing to do that…

Minimig – Amiga clone, hand soldered

I decided to build a Minimig – a clone of the Amiga; it can act as an Amiga 500, 500+ or 600, with up to 4MB total RAM.

The interesting thing is that it uses an actual 68000 CPU – clocked at 7 or 50MHz in Turbo mode.

Other proprietary Commodore chips are implemented in FPGA.

I also built an ARM controller board – which replaces the small PIC micro, serves as the SD card interface and feeds the FPGA its initial bitstream.

I’ve also included 3 hardware mods – an additional 2MB RAM (sitting on top of the original chips), an SD high-speed interface and lastly – a joint stereo/separate stereo switch.

This was my first time soldering such a fine pitch (and expensive) chip – wasn’t all that hard.