Building Linux Virtual Private Networks
The errata for the book are given below. If you believe you've found an error, please send email to errors@buildinglinuxvpns.net and we'll check it out.

Note: After the book went to print, several vulnerabilities were found in the CIPE, VTun, and Tinc protocols. You can read the list of vulnerabilities here. Corrections to the problems are in the works, so check the websites for the individual software packages.


Page  Correction
48 CIDR typo

In the network with two hosts, the syntax should be /30 instead of /252

79-80 Full path to pppd

In the sudo command, the third line reads

sudo pppd noauth ...

You may need to use the full pathname to pppd which is usually /usr/sbin/pppd. This change carries over to page 80 where this line's purpose is explained.
112 File listing typo

In the first ls listing (the one run on bears-server), the file client.pem should read client.cert.

114 /etc/sudoers typo

The snippet from /etc/sudoers has a typo. The name should read sslvpn, not sshlvpn.

156 Doubled numbers

In the list under "Creating a VPN with IPSec", items number three and number four have the same index.

Thanks to Wai-hok Cheng

168-169 Misplaced labels on Figures 6.2 and 6.3

10.1.10.50 and 10.125.5.241 should be drawn next to the eth0 (external) interfaces of the gateways. @de.exemplify.com and @cn.exemplify.com should be placed on top of the left and right gateways, respectively.

Thanks to Richard Bejtlich

180 Typo

In the sample ipsec.secrets file, the indices should read ex1.exemplify.com and ex2.exemplify.com.

Thanks to Shashank Khanvilkar.

185 IP address typo

In the sample host-host configuration file, the IP address set as the rightnexthop should read 10.125.5.1.

Thanks to Giovanni Q.

211 Double untar

In the section "Installing pptp-linux", we have you untar and cd twice. This was required for the version of pptp-linux at the time the book was written. Newer versions do not have a tarball within the tarball, so once is sufficient.

233 Options name typo

In the sample pppd options file, the name argument should be pptp, not pptpd, in order to match the chap-secrets syntax.

250 IP address typo

2nd paragraph: "From our network diagram, we see that the tunnel interface on the server side will be configured as 192.168.192.254, on the network as 192.168.254.252."

Should read: "From our network diagram, we see that the tunnel interface on the server side will be configured as 192.168.254.254, on the client side as 192.168.254.253."

Thanks to Ryan Neily

250 IP address

3rd line from the bottom: "route add -net 192.168.2.0/24 gw 192.168.254.254;" Should read: "route add -net 192.168.2.0/24 gw 192.168.254.253;"

Corrections to pages 250, 251, 253, 258, and 279:

Thanks to Jeffrey Taylor

251 Incorrect reference

6th paragraph: "We need to add a single line"

Should read: "We need to add two lines"

253 Netstat output correction

In the "netstat -nr" command output, change all occurrences of "10.3.0.1" to "192.168.254.254".

258 Typo in vtund command

The "vtund PPP-tunnel 270.8.8.8" command in the middle of the page

Should read: "vtund PPP-tunnel 280.8.8.8"

279 Correction to note on using Cipe

In the note on using Cipe with gated, "The last four lines of the preceding ip-down script show a simple command"

Should read: "The third from the last line of the preceding ip-down script is a simple command"

* Extended list of corrections, first printing


R -- replace
D -- delete
pg. -- paragraph

Example:
R, 3 pg. "AAA" -> "BBB"

Meaning:
Replace "AAA" with "BBB", where "AAA" is in the 3rd paragraph.

-------------------------------------------------------------------------------
Chapter 1
-------------------------------------------------------------------------------

p.xv
R, footnote for the benchmark "The benchmarks are based on the
opinions" -> "The benchmark is based on the opinions"

p.5
D, 3rd pg. "or PKI"

p.6
D, 5th pg. "After many attempts like this, the attacker may be able to
determine the keys being used by the in-place crypto system."
R, 6th pg. "employ a hashing algorithm" -> "employ a cryptographic hashing
algorithm"
R, 6th pg. "output of the hashing algorithm" -> "output of the
cryptographic hashing algorithm"

p.7
R, 1st pg. "VPN technologies utilize" -> "VPN technologies often utilize"
R, 4th pg. "lay in the physical" -> "partly lays in the physical"

p.8
R, 3rd pg. "This means that users" -> "This means that the majority of
users"
D, 4th pg. Note on "A little security history" must be deleted.

p.10
Figure 1.2 -- move "DMZ" inside the ellipse in the top right corner

p.14
Figure 1.3 -- move "DMZ" inside the ellipse in the top right corner

p.16
D, 4th pg., Starting with "Unfortunately, these situations..." and
ending with "usernames, passwords, email, and so on."

p.18
D, 3rd pg. The sentence starting with "In addition, a VPN can protect your
intranet..."

p.21
R, 5th pg. "microware" -> "microwave"
D, 5th pg. "DS-lines (DS1, DS3),"
D, 5th pg. "line of sight,"

p.24
R, 2nd pg. "hashing functions" -> "cryptographic hashing functions"
R, 2nd pg. "Other VPN implementations rely" -> "Other VPN implementations
may rely"

R, 5th pg. "40-bit DES" -> "56-bit DES"

p.25
R, 2nd pg. "0.96b" -> "0.9.6b" (2 occurrences)
R, 4th pg. "privacy protocols" -> "privacy mechanisms"

p.29
R, 3rd pg. "Probably the easiest way to implement a VPN is by way of"
-> "One way to implement a VPN is by"
R, 3rd pg. "Usually this is" -> "Usually, this can be"

R, 3rd pg. "it is relatively simple to encrypt this traffic before it is
sent over the wire." -> "it is somewhat easier to tunnel, but keep in mind
that the TCP meltdown effect can occur if you tunnel TCP over TCP (see
Chapter 9, Host-Host CIPE tunneling, for further explanation.)"

D, 5th pg. The sentence beginning with "SSHv1 has a vulnerability ..."

p.30
D, 3rd pg. "such as Checkpoint FW-1 or Cisco PIX,"
R, 3rd pg. "PPTP VPN is not a good idea" -> "might not be a good idea"
R, 7th pg. "specificity" -> "specifics"
R, 8th pg. "between many" -> "and sets up"
D, 8th pg. The sentence beginning with "In IPSec, communications are
authenticated..."
D, 8th pg. The sentence beginning with "In addition, if
confidentiality..."

p.31
R, 6th pg. "In addition, VTun also has" -> "In addition, VTun has"

p.32
R, 5th pg. "supports only the Blowfish cipher" -> "supports both Blowfish
and IDEA ciphers"

-------------------------------------------------------------------------------
Chapter 2
-------------------------------------------------------------------------------

p.33
D, 3rd pg. "/router"

p.34
D, 4th pg. The sentence beginning with "The concept of a gateway..."
D, 4th pg. The sentence beginning with "For example, the router..."
R, 4th pg. "a VPN end-point that sits" -> "A VPN end-point with at least
two interfaces sitting"

p.35
Figure 2.1 -- move "eth0,280.8.8.8" so it is located next to the line
connecting Bears to the Internet cloud
Figure 2.1 -- move "eth0,270.7.7.7" so it is located next to the line
connecting Falcons to the Internet cloud

-------------------------------------------------------------------------------
Chapter 6
-------------------------------------------------------------------------------

p.166
R, 4th pg. "keyring" -> "Security Associations"

R, 5th pg. Replace the two sentences, the first beginning with
"Opportunistic Encryption...", the second beginning with "It also
provides..." with one
->
"Opportunistic Encryption provides easier key management because
encryption key information can be stored in DNS for automatic retrieval
and revocation."

D, 6th pg. ",which means that experimenting with it is a good thing."
R, 6th pg. "It definitely works" -> "However, it definitely works"

p.168, 169
Misplaced labels on Figures 6.2 and 6.3:
10.1.10.50 and 10.125.5.241 should be drawn next to the eth0 (external)
interfaces of the gateways. @de.exemplify.com and @cn.exemplify.com should be
placed on top of the left and right gateways, respectively.

p.171
R, 1st pg. "should remove" -> "may need to remove"
R, 3rd pg. "we can install the modutils" -> "we can install the updated
modutils"

p.178
D, 5th pg. In the last sentence beginning with "Otherwise, your...",
delete the word "cryptographic", do the same in the first sentence
of the following paragraph

p.186
D, In the sentence beginning with "This should be expected...", delete the
word "only"

p.192
R, "The IPSec connection should renegotiate" -> "The IPSec connection
should be renegotiated"

-------------------------------------------------------------------------------
Chapter 8
-------------------------------------------------------------------------------
Replace "de-encapsulated" with "decapsulated" throughout the chapter

p.231
D, 2nd pg. Delete the sentence beginning with "Tunnels work on..."
D, 2nd pg. Delete the sentence beginning with "Packet encapsulation is the
process..."
D, 2nd pg. Delete the sentence beginning with "Tunnel interfaces are
logical"
D, 3rd pg. Delete the first three words -- "As mentioned earlier,"

p.232
R, 2nd pg. "for tunnel transport" -> "by VTun"
R, 3rd pg. "VTun enables the two servers to create a tunnel using TCP or
UDP for the underlying transport" -> ", using TCP or UDP for the
underlying transport."

D, the complete paragraph beginning with "In addition to normal tunnel
behavior"
R, 4th pg. "VTun supports several different types of tunnels" -> "VTun
supports traffic shaping, compression, and several different types of
tunnels."

p.233
D, the sentence beginning with "For every tunnel connection, ..."
D, the sentence beginning with "This further perpetuates the illusion..."

p.236
D, 2nd pg. "is not patented"
D, 3rd pg. -- delete the whole paragraph, except for the 1st sentence
that begins with "Blowfish is a symmetric algorithm..."
D, 4th pg. -- delete the whole paragraph, except for the 1st
sentence that begins with "VTun uses..."
D, 5th pg. -- delete the whole paragraph, except for the 1st sentence that
begins with "For Integrity Protection, VTun uses..."

p.237
R, 5th pg. "UDP tunnels can be used when bandwidth is tight" -> "However,
since UDP does not guarantee packet delivery and does not provide any
flow-control mechanisms, VPN packages in most cases have to implement
these features on top of UDP."

p.250
R, 2nd pg. "From our network diagram, we see that the tunnel interface on
the server side will be configured as 192.168.192.254, on the network as
192.168.254.252." -> "From our network diagram, we see that the tunnel
interface on the server side will be configured as 192.168.254.254, on
the client side as 192.168.254.253."

p.253
R, "65.24.226.1" -> ""

-------------------------------------------------------------------------------
Chapter 9
-------------------------------------------------------------------------------
p.275
-----
R, 3rd pg. "ssh /" -> "ssh"
R, 3rd pg. "stunnel /" -> "stunnel"

Appendix A
----------
1) Move "www.f-secure.com" so it is under the F-Secure VPN+ item
2) Add URL for PGPvpn -- www.pgp.com
3) Insert empty lines before Alcatel, Cisco, Entrust, Lasat Safepipe,
Merilus, and SSH Communications

To be fixed: Some commands in the book are indicated with a bold font
(p.92, for example), while many others are not (p.145, p.170, p.275, p.355
etc.)

New Riders Publishing