Impulsive?

new and silly

My old T-Mobile G2 (HTC Desire Z) is falling apart. It has no touch sensitivity on the left side of the screen. The microsd card slot is broken, so the usd card falls out or loses connectivity regularly. The back won’t latch properly. Yesterday there were some Google app updates, and they caused my phone to be completely useless until I uninstalled Google Voice. Then it had three of the random recurring reboots I’ve just become accustomed to. I’ve had it for two years. I’m hard on my devices.

In a fit of frustration, I went to the T-Mobile store to see if they had either a Nexus 4 or a Nokia Lumia 810. No Nexus 4 (not really a surprise, but thought I’d ask). But they had a Lumia 810.

Now I have a Lumia 810.

While I bought it, I’m still not entirely convinced I wanted to move from Android to Windows Phone 8. I have decided that if I get another Android phone, it will be an unlocked Google phone. None of this carrier nonsense, with no OS patches. None of this manufacturer nonsense with bullshit half-assed UIs. For now though, this Lumia is the new hotness.

That said, the initial booting of the 810 was not a good experience.

First, it threw an FFFFFE70 error when I entered my Microsoft account (my Microsoft account was created from my hotmail/xbox live account when I got the Surface RT so this was an existing Microsoft account).

We weren’t able to activate your phone. If you call support, you can mention this error code, which can help them to figure out the problem: FFFFFE70

Initially I thought maybe I had entered a typo. So I tested it. In testing I intentionally added a typo and it actually gave me a ‘username or password incorrect’ error instead of the FFFFFE70 error, so that was not it.

I thought perhaps it was just an intermittent issue, or perhaps I had lost cell connectivity at the time, so I tried adding the account a handful of times after verifying network connectivity. Every single time I attempted to enter my Microsoft account credentials, it gave me that error. Even after a reboot.

A phone is pretty useless without your contacts and email!

I finally did a hard reset (start screen, swipe to left, settings, about, reset your phone, read warning, yes, yes) and went through the initial setup again. This time when I entered my Microsoft account information, it simply took a minute or so, authenticated me and configured the phone with that information.

I have no idea what happened or why this happened.

The second thing is that when setting up the phone for the first time, it takes a LONG time. It took about 10 minutes. The phone lets you know: it has a dialog up with a greyed-out button that says it’s configuring applications and it is going to take a few minutes (implied “leave it be!”). When this happened on the initial setup, I thought the phone had crashed. The second time, I knew it was just how it is and it finished up in about the same span of time. This is no big deal, but might be a bit off-putting if you aren’t expecting it to take so long.

Those two initial experiences aside, the phone is alright. I’m hoping to have some details on switching from an Android phone to a Windows 8 Phone. So far that has actually been a little easier than I expected.

NaBloPoMo?

I usually try to participate in National Blog Post Month every November since I generally don’t have the time to do NaNoWriMo. I’m not entirely convinced I am up for NaBloPoMo this month either, but I’m cool with failure.

I’m typing this on my new tablet, a Microsoft Surface RT. The TouchCover allows me to actually use it to type for real. In general it feels like a more complete tablet to me. I can access diagnostics and do more of the things I missed being able to do on my rooted Nook Color,

mobile device combo

Admittedly, the limitations I feel with my Nook are very jess-specific and probably don’t bother many other people. But it’s nice to create and… play some Jetpack Joyride (available on iOS, Android, and various Windows).

VS 2010 & SSMS 2008 Job Activity Monitor

We recently got new development machines at work. 64-bit, Windows 7. We’re primarily a Windows shop. Most new development is in .NET and the databases are all various versions of SQL Server.

We recently did a big upgrade from SQL2000 to SQL2008, so we get to use the shiny new SQL Server 2008 Management Studio which does a whole lot of things that the SQL2k tools did not do well (though I still miss certain things and have all of the tools installed).

Well, Visual Studio 2010 just came out and since we were installing new software on our new development machines anyway, we decided we may as well bite the bullet, install it and convert our applications to VS2010. This went fairly well for me, though I know one of my teammates had to rewrite a lot of code for VS2010.

Except. There’s always an except, isn’t there?

For some reason, we are now getting an error when we try to launch the super-useful Job Activity Monitor in SQL Server Management Studio 2008. It was working prior to installing Visual Studio 2010. It is no longer working. When we attempt to launch it, it throws this error:

Cannot show requested dialog.

Additional Information:
Unable to execute requested command.
jobs (SqlManagerUI)

There are a couple of mentions of this error here and here.

I believe what happened is that VS2010 installs (either by default or we selected it) some SQL tools as part of its install. Those tools whack out the preexisting full version of SSMS either by replacing DLLs it uses or registry tweaks or something else.

In attempts to fix it, one of my teammates attempted to run a “repair” of SQL Server Management Studio 2008 which did not solve the problem. Then he uninstalled just the “Microsoft SQL Server 2008 (64 bit)” program through Add/Remove Programs and re-installed it… which also did not work.

I went through and uninstalled everything listed as “SQL Server 2008” in my programs including but not limited to: Microsoft SQL Server 2008 (64 bit), Microsoft SQL Server 2008 Books Online (English), Microsoft SQL Server 2008 Native Client, Microsoft SQL Server 2008 Policies, Microsoft SQL Server 2008 Setup Support Files (English), Microsoft SQL Server 2008 R2 Data-Tier Application Framework, Microsoft SQL Server 2008 R2 Data-Tier Application Project, Microsoft SQL Server 2008 R2 Management Objects, Microsoft SQL Server 2008 R2 Management Objects (x64), Microsoft SQL Server 2008 R2 Transact SQL Language Service, and Microsoft SQL Server 2008 Setup Support Files.

I rebooted (though it did not suggest I do so) and re-installed SQL Server 2008 completely. My job activity monitor was again functioning properly. So, install Visual Studio 2010 first, then install SSMS if you want to have a functional SSMS Job Activity Monitor.

[aside: I installed SQL Server 2008 SP1 afterward and the Job Activity Monitor still works.]

I have no idea if this is going to re-break when I install the next VS update or if this is all bad practice but it is working for me.

Ubuntu, Sonicwall, and OpenSwan – Final

I did get it to work and was able to use tsclient to connect to my Windows 7 development box in the office. Success! Now when my laptop finally dies I can replace it with something not running Windows and still work from it!

In the end, I fixed two of my own typos — one in the shared secret, one in the gateway for rightsubnet — and two configuration settings in my /etc/ipsec.conf.

Key Issues for me:


  • it seems SOME Sonicwalls require your leftid to be set to “@GroupVPN.” I know I have seen this in the Sonicwall Global VPN client (Windows) as well. I didn’t expect that to be an issue so this was a surprising fix to me.

  • the IKE DH Group is REALLY IMPORTANT. The examples all suggest just setting it to 3DES-SHA1. That did not work for my DH group 2. This post on ubuntuforums does note the Group 2 (and 5) settings for IKE.

Other potentially useful notes, some of which were problems for me and some that were not:


  • sudo ipsec auto --listall will show the Pre-Shared Keys defined (not the key itself, just the players+communications defined).

  • sudo ipsec auto --status may give you slightly more information about what’s going on.

  • after editing /etc/ipsec.conf, don’t forget to refresh the configuration: sudo ipsec auto --replace sonicwall

  • don’t forget to tab in the /etc/ipsec.conf settings for the connection.

  • Got your tunnel configured and connected but can’t do anything? Maybe you need to enable IP forwarding. Check to see if it’s already set up by either using sysctl (0 = disabled, 1 = enabled):
    sysctl net.ipv4.ip_forward
    or by checking /proc directly:
    cat /proc/sys/net/ipv4/ip_forward
    here’s how to fix it temporarily or permanently.

In the end, my final /etc/ipsec.conf looks something like this:

conn sonicwall
  type=tunnel
  left=192.168.XXX.XXX # my ubuntu machine IP
  leftid=@GroupVPN # this is REQUIRED to connect to our Sonicwall appliance
  leftxauthclient=yes
  right=XXX.XXX.XXX.XXX # IP of the Sonicwall
  rightsubnet=192.168.3.0/24 # the OFFICE subnet, not HOME like some documentation said
  rightxauthserver=yes
  rightid=@000123456789 # the Sonicwall appliance ID
  keyingtries=1
  pfs=no
  aggrmode=yes
  auto=add
  auth=esp
  esp=3DES-SHA1
  ike=3DES-SHA1-modp1024 # DH GROUP 2
  authby=secret # set up in /etc/ipsec.secrets
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/oe-exclude-dns.conf

Hooray! Also I would like to say that I am rather impressed with Ubuntu 10.04 after using it for a few hours working on this.
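
An added example (not part of the original post, and not Openswan code): a small Python check for the three configuration mistakes described above, namely a setting that is not indented under its conn, an ike= value that does not name the DH group, and a leftid/rightid pair with no matching PSK line in /etc/ipsec.secrets. The function names are hypothetical, the parsing is deliberately simplified, and the sample inputs are constructed, with a placeholder key.

```python
import re

def parse_conn(conf_text, name):
    """Return (settings, problems) for the 'conn <name>' section of an ipsec.conf."""
    settings, problems, inside = {}, [], False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        if line[0].isspace():                     # indented: belongs to current section
            if inside and "=" in line:
                key, value = line.strip().split("=", 1)
                settings[key.strip()] = value.strip()
        elif inside and "=" in line:              # key=value at column 0 inside our conn
            problems.append(f"line {lineno}: '{line}' is not indented")
        else:                                     # "conn x", "config setup", "include ..."
            inside = line.split()[:2] == ["conn", name]
    return settings, problems

def psk_id_sets(secrets_text):
    """ID sets that have a PSK line in ipsec.secrets; the key itself is not kept."""
    found = (re.match(r"([^:#]*):\s*PSK\s", ln) for ln in secrets_text.splitlines())
    return [set(m.group(1).split()) for m in found if m]

def lint(conf_text, secrets_text, name, dh_modp_bits):
    """Return a list of problems; an empty list means all three checks passed."""
    settings, problems = parse_conn(conf_text, name)
    ike = settings.get("ike", "(unset)")
    if f"modp{dh_modp_bits}" not in ike.lower():
        problems.append(f"ike={ike} does not name modp{dh_modp_bits}")
    ids = {settings.get("leftid"), settings.get("rightid")}
    if ids not in psk_id_sets(secrets_text):      # exact, case-sensitive match
        problems.append(f"no PSK entry for {sorted(map(str, ids))}")
    return problems

# Constructed samples; the key is a placeholder, the IDs are the ones shown in the post.
SECRETS = '@GroupVPN @000123456789 : PSK "not-a-real-key"\n'
BEFORE = "conn sonicwall\n  leftid=@home\n  rightid=@000123456789\n  ike=3DES-SHA1\npfs=no\n"
AFTER = ("conn sonicwall\n  leftid=@GroupVPN\n  rightid=@000123456789\n"
         "  ike=3DES-SHA1-modp1024 # DH GROUP 2\n  pfs=no\n")

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, lint(conf, SECRETS, "sonicwall", 1024) or "ok")
```
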

Ubuntu, Sonicwall, and OpenSwan Part 2

In the process of getting an Ubuntu 10.04 machine to connect to a Sonicwall appliance at my office (part 0), I followed documentation and ran into an error of “Informational Exchange message must be encrypted” (part 1).

I did a lot of searching on the error, but mostly came up with other people having the error and not finding a solution. I started tinkering with settings to see if I could get other error messages that might be more helpful.

First, I edited /etc/ipsec.conf to turn off aggressive mode:
aggrmode=no

This gave me a different error:
Possible authentication failure: no acceptable response to our first encrypted message

Ah ha! That led me to re-check my shared secret in /etc/ipsec.secrets where I found a typo. Then I re-checked /etc/ipsec.conf and concluded that I misunderstood the documentation and clearly the rightsubnet should be my OFFICE subnet, not my home subnet.

I refreshed my ipsec connection settings (sudo ipsec auto --replace sonicwall) and tried again.

A new error, it just hung here:
002 "sonicwall" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}

I searched around for this and happened across this post on ubuntuforums that indicated that the user had to set the leftid (local Ubuntu machine id) to @GroupVPN [and it's case-sensitive]. Odd, I thought, but I tried it, changing it in /etc/ipsec.conf and /etc/ipsec.secrets.

Sure enough, another new error!

003 "sonicwall" #1: next payload type of ISAKMP Hash Payload has an unknown value: 112
[note: this unknown value changed regularly, it was NOT always 112.]

At this point I got excited because I knew I was at least talking to the Sonicwall appliance and we were just having trouble understanding one another. I started focusing on key exchange/IKE and I happened to come across a few notes about IKE DH Group 5 requiring an edit to /etc/ipsec.conf to change the setting for ike to ike=3DES-SHA1-modp1536.

Me to self, “Hm. We’re DH2. That’s 1024 bits. Since Group 5 is 1536 bits and this says it should be set to 3DES-SHA1-modp1536, let me try setting ike=3DES-SHA1-modp1024.”

I updated and it seemed to connect but never asked me for my authentication information, it just hung here:
003 "sonicwall" #1: malformed payload in packet
002 "sonicwall" #1: sending notification PAYLOAD_MALFORMED to XXX.XXX.XXX.XXX:XXXX

I hrmed a bit more — so close! — and remembered that I still had aggressive mode off. I popped into /etc/ipsec.conf and turned it back on: aggrmode=yes

I updated the connection and tried to open it again:
xantha@moloko:~$ sudo ipsec auto --replace sonicwall
xantha@moloko:~$ sudo ipsec whack --name sonicwall --initiate

Success! It prompted me for a username and password, I supplied it, we were authenticated! (some parts redacted here)
041 "sonicwall" #1: sonicwall prompt for Username:
Name enter: USERID
040 "sonicwall" #1: sonicwall prompt for Password:
Enter secret:
002 "sonicwall" #1: XAUTH: Answering XAUTH challenge with user='USERID'
002 "sonicwall" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "sonicwall" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
003 "sonicwall" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
003 "sonicwall" #1: received and ignored informational message
002 "sonicwall" #1: XAUTH: Successfully Authenticated

Woo hoo!

[aside: some of the errors may have been due to things being repaired in the order I repaired them... hard to say. I just know what errors I got and what steps I took to resolve them. YMMV of course. ]

Ubuntu, Sonicwall, and OpenSwan Part 1

I am attempting to get OpenSwan on Ubuntu 10.04 to connect to a Sonicwall appliance at my Windows-centric office so I can work remotely from an Ubuntu-based laptop (read part 0).

I resurrected one of my old machines (20th anniversary shuttle), discovered the hard drive was shot, found an old 60GB IBM DeskStar EIDE hard drive lying around, popped it in, and installed Ubuntu 10.04, then installed OpenSwan a la
sudo apt-get install openswan

No issues with that install.

I edited /etc/ipsec.conf as specified by OpenSwan:

conn sonicwall
   type=tunnel
   left=XXX.XXX.XXX.XXX #my ubuntu machine IP
   leftid=@home
   leftxauthclient=yes
   right=xxx.xxx.xxx.xxx #IP address of my sonicwall router
   rightsubnet=192.168.X.0/24 #office subnet
   rightxauthserver=yes
   rightid=@sonicwall.unique.identifier #this ID is listed in the sonicwall admin interface
   keyingtries=0
   pfs=yes
   aggrmode=yes
   auto=add
   auth=esp
   esp=3DES-SHA1
   ike=3DES-SHA1
   authby=secret

Then I went into /etc/ipsec.secrets and added the secret code to it:
@home @sonicwall.unique.identifier : PSK "sooper.secret.shared.secret.key"

I started the connection up and opened it. Well, crappers:
xantha@moloko:~$ sudo ipsec setup --start
ipsec_setup: Starting Openswan IPsec U2.6.23/K2.6.32-22-generic-pae...
xantha@moloko:~$ sudo ipsec auto --replace sonicwall
xantha@moloko:~$ sudo ipsec whack --name sonicwall --initiate
003 "sonicwall" #1: multiple transforms were set in aggressive mode. Only first one used.
003 "sonicwall" #1: transform (5,2,2,0) ignored.
002 "sonicwall" #1: initiating Aggressive Mode #1, connection "sonicwall"
003 "sonicwall" #1: multiple transforms were set in aggressive mode. Only first one used.
003 "sonicwall" #1: transform (5,2,2,0) ignored.
112 "sonicwall" #1: STATE_AGGR_I1: initiate
003 "sonicwall" #1: Informational Exchange message must be encrypted
010 "sonicwall" #1: STATE_AGGR_I1: retransmission; will wait 20s for response
003 "sonicwall" #1: Informational Exchange message must be encrypted
010 "sonicwall" #1: STATE_AGGR_I1: retransmission; will wait 40s for response
003 "sonicwall" #1: Informational Exchange message must be encrypted
010 "sonicwall" #1: STATE_AGGR_I1: retransmission; will wait 40s for response
003 "sonicwall" #1: Informational Exchange message must be encrypted
010 "sonicwall" #1: STATE_AGGR_I1: retransmission; will wait 40s for response
003 "sonicwall" #1: Informational Exchange message must be encrypted
010 "sonicwall" #1: STATE_AGGR_I1: retransmission; will wait 40s for response

Informational Exchange message must be encrypted, huh. Whatever can that mean?

Ubuntu, Sonicwall, and OpenSwan, Part 0

I’ve worked for the same company since 2004. They are based in the DC area. When I moved back to Seattle in 2008, I became a remote employee and it works out fairly well (though I admit I miss being in the office sometimes!).

My laptop is 4+ years old now and starting to show signs of impending death. I’d like to replace it with a non-Windows, non-OS X laptop (be it some flavor of Linux or FreeBSD or whatever). I think this will help me work on some of my side code projects.

However, due to my remote employee status, I definitely need it to be able to connect to the office vpn and our Windows-based servers and my Windows-based development machine. Caveat: I do not want to use a VM for this.

So after some searching, I see a lot of people are using OpenSwan to connect to a Sonicwall appliance from Ubuntu (pelago, openswan, ghacks).

I am going to try it out.