Re: FreeS/WAN - isakmpd
What Hakan Olsson wrote is good stuff, but I think I can add a little
something, having just set up OpenBSD and FreeS/WAN together in the last
two days (for the second time).
First of all, if you can get us a tcpdump trace, that would help a
whole lot. Then we would at least know if it's breaking down in phase 1
or phase 2, and we might be able to glean even more information than that.
Second, the point about initiator=="yes" in isakmpd.policy is
important. In the configuration you sent, OpenBSD is NOT the initiator.
Third, get rid of the ah_enc_alg!="null". The parameter is ah_hash_alg,
and you aren't even using AH, so this policy will always fail.
Along the piddling little things to try line, try getting rid of the
conn %default section to see if that helps. Additionally, get rid of the
Netmask=255.255.255.255 entries in isakmpd.conf, as they're unnecessary.
Neither should make a difference, but...
If that doesn't fix it, come back and give us more information.
-&
goony wrote:
> Hi all,
> sorry for my bad English...! :(
> I use OpenBSD 3.2-stable (GENERIC) on i386.
> I'm trying to set up a host-to-host VPN between my OpenBSD and Linux (Trustix Secure Linux
> 1.5 with kernel 2.4.18 and FreeS/WAN 1.99). I have tried many, many configurations...
> but none work... For the test I have three machines and one hub: two OpenBSD (one to sniff packets)
> and one Trustix. I've read the OpenBSD man and FAQ pages with attention.
> I've read the "Interoperating" pages in the FreeS/WAN documentation and the config examples proposed there:
> http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/interop.html#isakmpd.
>
> I report below one of my many experiments...
> Where are my errors? Could someone send me a good configuration? Thanks!
>
> On Trustix:
>
> - ipsec.conf
> ---------------
>
> config setup
> interfaces="ipsec0=eth0"
> klipsdebug=none
> plutodebug=none
> plutoload=%search
> plutostart=%search
> plutowait=no
> conn %default
> keyingtries=0
> spi=0x200
>
> conn hate-test
> auto=start
> type=tunnel
> left=192.168.11.192
> right=192.168.11.127
> keyexchange=ike
> ikelifetime=1h
> keyingtries=5
> keylife=5m
> rekeymargin=4m
> rekeyfuzz=25%
> pfs=yes
>
>
> - ipsec.secrets
> -------------------
>
> 192.168.11.192 192.168.11.127: PSK "123456789012345"
>
> on OpenBSD
>
> - isakmpd.conf
> --------------------
>
> [General]
> Policy-File= /etc/isakmpd/isakmpd.policy
> Retransmits= 5
> Exchange-max-time= 120
> Listen-on= 192.168.11.127
> Check-interval= 1
>
> [Phase 1]
> 192.168.11.192= test
>
> [Phase 2]
> #Connections= hate-test
> Passive-connections= hate-test
>
> [test]
> Phase= 1
> Transport= udp
> Local-address= 192.168.11.127
> Address= 192.168.11.192
> Configuration= main-mode
> Authentication= 123456789012345
>
> [hate-test]
> Phase= 2
> ISAKMP-peer= test
> Configuration= Default-quick-mode
> Local-ID= Net-hate
> Remote-ID= Net-test
>
> [Net-test]
> ID-type= IPV4_ADDR
> Address= 192.168.11.192
> Netmask= 255.255.255.255
>
> [Net-hate]
> ID-type= IPV4_ADDR
> Address= 192.168.11.127
> Netmask= 255.255.255.255
>
> # Certificates stored in PEM format
> [X509-certificates]
> CA-directory= /etc/isakmpd/ca/
> Cert-directory= /etc/isakmpd/certs/
> Private-key= /etc/isakmpd/private/local.key
>
> # Main mode transforms
> ########################
> # 3DES
> [3DES-SHA]
> ENCRYPTION_ALGORITHM= 3DES_CBC
> HASH_ALGORITHM= SHA
> AUTHENTICATION_METHOD= PRE_SHARED
> GROUP_DESCRIPTION= MODP_1024
> Life= LIFE_180_SECS
>
> [3DES-MD5]
> ENCRYPTION_ALGORITHM= 3DES_CBC
> HASH_ALGORITHM= MD5
> AUTHENTICATION_METHOD= PRE_SHARED
> GROUP_DESCRIPTION= MODP_1024
> Life= LIFE_180_SECS
>
>
> # Quick mode description
> ########################
>
> [Default-quick-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-3DES-MD5-PFS-SUITE
>
>
> # Quick mode protection suites
> ##############################
> # 3DES
>
> [QM-ESP-3DES-SHA-PFS-SUITE]
> Protocols= QM-ESP-3DES-SHA-PFS
>
> [QM-ESP-3DES-MD5-PFS-SUITE]
> Protocols= QM-ESP-3DES-MD5-PFS
>
> [QM-ESP-3DES-SHA-SUITE]
> Protocols= QM-ESP-3DES-SHA
>
> [QM-ESP-3DES-MD5-SUITE]
> Protocols= QM-ESP-3DES-MD5
>
> # Quick mode protocols
> #############################
> # 3DES
>
> [QM-ESP-3DES-SHA-PFS]
> PROTOCOL_ID= IPSEC_ESP
> Transforms= QM-ESP-3DES-SHA-PFS-XF
>
> [QM-ESP-3DES-SHA]
> PROTOCOL_ID= IPSEC_ESP
> Transforms= QM-ESP-3DES-SHA-XF
>
> [QM-ESP-3DES-MD5-PFS]
> PROTOCOL_ID= IPSEC_ESP
> Transforms= QM-ESP-3DES-MD5-PFS-XF
>
> [QM-ESP-3DES-MD5]
> PROTOCOL_ID= IPSEC_ESP
> Transforms= QM-ESP-3DES-MD5-XF
>
> # Quick mode transforms
> #############################
> # 3DES
>
> [QM-ESP-3DES-SHA-PFS-XF]
> TRANSFORM_ID= 3DES
> ENCAPSULATION_MODE= TUNNEL
> AUTHENTICATION_ALGORITHM= HMAC_SHA
> GROUP_DESCRIPTION= MODP_1024
> Life= LIFE_3600_SECS
>
> [QM-ESP-3DES-SHA-XF]
> TRANSFORM_ID= 3DES
> ENCAPSULATION_MODE= TUNNEL
> AUTHENTICATION_ALGORITHM= HMAC_SHA
> GROUP_DESCRIPTION= MODP_1024
> Life= LIFE_3600_SECS
>
> [QM-ESP-3DES-MD5-PFS-XF]
> TRANSFORM_ID= 3DES
> ENCAPSULATION_MODE= TUNNEL
> AUTHENTICATION_ALGORITHM= HMAC_MD5
> GROUP_DESCRIPTION= MODP_1024
> Life= LIFE_3600_SECS
>
> [QM-ESP-3DES-MD5-XF]
> TRANSFORM_ID= 3DES
> ENCAPSULATION_MODE= TUNNEL
> AUTHENTICAION_ALGORITHM= HMAC_MD5
> GROUP_DESCRIPTION= MODP_1024
> Life= LIFE_3600_SECS
>
> [LIFE_8_HOURS]
> LIFE_TYPE= SECONDS
> LIFE_DURATION= 28800,25200:32400
>
> [LIFE_1_DAY]
> LIFE_TYPE= SECONDS
> LIFE_DURATION= 86400,79200:93600
>
> [LIFE_180_SECS]
> LIFE_TYPE= SECONDS
> LIFE_DURATION= 180,120:240
>
> [LIFE_3600_SECS]
> LIFE_TYPE= SECONDS
> LIFE_DURATION= 3600,1800:7200
>
>
> - isakmpd.policy
> -----------------------
>
> KeyNote-Version: 2
> Comment: This policy accepts ESP SAs from a remote that uses the right password
> Authorizer: "POLICY"
> Licensees: "passphrase:123456789012345"
> Conditions: app_domain == "IPsec policy" &&
> esp_present == "yes" &&
> initiator == "yes" &&
> esp_enc_alg != "null" &&
> ah_enc_alg != "null" &&
> phase_1 == "main" -> "true";
>
>
> I have no log errors.... but the traffic isn't encrypted... :(
>
> tia,
>
> goony
--
GPG key / Schlüssel -- http://simultan.dyndns.org/~arjones/gpgkey.txt
Encrypt everything. / Alles verschlüsseln.
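Added example (not from either poster): a small Python linter for the two kinds of mistake this thread turns on. It follows isakmpd.conf from the [Phase 2] connection lists through Configuration, Suites, Protocols and Transforms, reporting dangling references and transform keys outside an assumed-valid list (the quoted [QM-ESP-3DES-MD5-XF] section spells its key AUTHENTICAION_ALGORITHM, which the reply does not mention), and it flags policy attributes outside an assumed list plus an initiator == "yes" condition when the conn appears only under Passive-connections. The valid-name sets and the trimmed sample config are constructed for this example.

```python
import re
# Constructed sample: a trimmed copy of the quoted isakmpd.conf/policy, defects kept on purpose.
SAMPLE_CONF = """\
[Phase 2]
Passive-connections= hate-test
[hate-test]
Configuration= Default-quick-mode
[Default-quick-mode]
Suites= QM-ESP-3DES-MD5-SUITE
[QM-ESP-3DES-MD5-SUITE]
Protocols= QM-ESP-3DES-MD5
[QM-ESP-3DES-MD5]
Transforms= QM-ESP-3DES-MD5-XF
[QM-ESP-3DES-MD5-XF]
AUTHENTICAION_ALGORITHM= HMAC_MD5
"""
SAMPLE_POLICY = 'Conditions: app_domain == "IPsec policy" && initiator == "yes" && ah_enc_alg != "null" -> "true";'
# Assumed-valid names (partial lists written for this example; extend them from the man pages).
XF_KEYS = {"TRANSFORM_ID", "ENCAPSULATION_MODE", "AUTHENTICATION_ALGORITHM", "GROUP_DESCRIPTION", "Life"}
POLICY_ATTRS = {"app_domain", "esp_present", "ah_present", "esp_enc_alg", "esp_auth_alg",
                "ah_auth_alg", "initiator", "phase_1", "pfs"}
HOPS = ["Configuration", "Suites", "Protocols", "Transforms"]  # key that names the next section

def parse_conf(text):  # isakmpd.conf is INI-like: '[Section]' headers, then 'Key= value' lines
    sections, cur = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments such as '#Connections= ...'
        if line.startswith("["):
            cur = line.strip("[]"); sections[cur] = {}
        elif line:
            key, _, val = line.partition("="); sections[cur][key.strip()] = val.strip()
    return sections

def lint(conf_text, policy_text):
    s, problems = parse_conf(conf_text), []
    p2 = s.get("Phase 2", {})
    todo = [(c.strip(), 0) for k in ("Connections", "Passive-connections") for c in p2.get(k, "").split(",") if c.strip()]
    while todo:  # connection -> Configuration -> Suites -> Protocols -> Transforms
        sec, depth = todo.pop()
        if sec not in s:
            problems.append(f"missing section [{sec}]")
        elif depth == len(HOPS):  # reached a transform section: validate its key names
            problems += [f"[{sec}]: unknown key {k}" for k in s[sec] if k not in XF_KEYS]
        else:
            todo += [(n.strip(), depth + 1) for n in s[sec].get(HOPS[depth], "").split(",") if n.strip()]
    # Only known attributes may be tested, and initiator == "yes" needs an active Connections= entry.
    tested = set(re.findall(r"\b([a-z][a-z0-9_]*)\s*[!=]=", policy_text))
    problems += [f"policy: unknown attribute {a}" for a in sorted(tested - POLICY_ATTRS)]
    if 'initiator == "yes"' in policy_text and not p2.get("Connections"):
        problems.append("policy requires initiator, but [Phase 2] has no active Connections=")
    return problems
```

Run against the real files by reading them in place of the sample strings; an empty list means the reference chain, key names and policy role all agree.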