
Re: FreeS/WAN - isakmpd



....
......
.........
> The above should have generated warnings and errors. Please check your
> setup again.

Ok, thanks for your help. This is my setting now on the OpenBSD machine:

isakmpd.conf
------------------

[General]
Policy-File=            /etc/isakmpd/isakmpd.policy
Retransmits=    5
Exchange-max-time= 120
Listen-on= 192.168.11.127
Check-interval= 30

[Phase 1]
192.168.11.192=         test

[Phase 2]
#Connections=           hate-test
#Passive-connections=    hate-test

[test]
Phase=                  1
Transport=              udp
Local-address=          192.168.11.127
Address=                192.168.11.192
Configuration=          main-mode
Authentication=         123456789012345

[hate-test]
Phase=                  2
ISAKMP-peer=            test
Configuration=          Default-quick-mode
Local-ID=               Net-hate
Remote-ID=              Net-test

[Net-test]
ID-type=                IPV4_ADDR
Address=                192.168.11.192
Netmask=                255.255.255.255

[Net-hate]
ID-type=                IPV4_ADDR
Address=                192.168.11.127
Netmask=                255.255.255.255

# Certificates stored in PEM format
[X509-certificates]
CA-directory=           /etc/isakmpd/ca/
Cert-directory=         /etc/isakmpd/certs/
Private-key=            /etc/isakmpd/private/local.key

# 3DES
[3DES-SHA]
Life=                   LIFE_180_SECS

[main-mode]
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

and my isakmpd.policy
-------------------------------
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
        $OpenBSD: policy,v 1.6 2001/06/20 16:36:19 angelos Exp $
        $EOM: policy,v 1.6 2000/10/09 22:08:30 angelos Exp $
Authorizer: "POLICY"
Licensees: "passphrase:123456789012345"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" &&
            esp_auth_alg == "hmac-sha" -> "true";

after running everything with /sbin/isakmpd -d -DA=99:

...
.....
.......
152245.201274 Misc 95 conf_set: [QM-AH-TRP-AES-RIPEMD-PFS-XF]:GROUP_DESCRIPTION->MODP_1024
152245.201303 Misc 95 conf_get_str: configuration value not found [QM-AH-TRP-AES-RIPEMD-PFS-XF]:Life
152245.201329 Misc 95 conf_set: [QM-AH-TRP-AES-RIPEMD-PFS-XF]:Life->LIFE_QUICK_MODE
152245.201367 Misc 95 conf_get_str: configuration value not found [Phase 2]:Connections
152245.201393 Misc 95 conf_get_str: configuration value not found [Phase 2]:Passive-Connections
152245.201441 Plcy 30 policy_init: initializing
152245.201472 Misc 95 conf_get_str: [General]:Policy-file->/etc/isakmpd/isakmpd.policy
152245.201671 Misc 95 conf_get_str: [X509-certificates]:CA-directory->/etc/isakmpd/ca/
152245.201718 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/ca/
152245.201794 Cryp 60 x509_read_from_dir: reading certificate ca.crt
152245.203293 Cryp 60 x509_read_from_dir: reading certificate 192.168.11.127.crt
152245.203690 Misc 95 conf_get_str: [X509-certificates]:Cert-directory->/etc/isakmpd/certs/
152245.203721 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/certs/
152245.204163 Cryp 60 x509_read_from_dir: reading certificate 192.168.11.127.crt
152245.204603 Cryp 70 x509_hash_enter: cert 0x116780 added to bucket 8
152245.204631 Cryp 70 x509_hash_enter: cert 0x116780 added to bucket 41
152245.204675 Misc 95 conf_get_str: [X509-certificates]:CRL-directory->/etc/isakmpd/crls/
152245.204699 Cryp 40 x509_read_crls_from_dir: reading CRLs from /etc/isakmpd/crls/
152245.204921 Misc 95 conf_get_str: [General]:Listen-on->192.168.11.127
152245.205001 Misc 95 conf_get_str: [General]:Listen-on->192.168.11.127
152245.205058 Misc 95 conf_get_str: [General]:Listen-on->192.168.11.127
152245.205115 Misc 95 conf_get_str: [General]:Listen-on->192.168.11.127
152245.205171 Misc 95 conf_get_str: [General]:Listen-on->192.168.11.127
152245.206235 Trpt 70 transport_add: adding 0x19dfc0
152245.206262 Trpt 95 transport_reference: transport 0x19dfc0 now has 1 references
152245.206307 Trpt 70 transport_add: adding 0x117280
152245.206332 Trpt 95 transport_reference: transport 0x117280 now has 1 references
152245.206378 Trpt 70 transport_add: adding 0x1172c0
152245.206403 Trpt 95 transport_reference: transport 0x1172c0 now has 1 references

and if I ping between the two hosts, this is the tcpdump output on a third machine... it's in the clear... :((
16:16:23.018913 hate.intranet > 192.168.11.192: icmp: echo request
16:16:23.019041 192.168.11.192 > hate.intranet: icmp: echo reply
16:16:24.025702 hate.intranet > 192.168.11.192: icmp: echo request
16:16:24.025790 192.168.11.192 > hate.intranet: icmp: echo reply

  tia, 
	goony

-- 
KeyID: 1024D/1CDA1B3D
Fingerprint: CDF5 5246 D424 CF61 0330  A516 93F9 4D38 1CDA 1B3D
GnuPG PubKey: http://www.OpenBEER.it/keys/goony.gpg
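An added checker (not from the poster or the isakmpd project) that parses an isakmpd.conf of the shape posted above and reports the reference gaps a peer should verify before chasing the tunnel on the wire: a [Phase 2] section with neither Connections nor Passive-connections (the "configuration value not found" lines in the debug log), and Phase 2 connection sections whose ISAKMP-peer, Local-ID or Remote-ID name a section that does not exist. The embedded config is a constructed, cut-down copy of the posted one, with [Net-hate] deliberately left out.

```python
import re
# Constructed sample: cut-down isakmpd.conf from the post, Connections commented out as posted.
SAMPLE_CONF = """\
[Phase 1]
192.168.11.192= test
[Phase 2]
#Connections= hate-test
[test]
Phase= 1
[hate-test]
Phase= 2
ISAKMP-peer= test
Local-ID= Net-hate
Remote-ID= Net-test
[Net-test]
"""

def parse_conf(text):
    """INI-like isakmpd.conf: [Section] headers, Tag= value, '#' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            tag, value = line.split("=", 1)
            sections[current][tag.strip().lower()] = value.strip()
    return sections

def check_conf(sections):
    """Report reference problems that leave no Phase 2 SA configured."""
    problems = []
    p2 = sections.get("Phase 2", {})
    listed = [n.strip() for tag in ("connections", "passive-connections")
              for n in p2.get(tag, "").split(",") if n.strip()]
    if not listed:   # the 'configuration value not found [Phase 2]:...' case
        problems.append("[Phase 2] has no Connections or Passive-connections")
    for name, sec in sections.items():
        if sec.get("phase") != "2":
            continue
        if name not in listed:
            problems.append(f"[{name}] is Phase 2 but not listed in [Phase 2]")
        for ref in ("isakmp-peer", "local-id", "remote-id"):
            target = sec.get(ref)
            if target and target not in sections:
                problems.append(f"[{name}] {ref} -> missing section [{target}]")
    return problems
```

Run it against the real /etc/isakmpd/isakmpd.conf by passing the file contents to parse_conf; an empty list from check_conf means the connection wiring is at least internally consistent.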