
ISAKMPD configuration problem



Hello,

I've cooked up a textbook configuration between two of my machines
that works insofar as netstat displays the "right" routes. No traffic
passes through, though, and the logs also show that some parameters
are still wrong. All my testing is between two 3.0-stable boxen on my
private test bed.

What I could not solve so far is the special required configuration
someone asked me to do (in short: behave like w2k):

a - use compression
b - use 3DES
c - use MD5
d - use PFS
e - use DH group 2
f - and MODP_1024

So far my understanding is that (e) and (f) are the same, and that
having any DH group (1 or 2) implies (d). The man page is not as
clear as possible about combining (c) and (f), although it suggests
that this can be configured if one strays from the default suites
defined. As to where I could enable (which?) compression, I didn't
find any references to it other than in isakmpd.policy(5). So there
appears to be no way to suggest or disable compression in one's own
configuration file when initiating a connection, but only a way to
reject connections that offer some compression (not between two OBSD
boxen, then).

Don't know if/how any of this can be applied to phase 1,
though :(

After reading some archives and example configurations and stumbling
across Hakan's very useful debugging tips, I arrived at this:

/etc/isakmpd/isakmpd.policy:

-------
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" && pfs == "yes" &&
            esp_present == "yes" && ah_present == "no" &&
            esp_enc_alg == "3des" -> "true";
-------


Looking into the logged packets from isakmpd, I see
"GROUP_DESCRIPTION: 1" instead of the desired "GROUP_DESCRIPTION: 2".


The portion in my isakmpd.conf where I tried to switch on DH group 2
looks like this:


[Default-quick-mode]
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-MD5-PFS-SUITE

[Default-main-mode]
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-MD5

[QM-ESP-3DES-MD5-PFS-SUITE]
GROUP_DESCRIPTION=      MODP_1024

[3DES-MD5]
GROUP_DESCRIPTION=      MODP_1024



Any hints, corrections etc are welcome!


Best,
--Toni++
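As an added example (not part of the original post), here is a complete isakmpd.conf for requirements (b) through (f) laid out the way isakmpd.conf(5) structures it: a Quick Mode configuration names a suite, the suite names a protocol, the protocol names a transform, and GROUP_DESCRIPTION is a key of the transform sections (the Main Mode transform and the Quick Mode *-XF transform), not of the suite. Setting MODP_1024 (DH group 2) in both transform sections is what makes the logged proposal show GROUP_DESCRIPTION: 2 for both phases. Peer names, addresses, subnets and the pre-shared key are placeholders chosen for the example; compression (a) is deliberately not shown here.

```ini
# Example isakmpd.conf (added illustration, not the poster's file).
# Addresses, names and the pre-shared key below are placeholders.

[Phase 1]
192.0.2.2=              peer-b

[Phase 2]
Connections=            conn-a-b

# Phase 1 peer: Main Mode (ID_PROT) with a pre-shared key.
[peer-b]
Phase=                  1
Transport=              udp
Local-address=          192.0.2.1
Address=                192.0.2.2
Configuration=          Default-main-mode
Authentication=         placeholder-pre-shared-key

# Phase 2 connection between two placeholder subnets.
[conn-a-b]
Phase=                  2
ISAKMP-peer=            peer-b
Configuration=          Default-quick-mode
Local-ID=               net-a
Remote-ID=              net-b

[net-a]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.1.0.0
Netmask=                255.255.0.0

[net-b]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.2.0.0
Netmask=                255.255.0.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-MD5

# Main Mode transform: 3DES, MD5, DH group 2 (MODP_1024).
# GROUP_DESCRIPTION lives here, in the transform section.
[3DES-MD5]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         MD5
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_MAIN_MODE

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-MD5-PFS-SUITE

# Suite -> protocol -> transform chain for Quick Mode.
[QM-ESP-3DES-MD5-PFS-SUITE]
Protocols=              QM-ESP-3DES-MD5-PFS

[QM-ESP-3DES-MD5-PFS]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-MD5-PFS-XF

# Quick Mode transform: ESP 3DES, HMAC-MD5, tunnel mode, and PFS with
# DH group 2. Again GROUP_DESCRIPTION belongs in the transform section.
[QM-ESP-3DES-MD5-PFS-XF]
TRANSFORM_ID=           3DES
ENCAPSULATION_MODE=     TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_QUICK_MODE

[LIFE_MAIN_MODE]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          3600,60:86400

[LIFE_QUICK_MODE]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          1200,60:3600
```

After installing this on both ends (with the addresses and key swapped appropriately), the proposals isakmpd logs at debug level should carry GROUP_DESCRIPTION: 2 in both the Main Mode SA payload and the Quick Mode SA payload, which is the check that separates a phase 1 group problem from a phase 2 (PFS) group problem. The posted isakmpd.policy, which requires pfs == "yes" and esp_enc_alg == "3des", accepts the ESP proposal this file generates.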


