
FreeS/WAN - isakmpd



Hi all,
Sorry for my bad English...! :(
I use an OpenBSD 3.2-stable (GENERIC) on i386.
I'm trying to set up a host-to-host VPN between my OpenBSD and Linux (Trustix Secure Linux
1.5 with kernel 2.4.18 and FreeS/WAN 1.99). I have tried many, many configurations...
but none of them works... For the test I have three machines and one hub: two OpenBSD (one to sniff packets)
and one Trustix. I've read the OpenBSD man and FAQ pages with attention.
I've read the "Interoperating" pages in the FreeS/WAN documentation and the config examples proposed there:
http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/interop.html#isakmpd.

I report below one of my many experiments...
Where are my errors? Could someone send me a good configuration? Thanks!

On Trustix:

- ipsec.conf
---------------

config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        plutowait=no
conn %default
        keyingtries=0
        spi=0x200

conn hate-test
        auto=start
        type=tunnel
        left=192.168.11.192
        right=192.168.11.127
        keyexchange=ike
        ikelifetime=1h
        keyingtries=5
        keylife=5m
        rekeymargin=4m
        rekeyfuzz=25%
        pfs=yes


- ipsec.secrets
-------------------

192.168.11.192 192.168.11.127: PSK "123456789012345"

on OpenBSD

- isakmpd.conf
--------------------

[General]
Policy-File=            /etc/isakmpd/isakmpd.policy
Retransmits=    5
Exchange-max-time= 120
Listen-on= 192.168.11.127
Check-interval= 1

[Phase 1]
192.168.11.192=         test

[Phase 2]
#Connections=           hate-test
Passive-connections=    hate-test

[test]
Phase=                  1
Transport=              udp
Local-address=          192.168.11.127
Address=                192.168.11.192
Configuration=          main-mode
Authentication=         123456789012345

[hate-test]
Phase=                  2
ISAKMP-peer=            test
Configuration=          Default-quick-mode
Local-ID=               Net-hate
Remote-ID=              Net-test

[Net-test]
ID-type=                IPV4_ADDR
Address=                192.168.11.192
Netmask=                255.255.255.255

[Net-hate]
ID-type=                IPV4_ADDR
Address=                192.168.11.127
Netmask=                255.255.255.255

# Certificates stored in PEM format
[X509-certificates]
CA-directory=           /etc/isakmpd/ca/
Cert-directory=         /etc/isakmpd/certs/
Private-key=            /etc/isakmpd/private/local.key

# Main mode transforms
########################
# 3DES
[3DES-SHA]
ENCRYPTION_ALGORITHM=   3DES_CBC 
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_180_SECS

[3DES-MD5]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         MD5
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_180_SECS


# Quick mode description
########################

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-3DES-MD5-PFS-SUITE


# Quick mode protection suites
##############################
# 3DES

[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols=              QM-ESP-3DES-SHA-PFS

[QM-ESP-3DES-MD5-PFS-SUITE]
Protocols=              QM-ESP-3DES-MD5-PFS

[QM-ESP-3DES-SHA-SUITE]
Protocols=              QM-ESP-3DES-SHA

[QM-ESP-3DES-MD5-SUITE]
Protocols=              QM-ESP-3DES-MD5

# Quick mode protocols
#############################
# 3DES

[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-SHA-PFS-XF

[QM-ESP-3DES-SHA]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-SHA-XF

[QM-ESP-3DES-MD5-PFS]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-MD5-PFS-XF

[QM-ESP-3DES-MD5]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-MD5-XF

# Quick mode transforms
#############################
# 3DES

[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID=                   3DES
ENCAPSULATION_MODE=             TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_SHA
GROUP_DESCRIPTION=              MODP_1024
Life=                           LIFE_3600_SECS

[QM-ESP-3DES-SHA-XF]
TRANSFORM_ID=                   3DES
ENCAPSULATION_MODE=             TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_SHA
GROUP_DESCRIPTION=              MODP_1024
Life=                           LIFE_3600_SECS

[QM-ESP-3DES-MD5-PFS-XF]
TRANSFORM_ID=                   3DES
ENCAPSULATION_MODE=             TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_MD5
GROUP_DESCRIPTION=              MODP_1024
Life=                           LIFE_3600_SECS

[QM-ESP-3DES-MD5-XF]
TRANSFORM_ID=                   3DES
ENCAPSULATION_MODE=             TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_MD5
GROUP_DESCRIPTION=              MODP_1024
Life=                           LIFE_3600_SECS

[LIFE_8_HOURS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          28800,25200:32400

[LIFE_1_DAY]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          86400,79200:93600

[LIFE_180_SECS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          180,120:240

[LIFE_3600_SECS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          3600,1800:7200


- isakmpd.policy
-----------------------

KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:123456789012345"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            initiator == "yes" &&
            esp_enc_alg != "null" &&
            ah_enc_alg != "null" &&
            phase_1 == "main" -> "true";


I have no log errors.... but the traffic isn't encrypted... :(

   tia, 
 
         goony
-- 
KeyID: 1024D/1CDA1B3D
Fingerprint: CDF5 5246 D424 CF61 0330  A516 93F9 4D38 1CDA 1B3D
GnuPG PubKey: http://www.OpenBEER.it/keys/goony.gpg
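A small consistency check for the isakmpd.conf format shown in the post, added here as an example (not part of the original message and not isakmpd's own code): it parses the section/key layout and reports values that name a section which does not exist, plus upper-case attribute names that are not ones isakmpd uses. The input is a constructed excerpt shaped like the posted isakmpd.conf, with two deliberate defects for the check to find; REF_KEYS and ATTR_KEYS are assumptions drawn from the keys appearing on this page, not an exhaustive list.

```python
import configparser
import difflib
# Constructed isakmpd.conf excerpt shaped like the one posted above, with two defects
# on purpose: Phase 1 names a [main-mode] section that is never defined, and one
# transform attribute is misspelled.
SAMPLE_CONF = """\
[Phase 1]
192.168.11.192= test
[Phase 2]
Passive-connections= hate-test
[test]
Configuration= main-mode
[hate-test]
ISAKMP-peer= test
Configuration= Default-quick-mode
[Default-quick-mode]
Suites= QM-ESP-3DES-SHA-PFS-SUITE
[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols= QM-ESP-3DES-SHA-PFS
[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-SHA-PFS-XF
[QM-ESP-3DES-SHA-PFS-XF]
AUTHENTICAION_ALGORITHM= HMAC_SHA
Life= LIFE_3600_SECS
[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,1800:7200
"""
# Keys whose values name other sections (assumed set, taken from the posted config).
REF_KEYS = {"ISAKMP-peer", "Configuration", "Local-ID", "Remote-ID", "Life",
            "Suites", "Protocols", "Transforms", "Connections", "Passive-connections"}
# Attribute names used in the posted config (assumed set, not exhaustive).
ATTR_KEYS = {"ENCRYPTION_ALGORITHM", "HASH_ALGORITHM", "AUTHENTICATION_METHOD",
             "GROUP_DESCRIPTION", "TRANSFORM_ID", "ENCAPSULATION_MODE", "DOI",
             "AUTHENTICATION_ALGORITHM", "PROTOCOL_ID", "LIFE_TYPE", "LIFE_DURATION", "EXCHANGE_TYPE"}
def check_isakmpd_conf(text):
    """Return sorted problems: dangling section references and misspelled attributes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # isakmpd keys are case-sensitive; keep them as written
    cp.read_string(text)
    problems = []
    for sect in cp.sections():
        for key, val in cp.items(sect):
            if key in REF_KEYS or sect == "Phase 1":  # value(s) must name a section
                for name in (n.strip() for n in val.split(",")):
                    if not cp.has_section(name):
                        problems.append(f"[{sect}] {key} -> missing section [{name}]")
            elif key.isupper() and key not in ATTR_KEYS:
                hint = difflib.get_close_matches(key, ATTR_KEYS, n=1)
                problems.append(f"[{sect}] unknown attribute {key}" + (f", did you mean {hint[0]}?" if hint else ""))
    return sorted(problems)
```

Running it on a real /etc/isakmpd/isakmpd.conf is a quick way to catch a dangling Configuration or Life reference before isakmpd silently fails to negotiate.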