Re: linux-ipsec: Info Web-Site and Pluto questions
From: Hugh Redelmeier <hugh(at)clio.trends.ca>
Date: Sun Feb 22 1998 - 11:34:10 EST
-----BEGIN PGP SIGNED MESSAGE-----
> guiding an upcoming article in a German computer magazine* about

Glad to hear this! Too bad I cannot read German.

> Now some questions on Pluto-0.7 to the developers (Hugh couldn't give

You just asked the wrong Hugh :-) I live in Canada, and my Pluto hasn't been exported from USA, so I may talk about it.

> I've downloaded the announced version 0.7; it compiles well and

The changes were made by me. I haven't tried using it with ipsec yet, so it shouldn't be surprising that there is a bug in the #ifdef JI code. On the other hand, I made only cosmetic changes, so any bug should be simple.

> What do the new parameters to "whack" mean (<local subnet> ...)?

I haven't changed whack in any interesting way (from 0.7-alpha). I certainly didn't change the parameters. The README explains the arguments to whack:

    Whichever port it uses, port + 1 is also used (temporarily) to receive
    requests to initiate ISAKMP exchanges. To do that, use the program whack:

        whack port+1 <remote IP address> <remote ISAKMP daemon port> <ip1> <ip2> <ip3> <ip4> [encrypt] [authenticate] [tunnel]

    Do not issue just tunnel, use it in conjunction with encrypt or
    authenticate. More work is needed in allowing for flexible policies.
    Right now, encrypt (or encrypt AND authenticate) will try to negotiate
    a DES-MD5 SA, and authenticate will try for an AH-SHA1 SA.

    If ip1 is zero (regardless of what the rest of ip? are), pluto will
    negotiate IPSEC SAs for the two hosts speaking pluto. If ip1 is
    non-zero, it is assumed that ip1/ip2 represent the address of the local
    subnet (and ip3/ip4 the address of the remote subnet) for which the two
    daemons are doing proxy SA establishment. This mode would typically be
    used in a firewall environment, where the two firewalls run pluto and
    establish SAs for the networks behind them. For example:

        NetA/NetMaskA <---> Fw1 <------- .... ------> Fw2 <---> NetB/NetMaskB

        Fw1_prompt> whack 501 Fw2 500 NetA NetMaskA NetB NetMaskB encrypt

    will tell Fw1 to start an exchange with Fw2 on behalf of the two
    subnets. Instead of subnets, hosts can be used (replace NetA with HostA
    and NetMaskA with 255.255.255.255, similarly for NetB/NetMaskB).

If you read the code, you will see that if ip1 is zero, whack acts as if ip1 is its host address, ip2 is 255.255.255.255, ip3 is its peer's address, and ip4 is 255.255.255.255. In other words, this is just a shortcut requesting an SA for the host to the peer.

I agree that this notation is crude; it will be improved.

> I

I don't understand your problem description. I am very interested in making this work, so I would like to know more. I hope to soon have ipsec up in-house so that I can test pluto vs ipsec.

> (The first time I encountered a strange effect: an IP-address in

Hmmm.

> Another thing (after a quick look at ipsec_doi.c I couldn't

I don't know of this bug report. Angelos can't work on this code because he is in the US. Bug reports are best sent to this list so that everyone knows about them. Even if they turn out not to be bugs, they might interest others.

> > The more serious problem is in ipsecdoi_handle_quick_i1(..); but it

I'll look at this. The "+ 7" isn't in my copy. Off the top of my head, I'd guess that 7 should be changed to blocksize-1 for the particular encryption function. It looks important.

> What are the next planned steps for Pluto?

Good question. Summary: we wish to make it useful and robust. You deserve a longer answer, but I've got to get to bed :-)

Thanks very much for your very useful comments. We appreciate users, especially ones who are willing to be pioneers.
Hugh Redelmeier
-----BEGIN PGP SIGNATURE-----
iQCVAwUBNOqc7cFAuQPManGZAQGlbQP/csBFvFuOmiL+Q0Jt2HsZDOwoAz2lGlSy
vxrC6cV8v5Exg9GjDWMNe0JmOEs6cHjG81KIDZNEGKX5vm62bga1umYq1C5NH/Qr
JJz4deGIPni8HCCyHP95M4acFc5YDqt72QNEJk/LwBtt5moYpPmUBRt9uXloqOkl
bKJTLzrA7aE=
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:27 EDT