
FreeS/WAN - isakmpd

From: goony <goony(at)inwind.it>
Date: Fri Dec 06 2002 - 04:01:45 EST


Hi all,
sorry for my bad English...! :(
I use OpenBSD 3.2-stable (GENERIC) on i386. I'm trying to set up a host-to-host VPN between my OpenBSD and Linux (Trustix Secure Linux 1.5 with kernel 2.4.18 and FreeS/WAN 1.99). I have used many, many configurations... but none run... For the test I have three machines and one hub: two OpenBSD (one to sniff packets) and one Trustix. I've read the OpenBSD man and FAQ pages with attention. I've read the "Interoperating" pages in the FreeS/WAN documentation and the config examples proposed there.
http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/interop.html#isakmpd.

I report below one of my many experiments... Where are my errors? Could someone send me a good configuration? Thanks!

On Trustix:

  • ipsec.conf

config setup

        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        plutowait=no
conn %default
        keyingtries=0
        spi=0x200

conn hate-test
        auto=start
        type=tunnel
        left=192.168.11.192
        right=192.168.11.127
        keyexchange=ike
        ikelifetime=1h
        keyingtries=5
        keylife=5m
        rekeymargin=4m
        rekeyfuzz=25%
        pfs=yes
  • ipsec.secrets

192.168.11.192 192.168.11.127: PSK "123456789012345"

On OpenBSD:

  • isakmpd.conf

[General]

Policy-File=            /etc/isakmpd/isakmpd.policy
Retransmits=            5
Exchange-max-time=      120
Listen-on=              192.168.11.127
Check-interval=         1

[Phase 1]

192.168.11.192= test

[Phase 2]

#Connections= hate-test
Passive-connections= hate-test


[test]

Phase=                  1
Transport=              udp
Local-address=          192.168.11.127
Address=                192.168.11.192
Configuration=          main-mode
Authentication=         123456789012345

[hate-test]

Phase=                  2
ISAKMP-peer=            test
Configuration=          Default-quick-mode
Local-ID=               Net-hate
Remote-ID=              Net-test

[Net-test]

ID-type=                IPV4_ADDR
Address=                192.168.11.192
Netmask=                255.255.255.255

[Net-hate]

ID-type=                IPV4_ADDR
Address=                192.168.11.127
Netmask=                255.255.255.255

# Certificates stored in PEM format
[X509-certificates]

CA-directory=           /etc/isakmpd/ca/
Cert-directory=         /etc/isakmpd/certs/
Private-key=            /etc/isakmpd/private/local.key

# Main mode transforms
########################
# 3DES
[3DES-SHA]

ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_180_SECS

[3DES-MD5]

ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED

GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_180_SECS

# Quick mode description
########################

[Default-quick-mode]

DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-3DES-MD5-PFS-SUITE

# Quick mode protection suites
##############################

# 3DES
[QM-ESP-3DES-SHA-PFS-SUITE]

Protocols= QM-ESP-3DES-SHA-PFS

[QM-ESP-3DES-MD5-PFS-SUITE]
Protocols= QM-ESP-3DES-MD5-PFS

[QM-ESP-3DES-SHA-SUITE]
Protocols= QM-ESP-3DES-SHA

[QM-ESP-3DES-MD5-SUITE]
Protocols= QM-ESP-3DES-MD5

# Quick mode protocols
#############################
# 3DES

[QM-ESP-3DES-SHA-PFS]

PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-SHA-PFS-XF

[QM-ESP-3DES-SHA]

PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-SHA-XF

[QM-ESP-3DES-MD5-PFS]

PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-MD5-PFS-XF

[QM-ESP-3DES-MD5]

PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-MD5-XF

# Quick mode transforms
#############################

# 3DES
[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID=                   3DES
ENCAPSULATION_MODE=             TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_SHA
GROUP_DESCRIPTION=              MODP_1024
Life=                           LIFE_3600_SECS

[QM-ESP-3DES-SHA-XF]

TRANSFORM_ID=                   3DES
ENCAPSULATION_MODE=             TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_SHA
GROUP_DESCRIPTION=              MODP_1024
Life=                           LIFE_3600_SECS

[QM-ESP-3DES-MD5-PFS-XF]

TRANSFORM_ID=                   3DES
ENCAPSULATION_MODE=             TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_MD5
GROUP_DESCRIPTION=              MODP_1024
Life=                           LIFE_3600_SECS

[QM-ESP-3DES-MD5-XF]

TRANSFORM_ID=                   3DES
ENCAPSULATION_MODE=             TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_MD5
GROUP_DESCRIPTION=              MODP_1024
Life=                           LIFE_3600_SECS

# Lifetimes
[LIFE_8_HOURS]

LIFE_TYPE=                      SECONDS
LIFE_DURATION=                  28800,25200:32400

[LIFE_1_DAY]

LIFE_TYPE=                      SECONDS
LIFE_DURATION=                  86400,79200:93600

[LIFE_180_SECS]

LIFE_TYPE=                      SECONDS
LIFE_DURATION=                  180,120:240

[LIFE_3600_SECS]

LIFE_TYPE=                      SECONDS
LIFE_DURATION=                  3600,1800:7200

  • isakmpd.policy

KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:123456789012345"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            initiator == "yes" &&
            esp_enc_alg != "null" &&
            ah_enc_alg != "null" &&
            phase_1 == "main" -> "true";

I have no log errors.... but the traffic isn't encrypted... :(

   tia,

         goony

-- 
KeyID: 1024D/1CDA1B3D
Fingerprint: CDF5 5246 D424 CF61 0330  A516 93F9 4D38 1CDA 1B3D
GnuPG PubKey: 
http://www.OpenBEER.it/keys/goony.gpg
Received on Fri Dec 6 04:03:54 2002
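A hand-written isakmpd.conf chains section names together (peer section, Configuration, Suites, Protocols, Transforms, Life), and a name that is referenced but never defined is a common cause of a tunnel that silently does not come up. The script below is an added example, not code from the post above and not OpenBSD's own parser: it reads the INI-style format, follows those references, and reports every undefined section, plus any attribute name in a transform section that is not one of the names used in the post (a misspelling the daemon would not apply). Assumptions: `#` starts a comment anywhere on a line, the reference-key and transform-key sets are the ones visible in the post rather than isakmpd's full lists, and the embedded sample is constructed and abridged from the posted file. Note that the posted isakmpd.conf has `[test]` pointing at `Configuration= main-mode` while no `[main-mode]` section appears in the post; this check reports that, though it cannot know whether the daemon supplies a built-in section of that name.

```python
# Added example (not from the post, not OpenBSD code): cross-reference checker
# for the isakmpd.conf format. isakmpd resolves section names at run time:
# [Phase 1] peers -> peer section -> Configuration -> Transforms, and
# [Phase 2] connections -> ISAKMP-peer / Configuration / Local-ID / Remote-ID
# -> Suites -> Protocols -> Transforms -> Life. Undefined names are reported.
import re

# Assumption: keys whose values name other sections, as used in the post.
REF_KEYS = {"Configuration", "ISAKMP-peer", "Local-ID", "Remote-ID",
            "Suites", "Protocols", "Transforms", "Life"}
# Assumption: transform attributes seen in the post; isakmpd accepts others,
# so treat a hit from this check as a warning to look at, not a hard error.
TRANSFORM_KEYS = {"TRANSFORM_ID", "ENCAPSULATION_MODE", "AUTHENTICATION_ALGORITHM",
                  "GROUP_DESCRIPTION", "Life", "ENCRYPTION_ALGORITHM",
                  "HASH_ALGORITHM", "AUTHENTICATION_METHOD"}

# Constructed sample, abridged from the post: [test] references an undefined
# "main-mode" section and one transform attribute is deliberately misspelled.
SAMPLE_CONF = """\
[Phase 1]
192.168.11.192= test
[Phase 2]
Passive-connections= hate-test   # passive: wait for the Linux side to initiate
[test]
Address= 192.168.11.192
Configuration= main-mode
Authentication= 123456789012345
[hate-test]
Phase= 2
ISAKMP-peer= test
Configuration= Default-quick-mode
Local-ID= Net-hate
Remote-ID= Net-test
[Net-test]
ID-type= IPV4_ADDR
[Net-hate]
ID-type= IPV4_ADDR
[Default-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE
[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols= QM-ESP-3DES-SHA-PFS
[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-SHA-PFS-XF
[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID= 3DES
AUTHENTICAION_ALGORITHM= HMAC_SHA
Life= LIFE_3600_SECS
[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,1800:7200
"""


def parse_isakmpd_conf(text):
    """Return {section: {key: value}}; '#' starts a comment, '=' separates key/value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
        else:
            raise ValueError("unparseable line: %r" % raw)
    return sections


def _names(value):
    return [n.strip() for n in value.split(",") if n.strip()]


def find_dangling_references(sections):
    """List (section, key, missing_name) for each reference to an undefined section."""
    # [Phase 1]: every value names a peer section; [Phase 2]: only the connection lists.
    refs = [("Phase 1", k, v) for k, v in sections.get("Phase 1", {}).items()]
    refs += [("Phase 2", k, v) for k, v in sections.get("Phase 2", {}).items()
             if k in ("Connections", "Passive-connections")]
    refs += [(s, k, v) for s, kv in sections.items() if s not in ("Phase 1", "Phase 2")
             for k, v in kv.items() if k in REF_KEYS]
    return [(sec, key, name) for sec, key, value in refs
            for name in _names(value) if name not in sections]


def find_unknown_transform_keys(sections):
    """List (transform_section, key) for attributes outside TRANSFORM_KEYS."""
    unknown = []
    for kv in sections.values():
        for name in _names(kv.get("Transforms", "")):
            unknown += [(name, k) for k in sections.get(name, {}) if k not in TRANSFORM_KEYS]
    return unknown


if __name__ == "__main__":
    conf = parse_isakmpd_conf(SAMPLE_CONF)
    for sec, key, name in find_dangling_references(conf):
        print("[%s] %s refers to undefined section '%s'" % (sec, key, name))
    for sec, key in find_unknown_transform_keys(conf):
        print("[%s] has unknown transform attribute '%s'" % (sec, key))
```

Run it against a real file by replacing `SAMPLE_CONF` with the file's contents; on the sample it reports the undefined `main-mode` referenced from `[test]` and the misspelled attribute in `[QM-ESP-3DES-SHA-PFS-XF]`.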

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:31:53 EDT

