Date:      Tue, 18 Dec 2001 09:37:00 -0000
From:      "Tariq Rashid" <tariq@inty.net>
To:        "Marco Walraven" <walraven@fearlabs.com>
Cc:        <freebsd-security@freebsd.org>
Subject:   RE: isakmpd & ssh sentinel
Message-ID:  <MPENKFCCIIDAJKJJOLBHEEGICEAA.tariq@inty.net>
In-Reply-To: <20011217183701.B62958@enigma.whacky.net>



add the following to the Makefile...


# following by TR ...
CFLAGS+=        -DUSE_ISAKMP_CFG -DUSE_AGGRESSIVE


this sets isakmpd to allow aggressive mode and also to send the config to
the laptops
(like a kind of dhcp where the isakmpd server tells the laptop its ip,
gateway, nameserver, wins server etc...)
... have a look at:

--------------------------------------------------------

# aggressive users ...

[user-b@inty.net]
Phase=                  1
Transport=              udp
Configuration=          Default-aggressive-mode
Authentication=         secret-B
Flags=                  Stayalive

[user-a@inty.net]
Phase=                  1
Transport=              udp
Configuration=          Default-aggressive-mode
Authentication=         secret-A
Flags=                  Stayalive

[user-win2k@inty.net]
Phase=                  1
Transport=              udp
Configuration=          Default-aggressive-mode
Authentication=         secret-win2k
Flags=                  Stayalive

[ufqdn/user-win2k@inty.net]
Address=                10.10.7.33
Netmask=                255.255.0.0
Nameserver=             993.99.99.99
Wins-server=            something else...


-------------------------------------------

which i use for pgpnet.... the first two "users" are remote isakmpd gateways
which are on dynamic ips (dialup) ... the last user is a pgpnet laptop user
... pgpnet has an option "acquire virtual identity" which lets it get the
ip, gw, ns and wins ips... there may be something similar for Sentinel.

good luck!

tariq

-----Original Message-----
From: Marco Walraven [mailto:walraven@fearlabs.com]
Sent: 17 December 2001 17:37
To: Tariq Rashid
Cc: freebsd-security@freebsd.org
Subject: Re: isakmpd & ssh sentinel


On Mon, Dec 17, 2001 at 05:18:34PM -0000, Tariq Rashid wrote:
>
> get the latest isakmpd to fix the cup problem.
> in fact the nice people at openbsd have made the latest isakmpd sources
> compile with no extra patches reqd for freebsd.

Hey great, i'll try that.

> how are you using sentinel? in aggressive mode? with identification by ip
> address or ufqd or certs?

In aggressive mode, 3DES, with pre-shared authentication key. sentinel
runs on laptops which connect to the internet from different locations.

Are certs possible? I read that there were some issues in the way sentinel
handles x.509v3 certs and its CN?

Marco

> tariq
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Marco Walraven
> Sent: 17 December 2001 17:10
> To: freebsd-security@freebsd.org
> Subject: isakmpd & ssh sentinel
>
>
> Hi,
>
> I'm trying to setup a VPN connection between isakmpd and a few road
> warriors who run ssh sentinel. I installed isakmpd and tried some of the
> configuration files. Every time I start isakmpd with 'isakmpd -d -DA=99'
> I get these messages (see below). It also chokes up the CPU. Furthermore,
> if I try to connect from a ssh sentinel client, it does not accept a
> connection, which should be normal if this was indeed an error (which I
> think it is).
>
> The kernel I use has IPSEC compiled in it and the system also forwards
> packets, which are needed to run isakmpd.
>
> However, does anyone recognize these problems or know how to fix them, and
> has anyone successfully established a VPN (with pre-shared keys) between
> isakmpd and ssh sentinel? I know there are some issues between the two,
> but is it possible in the first place, or should someone try racoon
> instead?
>
> Regards,
>
> Marco Walraven
>
>
> isakmpd -d -DA=99
> <snip>
> 175249.982251 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
> 175249.982395 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
> 175249.982483 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
> 175249.982570 Trpt 70 transport_add: adding 0x8076080
> 175249.988149 Trpt 90 transport_reference: transport 0x8076080 now has 1
> references
> 175249.988206 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
> 175250.015566 Trpt 90 transport_reference: transport 0x8076080 now has 2
> references
> 175250.016079 Trpt 90 transport_release: transport 0x8076080 had 2
> references
> 175250.016420 Trpt 90 transport_reference: transport 0x8076080 now has 2
> references
>
> Which keeps on going.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
> intY has automatically scanned this email with Sophos Anti-Virus
> (www.inty.net)

--
	| FearLabs | Unix Consultancy | info@fearlabs.com

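The isakmpd.conf fragment posted above carries an obvious placeholder Nameserver (993.99.99.99 is not a routable or even syntactically valid IPv4 address), and a roaming client that receives such a value through ISAKMP config mode will silently end up without working name resolution. The following added example is not from the original mail or from the isakmpd project; it is a small sanity checker for that INI-style file that parses the peer and ufqdn sections, verifies that every address handed to clients is a well-formed IPv4 address, and confirms that each aggressive-mode Phase 1 peer actually has an Authentication (pre-shared secret) line. The sample configuration is the poster's snippet embedded as constructed input; the minimum secret length is an assumed local policy, not an isakmpd setting.

```python
import configparser  # isakmpd.conf is INI-style: [Section] headers with Key= Value lines
import ipaddress

# Constructed sample: the isakmpd.conf fragment from the mail above,
# with the poster's placeholder Nameserver / Wins-server values left in.
SAMPLE_CONF = """
# aggressive users ...

[user-b@inty.net]
Phase=                  1
Transport=              udp
Configuration=          Default-aggressive-mode
Authentication=         secret-B
Flags=                  Stayalive

[user-win2k@inty.net]
Phase=                  1
Transport=              udp
Configuration=          Default-aggressive-mode
Authentication=         secret-win2k
Flags=                  Stayalive

[ufqdn/user-win2k@inty.net]
Address=                10.10.7.33
Netmask=                255.255.0.0
Nameserver=             993.99.99.99
Wins-server=            something else...
"""

# Keys in a ufqdn/ client section whose values are pushed to the client and
# therefore must be real IPv4 addresses (taken from the posted snippet).
CLIENT_ADDRESS_KEYS = ("Address", "Netmask", "Nameserver", "Wins-server")

# Assumed local policy, not an isakmpd setting: reject very short PSKs.
MIN_SECRET_LEN = 8


def parse_isakmpd_conf(text):
    """Parse isakmpd.conf text into {section: {key: value}} preserving key case."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep "Wins-server" etc. as written, not lowercased
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def check_config(conf):
    """Return a list of (section, key, problem) tuples; empty means no findings."""
    findings = []
    for section, opts in conf.items():
        if section.startswith("ufqdn/"):
            # Values in these sections are handed to the road-warrior client.
            for key in CLIENT_ADDRESS_KEYS:
                value = opts.get(key)
                if value is None:
                    continue
                try:
                    ipaddress.IPv4Address(value)
                except ValueError:
                    findings.append((section, key, f"{value!r} is not a valid IPv4 address"))
        elif opts.get("Phase") == "1":
            cfg = opts.get("Configuration", "")
            secret = opts.get("Authentication")
            # An aggressive-mode peer must have a pre-shared secret configured.
            if cfg.lower().endswith("aggressive-mode") and not secret:
                findings.append((section, "Authentication", "aggressive-mode peer has no secret"))
            elif secret and len(secret) < MIN_SECRET_LEN:
                findings.append((section, "Authentication", "secret shorter than policy minimum"))
    return findings


if __name__ == "__main__":
    for section, key, problem in check_config(parse_isakmpd_conf(SAMPLE_CONF)):
        print(f"[{section}] {key}: {problem}")
```

Run against the sample, the checker reports the Nameserver and Wins-server placeholders in the ufqdn section while accepting the Address and Netmask lines and both peer secrets; running it before restarting isakmpd is a cheap way to catch a config-mode section that would push garbage to every laptop that connects.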