Date: Tue, 18 Dec 2001 13:07:09 +0100
From: Marco Walraven <walraven@fearlabs.com>
To: Tariq Rashid <tariq@inty.net>
Cc: Marco Walraven <walraven@fearlabs.com>, freebsd-security@freebsd.org
Subject: Re: isakmpd & ssh sentinel
Message-ID: <20011218130709.A80059@enigma.whacky.net>
In-Reply-To: <MPENKFCCIIDAJKJJOLBHEEGICEAA.tariq@inty.net>; from tariq@inty.net on Tue, Dec 18, 2001 at 09:37:00AM -0000
References: <20011217183701.B62958@enigma.whacky.net> <MPENKFCCIIDAJKJJOLBHEEGICEAA.tariq@inty.net>

I downloaded the isakmpd sources from ftp.openbsd.org (/pub/src/sbin/isakmp),
changed the Makefile (OS = freebsd) and added the CFLAGS options. However,
on both FreeBSD 4.3 and 4.4 I get this error message when starting my compile
with make obj && make depend && make

In file included from /usr/home/marco/test/isakmpd/sysdep/freebsd/sysdep.c:53:
/usr/home/marco/test/isakmpd/pf_key_v2.h:51: syntax error before `u_int8_t'
/usr/home/marco/test/isakmpd/pf_key_v2.h:51: warning: function declaration isn't a prototype
*** Error code 1

Any ideas?

On Tue, Dec 18, 2001 at 09:37:00AM -0000, Tariq Rashid wrote:
>
> add the following to the Makefile...
>
> # following by TR ...
> CFLAGS+= -DUSE_ISAKMP_CFG -DUSE_AGGRESSIVE
>
> this sets isakmpd to allow aggressive mode and also to send the config to
> the laptops
> (like a kind of dhcp where the isakmpd server tells the laptop its ip,
> gateway, nameserver, wins server etc...)
> ... have a look at:
>
> --------------------------------------------------------
>
> # aggressive users ...
>
> [user-b@inty.net]
> Phase= 1
> Transport= udp
> Configuration= Default-aggressive-mode
> Authentication= secret-B
> Flags= Stayalive
>
> [user-a@inty.net]
> Phase= 1
> Transport= udp
> Configuration= Default-aggressive-mode
> Authentication= secret-A
> Flags= Stayalive
>
> [user-win2k@inty.net]
> Phase= 1
> Transport= udp
> Configuration= Default-aggressive-mode
> Authentication= secret-win2k
> Flags= Stayalive
>
> [ufqdn/user-win2k@inty.net]
> Address= 10.10.7.33
> Netmask= 255.255.0.0
> Nameserver= 993.99.99.99
> Wins-server= somethineg else...
>
> -------------------------------------------
>
> which i use for pgpnet.... the first two "users" are remote isakmpd gateways
> which are on dynamic ips (dialup) ... the last user is a pgpnet laptop user
> ... pgpnet has an option "acquire virtual identity" which lets it get the
> ip,gw,ns and wins ips... there may be something similar for Sentinel.
>
> good luck!
>
> tariq
>
> -----Original Message-----
> From: Marco Walraven [mailto:walraven@fearlabs.com]
> Sent: 17 December 2001 17:37
> To: Tariq Rashid
> Cc: freebsd-security@freebsd.org
> Subject: Re: isakmpd & ssh sentinel
>
> On Mon, Dec 17, 2001 at 05:18:34PM -0000, Tariq Rashid wrote:
> >
> > get the latest isakmpd to fix the cpu problem.
> > in fact the nice people at openbsd have made the latest isakmpd sources
> > compile with no extra patches reqd for freebsd.
>
> Hey great, I'll try that.
>
> > how are you using sentinel? in aggressive mode? with identification by ip
> > address or ufqdn or certs?
>
> In aggressive mode, 3DES, with pre shared authentication key. sentinel
> runs on laptops which connect to the internet from different locations.
>
> Are certs possible? I read that there were some issues in the way sentinel
> handles x.509v3 certs and its CN.
>
> Marco
>
> > tariq
> >
> > -----Original Message-----
> > From: owner-freebsd-security@FreeBSD.ORG
> > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Marco Walraven
> > Sent: 17 December 2001 17:10
> > To: freebsd-security@freebsd.org
> > Subject: isakmpd & ssh sentinel
> >
> > Hi,
> >
> > I'm trying to set up a VPN connection between isakmpd and a few road warriors
> > who run ssh sentinel. I installed isakmpd and tried some of the configuration
> > files. Every time I start isakmpd with 'isakmpd -d -DA=99' I get these
> > messages (see below). It also chokes up the CPU. Furthermore, if I try
> > to connect from a ssh sentinel client, it does not accept a connection
> > which should be normal if this was indeed an error (which I think it is).
> >
> > The kernel I use has IPSEC compiled in it and the system also forwards
> > packets, which are needed to run isakmpd.
> >
> > However, does anyone recognize these problems or know how to fix them and
> > has anyone successfully established a VPN (with pre shared keys) between
> > isakmpd and ssh sentinel? I know there are some issues between the two, but is
> > it possible in the first place, or should someone try racoon instead?
> >
> > Regards,
> >
> > Marco Walraven
> >
> > isakmpd -d -DA=99
> > <snip>
> > 175249.982251 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
> > 175249.982395 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
> > 175249.982483 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
> > 175249.982570 Trpt 70 transport_add: adding 0x8076080
> > 175249.988149 Trpt 90 transport_reference: transport 0x8076080 now has 1 references
> > 175249.988206 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
> > 175250.015566 Trpt 90 transport_reference: transport 0x8076080 now has 2 references
> > 175250.016079 Trpt 90 transport_release: transport 0x8076080 had 2 references
> > 175250.016420 Trpt 90 transport_reference: transport 0x8076080 now has 2 references
> >
> > Which keeps on going.
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
> > intY has automatically scanned this email with Sophos Anti-Virus
> > (www.inty.net)
>
> --
> | FearLabs | Unix Consultancy | info@fearlabs.com

--
| FearLabs | Unix Consultancy | info@fearlabs.com

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011218130709.A80059>
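
Added example, not part of the original messages and not isakmpd code: a small reviewer for the configuration layout quoted in the thread. It lists the phase 1 peers set to aggressive mode, says whether each has a config-mode section, and flags address tags that are not valid IPv4. The sample text is constructed, and pairing a peer [name] with [ufqdn/name] is an assumption taken from the thread's naming.

```python
import ipaddress

# Constructed sample modelled on the fragment quoted in the thread.
SAMPLE = """\
[user-a@inty.net]
Phase= 1
Configuration= Default-aggressive-mode
[user-win2k@inty.net]
Phase= 1
Configuration= Default-aggressive-mode
[ufqdn/user-win2k@inty.net]
Address= 10.10.7.33
Netmask= 255.255.0.0
Nameserver= 993.99.99.99
"""
ADDR_TAGS = ("Address", "Netmask", "Nameserver", "Wins-server")

def parse(text):
    """Parse '[section]' and 'Tag= value' lines into {section: {tag: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None and not line.startswith("#"):
            tag, value = line.split("=", 1)
            current[tag.strip()] = value.strip()
    return sections

def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def review(sections):
    """List (peer, has_cfg_section, invalid_tags) for aggressive-mode phase 1 peers."""
    report = []
    for name, body in sections.items():
        mode = body.get("Configuration", "").lower()
        if body.get("Phase") != "1" or "aggressive" not in mode:
            continue
        # Assumption from the thread's naming: the config section is [ufqdn/<peer>].
        cfg = sections.get("ufqdn/" + name)
        bad = [t for t in ADDR_TAGS if cfg and t in cfg and not is_ipv4(cfg[t])]
        report.append((name, cfg is not None, bad))
    return report

print(review(parse(SAMPLE)))
```
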