Date: Tue, 18 Dec 2001 13:12:21 -0000 From: "Tariq Rashid" <tariq@inty.net> To: "Marco Walraven" <walraven@fearlabs.com> Cc: <freebsd-security@freebsd.org> Subject: RE: isakmpd & ssh sentinel Message-ID: <MPENKFCCIIDAJKJJOLBHEEGOCEAA.tariq@inty.net> In-Reply-To: <20011218130709.A80059@enigma.whacky.net>
next in thread | previous in thread | raw e-mail | index | archive | help
oops - the only other change i made is to add a file (isakmp_cfg.c) to a source list in the makefile: you error doesn't seem related though... give this a go and see if that helps... if not get back to me/us! ------------------------------------------------------ *************** *** 66,72 **** ike_phase_1.c ike_quick_mode.c init.c ipsec.c ipsec_fld.c \ ipsec_num.c isakmpd.c isakmp_doi.c isakmp_fld.c isakmp_num.c \ key.c libcrypto.c log.c message.c math_2n.c math_group.c \ ! prf.c sa.c sysdep.c timer.c transport.c udp.c ui.c util.c GENERATED= exchange_num.h ipsec_fld.h ipsec_num.h isakmp_fld.h \ isakmp_num.h --- 66,72 ---- ike_phase_1.c ike_quick_mode.c init.c ipsec.c ipsec_fld.c \ ipsec_num.c isakmpd.c isakmp_doi.c isakmp_fld.c isakmp_num.c \ key.c libcrypto.c log.c message.c math_2n.c math_group.c \ ! prf.c sa.c sysdep.c timer.c transport.c udp.c ui.c util.c isakmp_cfg.c GENERATED= exchange_num.h ipsec_fld.h ipsec_num.h isakmp_fld.h \ isakmp_num.h *************** ----------------------------------------------------- i also changed my bindir to /usr/local/sbin from /sbin... but that shouldn't matter tariq -----Original Message----- From: Marco Walraven [mailto:walraven@fearlabs.com] Sent: 18 December 2001 12:07 To: Tariq Rashid Cc: Marco Walraven; freebsd-security@freebsd.org Subject: Re: isakmpd & ssh sentinel I downloaded the isakmpd sources from ftp.openbsd.org (/pub/src/sbin/isakmp) changed the Makefile (OS = freebsd) and added the CFLAGS options. However, on both FreeBSD 4.3 and 4.4 I get this error message, when starting my compile with make obj && make depend && make In file included from /usr/home/marco/test/isakmpd/sysdep/freebsd/sysdep.c:53: /usr/home/marco/test/isakmpd/pf_key_v2.h:51: syntax error before `u_int8_t' /usr/home/marco/test/isakmpd/pf_key_v2.h:51: warning: function declaration isn't a prototype *** Error code 1 Any ideas ? On Tue, Dec 18, 2001 at 09:37:00AM -0000, Tariq Rashid wrote: > > > add the following to the Makefile... > > > # following by TR ... > CFLAGS+= -DUSE_ISAKMP_CFG -DUSE_AGGRESSIVE > > > this sets isakmpd to allow aggressive mode and also to send the config to > the laptops > (like a kind of dhcp where the isakmpd server tells the laptop its ip, > gateway, nameserver, wins server etc...) > ... have a look at: > > -------------------------------------------------------- > > # aggressive users ... > > [user-b@inty.net] > Phase= 1 > Transport= udp > Configuration= Default-aggressive-mode > Authentication= secret-B > Flags= Stayalive > > [user-a@inty.net] > Phase= 1 > Transport= udp > Configuration= Default-aggressive-mode > Authentication= secret-A > Flags= Stayalive > > [user-win2k@inty.net] > Phase= 1 > Transport= udp > Configuration= Default-aggressive-mode > Authentication= secret-win2k > Flags= Stayalive > > [ufqdn/user-win2k@inty.net] > Address= 10.10.7.33 > Netmask= 255.255.0.0 > Nameserver= 993.99.99.99 > Wins-server= somethineg else... > > > ------------------------------------------- > > which i use for pgpnet.... the first two "users" are remote isakmpd gateways > whicvh are on dynamic ips (dialup) ... the last user is a pgpnet laptop user > ... pgpnet has an option "acquore virtual identity" which lets it get the > ip,gq,ns and wins ips... there may be something similar for Sentinel. > > good luck! > > tariq > > -----Original Message----- > From: Marco Walraven [mailto:walraven@fearlabs.com] > Sent: 17 December 2001 17:37 > To: Tariq Rashid > Cc: freebsd-security@freebsd.org > Subject: Re: isakmpd & ssh sentinel > > > On Mon, Dec 17, 2001 at 05:18:34PM -0000, Tariq Rashid wrote: > > > > get the latest isakmpd to fix the cup problem. > > in fact the nice people at openbsd have made the latest isakmpd sources > > compile with no extra patches reqd for freebsd. > > Hey great, i'll try that. > > > how are you using sentinel? in aggressive mode? with identification by ip > > address or ufqd or certs? > > In aggressive mode, 3DES, with pre shared authentication key. sentinel > run's on laptops which connect to the internet from different locations. > > Are certs possible ? I read that there were some issues in the way sentinel > handles x.509v3 certs and it's CN. ? > > Marco > > > tariq > > > > -----Original Message----- > > From: owner-freebsd-security@FreeBSD.ORG > > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Marco Walraven > > Sent: 17 December 2001 17:10 > > To: freebsd-security@freebsd.org > > Subject: isakmpd & ssh sentinel > > > > > > Hi, > > > > I'm trying to setup a VPN connection between isakmpd and a few road > warriors > > who run ssh sentinel. I installed isamkpd and tried some of the > > configuration > > files. Everytime I start isakmpd with 'isakmpd -d -DA=99' i get these > > messages(see below). It also chokes up the CPU. Furthermore, if I try > > to connect from a ssh sentinel client, it does not accept a connection > > which should be normal if this was indeed an error (which I think it is). > > > > The kernel I use has, IPSEC compiled in it and the system also forwards > > packets, which are needed to run isakmpd. > > > > However, does anyone recognize these problems or know how to fix ehm and > > has anyone successfully established a VPN(with pre shared keys) between > > isakmpd > > and ssh sentinel ? I know there are some issues between the two, but is > > it possible in the first place, or should someone try racoon instead ?. > > > > Regards, > > > > Marco Walraven > > > > > > isakmpd -d -DA=99 > > <snip> > > 175249.982251 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 > > 175249.982395 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 > > 175249.982483 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 > > 175249.982570 Trpt 70 transport_add: adding 0x8076080 > > 175249.988149 Trpt 90 transport_reference: transport 0x8076080 now has 1 > > references > > 175249.988206 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1 > > 175250.015566 Trpt 90 transport_reference: transport 0x8076080 now has 2 > > references > > 175250.016079 Trpt 90 transport_release: transport 0x8076080 had 2 > > references > > 175250.016420 Trpt 90 transport_reference: transport 0x8076080 now has 2 > > referen > > ces > > > > Which keeps on going. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > intY has automatically scanned this email with Sophos Anti-Virus > > (www.inty.net) > > > > > > > > intY has automatically scanned this email with Sophos Anti-Virus > (www.inty.net) > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > -- > | FearLabs | Unix Consultancy | info@fearlabs.com > > intY has automatically scanned this email with Sophos Anti-Virus > (www.inty.net) > > > > intY has automatically scanned this email with Sophos Anti-Virus (www.inty.net) > -- | FearLabs | Unix Consultancy | info@fearlabs.com intY has automatically scanned this email with Sophos Anti-Virus (www.inty.net) intY has automatically scanned this email with Sophos Anti-Virus (www.inty.net) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MPENKFCCIIDAJKJJOLBHEEGOCEAA.tariq>