Date:      Tue, 18 Dec 2001 13:12:21 -0000
From:      "Tariq Rashid" <tariq@inty.net>
To:        "Marco Walraven" <walraven@fearlabs.com>
Cc:        <freebsd-security@freebsd.org>
Subject:   RE: isakmpd & ssh sentinel
Message-ID:  <MPENKFCCIIDAJKJJOLBHEEGOCEAA.tariq@inty.net>
In-Reply-To: <20011218130709.A80059@enigma.whacky.net>


oops - the only other change i made is to add a file (isakmp_cfg.c) to a
source list in the makefile:

your error doesn't seem related though... give this a go and see if that
helps... if not get back to me/us!

------------------------------------------------------
***************
*** 66,72 ****
                ike_phase_1.c ike_quick_mode.c init.c ipsec.c ipsec_fld.c \
                ipsec_num.c isakmpd.c isakmp_doi.c isakmp_fld.c isakmp_num.c
\
                key.c libcrypto.c log.c message.c math_2n.c math_group.c \
!               prf.c sa.c sysdep.c timer.c transport.c udp.c ui.c util.c

  GENERATED=    exchange_num.h ipsec_fld.h ipsec_num.h isakmp_fld.h \
                isakmp_num.h
--- 66,72 ----
                ike_phase_1.c ike_quick_mode.c init.c ipsec.c ipsec_fld.c \
                ipsec_num.c isakmpd.c isakmp_doi.c isakmp_fld.c isakmp_num.c
\
                key.c libcrypto.c log.c message.c math_2n.c math_group.c \
!               prf.c sa.c sysdep.c timer.c transport.c udp.c ui.c util.c
isakmp_cfg.c

  GENERATED=    exchange_num.h ipsec_fld.h ipsec_num.h isakmp_fld.h \
                isakmp_num.h
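Review bot: the added `isakmp_cfg.c` has been wrapped onto its own line after `util.c` with no `\` continuation, so the hunk as pasted would leave `isakmp_cfg.c` as a stray line rather than an entry in the source list; in the real Makefile it belongs on the `prf.c sa.c sysdep.c ... util.c` line, or after a trailing `\`. The hunk also carries no `*** ` / `--- ` file header naming the Makefile, so `patch` cannot apply it automatically: edit the Makefile by hand, confirm `isakmp_cfg.c` is actually present in the downloaded isakmpd tree before listing it, and keep the `CFLAGS+= -DUSE_ISAKMP_CFG -DUSE_AGGRESSIVE` addition from the earlier mail in place alongside it.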
***************
-----------------------------------------------------

i also changed my bindir to /usr/local/sbin from /sbin... but that shouldn't
matter

tariq


-----Original Message-----
From: Marco Walraven [mailto:walraven@fearlabs.com]
Sent: 18 December 2001 12:07
To: Tariq Rashid
Cc: Marco Walraven; freebsd-security@freebsd.org
Subject: Re: isakmpd & ssh sentinel



I downloaded the isakmpd sources from ftp.openbsd.org (/pub/src/sbin/isakmp)
changed the Makefile (OS = freebsd) and added the CFLAGS options.
However, on both FreeBSD 4.3 and 4.4 I get this error message, when
starting my compile with make obj && make depend && make

In file included from /usr/home/marco/test/isakmpd/sysdep/freebsd/sysdep.c:53:
/usr/home/marco/test/isakmpd/pf_key_v2.h:51: syntax error before `u_int8_t'
/usr/home/marco/test/isakmpd/pf_key_v2.h:51: warning: function declaration isn't a prototype
*** Error code 1

Any ideas?

On Tue, Dec 18, 2001 at 09:37:00AM -0000, Tariq Rashid wrote:
>
>
> add the following to the Makefile...
>
>
> # following by TR ...
> CFLAGS+=        -DUSE_ISAKMP_CFG -DUSE_AGGRESSIVE
>
>
> this sets isakmpd to allow aggressive mode and also to send the config to
> the laptops
> (like a kind of dhcp where the isakmpd server tells the laptop its ip,
> gateway, nameserver, wins server etc...)
> ... have a look at:
>
> --------------------------------------------------------
>
> # aggressive users ...
>
> [user-b@inty.net]
> Phase=                  1
> Transport=              udp
> Configuration=          Default-aggressive-mode
> Authentication=         secret-B
> Flags=                  Stayalive
>
> [user-a@inty.net]
> Phase=                  1
> Transport=              udp
> Configuration=          Default-aggressive-mode
> Authentication=         secret-A
> Flags=                  Stayalive
>
> [user-win2k@inty.net]
> Phase=                  1
> Transport=              udp
> Configuration=          Default-aggressive-mode
> Authentication=         secret-win2k
> Flags=                  Stayalive
>
> [ufqdn/user-win2k@inty.net]
> Address=                10.10.7.33
> Netmask=                255.255.0.0
> Nameserver=             993.99.99.99
> Wins-server=		something else...
>
>
> -------------------------------------------
>
> which i use for pgpnet.... the first two "users" are remote isakmpd gateways
> which are on dynamic ips (dialup) ... the last user is a pgpnet laptop user
> ... pgpnet has an option "acquire virtual identity" which lets it get the
> ip, gw, ns and wins ips... there may be something similar for Sentinel.
>
> good luck!
>
> tariq
>
> -----Original Message-----
> From: Marco Walraven [mailto:walraven@fearlabs.com]
> Sent: 17 December 2001 17:37
> To: Tariq Rashid
> Cc: freebsd-security@freebsd.org
> Subject: Re: isakmpd & ssh sentinel
>
>
> On Mon, Dec 17, 2001 at 05:18:34PM -0000, Tariq Rashid wrote:
> >
> > get the latest isakmpd to fix the cpu problem.
> > in fact the nice people at openbsd have made the latest isakmpd sources
> > compile with no extra patches reqd for freebsd.
>
> Hey great, i'll try that.
>
> > how are you using sentinel? in aggressive mode? with identification by ip
> > address or ufqdn or certs?
>
> In aggressive mode, 3DES, with pre-shared authentication key. sentinel
> runs on laptops which connect to the internet from different locations.
>
> Are certs possible? I read that there were some issues in the way sentinel
> handles x.509v3 certs and its CN.
>
> Marco
>
> > tariq
> >
> > -----Original Message-----
> > From: owner-freebsd-security@FreeBSD.ORG
> > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Marco Walraven
> > Sent: 17 December 2001 17:10
> > To: freebsd-security@freebsd.org
> > Subject: isakmpd & ssh sentinel
> >
> >
> > Hi,
> >
> > I'm trying to set up a VPN connection between isakmpd and a few road warriors
> > who run ssh sentinel. I installed isakmpd and tried some of the configuration
> > files. Every time I start isakmpd with 'isakmpd -d -DA=99' i get these
> > messages (see below). It also chokes up the CPU. Furthermore, if I try
> > to connect from an ssh sentinel client, it does not accept a connection,
> > which should be normal if this was indeed an error (which I think it is).
> >
> > The kernel I use has IPSEC compiled in it and the system also forwards
> > packets, which are needed to run isakmpd.
> >
> > However, does anyone recognize these problems or know how to fix them and
> > has anyone successfully established a VPN (with pre-shared keys) between isakmpd
> > and ssh sentinel? I know there are some issues between the two, but is
> > it possible in the first place, or should someone try racoon instead?
> >
> > Regards,
> >
> > Marco Walraven
> >
> >
> > isakmpd -d -DA=99
> > <snip>
> > 175249.982251 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
> > 175249.982395 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
> > 175249.982483 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
> > 175249.982570 Trpt 70 transport_add: adding 0x8076080
> > 175249.988149 Trpt 90 transport_reference: transport 0x8076080 now has 1 references
> > 175249.988206 Misc 60 conf_get_str: [General]:Listen-on->192.168.2.1
> > 175250.015566 Trpt 90 transport_reference: transport 0x8076080 now has 2 references
> > 175250.016079 Trpt 90 transport_release: transport 0x8076080 had 2 references
> > 175250.016420 Trpt 90 transport_reference: transport 0x8076080 now has 2 references
> >
> > Which keeps on going.
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
> > intY has automatically scanned this email with Sophos Anti-Virus
> > (www.inty.net)
>
> --
> 	| FearLabs | Unix Consultancy | info@fearlabs.com

--
	| FearLabs | Unix Consultancy | info@fearlabs.com
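An added example, not part of this mail and not isakmpd's own code: a small Python checker for the isakmpd.conf layout quoted in the thread. It assumes the `[Section]` / `Tag= value` format shown in Tariq's fragment, treats every section with `Phase= 1` as one remote peer, and reports peers without an `Authentication` secret, one secret reused by several peers, and `Address`/`Netmask`/`Nameserver`/`Wins-server` values that are not valid dotted quads (the quoted `Nameserver= 993.99.99.99` is one). The sample text is constructed to mirror the quoted config; the tag names are the ones that appear there.

```python
"""Sanity-check an isakmpd.conf fragment of the kind quoted in this thread.

Added illustration, not from the mail or from isakmpd. Assumptions: sections
are introduced by [Name], settings are Tag= value, comments start with '#'.
"""
import ipaddress
import re

# Constructed sample modelled on the config fragment quoted in the thread.
SAMPLE_CONF = """\
# aggressive users ...

[user-b@inty.net]
Phase=                  1
Transport=              udp
Configuration=          Default-aggressive-mode
Authentication=         secret-B
Flags=                  Stayalive

[user-win2k@inty.net]
Phase=                  1
Transport=              udp
Configuration=          Default-aggressive-mode
Authentication=         secret-win2k
Flags=                  Stayalive

[ufqdn/user-win2k@inty.net]
Address=                10.10.7.33
Netmask=                255.255.0.0
Nameserver=             993.99.99.99
Wins-server=            something else...
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
TAG_RE = re.compile(r"^(?P<tag>[^=\s]+)\s*=\s*(?P<value>.*?)\s*$")
# Tags from the quoted config whose value must be an IPv4 address.
ADDRESS_TAGS = ("Address", "Netmask", "Nameserver", "Wins-server")


def parse_conf(text):
    """Return {section_name: {tag: value}} for isakmpd.conf-style text."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, {})
            continue
        m = TAG_RE.match(line)
        if m and current is not None:
            sections[current][m.group("tag")] = m.group("value")
    return sections


def is_dotted_quad(value):
    """True only for a syntactically valid IPv4 address (each octet 0..255)."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:  # AddressValueError is a ValueError subclass
        return False


def check_conf(sections):
    """Return a list of human-readable findings; empty means nothing noticed."""
    findings = []
    secret_owners = {}
    for name, tags in sections.items():
        if tags.get("Phase") == "1":
            secret = tags.get("Authentication")
            if not secret:
                findings.append(f"{name}: Phase 1 section without Authentication")
            else:
                secret_owners.setdefault(secret, []).append(name)
        for tag in ADDRESS_TAGS:
            if tag in tags and not is_dotted_quad(tags[tag]):
                findings.append(
                    f"{name}: {tag}={tags[tag]!r} is not a valid IPv4 address")
    # Each road warrior should carry its own pre-shared secret (assumption).
    for secret, owners in secret_owners.items():
        if len(owners) > 1:
            findings.append(
                "Authentication secret shared by " + ", ".join(owners))
    return findings


if __name__ == "__main__":
    for finding in check_conf(parse_conf(SAMPLE_CONF)):
        print(finding)
```

Run against the constructed sample it reports the bogus `Nameserver` value and the placeholder `Wins-server`, and nothing about the two Phase 1 peers, which each carry a distinct secret.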