Date: Wed, 22 Mar 2000 15:57:18 -0800 From: Matthew Reimer <mreimer@vpop.net> To: "f.johan.beisser" <jan@caustic.org> Cc: freebsd-security@FreeBSD.ORG Subject: Re: pipsecd and KAME Message-ID: <38D95DDE.297DD6F6@vpop.net> References: <Pine.BSF.4.21.0002041234490.24496-100000@pogo.caustic.org>
[-- Attachment #1 --] Pipsecd does interoperate with KAME ipsec. I wrote a script to help generate the configuration files, though it doesn't generate the 'startup' file for pipsecd. Just edit conf.pl and run gen_ipsec_rules.pl. Note that conf_save.pl and the generated *.cf files contain the raw encryption and authentication keys in hex, so keep them owner-readable only and move them between the gateways over a secure channel. Matt "f.johan.beisser" wrote: > > thanks! > > this is just what i'm looking for.. > > pipsecd supports the following encryption algorithms: > blowfish_cbc, cast_cbc, des_cbc, des3_cbc, null > > KAME has these: > des-cbc, 3des-cbc, simple, blowfish-cbc, cast128-cbc > rc5-cbc, des-deriv, 3des-deriv > > each of these has certain key requirements, usually between 40 and 2048 > bits for the keys. > > from KAME (4.0-current), the setkey man page gives the basic manual setup > of the ipsec keysets. > > other resources: > > http://www.kame.net/newsletter/19980626/ > > which seems to be the version of IPsec that 4.0 is using (vs the most > recent version of KAME). > > -- jan > > ERRATA: when i have this working, i'll post it to the list.. thanks for > your help so far. > > On Fri, 4 Feb 2000, Matthew Reimer wrote: > > > "f.johan.beisser" wrote: > > > > > > has anyone successfully run pipsecd and kame for IPsec tunneling? > > > > > > i'm kind of curious about this, i've got a freebsd 4.0 machine, and a > > > simple little -stable box that i'd like to test this with.. > > > > > > any advice/help would be appreciated.. > > > > I'm trying to get this to work too. I haven't yet, but this indicates > > that it's possible: > > > > http://www.hsc.fr/ressources/presentations/ipsec99/ipsec99020.html > > > > Matt > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > +-----/ f. johan beisser /------------------------------+ > email: jan[at]caustic.org web: http://www.caustic.org/~jan > "knowledge is power. power corrupts. study hard, be evil." [-- Attachment #2 --] #!/usr/bin/perl # # Generates ipsec rules for setkey(8) or pipsecd.
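#
# XXX More security could be added by using a different enc/auth key
# for each host-host connection, rather than for each host.  As written,
# every SA originating from host X uses X's single key pair, so any peer
# that holds X's keys can read X's traffic to every other peer.
#
# SECURITY: conf_save.pl and every generated <name>.cf embed the raw ESP
# encryption and authentication keys as hex strings.  This script creates
# them mode 0600 (see umask/chmod below); move them between gateways over
# a secure channel only.
#
# The script hard-codes 3des-cbc + hmac-md5 for both the KAME (setkey) and
# pipsecd output; the key sizes below are tied to those two algorithms and
# must change together with them.

use strict;
use warnings;

# Everything this script writes holds key material: make new files
# owner-readable only, regardless of the caller's umask.
umask 077;

# Site description, supplied by conf.pl: per-host type, tunnelled network
# and gateway address, all indexed by the names in @names.
our (@names, %type, %network, %gateway);
# State persisted by a previous run in conf_save.pl, so regenerating the
# rules does not re-key or re-number every tunnel.
our (%spi, %enc_key, %auth_key);
# Shared with new_SPI(): SPIs already allocated, and the next candidate.
our (%spis_inuse, $spi);

# Key sizes, in bytes, for the two fixed algorithms emitted below.
my $ENC_KEY_BYTES  = 24;   # 3des-cbc needs a 192-bit key
my $AUTH_KEY_BYTES = 16;   # hmac-md5 needs a 128-bit key

require 'conf.pl';
if (-e 'conf_save.pl') { require 'conf_save.pl' }

# Make a hash of the SPIs currently in use, so new_SPI() never hands out
# a value already assigned to some other SA.
%spis_inuse = map { ($_ => undef) } values %spi;

# Start looking for new SPIs from this value.
$spi = 1000;

foreach my $local (@names) {
    print "Generating $local.cf...\n";
    my $cf_name = "$local.cf";
    open(my $cf, '>', $cf_name) or die "open $cf_name: $!";
    print {$cf} "#\n";
    print {$cf} "# Generated ", scalar localtime, ".\n";
    print {$cf} "#\n\n";
    print {$cf} "flush;\n";
    print {$cf} "spdflush;\n";

    # One enc/auth key pair per host, generated on first sight and kept
    # in conf_save.pl afterwards (see the XXX note at the top).
    $enc_key{$local}  = gen_random_bytes($ENC_KEY_BYTES)  unless defined $enc_key{$local};
    $auth_key{$local} = gen_random_bytes($AUTH_KEY_BYTES) unless defined $auth_key{$local};

    # Unknown types used to fall through silently and leave a .cf that
    # held nothing but the flush lines; fail loudly instead.
    my $kind = defined $type{$local} ? $type{$local} : '';

    my $n = 0;   # pipsecd tunnel interface counter (/dev/tun$n)
    foreach my $remote (@names) {
        next if $local eq $remote;
        print " $local <--> $remote...\n";

        $enc_key{$remote}  = gen_random_bytes($ENC_KEY_BYTES)  unless defined $enc_key{$remote};
        $auth_key{$remote} = gen_random_bytes($AUTH_KEY_BYTES) unless defined $auth_key{$remote};

        # One SPI per direction: "$a-$b" is the SA carrying $a's traffic to $b.
        $spi{"$local-$remote"} = new_SPI() unless defined $spi{"$local-$remote"};
        $spi{"$remote-$local"} = new_SPI() unless defined $spi{"$remote-$local"};
        my $SPI_in  = $spi{"$remote-$local"};
        my $SPI_out = $spi{"$local-$remote"};

        if ($kind eq 'kame-ipsec') {
            print {$cf} <<"END";
# $local <--> $remote
# Tunnel $network{$local} <--> $network{$remote} via secure gateways
# $gateway{$local} <--> $gateway{$remote}.
add $gateway{$local} $gateway{$remote} esp $SPI_out -m tunnel -E 3des-cbc $enc_key{$local} -A hmac-md5 $auth_key{$local} ;
add $gateway{$remote} $gateway{$local} esp $SPI_in -m tunnel -E 3des-cbc $enc_key{$remote} -A hmac-md5 $auth_key{$remote} ;
spdadd $gateway{$local} $gateway{$remote} any -P out ipsec esp/tunnel/$gateway{$local}-$gateway{$remote}/require ;
spdadd $gateway{$remote} $gateway{$local} any -P in ipsec esp/tunnel/$gateway{$remote}-$gateway{$local}/require ;
spdadd $network{$local} $network{$remote} any -P out ipsec esp/tunnel/$gateway{$local}-$gateway{$remote}/require ;
spdadd $network{$remote} $network{$local} any -P in ipsec esp/tunnel/$gateway{$remote}-$gateway{$local}/require ;
END
        }
        elsif ($kind eq 'pipsecd') {
            print {$cf} <<"END";
# $local <--> $remote using des3_cbc and md5
# Tunnel $network{$local} <--> $network{$remote} via secure gateways
# $gateway{$local} <--> $gateway{$remote}.
sa ipesp spi=$SPI_out enc=des3_cbc ekey=$enc_key{$local} auth=hmac-md5-96 akey=$auth_key{$local} dest=$gateway{$remote}
sa ipesp spi=$SPI_in enc=des3_cbc ekey=$enc_key{$remote} auth=hmac-md5-96 akey=$auth_key{$remote}
if /dev/tun$n local_spi=$SPI_in remote_spi=$SPI_out
END
            $n++;
        }
        else {
            die "$local: unknown type '$kind' in conf.pl (expected 'kame-ipsec' or 'pipsecd')\n";
        }
    }
    close($cf) or die "close $cf_name: $!";
    # umask only governs newly created files; tighten files left over from
    # earlier runs as well, since they hold the keys.
    chmod 0600, $cf_name or die "chmod $cf_name: $!";
}

#
# Now save the SPIs, and encryption and authentication keys, so the next
# run reuses them.  This file holds raw keys: keep it mode 0600.
#
open(my $save, '>', 'conf_save.pl') or die "open conf_save.pl: $!";
print {$save} "# This file is automatically generated! Your edits will be lost.\n";
print {$save} "\n";
print {$save} "%spi = (\n";
foreach (sort keys %spi) { print {$save} "\t\"$_\" => $spi{$_},\n" }
print {$save} "\t);\n\n";
# Host names are quoted so a name that is not a valid bareword (e.g. one
# containing '-') still yields a loadable file, matching the %spi section.
print {$save} "%enc_key = (\n";
foreach (@names) { print {$save} "\t\"$_\" => \"$enc_key{$_}\",\n" }
print {$save} "\t);\n\n";
print {$save} "%auth_key = (\n";
foreach (@names) { print {$save} "\t\"$_\" => \"$auth_key{$_}\",\n" }
print {$save} "\t);\n\n";
print {$save} "1;\n";
close($save) or die "close conf_save.pl: $!";
chmod 0600, 'conf_save.pl' or die "chmod conf_save.pl: $!";
exit;

# --------------------------------------------------------------------------
# Creates a random key and returns it as a hex string.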
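sub gen_random_bytes {
    # Returns $n_bytes of /dev/urandom as a "0x..." lowercase hex string,
    # the key format both the setkey(8) and pipsecd output use.
    #
    # Dies unless exactly $n_bytes were obtained.  The original ignored
    # read()'s return value, so a short read would have produced a key
    # silently padded with zero bytes by sprintf.
    my $n_bytes = shift;
    die "gen_random_bytes: byte count must be a positive integer\n"
        unless defined $n_bytes && $n_bytes =~ /\A\d+\z/ && $n_bytes > 0;

    my $key = '';
    open(my $rnd, '<', '/dev/urandom') or die "open /dev/urandom: $!";
    binmode($rnd);
    # Loop until the buffer is full; a zero-length read means EOF, which
    # should never happen on urandom but must not yield a shorter key.
    while (length($key) < $n_bytes) {
        my $got = read($rnd, $key, $n_bytes - length($key), length($key));
        die "read /dev/urandom: $!" unless defined $got;
        last if $got == 0;
    }
    close($rnd);
    die "short read from /dev/urandom: got " . length($key) . " of $n_bytes bytes\n"
        unless length($key) == $n_bytes;

    return '0x' . unpack('H*', $key);
}

# --------------------------------------------------------------------------
# Returns a new unique SPI.
sub new_SPI {
    # Scans upward from the shared $spi counter for a value not present in
    # %spis_inuse (seeded by the main script from conf_save.pl), marks it
    # used, advances the counter to it and returns it.  Both globals are
    # shared with the main script.
    my $candidate = $spi;
    $candidate++ while exists $spis_inuse{$candidate};
    $spis_inuse{$candidate} = undef;
    $spi = $candidate;
    return $candidate;
}
[-- Attachment #3 --]
# This is the config file for gen_ipsec_rules.pl.
#
# @names lists every host.  Each name must be a key of %type, %network and
# %gateway, because gen_ipsec_rules.pl indexes all three by name and writes
# one <name>.cf per entry.
# %type selects the output syntax per host: 'kame-ipsec' (setkey(8) rules)
# or 'pipsecd'.  %network is the subnet tunnelled behind each gateway and
# %gateway the gateway's own address.
# The addresses below look like placeholders from the original post;
# replace them with your real values.
@names = qw(jan matt);
%type = (jan => 'kame-ipsec', matt => 'pipsecd' );
%network = (jan => '1.2.3.0/28', matt => '4.5.6.8/29', );
%gateway = (jan => '1.2.3.1', matt => '4.5.6.9' );
1;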
