poot (n00b)
Joined: 10 Aug 2003 Posts: 5
Posted: Thu Dec 18, 2003 7:52 pm Post subject: 2.6.0, IPSec, Bluesocket Sonicwall
I've been trying for a few days to get my 2.6.0 box to log on to my office's Sonicwall VPN Server. I've got all the right modules compiled and loaded. Here's the configuration information for the sonicwall:
Encryption: 3DES or 192 bit AES
Hashing Algorithm: SHA1 or MD5
Diffie-Hellman Group: Group 2 (1024 bit)
Compression: LZS or Deflate
Perfect Forward Secrecy (PFS): Disabled
Pre-Shared Key: allow
Server IP address: 192.168.64.1
IKE Mode: Main mode only
Since I'm running 2.6.0, I'd like to use the crypto api and all the IPSec goodies that come with the kernel. I suppose this means I'm using the "KAME" tools. Everything's peachy but the configuration. Here's what I've got so far:
racoon.conf
Code:
pootlaptop racoon # cat racoon.conf
# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/etc/racoon" ;
#include "remote.conf" ;
# search this file for pre_shared_key with various ID key.
path pre_shared_key "/etc/racoon/psk.txt" ;
# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/etc/cert" ;
# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
#log debug;
# "padding" defines some parameter of padding. You should not touch these.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
#isakmp ::1 [7000];
#isakmp 202.249.11.124 [500];
#admin [7002]; # administrative's port by kmpstat.
#strict_address; # required all addresses must be bound.
}
# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
# timer for waiting to complete each phase.
phase1 30 sec;
phase2 15 sec;
}
remote anonymous
{
#exchange_mode main,aggressive;
#exchange_mode aggressive,main;
exchange_mode main;
#doi ipsec_doi;
#situation identity_only;
# my_identifier user_fqdn "sakane@kame.net";
# peers_identifier user_fqdn "sakane@kame.net";
#certificate_type x509 "mycert" "mypriv";
# nonce_size 16;
# lifetime time 1 min; # sec,min,hour
#
# Phase 1 proposal matching the Sonicwall settings listed above
# (3DES, SHA1, pre-shared key, DH group 2). racoon needs at least one
# proposal here, and the block must be closed with its own brace
# before "sainfo" begins.
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
sainfo anonymous
{
# The Sonicwall has PFS disabled; a pfs_group line would make racoon
# demand a phase 2 DH exchange the peer will not perform.
#pfs_group 2;
lifetime time 30 sec;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
#sainfo address 203.178.141.209 any address 203.178.141.218 any
#{
# pfs_group 1;
# lifetime time 30 sec;
# encryption_algorithm des ;
# authentication_algorithm hmac_md5;
# compression_algorithm deflate ;
#}
#sainfo address ::1 icmp6 address ::1 icmp6
#{
# pfs_group 1;
# lifetime time 60 sec;
# encryption_algorithm 3des, cast128, blowfish 448, des ;
# authentication_algorithm hmac_sha1, hmac_md5 ;
# compression_algorithm deflate ;
#}
psk.txt
Code:
pootlaptop racoon # cat psk.txt
# IPv4/v6 addresses
192.168.64.1 allow
#10.160.94.3 mekmitasdigoat
#172.16.1.133 mekmitasdigoat
#194.100.55.1 whatcertificatereally
#203.178.141.208 mekmitasdigoat
#206.175.160.18 mekmitasdigoat
#206.175.160.20 mekmitasdigoat
#206.175.160.21 mekmitasdigoat
#206.175.160.22 mekmitasdigoat
#206.175.160.23 mekmitasdigoat
#206.175.160.36 mekmitasdigoat
#206.175.161.125 mekmitasdigoat
#206.175.161.154 mekmitasdigoat
#206.175.161.156 mekmitasdigoat
#206.175.161.182 mekmitasdigoat
#3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
#3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
# USER_FQDN
#sakane@kame.net mekmitasdigoat
# FQDN
#kame hoge
ipsec.conf
Code:
pootlaptop etc # cat ipsec.conf
#!/usr/sbin/setkey -f
flush;
spdflush;
#spdadd xxx.xxx.xxx.xxx/32 0.0.0.0/0 any
# -P out ipsec esp/tunnel/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
#
#spdadd 0.0.0.0/0 xxx.xxx.xxx.xxx/32 any
# -P in ipsec esp/tunnel/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
For posterity, an lsmod:
Code:
pootlaptop etc # lsmod
Module Size Used by
e100 62596 0
ipv6 248160 10
twofish 42368 0
tcrypt 62092 0 [permanent]
sha512 9984 0
sha256 10368 0
sha1 8576 0
serpent 12928 0
md5 4096 0
md4 3712 0
des 11648 0
deflate 4096 0
zlib_deflate 21912 1 deflate
zlib_inflate 22272 1 deflate
cast6 21120 0
cast5 16000 0
blowfish 9728 0
aes 33088 0
xfrm_user 15364 0
driverloader 147752 0
ipip 11236 0
ipcomp 8064 0
esp4 10752 0
ah4 8192 0
af_key 33284 2
snd_intel8x0 31812 0
snd_ac97_codec 54020 1 snd_intel8x0
snd_mpu401_uart 7808 1 snd_intel8x0
snd_rawmidi 25088 1 snd_mpu401_uart
snd_seq_device 8324 1 snd_rawmidi
snd_pcm_oss 52356 0
snd_pcm 97792 2 snd_intel8x0,snd_pcm_oss
snd_page_alloc 11908 2 snd_intel8x0,snd_pcm
snd_timer 25856 1 snd_pcm
snd_mixer_oss 19200 1 snd_pcm_oss
snd 50692 9 snd_intel8x0,snd_ac97_codec,snd_mpu401_uart,snd_rawmidi,snd_seq_device,snd_pcm_oss,snd_pcm,snd_timer,snd_mixer_oss
rtc 13096 0
speedstep_centrino 4996 0
freq_table 4484 1 speedstep_centrino
radeon 119448 24
cpufreq_userspace 6052 2
cpufreq_powersave 1920 0
sr_mod 15776 0
cdrom 34720 1 sr_mod
Here's the output from racoon:
Code:
pootlaptop etc # racoon -d -v -F -f /etc/racoon/racoon.conf
Foreground mode.
2003-12-18 14:54:48: INFO: main.c:174:main(): @(#)racoon 20001216 20001216 sakane@kame.net
2003-12-18 14:54:48: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.6j 10 Apr 2003 (http://www.openssl.org/)
2003-12-18 14:54:48: DEBUG: pfkey.c:370:pfkey_init(): call pfkey_send_register for AH
2003-12-18 14:54:48: DEBUG: pfkey.c:370:pfkey_init(): call pfkey_send_register for ESP
2003-12-18 14:54:48: DEBUG: pfkey.c:370:pfkey_init(): call pfkey_send_register for IPCOMP
2003-12-18 14:54:48: DEBUG: pfkey.c:2246:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2003-12-18 14:54:48: DEBUG: grabmyaddr.c:389:grab_myaddrs(): my interface: 127.0.0.1 (lo)
2003-12-18 14:54:48: DEBUG: grabmyaddr.c:389:grab_myaddrs(): my interface: 192.168.64.89 (eth0)
2003-12-18 14:54:48: DEBUG: grabmyaddr.c:389:grab_myaddrs(): my interface: 192.168.227.171 (eth1)
2003-12-18 14:54:48: DEBUG: grabmyaddr.c:676:autoconf_myaddrsport(): configuring default isakmp port.
2003-12-18 14:54:48: DEBUG: grabmyaddr.c:698:autoconf_myaddrsport(): 3 addrs are configured successfully
2003-12-18 14:54:48: INFO: isakmp.c:1362:isakmp_open(): 192.168.227.171[500] used as isakmp port (fd=6)
2003-12-18 14:54:48: INFO: isakmp.c:1362:isakmp_open(): 192.168.64.89[500] used as isakmp port (fd=7)
2003-12-18 14:54:48: INFO: isakmp.c:1362:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=8)
2003-12-18 14:54:48: DEBUG: pfkey.c:194:pfkey_handler(): get pfkey X_SPDDUMP message
2003-12-18 14:54:48: DEBUG: pfkey.c:209:pfkey_handler(): pfkey X_SPDDUMP failed: No such file or directory
I know I'm going to need to change ipsec.conf, but I'm not sure what the settings are that I'd have to change. Is anyone experienced enough to handle this? What other information should I provide? I apologize for not giving more information, but apparently I've become totally clueless going from freeswan with 2.4 to kame and 2.6.
Krigg (n00b)
Joined: 22 Apr 2003 Posts: 59 Location: Out There
Posted: Wed Dec 24, 2003 12:06 pm Post subject:
I'm also at odds with the 2.6 kernel and IPsec. I can't seem to get it working, and I almost had it working with the 2.4 kernel; now I can't seem to get it up and running. freeswan keeps telling me that this isn't an IPsec-enabled kernel, yet in the Networking Options I compiled the ONLY IPsec option I found directly into the kernel. Should I have left it a module?
JR
_________________
Have gun, will carry!
Krigg (n00b)
Joined: 22 Apr 2003 Posts: 59 Location: Out There
Posted: Wed Dec 31, 2003 8:48 am Post subject:
No one knows which iteration of the 2.6 kernel has IPSec built in? Because I'm running 2.6.0 right now, and can't get freeswan to download. It says:
Code:
Bleeding_Edge freeswan # emerge freeswan-2.04.ebuild
/usr/portage/packages
Calculating dependencies ...done!
>>> emerge (1 of 1) net-misc/freeswan-2.04 to /
>>> md5 src_uri ;-) freeswan-2.04.tar.gz
>>> md5 src_uri ;-) x509-1.4.8-freeswan-2.04.tar.gz
You need to have the crypto-enabled version of Gentoo Sources
with a symlink to it in /usr/src/linux in order to have IPSec
kernel compatibility.
and this is my uname -a output:
Code:
Linux Bleeding_Edge 2.6.0 #3 SMP Wed Dec 24 20:03:21 CST 2003 i686 AMD Athlon(tm) MP 1800+ AuthenticAMD GNU/Linux
And everything I've read says that IPsec should be working if I use this kernel, but it's not. Anyhoo, I'm gonna start experimenting.
JR
_________________
Have gun, will carry!
CHerzog (Tux's lil' helper)
Joined: 13 Jul 2002 Posts: 108 Location: Germany
Posted: Fri Jan 02, 2004 10:23 am Post subject:
Krigg wrote:
Code:
>>> emerge (1 of 1) net-misc/freeswan-2.04 to /
Code:
Linux Bleeding_Edge 2.6.0
You have to use the ipsec-tools, not Freeswan! Freeswan is for kernel 2.4 only. You can download a patch for using 2.6, but then no other patch will work.
Use the tools from the KAME project!
http://www.ipsec-howto.org/x237.html
Bye
Christian
_dan_ (n00b)
Joined: 20 Jan 2004 Posts: 19 Location: Aylesbury
Posted: Tue Jan 27, 2004 5:35 pm Post subject: news?
Any news on this topic?
I need a VPN client for the Sonicwall too, but I've never done anything with VPN or IPsec before and need some help on this topic.
It would be cool if we could get it to work and write a small tutorial; I haven't found anything on the web for this and I think it's quite useful.
_________________
cd /pub
more beer
Aurora (l33t)
Joined: 26 Sep 2003 Posts: 658 Location: Classified
Posted: Sat Jan 31, 2004 9:12 pm Post subject:
I'm in the process of just trying to plain get my Gentoo server box to act as an IPsec server. This is definitely challenging... Seems this is quite "un-user-friendly." Then again, if I didn't want a challenge I wouldn't have installed Gentoo.
We'll see what happens... I am intent on writing a tutorial if I can finally get the thing to work...
*sigh* Here I go.
_________________
"My downfall raises me to infinite heights." -Napoleon Bonaparte
_dan_ (n00b)
Joined: 20 Jan 2004 Posts: 19 Location: Aylesbury
Posted: Fri Mar 19, 2004 9:37 am Post subject:
Hm, we're still not able to get IPsec with the Sonicwall working,
but there is new hope: a guy from Switzerland has a new project which is based on the old FreeS/WAN. He wants to make it easier to configure; hopefully he will be successful.
http://www.strongswan.org/
If anyone tries it and gets it to work I would be pleased to get a bit of help,
thx
have fun
_________________
cd /pub
more beer
Wilko (n00b)
Joined: 11 Jun 2004 Posts: 35 Location: Calgary (Chillin with Jerome.) Ab, Canada.
Posted: Wed May 18, 2005 6:12 pm Post subject:
I've been toying around with IPSec and I've found your next step, so to speak (although mine isn't working yet, I think in time it might).
I was getting the
2003-12-18 14:54:48: DEBUG: pfkey.c:194:pfkey_handler(): get pfkey X_SPDDUMP message
2003-12-18 14:54:48: DEBUG: pfkey.c:209:pfkey_handler(): pfkey X_SPDDUMP failed: No such file or
error, but I fixed it by doing the following:
Edit these lines:
#spdadd xxx.xxx.xxx.xxx/32 0.0.0.0/0 any
# -P out ipsec esp/tunnel/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
#
#spdadd 0.0.0.0/0 xxx.xxx.xxx.xxx/32 any
# -P in ipsec esp/tunnel/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
1. Remove the comments (for starters).
2. Configure! The xxx.xxx.xxx.xxx/32 are IPs that are on your end. In my case I just put my own computer's IP address, 192.168.99.111/32. I've seen configurations where they just put localhost, but I'll save that 'optimization' for when it works.
3. Configure the 0.0.0.0/0. Currently that mask will make everything that you send go through the tunnel, which might be what you wanted. I only wanted things going to the internal work network (192.168.160.0/24) to go through the tunnel, so that's what I put in place of both 0.0.0.0/0's.
4. On the tunnel lines, the xxx.xxx.xxx.xxx's are the same as the ones in step 2.
5. On the tunnel lines, the yyy.yyy.yyy.yyy is the IP of the other end of the VPN gateway. This won't be a 192.XXX.XXX.XXX address; this will be something else (I was given a groupvpn configuration file, which I think the Sonicwall generated; it was XML and seemed to have the address in it, under the tag HostName).
6. Now if you look at the first line of the ipsec.conf file, you'll notice it's supposedly executable. So I chmod +x'ed it, ran it, and now things sort of work. racoon starts, and when I ping destinations inside the VPN, racoon acknowledges the effort, but I haven't properly configured things, because it still doesn't work.
It's a start, however.
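The six steps above, worked through as an added example (this is not Wilko's script and not part of the thread; it is a POSIX sh script written for this page): it builds the setkey(8) SPD file from the three values the steps ask for, checks that each value is a well-formed IPv4 address or prefix before it writes anything, and produces exactly the two spdadd lines from the original ipsec.conf with the xxx/yyy placeholders filled in. The function names are assumptions of this example; 192.168.99.111 and 192.168.160.0/24 are the values Wilko mentions, and 203.0.113.10 is a constructed documentation-range placeholder standing in for the gateway's public address.

```sh
#!/bin/sh
# Added example, not from any post in this thread: generate the setkey(8) SPD
# policy file described in steps 1 to 6. All addresses used below are
# constructed placeholders; the gateway address 203.0.113.10 is from the
# TEST-NET-3 documentation range.

# is_ipv4 ADDR -> returns 0 if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# is_ipv4_cidr NET -> returns 0 if NET is ADDR/PREFIX with a valid address
# and a prefix length in 0..32 (the form step 3 substitutes for 0.0.0.0/0)
is_ipv4_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    _prefix=${1##*/}
    _addr=${1%/*}
    is_ipv4 "$_addr" || return 1
    case "$_prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$_prefix" -le 32 ]
}

# spd_policies MY_IP REMOTE_NET GATEWAY_IP
# Prints the two spdadd directives: traffic from this host to the remote
# network must leave inside an ESP tunnel to the gateway, and the reverse
# direction must arrive the same way (steps 2 to 5). Refuses bad input so a
# typo cannot silently install a policy that matches nothing.
spd_policies() {
    is_ipv4 "$1"      || { echo "spd_policies: bad host address: $1" >&2; return 1; }
    is_ipv4_cidr "$2" || { echo "spd_policies: bad remote network: $2" >&2; return 1; }
    is_ipv4 "$3"      || { echo "spd_policies: bad gateway address: $3" >&2; return 1; }
    printf 'spdadd %s/32 %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$1" "$2" "$1" "$3"
    printf 'spdadd %s %s/32 any -P in ipsec esp/tunnel/%s-%s/require;\n' "$2" "$1" "$3" "$1"
}

# write_setkey_conf FILE MY_IP REMOTE_NET GATEWAY_IP
# Writes a complete setkey script: the same flush/spdflush header as the
# original ipsec.conf, then the two policies. The file is made executable so
# that running it is equivalent to "setkey -f FILE" (step 6).
write_setkey_conf() {
    _out=$1
    shift
    _body=$(spd_policies "$@") || return 1
    {
        echo '#!/usr/sbin/setkey -f'
        echo 'flush;'
        echo 'spdflush;'
        echo "$_body"
    } > "$_out"
    chmod 0755 "$_out"
}

# Stand-alone demonstration with the constructed placeholder values; writes
# to a temporary file rather than /etc/ipsec.conf.
_demo=$(mktemp) &&
    write_setkey_conf "$_demo" 192.168.99.111 192.168.160.0/24 203.0.113.10 &&
    cat "$_demo" &&
    rm -f "$_demo"
```

In real use, replace the placeholder values with your own host address, the internal network behind the gateway, and the gateway's public address, point the output at the file racoon and setkey are fed, and run it as root; the "require" level means traffic matching either policy is dropped rather than sent in the clear if no SA exists, which is why pings only work once racoon has negotiated the tunnel.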