osdir.com
mailing list archive F.A.Q. -since 2001!



Subject: Re: Netgear FVS318 VPN connect to OpenBSD Router - msg#00002

List: os.openbsd.tech


As far as the /etc/isakmpd/crls/ directory goes, you just have to create it.
I'll let someone else comment on the "giving up on message..." error.


In reply to "ted jordan, jordanteam" <ted@xxxxxxxxxxxxxx>:

> I am trying to connect from a PC with Windows 98 thru a Netgear
> FVS318 router via VPN to a router running OpenBSD 3.2 with
> Windows 98 PCs connected within its network.
>
> 192.168.123.X-Netgear-22.33.44.55- - -99.88.77.66-OpenBSD-196.168.0.X
>
> Now, the goal is to eventually have the home behind a DHCP
> connections, but it has been so difficult to set this up that I'm
> taking it in stages. I've turned off the pfilter rules on the
> OpenBSD, and I'm attempting the connection assuming that home
> is static (22.33.44.55). Advice on going dynamic would be
> welcome. OpenBSD has a static address.
>
> On the Netgear, I am using these settings
>
> Connection Name: Home_to_Office
> Local IPSec Identifier: Home
> Remote IPSec Identifier: Office
> Remote IP Network: 196.168.0.0
> Remote IP Subnet Mask: 255.255.255.0
> Remote Gateway IP: 99.88.77.66
>
> Secure Assn: IKE
> Perfect Forward Secrecy: 3DES
> PreShared Key: abcd1234
> Key Life: 3600
> IKE Life Time: 28800
>
>
> On the OpenBSD router, I have these settings for isakmpd, and then I
> start
> /sbin/isakmpd
>
>
> openbsd# cat isakmpd.policy
> KeyNote-Version: 2
> Comment: This policy accepts ESP SAs from a remote that uses the right password
> Authorizer: "POLICY"
> Licensees: "passphrase:abcd1234"
> Conditions: app_domain == "IPsec policy" &&
> esp_present == "yes" &&
> esp_enc_alg != "null" -> "true";
>
>
> openbsd# cat isakmpd.conf
> # $OpenBSD: VPN-east.conf,v 1.12 2002/06/09 08:13:07 todd Exp $
> # $EOM: VPN-east.conf,v 1.12 2000/10/09 22:08:30 angelos Exp $
>
> # A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
> #
> # The network topology of the example net is like this:
> #
> [General]
> Policy-File= /etc/isakmpd/isakmpd.policy
> Retransmits= 5
> Exchange-max-time= 120
> Listen-on= 99.88.77.66
>
> [Phase 1]
> 22.33.44.55= ISAKMP-peer-west
>
> [Phase 2]
> Connections= IPsec-east-west
>
> [ISAKMP-peer-west]
> Phase= 1
> Transport= udp
> Local_address= 99.88.77.66
> Address= 22.33.44.55
> Configuration= Default-main-mode
> Authentication= abcd1234
>
> [IPsec-east-west]
> Phase= 2
> ISAKMP-peer= ISAKMP-peer-west
> Configuration= Default-quick-mode
> Local-ID= Net-east
> Remote-ID= Net-west
>
> [Net-west]
> ID-type= IPV4_ADDR_SUBNET
> Network= 192.168.123.0
> Netmask= 255.255.255.0
>
> [Net-east]
> ID-type= IPV4_ADDR_SUBNET
> Network= 192.168.0.0
> Netmask= 255.255.255.0
>
> [Default-main-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= 3DES-SHA
>
> [Default-quick-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-PFS-SUITE
>
> --- end of file ---
>
> Then I run isakmpd, and get these errors:
>
> openbsd# isakmpd
> 073132.444146 Default x509_read_crls_from_dir: opendir ("/etc/isakmpd/crls/") failed: No such file or directory
> 073132.444686 Default x509_crl_init: x509_read_from_dir failed
>
> and then after about a minute or two, I get this error every two minutes.
> Feb 21 07:32:27 etrac isakmpd[20701]: transport_send_messages: giving up on message 0x114800
>
> Any ideas on what it would take to get this running like I want
> right now (i.e. static-to-static)? And once this gets working, what
> will it take to go dynamic-to-static inside of isakmpd.conf and
> isakmpd.policy?
>
> thanx
> ted jordan
>
>
> --
> ted jordan, principal
> JordanTeam Computing LLC
> On-Demand Computing for Independent Business Professionals
>
> ted@xxxxxxxxxxxxxx
> 734 673 7426 p
> 216 767 1393 p
> 419 791 9678 f
> http://jordanteam.com
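A mechanical cross-check of the two ends of the tunnel quoted above. This is an added example, not code from the thread or from the isakmpd project: it parses the `[Section]` / `Key= value` layout of the posted isakmpd.conf with its own small parser (isakmpd's real parser is not used) and compares it with the FVS318 form values from the same message. The `WAN IP`, `Local IP Network` and `Local IP Subnet Mask` entries on the Netgear side are assumptions taken from the question's network diagram, and the mail-wrapped `Suites=` value is rejoined on one line. Run on the posted values it reports the difference between the FVS318's `Remote IP Network` of 196.168.0.0 and isakmpd's `Net-east` of 192.168.0.0, and that 196.168.0.0/24 is not a private range.

```python
"""Cross-check FVS318 VPN form values against an isakmpd.conf (added example)."""
import ipaddress

# Constructed from the question: the posted isakmpd.conf without its comment
# header, with the mail-wrapped "Suites=" value rejoined on one line.
ISAKMPD_CONF = """\
[General]
Policy-File= /etc/isakmpd/isakmpd.policy
Retransmits= 5
Exchange-max-time= 120
Listen-on= 99.88.77.66

[Phase 1]
22.33.44.55= ISAKMP-peer-west

[Phase 2]
Connections= IPsec-east-west

[ISAKMP-peer-west]
Phase= 1
Transport= udp
Local_address= 99.88.77.66
Address= 22.33.44.55
Configuration= Default-main-mode
Authentication= abcd1234

[IPsec-east-west]
Phase= 2
ISAKMP-peer= ISAKMP-peer-west
Configuration= Default-quick-mode
Local-ID= Net-east
Remote-ID= Net-west

[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.123.0
Netmask= 255.255.255.0

[Net-east]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 255.255.255.0

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-PFS-SUITE
"""

# FVS318 form values from the question. "WAN IP" and the two "Local IP"
# entries are assumed from the question's diagram, not listed in the post.
NETGEAR = {
    "WAN IP": "22.33.44.55",
    "Local IP Network": "192.168.123.0",
    "Local IP Subnet Mask": "255.255.255.0",
    "Remote IP Network": "196.168.0.0",
    "Remote IP Subnet Mask": "255.255.255.0",
    "Remote Gateway IP": "99.88.77.66",
    "PreShared Key": "abcd1234",
    "Perfect Forward Secrecy": "3DES",
}


def parse_isakmpd_conf(text):
    """Parse the [Section] / Key= value layout into nested dicts (own parser)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def check_tunnel(conf_text, netgear):
    """Return a list of mismatches between the FVS318 side and isakmpd."""
    conf = parse_isakmpd_conf(conf_text)
    findings = []

    # Phase 1: the FVS318 must point at the address isakmpd listens on, and
    # isakmpd must map the FVS318's WAN address to a peer section.
    listen = conf["General"].get("Listen-on")
    if netgear["Remote Gateway IP"] != listen:
        findings.append(f"Remote Gateway IP {netgear['Remote Gateway IP']} != Listen-on {listen}")
    peer_name = conf["Phase 1"].get(netgear["WAN IP"])
    if peer_name is None:
        findings.append(f"no [Phase 1] entry for peer {netgear['WAN IP']}")
        return findings
    peer = conf[peer_name]
    if peer.get("Address") != netgear["WAN IP"]:
        findings.append(f"[{peer_name}] Address {peer.get('Address')} != FVS318 WAN IP {netgear['WAN IP']}")

    # Pre-shared key: compared after stripping surrounding whitespace, the usual
    # way a value typed into a web form and one in a text file drift apart.
    if peer.get("Authentication", "").strip() != netgear["PreShared Key"].strip():
        findings.append("pre-shared key differs between the FVS318 and isakmpd")

    # Phase 2: each side's remote network must be the other side's local one.
    for conn_name in conf["Phase 2"]["Connections"].split(","):
        conn = conf[conn_name.strip()]
        pairs = (("Remote", conf[conn["Local-ID"]]),   # FVS318 remote = OpenBSD local
                 ("Local", conf[conn["Remote-ID"]]))   # FVS318 local = OpenBSD remote
        for label, section in pairs:
            ng = ipaddress.IPv4Network((netgear[f"{label} IP Network"],
                                        netgear[f"{label} IP Subnet Mask"]))
            bsd = ipaddress.IPv4Network((section["Network"], section["Netmask"]))
            if ng != bsd:
                findings.append(f"FVS318 {label} IP Network {ng} does not match isakmpd {bsd}")
            if not ng.is_private:
                findings.append(f"FVS318 {label} IP Network {ng} is not an RFC 1918 range, probably a typo")
        # The FVS318 has PFS on, so Quick Mode must offer at least one PFS suite.
        suites = conf[conn["Configuration"]].get("Suites", "").split(",")
        if netgear["Perfect Forward Secrecy"] and not any("PFS" in s for s in suites):
            findings.append(f"[{conn_name}] offers no PFS suite but the FVS318 has PFS enabled")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel(ISAKMPD_CONF, NETGEAR):
        print(finding)
```

The checker strips whitespace around the pre-shared key on purpose: a trailing space pasted into either side is invisible in the configs but makes the Phase 1 hashes disagree, which the daemon reports only as retransmits and eventually "giving up on message".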




Thread at a glance:

Previous Message by Date:

Differences between OpenBSD and FreeBSD -V option in make

While working on a portupgrade-like utility for OpenBSD, I've noticed that FreeBSD's make and OpenBSD's make treat the -V option differently. FreeBSD-make recursively evaluates the variable(s) provided, while OpenBSD-make does not. This variable expansion is a feature I need for the portupgrade utility. Example Makefile...

DISTNAME= Atlas-C++-${VERSION}
PKGNAME= ${DISTNAME:S/C++-//:L}

# make -V PKGNAME
FreeBSD-make returns 'atlas-0.4.3.1'
OpenBSD-make returns '${DISTNAME:S/C++//:L}'

I've created a patch for make which mimics the FreeBSD expansion with the same option (-X) to disable expansion. Is this feature currently missing because it *should* be missing? The patch may be found at either of the two following links. As I'm new to this, comments would be greatly appreciated.

http://ra.dweebsoft.com/make.patch (raw - no html) or http://ra.dweebsoft.com/make.patch.html

--daxbert

Next Message by Date:

Re: Sentinel_SSH VPN client and Certs

On Fri, 28 Feb 2003, Infra wrote:
...
> 124805.916159 Negt 40 ike_phase_1_recv_ID: USER_FQDN:
> 124805.917337 Negt 40 6c617074 6f703240 63796265 72746865 7175652e 6e6574
> 124805.918905 Cryp 70 x509_hash_find: no certificate matched query
> 124805.936671 Misc 95 conf_get_str: configuration value not found [X509-certificates]:Accept-self-signed
> 124805.937601 Default x509_cert_validate: unable to get local issuer certificate
> 124805.941124 Default rsa_sig_decode_hash: received CERT can't be validated

Looks like you have not installed the (correct) CA cert (Issuer: C=US, ST=MN, L=Duluth, O=Cybertheque, CN=nat1.cybertheque.net/emailAddress=root@xxxxxxxxxxxxxxxxxxxx), so this one cannot be verified/trusted. Hint: does 'openssl verify -CAfile <path>/ca.crt <path>/some_cert.crt' work? (some_cert.crt is the above one, ca.crt is the CA cert that's supposed to validate it).

> 124805.942030 Misc 95 conf_get_str: configuration value not found [General]:Pubkey-directory
> 124805.955928 Negt 50 get_raw_key_from_file: file /etc/isakmpd/pubkeys/ufqdn/laptop2@xxxxxxxxxxxxxxx not found

This is isakmpd trying to find a trusted public key by other methods.

> 124805.956876 Default rsa_sig_decode_hash: no public key found
> 124805.957946 Default dropped message from 172.16.5.18 port 500 due to notification type INVALID_ID_INFORMATION

But no key is found, so it fails and reports this back to the other peer.

/H
--
Håkan Olsson <ho@xxxxxx> (+46) 708 437 337
Carlstedt Research & Technology AB
Unix, Networking, Security (+46) 31 701 4264
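The two threads on this page diagnose the same daemon from its log lines by eye. The following is an added example, not code from the thread or from isakmpd, that does the same reading mechanically: it splits both log prefixes seen here (the `HHMMSS.usec Class [Level]` form isakmpd prints when run in the foreground with -d, and the syslog form from the detached daemon) into function and message, then matches each message against a small rule table whose diagnoses follow the replies in this thread. The sample lines are quoted from the page, joined where the mail client had wrapped them, with the masked address kept as it appears; the `LINE_RE` format and the wording of the diagnoses are this example's own.

```python
"""Map isakmpd log lines to the condition each one reports (added example)."""
import re

# Lines quoted from this thread (ted jordan's startup errors and the
# Sentinel_SSH debug output in Håkan Olsson's reply), mail wrapping undone.
SAMPLE_LOG = """\
073132.444146 Default x509_read_crls_from_dir: opendir ("/etc/isakmpd/crls/") failed: No such file or directory
073132.444686 Default x509_crl_init: x509_read_from_dir failed
Feb 21 07:32:27 etrac isakmpd[20701]: transport_send_messages: giving up on message 0x114800
124805.916159 Negt 40 ike_phase_1_recv_ID: USER_FQDN:
124805.917337 Negt 40 6c617074 6f703240 63796265 72746865 7175652e 6e6574
124805.918905 Cryp 70 x509_hash_find: no certificate matched query
124805.936671 Misc 95 conf_get_str: configuration value not found [X509-certificates]:Accept-self-signed
124805.937601 Default x509_cert_validate: unable to get local issuer certificate
124805.941124 Default rsa_sig_decode_hash: received CERT can't be validated
124805.942030 Misc 95 conf_get_str: configuration value not found [General]:Pubkey-directory
124805.955928 Negt 50 get_raw_key_from_file: file /etc/isakmpd/pubkeys/ufqdn/laptop2@xxxxxxxxxxxxxxx not found
124805.956876 Default rsa_sig_decode_hash: no public key found
124805.957946 Default dropped message from 172.16.5.18 port 500 due to notification type INVALID_ID_INFORMATION
"""

# Two prefixes occur in the thread: "HHMMSS.usec Class [Level]" from a
# foreground "isakmpd -d", and the syslog form from the detached daemon.
# The "func:" part is optional because some messages carry no function name.
LINE_RE = re.compile(
    r"^(?:"
    r"\d{6}\.\d+\s+(?P<cls>\w+)\s+(?:(?P<lvl>\d+)\s+)?"
    r"|\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+isakmpd\[\d+\]:\s+"
    r")(?:(?P<func>[A-Za-z_]\w*):\s*)?(?P<msg>.*)$"
)

# Diagnoses follow the replies in this thread; the "giving up" entry gives the
# generic retransmit meaning of that message, which the thread did not settle.
RULES = [(re.compile(p), d) for p, d in (
    (r'x509_read_crls_from_dir: opendir \("(?P<dir>[^"]+)"\) failed',
     "CRL directory {dir} is missing: create it (empty is fine, it is not used with pre-shared keys)"),
    (r"transport_send_messages: giving up on message",
     "no usable reply within the retransmit budget: check UDP/500 reachability, the pre-shared key and the proposals"),
    (r"x509_cert_validate: unable to get local issuer certificate",
     "peer certificate does not chain to an installed CA: install the issuing CA cert and test with 'openssl verify -CAfile ca.crt cert.crt'"),
    (r"get_raw_key_from_file: file (?P<path>\S+) not found",
     "fallback raw public-key lookup failed at {path}"),
    (r"rsa_sig_decode_hash: no public key found",
     "nothing to verify the peer's signature with, so phase 1 authentication fails"),
    (r"dropped message from (?P<peer>\S+) port (?P<port>\d+) due to notification type (?P<notify>\w+)",
     "message from {peer}:{port} rejected with notification {notify}"),
)]


def parse_line(line):
    """Split one log line into class, level, function and message, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["text"] = f"{fields['func']}: {fields['msg']}" if fields["func"] else fields["msg"]
    return fields


def triage(log_text):
    """Return (function, diagnosis) for every line some rule recognises."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line.strip())
        if fields is None:
            continue
        for pattern, diagnosis in RULES:
            m = pattern.search(fields["text"])
            if m:
                findings.append((fields["func"], diagnosis.format(**m.groupdict())))
                break
    return findings


if __name__ == "__main__":
    for func, diagnosis in triage(SAMPLE_LOG):
        print(f"{func or '-'}: {diagnosis}")
```

Lines that no rule knows (the hex dump of the USER_FQDN identity, the `conf_get_str` lookups) are parsed but produce no finding, so the rule table can grow without the parser changing.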


Next Message by Thread:

Re: Netgear FVS318 VPN connect to OpenBSD Router

I would check the shared secret first, eg. retype it in the config and then try getting rid of any white space around it. Then try doing MD5, eg. change the default-quickmode line to look like this:

QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-3DES-MD5-PFS-SUITE

And maybe even the default-mainmode to something like this:

Transforms= 3DES-SHA,3DES-MD5

If that fails run isakmpd with the -d -D9=99 flag, and then maybe even -d -DA=99 (the latter will produce a lot of output.) Also have you looked at this website? http://ruff.cs.jmu.edu/~beetle/download/befvp41.html

Just a thought, maybe there's something that I've missed.

On Fri, Feb 21, 2003 at 11:35:09AM -0700, Sébastien Taylor had written:
> As far as the /etc/isakmpd/crls/ directory goes, you just have to create it.
> I'll let someone else comment on the "giving up on message..." error.

--
David Bryan
Dr. Strangelove Networking
Peace can only come as a natural consequence of universal enlightenment... -Nikola Tesla, "My Inventions: the autobiography of Nikola Tesla"
