
[Users] opportunistic encryption within a subnet

From: Britt Ethan Houser (britthouser_at_mail.com)
Date: Thu Mar 21 2002 - 13:21:34 CET


Hey all,

I found someone asked this same question in January, but I never found a
reply. I have the same question. Our scenario is we are trying to
secure our wireless ad-hoc network (since WEP is broken) using IPSEC
and opportunistic encryption. We have set up the KEYs in the reverse DNS
map and verified that works using a simple point-to-point connection. We
have tried to use this default opportunistic setup in the ipsec.conf
file:

conn me-to-anyone # for our client subnet
        left=%defaultroute # our SG (defaults leftnexthop too)
        right=%opportunistic # anyone we can authenticate via DNS
        keylife=1h
        rekey=no # let unused connections die

We did an 'ipsec auto --add me-to-anyone' followed by a 'ipsec auto
--route me-to-anyone'. Following is our 'ipsec whack --status':

000 interface ipsec0/eth0 192.168.1.111
000
000 "me-to-anyone": 192.168.1.111---192.168.1.1...%opportunistic
000 "me-to-anyone": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "me-to-anyone": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC; interface: eth0; trap erouted
000 "me-to-anyone": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000

It appears that this setup only tries to negotiate opportunistically
when our traffic goes through the default route (i.e. 192.168.1.1). All
traffic going to the subnet remains in the clear. If we change the
'left=%defaultroute' to left='192.168.1.111' then that removes
192.168.1.1 from the opportunistic path. However, when we try to auto
route or up this connection we get the following errors:

[root_at_atlanticcity root]# ipsec auto --route me-to-anyone
025 "me-to-anyone": cannot route connection without knowing nexthop
025 "me-to-anyone": could not route
[root_at_atlanticcity root]# ipsec auto --up me-to-anyone
029 "me-to-anyone": cannot initiate connection without knowing peer IP address

Is this setup even possible? I hope so b/c this is for my senior design
project! Any hints or ideas would be greatly appreciated.

britt

-- 
I therefore, a prisoner for the Lord, beg you to lead a life worthy of the
calling to which you have been called, with all lowliness and meekness, with
patience, forbearing one another in love, eager to maintain the unity of the
Spirit in the bond of peace.  Eph 4:1-3

_______________________________________________ Users mailing list Users_at_lists.freeswan.org http://lists.freeswan.org/mailman/listinfo/users
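As an added example (not code from the post or from FreeS/WAN itself), a small parser for the `ipsec whack --status` format quoted above, so the state of an opportunistic conn (trap armed, nexthop it is keyed on, whether any SA has been established) can be checked from a script rather than by eye. It assumes the line layout exactly as Pluto prints it in the post, with the mail-wrapped lines re-joined.

```python
import re

# Constructed sample: the `ipsec whack --status` lines quoted above, re-joined.
STATUS = """\
000 interface ipsec0/eth0 192.168.1.111
000
000 "me-to-anyone": 192.168.1.111---192.168.1.1...%opportunistic
000 "me-to-anyone": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "me-to-anyone": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC; interface: eth0; trap erouted
000 "me-to-anyone": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
"""
CONN_LINE = re.compile(r'^000 "(?P<name>[^"]+)": (?P<body>.*)$')

def _fields(body):
    # 'k: v; k: v; flag' -> ({k: v}, [flag, ...])
    parts = [p.strip() for p in body.split(';') if p.strip()]
    return (dict(p.split(': ', 1) for p in parts if ': ' in p),
            [p for p in parts if ': ' not in p])

def parse_status(text):
    """Map conn name -> endpoints, policy flags, eroute state and newest SAs."""
    conns = {}
    for line in text.splitlines():
        m = CONN_LINE.match(line)
        if not m:
            continue
        c, body = conns.setdefault(m['name'], {}), m['body']
        if '---' in body:                          # left---nexthop...right
            left, rest = body.split('---', 1)
            c['leftnexthop'], c['right'] = rest.split('...', 1)
            c['left'] = left
        elif body.startswith('policy:'):
            kv, flags = _fields(body)
            c['policy'] = set(kv['policy'].split('+'))
            c['interface'] = kv['interface']
            c['eroute_state'] = flags[0] if flags else None  # e.g. 'trap erouted'
        elif 'newest ISAKMP SA' in body:
            kv, _ = _fields(body)
            c['isakmp_sa'], c['ipsec_sa'] = kv['newest ISAKMP SA'], kv['newest IPsec SA']
    return conns

def oe_summary(conn):
    """Is the OE trap armed, and has a tunnel actually been keyed yet?"""
    armed = ('OPPORTUNISTIC' in conn['policy'] and conn['right'] == '%opportunistic'
             and conn['eroute_state'] == 'trap erouted')
    return {'armed': armed, 'keyed': conn['ipsec_sa'] != '#0',
            'nexthop': conn['leftnexthop'], 'interface': conn['interface']}
```

For the output in the post this reports the trap armed on eth0 with nexthop 192.168.1.1 and nothing keyed, which is the state the post describes: the trap only catches traffic headed for that gateway.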



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:46 CEST