
[Users] Symantec's Distinguished Name is a KEY_ID

From: Andreas Steffen (andreas.steffen_at_zhwin.ch)
Date: Wed Apr 03 2002 - 22:54:22 CEST


I was asked to have a look at the Symantec Firewall/VPN Appliance
Model 200R. Since I was interested in interoperability with
FreeS/WAN, preferably with X.509 certificates, I agreed to do it.

Symantec's little yellow box knows two types of IDs: IP addresses
and a type they call a Distinguished Name. This kindled a slight
hope that the box would support certificates. But I soon found
out that only preshared secrets are implemented and that the
distinguished name is a misnomer for an opaque KEY_ID. But since
the X.509 patch has built-in KEY_ID support (thanks to its origins
as a PGPnet patch developed by Kai Martius to support OpenPGP
certificates) I decided to post the setup to this list.

BTW - SonicWall also seems to be fond of KEY_IDs, so this might
help with that product, too.

My VPN topology is the following:

160.85.106.252/30===160.85.139.240---160.85.20.100===160.85.22.0/24
                    freeswan-1.96 Symantec box
                        with
                   x509patch-0.9.9

First I set up the connection with IP addresses and preshared
secrets, which was quite trivial:

ipsec.conf:

conn symantec
        right=160.85.20.100
        rightsubnet=160.85.22.0/24
        left=160.85.139.240
        leftsubnet=160.85.106.252/30
        authby=secret
        auto=add

ipsec.secrets:

160.85.20.100 160.85.139.240 : PSK "u0h02kpTcAEjhWYBeQpi4D2MqescRo"

In a second step I changed the ID type of the Symantec side
to "Distinguished Name" and chose as "phase 1 ID" the ASCII string

  symantec

The FreeS/WAN side I left at IPV4_ADDRESS although it is possible to
specify a "phase 1 ID" string, too. X.509 enhanced FreeS/WAN allows
specifying a KEY_ID as a binary string in HEX format.

With the ASCII-to-HEX conversion

  echo "symantec" | od -t x1
  0000000 73 79 6d 61 6e 74 65 63 0a

I get the KEY_ID

  rightid=@#73796d616e746563

and the configuration becomes

ipsec.conf:

conn symantec-dn
        right=160.85.20.100
        rightid=@#73796D616E746563
        rightsubnet=160.85.22.0/24
        left=160.85.139.240
        leftsubnet=160.85.106.252/30
        authby=secret
        auto=add

ipsec.secrets:

@#73796D616E746563 160.85.139.240 : PSK "u0h02kpTcAEjhWYBeQpi4D2MqescRo"

An excerpt from the log shows that this setup works:

"symantec-dn" #484: responding to Main Mode
"symantec-dn" #484: OAKLEY_DES_CBC is not supported. Attribute
OAKLEY_ENCRYPTION_ALGORITHM
"symantec-dn" #484: OAKLEY_DES_CBC is not supported. Attribute
OAKLEY_ENCRYPTION_ALGORITHM
"symantec-dn" #484: Peer ID is ID_KEY_ID: '0x73796D616E746563'
"symantec-dn" #484: sent MR3, ISAKMP SA established
"symantec-dn" #485: responding to Quick Mode
"symantec-dn" #485: IPsec SA established

Regards

Andreas

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
===============================================================[ZHW]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
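The ASCII-to-HEX conversion and the log check from the post above, as an added Python example (not code from the original message or from FreeS/WAN): it derives the `@#` KEY_ID from the phase-1 ID string, dropping the trailing newline that `echo` adds (the `0a` at the end of the `od` output, which must not become part of the ID), and verifies that the `Peer ID is ID_KEY_ID` log line actually matches the configured `rightid`. Function names are assumptions; the log line is copied from the post.

```python
"""Derive a FreeS/WAN KEY_ID from an ASCII phase-1 ID and check it against the log.

Example code added to this archived post; the function names are assumptions.
"""
import re

KEYID_PREFIX = "@#"   # FreeS/WAN X.509 patch syntax for a binary KEY_ID in hex


def ascii_to_keyid(phase1_id: str) -> str:
    """Turn the peer's ASCII 'Distinguished Name' into the @#HEX form.

    A trailing newline is stripped: `echo "symantec" | od -t x1` shows a
    final 0a byte that belongs to echo, not to the identifier.
    """
    raw = phase1_id.rstrip("\n").encode("ascii")
    return KEYID_PREFIX + raw.hex().upper()


def keyid_to_ascii(keyid: str) -> str:
    """Reverse conversion, useful when reading an ipsec.conf/ipsec.secrets entry."""
    if not keyid.startswith(KEYID_PREFIX):
        raise ValueError("not a KEY_ID: expected the '@#' prefix")
    return bytes.fromhex(keyid[len(KEYID_PREFIX):]).decode("ascii")


# Pluto logs the negotiated peer identity as: Peer ID is ID_KEY_ID: '0x...'
_PEER_ID_RE = re.compile(r"Peer ID is ID_KEY_ID: '0x([0-9A-Fa-f]+)'")


def peer_keyid_from_log(line: str):
    """Extract the peer KEY_ID (in @#HEX form) from a Pluto log line, or None."""
    match = _PEER_ID_RE.search(line)
    return None if match is None else KEYID_PREFIX + match.group(1).upper()


def peer_matches_config(line: str, rightid: str) -> bool:
    """True if the logged peer identity equals the configured rightid.

    Hex case is ignored: the post writes the same ID both as
    @#73796d616e746563 and @#73796D616E746563.
    """
    peer = peer_keyid_from_log(line)
    if peer is None or not rightid.startswith(KEYID_PREFIX):
        return False
    return peer[len(KEYID_PREFIX):].lower() == rightid[len(KEYID_PREFIX):].lower()


def secrets_line(keyid: str, local_ip: str, psk: str) -> str:
    """Render the matching ipsec.secrets entry (PSK is a constructed placeholder)."""
    return f'{keyid} {local_ip} : PSK "{psk}"'
```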
