
Re: [Users] newbie questions

From: Donavan Pantke (avatar_at_dcr.net)
Date: Mon Apr 22 2002 - 15:05:54 CEST


On Monday 22 April 2002 08:29, Leonardo Rodrigues Magalhães wrote:

> 1) After successfully compiling and installing FreeSWAN, I've configured
> it. In my case, I'm using preshared secrets to build an IPSEC tunnel
> between two machines. No matter what I tried, I always get this error in
> the messages file:
>
> Apr 22 09:22:34 firewall ipsec__plutorun: 104 "teste" #1: STATE_MAIN_I1:
> initiate
> Apr 22 09:22:34 firewall ipsec__plutorun: ...could not start conn "teste"
>
> The strangest thing is that the IPSEC tunnel IS working. If I tcpdump traffic on
> eth0, I can see only ESP packets, and real traffic is going in ipsec0.
>
> Question: should I worry about this error? Is it possible to fix it?
> I've noticed that Freeswan 1.97 is out ... I'm doing these tests with
> 1.96/kernel 2.4.18. Would upgrading help?

        I'm running with 1.96 and 2.4.16, and things look good. I would need to see
your ipsec.conf to see what's going on. Of course only ESP traffic would come
from ipsec0. There's nothing that's unencrypted that ever hits ipsec0 that I
know of. If you're seeing live traffic going across the tunnel, and not just
encrypted packets on eth0, that tells me that communication is up, but the
packets are being sent in the clear. A log message from IPSEC that says that
life is good would say something like this:

Apr 22 09:04:00 vpn1 Pluto[19699]: "dpapt-panhouse2" #928: sent MR3, ISAKMP
SA established

>
> 2) As I told, I'm using preshared secrets and have enabled IKE.
> Question is: the key used for crypto stuff is the one I defined on
> /etc/ipsec.secrets or that key is just for 'authenticating' IKE on both
> machines ?

        PSKs are used as the base for IKE to authenticate to the remote machine so
that they can negotiate the 3DES keys used in the actual data encryption. The
3DES keys are re-negotiated at regular intervals so that no one who could
actually crack the key could crack it in time to decrypt live traffic.

>
> 3) Supposing it's used just for IKE stuff (which I mean is the correct
> answer for my question 2), what is the size of the encryption key supplied by
> IKE? I mean, what's the crypto key size? I know we're using 3DES, but is it
> 96, 128, or 256 bits?

        The 3DES spec always uses 128-bit keys (actually, it's three 56-bit keys; 1DES
uses one 56-bit key). Now, crypto key sizes for the IKE negotiation depend on
the method you're using. For PSK, pretty much the key length is the length of
the PSK.

>
> Thanks for your attention, and I hope to hear from you soon,
> Leonardo Rodrigues
> Soluções IP
>

        HTH's
        Donavan Pantke
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
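The thread turns on reading Pluto's log to tell a tunnel whose IKE negotiation really completed from one that only appears to work. The following is an added example (not code from the thread or from FreeS/WAN) that parses the two log shapes quoted above, tracks the latest state per connection, and reports connections that failed to start or never reached "ISAKMP SA established". The "IPsec SA established" phrase checked for the Phase 2 state is assumed from Pluto's usual STATE_QUICK output and does not appear in the thread.

```python
import re
from dataclasses import dataclass

# Two syslog shapes appear in the thread:
#   ... ipsec__plutorun: 104 "teste" #1: STATE_MAIN_I1: initiate
#   ... Pluto[19699]: "dpapt-panhouse2" #928: sent MR3, ISAKMP SA established
STATE_RE = re.compile(
    r'(?:ipsec__plutorun:(?: \d+)?|Pluto\[\d+\]:) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$'
)
# Startup failure reported by _plutorun, as quoted in the first question.
FAIL_RE = re.compile(r'ipsec__plutorun: \.\.\.could not start conn "(?P<conn>[^"]+)"')


@dataclass
class ConnStatus:
    last_state: str = ""
    isakmp_up: bool = False   # Phase 1 (ISAKMP SA) completed
    ipsec_up: bool = False    # Phase 2 (IPsec SA) completed; phrase assumed, see lead-in
    failed: bool = False      # _plutorun reported "could not start conn"


def summarize_pluto_log(lines):
    """Return {connection name: ConnStatus} from an iterable of syslog lines."""
    status = {}
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            status.setdefault(m.group("conn"), ConnStatus()).failed = True
            continue
        m = STATE_RE.search(line)
        if not m:
            continue
        st = status.setdefault(m.group("conn"), ConnStatus())
        st.last_state = m.group("msg")
        if "ISAKMP SA established" in st.last_state:
            st.isakmp_up = True
        if "IPsec SA established" in st.last_state:
            st.ipsec_up = True
    return status


def connections_needing_attention(status):
    """Names of connections that failed to start or never finished Phase 1."""
    return sorted(n for n, s in status.items() if s.failed or not s.isakmp_up)


# Constructed sample built from the lines quoted in this thread.
SAMPLE_LOG = [
    'Apr 22 09:22:34 firewall ipsec__plutorun: 104 "teste" #1: STATE_MAIN_I1: initiate',
    'Apr 22 09:22:34 firewall ipsec__plutorun: ...could not start conn "teste"',
    'Apr 22 09:04:00 vpn1 Pluto[19699]: "dpapt-panhouse2" #928: sent MR3, ISAKMP SA established',
]

if __name__ == "__main__":
    print(connections_needing_attention(summarize_pluto_log(SAMPLE_LOG)))
```

Run it against /var/log/messages (or wherever syslog puts Pluto's output) to see which connections stalled before their ISAKMP SA came up.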
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:52 CEST