
[Users] Shared Secrets using SSH Sentinel fails

From: Ruben I Safir (ruben_at_mrbrklyn.com)
Date: Sun Jun 30 2002 - 17:27:01 CEST


Hello

I've been knocking myself out trying to get the shared secrets
to work between FreeS/WAN and SSH Sentinel. I've pored over documentation
and I'm completely out of ideas.

I have a non-patched version of FreeS/WAN running on a server.

The Server has worked BEAUTIFULLY from Linux to Linux.

My ipsec.conf looks like this:

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=all
        plutodebug=all
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # RSA authentication with keys from DNS.
        #authby=rsasig
        authby=secret
        #leftrsasigkey=%dns
        #rightrsasigkey=%dns

# connection description for (experimental!) opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
conn me-to-anyone
        left=%defaultroute
        right=%opportunistic
        # uncomment to enable incoming; change to auto=route for outgoing
        #auto=add

conn mrbrklyn-rmcpa
        # Left security gateway, subnet behind it, next hop toward right.
        leftid=@www2.mrbrklyn.com
        leftrsasigkey=some long key
        left=216.254.112.136
        leftsubnet=10.0.0.0/24
        leftnexthop=216.254.112.1
        # Right security gateway, subnet behind it, next hop toward left.
        rightid=@ghost.rm-cpa.com
        rightrsasigkey=some long key
        right=216.112.229.115
        rightsubnet=192.168.0.0/24
        rightnexthop=216.112.229.113
        # To authorize this connection, but not actually start it, at startup,
        # uncomment this.
        auto=add

conn www2-ghost
        # Left security gateway, subnet behind it, next hop toward right.
        leftid=@www2.mrbrklyn.com
        leftrsasigkey=some long key
        left=216.254.112.136
        leftnexthop=216.254.112.1
        # Right security gateway, subnet behind it, next hop toward left.
        rightid=@ghost.rm-cpa.com
        rightrsasigkey=some long key
        right=216.112.229.115
        rightnexthop=216.112.229.113
        # To authorize this connection, but not actually start it, at startup,
        # uncomment this.
        auto=add

conn www2-rmcpa
        # Left security gateway, subnet behind it, next hop toward right.
        leftid=@www2.mrbrklyn.com
        leftrsasigkey=some long key
        left=216.254.112.136
        leftnexthop=216.254.112.1
        # Right security gateway, subnet behind it, next hop toward left.
        rightid=@ghost.rm-cpa.com
        rightrsasigkey=some long key
        right=216.112.229.115
        rightnexthop=216.112.229.113
        rightsubnet=192.168.0.0/24
        # To authorize this connection, but not actually start it, at startup,
        # uncomment this.
        auto=add

conn rmcpalap
        type=tunnel
        left=216.112.229.115
        leftnexthop=216.112.229.113
        leftsubnet=192.168.0.0/24
        right=0.0.0.0
        rightnexthop=
        rightsubnet=
        keyexchange=ike
        keylife=8h
        pfs=yes
        authby=secret
        auto=add

ipsec.secrets is this:
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

216.112.229.115 %any: PSK "THE STUPID SECRET"

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
: RSA {
        # RSA 2048 bits phantom.rm-cpa.com Tue Sep 25 17:51:20 2001
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=some long key
        # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
        Modulus: some long key
        PublicExponent: 0x03
        # everything after this point is secret
        PrivateExponent: some long key
        Prime1: Some Long Key
        Exponent1: Some Long Key
        Exponent2: Some Long Key
        Coefficient: Some Long Key
        }
# do not change the indenting of that "}"

Originally, when I had authby=rsasig in %default, it complained that I was using the wrong certificate,
regardless of having 'new preshared key' selected for the authentication key.

Now the IKE window says:

0.0.0.0:500 (Initiator) <-> 216.112.229.115:500 { b6160729 b9000000 - 7b7113b1 1152b34e [-1] / 0x00000000 } IP; No pre shared key found
0.0.0.0:500 (Initiator) <-> 216.112.229.115:500 { b6160729 b9000000 - 7b7113b1 1152b34e [-1] / 0x00000000 } IP; No pre shared key found
0.0.0.0:500 (Initiator) <-> 216.112.229.115:500 { b6160729 b9000000 - 7b7113b1 1152b34e [-1] / 0x00000000 } IP; Error = Authentication failed (24)
unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 216.112.229.115:500
unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 216.112.229.115:500
0.0.0.0:500 (Initiator) <-> 216.112.229.115:500 { 88b95a6e c0000001 - a51dbf97 cb047c56 [-1] / 0x00000000 } IP; No pre shared key found
0.0.0.0:500 (Initiator) <-> 216.112.229.115:500 { 88b95a6e c0000001 - a51dbf97 cb047c56 [-1] / 0x00000000 } IP; No pre shared key found
0.0.0.0:500 (Initiator) <-> 216.112.229.115:500 { 88b95a6e c0000001 - a51dbf97 cb047c56 [-1] / 0x00000000 } IP; Error = Authentication failed (24)
unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 216.112.229.115:500
unknown (unknown) <-> unknown { unknown [unknown] / unknown } unknown; Packet to unknown Isakmp SA, ip = 216.112.229.115:500

I need the RSA authentication AND the pre-shared secret to work. I've pored over SSH's docs and FreeS/WAN's
docs. I'm at a complete loss.

One more point: the pre-shared secrets window in Sentinel should handle cut and paste better.

And as a general question, why does SSH's documentation recommend making three keys with openssl
in its document "VPN Connection with Certificates to FreeS/WAN Security Gateway"?

-- 
__________________________

Brooklyn Linux Solutions
__________________________
http://www.mrbrklyn.com - Consulting
http://www.brooklynonline.com - For the love of Brooklyn
http://www.nylxs.com - Leadership Development in Free Software
http://www.nyfairuse.org - The foundation of Democracy
http://www2.mrbrklyn.com/resources - Unpublished Archive or stories and articles from around the net
http://www2.mrbrklyn.com/mp3/dr.mp3 - Imagine my surprise when I saw you...
http://www2.mrbrklyn.com/downtown.html - See the New Downtown Brooklyn....

1-718-382-5752

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:17 CEST