
Re: [Users] creating shared secret conn

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Tue Jul 09 2002 - 08:03:06 CEST


Hi Steve,

these IDs must be coded as KEY_IDs which are supported
by the X.509 patch. Since this ID type is also used by PGPnet
for the key IDs of OpenPGP IDs, they must be entered in HEX
Format.

Thus "sonic" must be converted to HEX by e.g. the command

   echo -n "sonic" | od -t x1
   0000000 73 6f 6e 69 63

and

   echo -n "freeswan" | od -t x1
   0000000 66 72 65 65 73 77 61 6e

and you can write

conn happy
      left=1.2.3.4
      leftsubnet=192.168.90.0/24
      leftid=@#736f6e6963
      right=%defaultroute
      rightid=@#667265657377616e
      authby=secret
      auto=start

and

@#736f6e6963 @#667265657377616e : PSK "this is not my shared secret"

As Sam Sgro correctly pointed out, this is not going to work
with road warriors possessing dynamic IP addresses since the
KEY_ID will be transmitted in encrypted form and in order to
decrypt it you will need the preshared secret. Therefore all
road warriors must share the same secret.

SonicWall uses these KEY_IDs in connection with Aggressive Mode
where the ID is transmitted unencrypted. FreeS/WAN does not
support Aggressive Mode.

Regards

Andreas

Steve Feehan wrote:
> I'm trying to create a shared secret conn from freeswan (right) to
> a sonicwall firewall (left). Redhat 7.2, using the 1.98 rpms. Here's
> the error I get when I do 'service ipsec start' :
>
> Jul 8 13:47:03 localhost ipsec_setup: ...FreeS/WAN IPsec started
> Jul 8 13:47:03 localhost ipsec__plutorun: 027 bad left --id: illegal (non-DNS-name) character in name (ignored)
> Jul 8 13:47:03 localhost ipsec__plutorun: 027 bad right --id: does not look numeric and name lookup failed (ignored)
> Jul 8 13:47:03 localhost ipsec__plutorun: ...could not add conn "happy"
>
> Here's the excerpt from the ipsec.conf file:
>
> conn happy
> left=1.2.3.4
> leftsubnet=192.168.90.0/24
> leftid="sonic"
> right=%defaultroute
> rightid="freeswan"
> authby=secret
> auto=start
>
> I've created an ipsec.secrets file of the form:
>
> 1.2.3.4 : PSK "this is not my shared secret"
>
>
> Any clues as to the bad left and right --id errors? Thanks!

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
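The conversion and the two configuration fragments described in the reply above, as an added shell example that is not part of the original post or of FreeS/WAN itself: `keyid_hex`, `conn_block` and `secrets_line` are hypothetical helper names, the `od` pipeline is the one from the post with the offset column suppressed, and the addresses and secret are the placeholders used in the thread. The helper also rejects an ID that is not plain text before it is written into either file, which is the class of mistake behind the "illegal (non-DNS-name) character" error Steve saw.

```shell
#!/bin/sh
# Hypothetical helpers (added example, not from the list post or FreeS/WAN).
# FreeS/WAN with the X.509 patch accepts SonicWall-style key IDs only as
# KEY_IDs written as @# followed by the hex encoding of the ID string.

# Turn an ID string into the @#<hex> form.  Same od pipeline as the post;
# -An drops the offset column so only the byte values remain.
keyid_hex() {
    printf '%s' "$1" | od -An -t x1 | tr -d ' \n' | sed 's/^/@#/'
}

# Refuse IDs that contain quotes or whitespace: they would either be stored
# with the quotes as part of the name (the error in the thread) or split the
# ipsec.secrets index line.  Returns 0 when the ID is usable.
keyid_ok() {
    case "$1" in
        '' | *[\"\'[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the ipsec.conf conn block.  Arguments: conn name, left address,
# left subnet, left ID string, right ID string.  The addresses are the
# constructed placeholders from the thread, not real hosts.
conn_block() {
    name=$1 left=$2 leftsubnet=$3 leftid=$4 rightid=$5
    keyid_ok "$leftid" && keyid_ok "$rightid" || return 1
    printf 'conn %s\n' "$name"
    printf '      left=%s\n' "$left"
    printf '      leftsubnet=%s\n' "$leftsubnet"
    printf '      leftid=%s\n' "$(keyid_hex "$leftid")"
    printf '      right=%%defaultroute\n'
    printf '      rightid=%s\n' "$(keyid_hex "$rightid")"
    printf '      authby=secret\n'
    printf '      auto=start\n'
}

# Emit the matching ipsec.secrets line.  Both IDs must appear in exactly the
# same hex form as in ipsec.conf, otherwise pluto cannot select the PSK.
secrets_line() {
    keyid_ok "$1" && keyid_ok "$2" || return 1
    printf '%s %s : PSK "%s"\n' "$(keyid_hex "$1")" "$(keyid_hex "$2")" "$3"
}

# Demo with the thread's placeholder values; run the script to see both fragments.
conn_block happy 1.2.3.4 192.168.90.0/24 sonic freeswan
secrets_line sonic freeswan "this is not my shared secret"
```

Because the PSK is selected by the pair of hex IDs, every peer that is to use this secret must present the same IDs; this is the road-warrior limitation Andreas describes, and the script does nothing to change it.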

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:19 CEST