From: Sam Sgro (sam_at_freeswan.org)
Date: Wed Nov 13 2002 - 11:05:21 CET
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, 12 Nov 2002, Jason McCormick wrote:
> conn work
> esp=3des-md5-96
> espenckey=0x2aa56f5d{somekey}
> espauthkey=0xfe9dcc11{somekey}
> spi=0x{HEX}
> left=10.0.0.2
> leftsubnet=10.0.0.0/24
> leftnexthop=10.0.0.1
> # Left security gateway, subnet behind it, next hop toward right.
> # Right security gateway, subnet behind it, next hop toward left.
> right=11.11.11.3
> rightsubnet=172.16.2.0/23
> rightnexthop=11.11.11.1
> # To authorize this connection, but not actually start it, at startup,
> # uncomment this.
> auto=start
>
> I guess I have several questions (If this is covered in the FAQ please point
> me to it because I'm not seeing my exact needs)
>
> 1) Do I enter the exact same string in both espenckey= in the ipsec.conf and
> the "Cipher Key" field? And what I have in espauthkey= in the "HMAC Key"
> field? Are these values identical in both cases? Borderware gave me this
> configuration but wasn't clear if it was the same value or what.
What you've suggested as correspondences between CipherKey and HMAC key seems
reasonable.
Okay, so you're going to manually key: rule #1 - you can't use "auto=start".
You can use our "manualstart" parameter in ipsec.conf, or "ipsec manual
--up work" as a command. You can read the man pages for ipsec.conf plus
ipsec_manual and ipsec_spi for a lot more information on what you're trying to
do.
You may also benefit from a read through our interop document; however, our
Borderware references have little similarity to the configuration you're
attempting.
http://www.freeswan.ca/code/old/freeswan-Snapshot/doc/interop.html#borderware
> 2) If my home LAN is 10.0.0.0/23, my local workstation is .2, the DSL router
> .1 and the external side of the DSL router as, say, 2.2.2.2 do I have those
> values correct?
It certainly seems correct for a NAT setup; however, I can't speak for the
Borderware's configuration.
> The configuration seems to work with the ipsec commands,
(I assumed from seeing "auto=start" that you didn't realize the distinction
between auto and manual; perhaps I was mistaken, but it's a simple reason as
to why you'd be getting these errors.)
> but the connection
> never establishes itself. The firewall reports that it's rejecting the
> connection at "phase 1" but I think it's due to configuration error. Can
> anyone help?
Phase 1 represents IKE keying; if you're manually keying the connection,
however, the Borderware shouldn't be complaining about this. Perhaps it is
choosing the wrong "configuration", and, thinking you're a generic
Roadwarrior of some kind, tries to negotiate a PSK conn (and fails). Any
interesting FreeS/WAN log messages as a result?
--
Sam Sgro
sam_at_freeswan.org
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: For the matching public key, finger the Reply-To: address.
iQCVAwUBPdIj4kOSC4btEQUtAQGwVwQAhWDQB+ovYJQWCVegKY9ar3CiV33lensK
xxh+zEejbINaFOgNn9yHOf481ee9/N1nKi4ElbbXBDpcDWiq9h17PT4WQXa1G3ZW
rfV+4xJSeLw1INeDQPIE9o3+ZqW86hHn6fhlXa/nfBpOKkY6qwyXBkfKz2o1Tod7
bcE+2RPeL3w=
=n3Pw
-----END PGP SIGNATURE-----
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Fri Nov 15 2002 - 05:20:49 CET
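The reply above makes two points a practitioner would want to check mechanically before running "ipsec manual --up": a manually keyed conn must not carry auto=, and the cipher/HMAC keys and SPI must be well-formed and entered identically on both gateways. The script below is an added example written for this archive page, not FreeS/WAN code and not anything from the thread. It parses a conn section in ipsec.conf syntax with a deliberately minimal parser, checks that the key lengths match the esp= transform (assumed sizes: 3DES 192-bit encryption key, HMAC-MD5-96 128-bit and HMAC-SHA1-96 160-bit authentication key) and that the SPI is at least 0x100, and flags auto= on a manual conn. The sample conn text, its placeholder keys and the 192.0.2.x addresses are constructed for the example.

```python
"""Sanity-check a FreeS/WAN manually keyed conn before 'ipsec manual --up'.

Added example for this mailing-list thread; not FreeS/WAN code.
Assumed key-size rules: 3DES = 192-bit enc key, HMAC-MD5-96 = 128-bit
and HMAC-SHA1-96 = 160-bit auth key, SPI >= 0x100 (0-255 are reserved).
"""
import re

# Constructed sample conn (placeholder keys, documentation-range addresses).
SAMPLE_CONF = """\
conn work
    esp=3des-md5-96
    espenckey=0x0123456789abcdef0123456789abcdef0123456789abcdef
    espauthkey=0x00112233445566778899aabbccddeeff
    spi=0x1234
    left=10.0.0.2
    leftsubnet=10.0.0.0/24
    leftnexthop=10.0.0.1
    right=192.0.2.3
    rightsubnet=172.16.2.0/23
    rightnexthop=192.0.2.1
"""

ENC_KEY_BITS = {"3des": 192}                 # assumed table, extend as needed
AUTH_KEY_BITS = {"md5-96": 128, "sha1-96": 160}


def parse_conn(text, name):
    """Return {param: value} for the named conn section (minimal parser,
    assumed for this example: header lines start in column 0, parameters
    are indented, '#' starts a comment, a later duplicate key overrides)."""
    params = {}
    in_conn = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # section header such as "conn work"
            in_conn = line.split() == ["conn", name]
            continue
        if in_conn and "=" in line:
            key, value = line.strip().split("=", 1)
            params[key.strip()] = value.strip()
    return params


def hex_bits(value):
    """Bit length of a 0x-prefixed hex key; None if it is not clean hex."""
    if not re.fullmatch(r"0x[0-9a-fA-F]+", value):
        return None
    return (len(value) - 2) * 4


def check_manual_conn(params):
    """Return a list of problem strings; an empty list means the conn is consistent."""
    problems = []

    # Rule from the thread: auto= drives IKE (pluto). A manually keyed conn is
    # brought up via manualstart= or 'ipsec manual --up <name>' instead.
    if "auto" in params:
        problems.append("auto=%s set on a manually keyed conn" % params["auto"])

    esp = params.get("esp", "")
    cipher, _, auth = esp.partition("-")     # "3des-md5-96" -> "3des", "md5-96"
    if cipher not in ENC_KEY_BITS or auth not in AUTH_KEY_BITS:
        problems.append("esp=%r: expected <cipher>-<auth> such as 3des-md5-96" % esp)
        return problems

    for param, algo, want in (("espenckey", cipher, ENC_KEY_BITS[cipher]),
                              ("espauthkey", auth, AUTH_KEY_BITS[auth])):
        value = params.get(param)
        if value is None:
            problems.append("%s missing" % param)
            continue
        got = hex_bits(value)
        if got is None:
            problems.append("%s is not a 0x-prefixed hex string" % param)
        elif got != want:
            problems.append("%s is %d bits, %s needs %d" % (param, got, algo, want))

    spi = params.get("spi")
    if spi is None or hex_bits(spi) is None:
        problems.append("spi must be given as hex, e.g. spi=0x1234")
    elif int(spi, 16) < 0x100:
        problems.append("spi=%s is below 0x100 (reserved range)" % spi)

    for side in ("left", "right"):
        for suffix in ("", "subnet", "nexthop"):
            if side + suffix not in params:
                problems.append("%s%s missing" % (side, suffix))
    return problems


def peer_keys_match(a, b):
    """Manual keys and the SPI are shared secrets: both gateways must hold the
    same espenckey, espauthkey and spi (the point of question 1 in the thread)."""
    return all(a.get(k) == b.get(k) for k in ("espenckey", "espauthkey", "spi"))


if __name__ == "__main__":
    conn = parse_conn(SAMPLE_CONF, "work")
    for problem in check_manual_conn(conn) or ["conn work: no problems found"]:
        print(problem)
```

Run it against your own ipsec.conf by reading the file into parse_conn; a non-empty list is the set of things to fix before the conn is started manually, and peer_keys_match is the check to run once the other gateway's values are copied in.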