From: Sam Sgro (sam_at_freeswan.org)
Date: Thu Nov 28 2002 - 08:46:52 CET
> > The easiest way for us to quickly debug this is to see the output of the
> > "ipsec barf" command from both machines. Ideally, put them up on the web and
> > post a link here.
>
> Hi,
> OK, I have the two files on falk...... It's a test suite, so the
> shared secret is very short, but it should work I think.
The first barf looks as if you tried to grab it as a non-root user; I think
we're missing some critical info as a result.
As well, I'm not seeing any log files, which is also curious. However,
"barflog2" seems to think everything is grand... anyhow... having seen your
barfs, your problem is a bit clearer now.
I do see a problem with the PSK in barflog1, since you're trying a
Roadwarrior-type of setup. 0.0.0.0 is deceptive; it will not consider *you* as
a potential IP when determining a match. To elaborate:
10.0.4.20 0.0.0.0 : PSK "mysecret"
...will not work if 10.0.4.20 is meant to represent your peer. %any, or
0.0.0.0, will only consider any IP address for your peer. It's a bit annoying,
I admit; we're considering altering this behavior. Here are a few options.
1) You can fix this on the Roadwarrior side by defining a PSK with no index
(see the man page for ipsec.secrets):
: PSK "mysecret"
This will match *any* host and peer combination for the Roadwarrior.
2) Really, PSKs aren't suited to Roadwarrior setups. To make a long story
short, the IPSec protocols mandate that you can only have one PSK for all your
roadwarriors.
If you're stuck with it... on the static side, define the PSK as follows:
10.0.4.20 : PSK "mysecret"
On the dynamic side, use an "id" to refer to yourself. Add this to the
connection:
right=@dynamic.falk
Change the ipsec.secrets PSK entry on the dynamic machine to this:
10.0.4.20 @dynamic.falk : PSK "mysecret"
3) You're better off using RSA sigkeys, given that you're trying to get
FreeS/WAN boxen to communicate. Read through the config document; it's really
quite easy, using leftid/rightid and getting the rsasigkeys via "ipsec
showhostkey --left" etc.
--
Sam Sgro
sam_at_freeswan.org
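As an added illustration (not part of the original mail, and not FreeS/WAN's own lookup code), the following Python models the ipsec.secrets index rule described above: an index-less entry matches any host/peer pair, and a wildcard index (%any or 0.0.0.0) matches any IP address for the peer but never for the local host. The roadwarrior's dynamic address 192.0.2.77 is a constructed stand-in; 10.0.4.20 and @dynamic.falk are the values from the mail.

```python
# Simplified model of ipsec.secrets PSK selection as described in the mail.
# This is an assumption-based illustration, not FreeS/WAN's implementation.
WILDCARDS = {"%any", "0.0.0.0"}

def parse_secrets(text):
    """Parse lines like '10.0.4.20 @dynamic.falk : PSK "mysecret"' into
    (indices, secret) tuples; an entry with no indices yields ()."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        left, _, right = line.partition(":")
        kind, _, value = right.strip().partition(" ")
        if kind != "PSK":
            continue                      # only PSK entries are modelled
        entries.append((tuple(left.split()), value.strip().strip('"')))
    return entries

def index_matches(index, identity, is_peer):
    """Exact match, or a wildcard matching an IP identity on the peer side."""
    if index == identity:
        return True
    is_ip_identity = not identity.startswith("@")
    return is_peer and index in WILDCARDS and is_ip_identity

def lookup_psk(entries, local_id, peer_id):
    """Return the first PSK whose indices cover both local and peer."""
    for indices, secret in entries:
        if not indices:                   # ': PSK "..."' matches everything
            return secret
        local_ok = any(index_matches(i, local_id, False) for i in indices)
        peer_ok = any(index_matches(i, peer_id, True) for i in indices)
        if local_ok and peer_ok:
            return secret
    return None

def roadwarrior_view(secrets_text, local_id="192.0.2.77", peer_id="10.0.4.20"):
    """Evaluate a secrets file from the dynamic (roadwarrior) side."""
    return lookup_psk(parse_secrets(secrets_text), local_id, peer_id)

if __name__ == "__main__":
    # The entry from barflog1: 0.0.0.0 does not cover the local host, so
    # the roadwarrior finds no PSK, while the static side (10.0.4.20) does.
    print(roadwarrior_view('10.0.4.20 0.0.0.0 : PSK "mysecret"'))      # None
    print(roadwarrior_view(': PSK "mysecret"'))                        # option 1
    print(roadwarrior_view('10.0.4.20 @dynamic.falk : PSK "mysecret"',
                           local_id="@dynamic.falk"))                  # option 2
```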
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Fri Nov 29 2002 - 05:21:11 CET