[linux] ipsec connection to one of those lucent firewall bricks

Folkert van Heusden folkert at vanheusden.com
Tue Mar 27 20:38:47 CEST 2007


Hi,

I would like to set up an ipsec tunnel to a lucent firewall brick.
It is not working.

Details:
- endpoint address is HOST
- there is a user identity (a username)
- there is a password
- and there is a group key
- udp encapsulation over port 501

ipsec-tools installed
the distribution is slackware, by the way, so everything has to be done by hand

When I try to connect, nothing happens. The ping I send to kick things
off times out, and in the racoon logging nothing happens apart from
just this:
setkey -f /etc/setkey.conf ; racoon -F -f /etc/racoon/racoon.conf
Foreground mode.
2007-03-27 20:28:01: INFO: @(#)ipsec-tools 0.5-rc1 (http://ipsec-tools.sourceforge.net)
2007-03-27 20:28:01: INFO: @(#)This product linked OpenSSL 0.9.8d 28 Sep 2006 (http://www.openssl.org/)
2007-03-27 20:28:01: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
2007-03-27 20:28:01: INFO: 213.84.46.114[500] used as isakmp port (fd=7)
2007-03-27 20:28:01: INFO: 192.168.64.1[500] used as isakmp port (fd=8)
2007-03-27 20:28:01: INFO: 192.168.67.1[500] used as isakmp port (fd=9)
2007-03-27 20:28:01: INFO: 192.168.59.1[500] used as isakmp port (fd=10)
2007-03-27 20:28:01: INFO: ::1[500] used as isakmp port (fd=11)
2007-03-27 20:28:01: INFO: fe80::210:4bff:feb0:c878%eth0[500] used as isakmp port (fd=12)
2007-03-27 20:28:01: INFO: fe80::211:d8ff:fe25:1e86%eth1[500] used as isakmp port (fd=13)
2007-03-27 20:28:01: INFO: fe80::210:a7ff:fe24:bee2%eth2[500] used as isakmp port (fd=14)
2007-03-27 20:28:01: INFO: fe80::f061:63ff:fe0a:6324%usb0[500] used as isakmp port (fd=15)

The setkey.conf is:
-----------------
#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;

# Create policies for racoon
spdadd 192.168.64.0/24 192.168.0.0/24 any -P out ipsec
           esp/tunnel/213.84.46.114-HOST/require;

spdadd 192.168.0.0/24 192.168.64.0/24 any -P in ipsec
           esp/tunnel/HOST-213.84.46.114/require;

In racoon.conf there is:
--------------------
path pre_shared_key "/etc/racoon/psk.txt";

remote HOST {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo address 192.168.64.0/24 any address 192.168.0.0/24 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}


And in "/etc/racoon/psk.txt" I have put:
----------------------------------------
HOST HIERDEGROUPKEY

That I have to put the group key there is a guess.
In any case I have no idea where I should fill in that username/password.

In the logging of the lucent ipsec client under windows I see this logging:
10/27/06  19:37:57  IKE/IKE Started Enable Secure Access to TEP: HOST (HOST) for user USER
19:37:58  IKE/IKE Source IP Address, Port for IKE : 192.168.182.14, 1324
19:37:58  IKE/IKE Contacted VPN gateway (HOST)
19:37:59  IKE/IKE User Authentication Successful.
19:37:59  IKE/IKE Tunnel Parameters received from gateway are:
	 Encryption : AES256 CBC  Authentication : SHA1   
	 Tunnel transport method:  UDP-Encapsulated on Port 501
	 Authentication Timeout: 240 Minutes
	 Heartbeat Interval: 300 Seconds
	 Internal IP for local presence :192.168.0.140 
	 Pri. DNS  :192.168.0.6  Sec. DNS  :192.168.0.2 
	 Pri. WINS :0.0.0.0  Sec. WINS :0.0.0.0 
	 HostList: 192.168.0.0-192.168.0.255,192.168.0.140, 
	 Tunnel administrator does not allow you to save password
	 Orig Pri. WINS :  Orig Sec. WINS : 
	 Firewall Policy: Allow Client Initiated Traffic
10/27/06  19:37:59  IKE/IKE IPSec SA SPIs:  Inbound: 0x f47,  Outbound: 0x a0141010
10/27/06  19:37:59  IKE/IKE Successfully established VPN Tunnel to TEP HOST for User USER 


I am not that much at home in the wondrous ipsec world. Rather (pointlessly?)
elaborate.


Folkert van Heusden

-- 
MultiTail is a flexible tool for monitoring logfiles and commands.
With filters, colours, merging, different views etc.
http://www.vanheusden.com/multitail/
----------------------------------------------------------------------
Phone: +31-6-41278122, PGP-key: 1F28D8AE, www.vanheusden.com
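Added example, not part of the post above: a small Python check that lines up what the working Lucent Windows client says the gateway negotiated (the "Tunnel Parameters received" lines) against what the quoted racoon.conf proposes for ESP and the ports racoon reported binding. The three inputs are excerpts constructed from the post; the algorithm name tables are this example's own mapping between the two tools' spellings.

```python
import re

# Constructed excerpts of the three artefacts quoted in the post.
RACOON_CONF = """
sainfo address 192.168.64.0/24 any address 192.168.0.0/24 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
}
"""
CLIENT_LOG = """19:37:59  IKE/IKE Tunnel Parameters received from gateway are:
\t Encryption : AES256 CBC  Authentication : SHA1
\t Tunnel transport method:  UDP-Encapsulated on Port 501
"""
RACOON_LOG = """2007-03-27 20:28:01: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
2007-03-27 20:28:01: INFO: 213.84.46.114[500] used as isakmp port (fd=7)
"""
# One vocabulary for the spellings racoon.conf and the Lucent client use (assumed mapping).
ENC = {"aes256 cbc": "aes256", "aes 256": "aes256", "aes128 cbc": "aes128",
       "aes 128": "aes128", "3des": "3des", "des": "des"}
AUTH = {"sha1": "sha1", "hmac_sha1": "sha1", "md5": "md5", "hmac_md5": "md5"}

def racoon_phase2(conf):
    # (encryption, authentication) from the sainfo block: what racoon proposes for ESP.
    body = re.search(r"sainfo[^{]*\{(.*?)\}", conf, re.S).group(1)
    enc = re.search(r"encryption_algorithm\s+([^;]+);", body).group(1).strip().lower()
    auth = re.search(r"authentication_algorithm\s+([^;]+);", body).group(1).strip().lower()
    return ENC[enc], AUTH[auth]

def gateway_params(log):
    # (encryption, authentication, udp port) the gateway handed to the Windows client.
    m = re.search(r"Encryption\s*:\s*(.+?)\s{2,}Authentication\s*:\s*(\S+)", log)
    port = re.search(r"UDP-Encapsulated on Port (\d+)", log)
    return ENC[m.group(1).strip().lower()], AUTH[m.group(2).lower()], int(port.group(1))

def racoon_listen_ports(log):
    # UDP ports racoon reported binding in its startup lines.
    return {int(p) for p in re.findall(r"\[(\d+)\] used as isakmp port", log)}

def mismatches(conf, client_log, racoon_log):
    # Every parameter on which the working client and the racoon setup disagree.
    enc, auth = racoon_phase2(conf)
    genc, gauth, gport = gateway_params(client_log)
    ports = racoon_listen_ports(racoon_log)
    found = []
    if enc != genc:
        found.append(f"encryption: racoon proposes {enc}, gateway negotiated {genc}")
    if auth != gauth:
        found.append(f"authentication: racoon proposes {auth}, gateway negotiated {gauth}")
    if gport not in ports:
        found.append(f"udp port: gateway encapsulates on {gport}, racoon bound only {sorted(ports)}")
    return found
```

Run `mismatches(RACOON_CONF, CLIENT_LOG, RACOON_LOG)` to get the three disagreements (cipher, integrity algorithm and UDP port); a silent racoon with no negotiation logged at all is consistent with the two sides not even agreeing on where to talk.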


