[BSD] racoon

Papp Tamas tompos at martos.bme.hu
2003. Sze. 16., K, 17:10:17 CEST 

Na, csak elfelejtettem csatolni.

tompos

On Tue, Sep 16, 2003 at 05:08:57PM +0200, Papp Tamas wrote:
> helo!
> 
> Bar ez nem bsd, linux, remelem nem baj, hogy itt teszem fel a kerdest.
> A linuxos korokben valoszinu nem kapnek valaszt a kerdesemre, hisyen
> ott meg csak most fog megjelenni a kernelben, viszont FBSD-ben mar
> regebb ota benne van.
> Allitsatok le, ha megis baj:)
> 
> Szoval ez all a logokban:
> 
> Sep 16 16:40:53 proxy racoon: DEBUG: localconf.c:253:getpathname():
> filename: /etc/racoon/certs/ca.k
> ey
> Sep 16 16:40:53 proxy racoon: ERROR: oakley.c:1535:oakley_getsign():
> failed to get private key.
> Sep 16 16:40:53 proxy racoon: ERROR: isakmp.c:625:ph1_main(): failed
> to process packet.
> Sep 16 16:40:53 proxy racoon: ERROR: isakmp.c:439:isakmp_main():
> phase1 negotiation failed.
> Sep 16 16:40:54 proxy racoon: DEBUG: isakmp.c:220:isakmp_handler():
> ===
> 
> A ket gepet a http://www.wiretapped.net/~fyre/ipsec/ oldalon talalhato
> leiras alapjan allitottam be, nem tunt bonyolultnak, szoval valoszinu
> nem kattintottam el semmit, vagy ilyesmi.
> 
> A racoon.conf-ot persze meg tudom mutatni, csatolom.
> 
> Illetve itt van az ipsec.conf, amit setkey -f -fel toltok be.
> A .254-es ip-ju gep a linux a masik a windows.
> 
> spdadd 192.168.2.254/32 192.168.2.168/32 any -P out ipsec
>  esp/transport/192.168.2.254-192.168.2.168/require;
> spdadd 192.1.1.168/32 192.2.168.254/32 any -P in ipsec
>  esp/transport/192.168.2.168-192.168.2.254/require;
> 
> Egyebkent egy belso, natolt halozat egyik gepe es a natolo gw kozott
> probalom felebreszteni a kapcsolatot. Ha vki esetleg igenyli, tudok
> kuldeni teljesebb logreszletet kuldeni maganban.
> 
> Nagyon kellene vmi jo otlet.
> 
> koszi,
> 
> Ja, google-n semmi erdekeset nem talaltam:/
> 
> tompos
> _______________________________________________
> BSD levlista
> BSD at hu.freebsd.org
> http://www.hu.freebsd.org/hu/mailman/listinfo/bsd
> 
--------- következő rész ---------
# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/etc/racoon" ;
#include "remote.conf" ;

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/etc/racoon/certs" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
	#isakmp ::1 [7000];
	#isakmp 202.249.11.124 [500];
	#admin [7002];		# administrative's port by kmpstat.
	#strict_address; 	# required all addresses must be bound.
}

# Specification of default various timer.
timer
{
	# These value can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per a send.

	# timer for waiting to complete each phase.
	phase1 90 sec;
	phase2 60 sec;
}

remote anonymous
{
	exchange_mode main,aggressive;
	#exchange_mode aggressive,main;
	doi ipsec_doi;
	situation identity_only;

	#my_identifier address;
	my_identifier user_fqdn "tompos at proxy.ceg.hu";
	peers_identifier user_fqdn "tompos at proxy.ceg.hu";
	certificate_type x509 "ca.crt" "ca.key";
	peers_certfile "teszt.crt";

	nonce_size 16;
	lifetime time 1 min;	# sec,min,hour
	initial_contact on;
	support_mip6 on;
	proposal_check obey;	# obey, strict or claim

	proposal {
		encryption_algorithm 3des;
#		hash_algorithm sha1;
		hash_algorithm md5;
#		authentication_method pre_shared_key ;
		authentication_method rsasig ;
		dh_group 2 ;
	}
}

#remote ::1 [8000]
#{
#	#exchange_mode main,aggressive;
#	exchange_mode aggressive,main;
#	doi ipsec_doi;
#	situation identity_only;
#
#	my_identifier user_fqdn "sakane at kame.net";
#	peers_identifier user_fqdn "sakane at kame.net";
#	#certificate_type x509 "mycert" "mypriv";
#
#	nonce_size 16;
#	lifetime time 1 min;	# sec,min,hour
#
#	proposal {
#		encryption_algorithm 3des;
#		hash_algorithm sha1;
#		authentication_method pre_shared_key ;
#		dh_group 2 ;
#	}
#}

sainfo anonymous
{
	pfs_group 1;
	lifetime time 30 sec;
	encryption_algorithm 3des ;
#	authentication_algorithm hmac_sha1;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate ;
}

#sainfo address 203.178.141.209 any address 203.178.141.218 any
#{
#	pfs_group 1;
#	lifetime time 30 sec;
#	encryption_algorithm des ;
#	authentication_algorithm hmac_md5;
#	compression_algorithm deflate ;
#}

#sainfo address ::1 icmp6 address ::1 icmp6
#{
#	pfs_group 1;
#	lifetime time 60 sec;
#	encryption_algorithm 3des, cast128, blowfish 448, des ;
#	authentication_algorithm hmac_sha1, hmac_md5 ;
#	compression_algorithm deflate ;
#}

További információk a(z) BSD levelezőlistáról