Frank Wille
2016-03-09 17:39:56 UTC
Hi!
First of all thanks to christos@ for his latest NAT-T SA patches! I'm sure
my company will grant a donation to the NetBSD project, when everything is
finally up and running.
Now I was able to write a small patch for Racoon, which requests "IKE mode
config" in "rsasig" (certificates on both sides only) authentication mode,
providing "mode_cfg" was configured to "on".
Today I successfully tested it with a Lancom router, using the following
configuration:
---8<---
path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

remote "wpsd"
{
        remote_address 1.2.3.4;
        exchange_mode main,base;
        my_identifier asn1dn;
        certificate_type x509 "vpnclient15.crt" "vpnclient15.key";
        ca_type x509 "ca.crt";
        mode_cfg on;
        dpd_delay 20;
        nat_traversal on;
        lifetime time 8 hour;
        script "phase1-up.sh" phase1_up;
        script "phase1-down.sh" phase1_down;
        proposal {
                encryption_algorithm aes;
                hash_algorithm md5;
                authentication_method rsasig;
                dh_group 2;
        }
        proposal_check obey;
}

sainfo anonymous
{
        pfs_group 2;
        lifetime time 8 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
---8<---
How do we handle modifications in ipsec-tools? Just commit them locally into
the repository? Or do we also send patches to the ipsec-tools sourceforge
project?
Somebody familiar with the racoon source (maybe manu@?) should check my
patches first, to make sure they are really ok.
The last four lines were not required for the Lancom, but for testing with
an "rsasig" NetBSD/racoon gateway, which didn't identify itself with an
XAUTH vendor-id in this mode (while the Lancom does).
Sorry for all the logs and questions over the last days. I learned a lot
about IPsec during this time. :)
--
Frank Wille
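Added example, not Frank's patch and not part of ipsec-tools or racoon: a small Python parser for the racoon.conf block syntax used above, with an audit pass that flags the legacy settings the posted configuration still carries (md5 as the phase 1 hash, hmac_md5 as the phase 2 integrity algorithm, DH group 2, and proposal_check obey). The embedded sample is an abridged copy of the posted configuration; the finding codes, the "weak" sets and the choice to treat MODP groups below 2048 bits as weak are this example's own conventions, not anything racoon defines.

```python
"""Parse a racoon.conf-style configuration and flag legacy settings (added example)."""
import re

# Constructed sample: an abridged copy of the configuration from the post.
SAMPLE_CONF = '''
remote "wpsd"
{
    remote_address 1.2.3.4;
    exchange_mode main,base;
    my_identifier asn1dn;
    certificate_type x509 "vpnclient15.crt" "vpnclient15.key";
    ca_type x509 "ca.crt";
    mode_cfg on;
    nat_traversal on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2;
    }
    proposal_check obey;
}
sainfo anonymous
{
    pfs_group 2;
    encryption_algorithm aes;
    authentication_algorithm hmac_md5;
}
'''

# A token is a quoted string, one of the structural characters, or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def parse(text):
    """Return a list of (name, args, body) items. body is None for a plain
    'name arg ...;' statement and a nested item list for a '{ ... }' block."""
    tokens = []
    for line in text.splitlines():               # drop '#' comments before tokenizing
        tokens.extend(TOKEN_RE.findall(line.split("#", 1)[0]))

    def block(pos, nested):
        items, current = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            if tok == ";":                       # end of a plain statement
                if current:
                    items.append((current[0], current[1:], None))
                current, pos = [], pos + 1
            elif tok == "{":                     # words before '{' name the block
                body, pos = block(pos + 1, True)
                items.append((current[0], current[1:], body))
                current = []
            elif tok == "}":
                if not nested:
                    raise ValueError("unexpected '}'")
                return items, pos + 1
            else:
                current.append(tok.strip('"'))
                pos += 1
        if nested:
            raise ValueError("unterminated block")
        return items, pos

    return block(0, False)[0]


def statements(body):
    """Map statement name -> argument list for the plain statements of a block."""
    return {name: args for name, args, sub in body if sub is None}


def find(items, name):
    return [item for item in items if item[0] == name]


# Example's own classification (not racoon's): legacy hashes and MODP groups < 2048 bits.
WEAK_HASHES = {"md5", "sha1"}
WEAK_INTEGRITY = {"hmac_md5", "hmac_sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def audit(conf):
    """Return (code, location, message) findings for legacy or permissive settings."""
    findings = []
    for _, args, body in find(conf, "remote"):
        where = "remote " + (args[0] if args else "anonymous")
        kv = statements(body)
        if (kv.get("proposal_check") or [""])[0] == "obey":
            findings.append(("obey", where, "proposal_check obey: responder accepts the initiator's proposal unchanged"))
        for _, _, pbody in find(body, "proposal"):
            pkv = statements(pbody)
            if (pkv.get("hash_algorithm") or [""])[0] in WEAK_HASHES:
                findings.append(("weak-hash", where, "phase 1 hash_algorithm " + pkv["hash_algorithm"][0]))
            if (pkv.get("dh_group") or [""])[0] in WEAK_DH_GROUPS:
                findings.append(("weak-dh", where, "phase 1 dh_group " + pkv["dh_group"][0]))
    for _, args, body in find(conf, "sainfo"):
        where = "sainfo " + " ".join(args)
        kv = statements(body)
        if (kv.get("authentication_algorithm") or [""])[0] in WEAK_INTEGRITY:
            findings.append(("weak-integrity", where, "phase 2 authentication_algorithm " + kv["authentication_algorithm"][0]))
    return findings


if __name__ == "__main__":
    for code, where, msg in audit(parse(SAMPLE_CONF)):
        print(f"{code:15} {where:18} {msg}")
```

Run against the sample it reports four findings (obey, weak-hash, weak-dh, weak-integrity); replacing md5 with sha256, dh_group 2 with 14 and obey with strict makes the audit come back empty. The parser keeps quoted strings whole, so the two-file certificate_type statement parses to the expected three arguments.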