Thread: [Ipsec-tools-devel] group password in ipsec-tools
From: Frank R. <fre...@ce...> - 2011-12-13 22:26:54
Hello,

Hopefully, the following is an appropriate topic for this forum. If not, don't hesitate to let me know.

I'm writing in search of a way to specify a single ISAKMP pre-shared key to cover a set of VPN endpoints. I'm running in an environment where I want to share one key between a set of endpoints without manually defining a separate line in psk.txt for each endpoint. (Specifically, I'm using opennhrp, a software package that builds on-demand IPSec tunnels between endpoints whose IP addresses are unknown a priori.)

At present, the only configuration solution I've found is to manually identify all of the endpoints in psk.txt:

    10.10.1.1 this-is-my-key
    10.20.1.1 this-is-my-key
    ...
    10.30.1.1 this-is-my-key

On Cisco routers, there is a capability to use a single ISAKMP key to cover an entire subnet. Examples include:

    crypto isakmp key this-is-my-key address 10.0.0.0 255.0.0.0   (covers all of 10.0.0.0/8)

OR

    crypto isakmp key this-is-my-key address 0.0.0.0 0.0.0.0       (allows any IP to connect with this ISAKMP key)

A similar option does not appear to be available in ipsec-tools. Am I mistaken?

I am using ipsec-tools version 0.8.0:

    [root]# racoon -V
    @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
    Compiled with:
    - OpenSSL 1.0.0d-fips 8 Feb 2011 (http://www.openssl.org/)
    - IPv6 support
    - Dead Peer Detection
    - IKE fragmentation
    - Hybrid authentication
    - NAT Traversal
    - Admin port
    - Monotonic clock
    - Security context

Thanks,
Frank Renwick
From: Jaco K. <ja...@ul...> - 2011-12-14 07:42:05
Attachments:
ipsec-tools-def-psk.patch
Hi,

Doubt this will ever get merged mainline, but I use the attached patch to set a "default" PSK if it can't be normally located. Tested and in use at at least four different sites. Diff is against ipsec-tools-0.8.0.

Not as granular as the 10.0.0.0/8 style thing, but the code would be MUCH harder to write, and seeing that I use this with L2TP/IPSec, where I really do need the same PSK for the entire internet, it's sufficient for my requirements.

Kind Regards,
Jaco
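As an added illustration (not code from the thread, the attached patch, or ipsec-tools itself), the Python below models racoon's psk.txt lookup extended with the two behaviours discussed here: the subnet entries Frank asks for and the "default" PSK fallback Jaco's patch adds, together with the audit check a reviewer would want before accepting either. The CIDR and "*" identifiers, the most-specific-match rule and the audit function are assumptions of this model, not racoon 0.8.0 behaviour, which matches identifiers exactly.

```python
import ipaddress

# Constructed psk.txt in racoon's "identifier<whitespace>key" layout ('#' lines are
# comments, a 0x-prefixed key is hex). The CIDR and '*' lines are hypothetical
# extensions modelling the thread's request; stock racoon 0.8.0 matches exactly.
SAMPLE_PSK_TXT = """\
# identifier     key
10.10.1.1        this-is-my-key
10.20.1.1        0x7468697320697320616c736f2d612d6b6579
10.0.0.0/8       subnet-wide-key
*                default-key
"""

def parse_psk(text):
    """Return (identifier, key_bytes) pairs in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ident, key = line.split(None, 1)
        entries.append((ident, bytes.fromhex(key[2:]) if key.startswith("0x") else key.encode()))
    return entries

def _network(ident):
    try:
        return ipaddress.ip_network(ident, strict=False)
    except ValueError:
        return None  # '*' and FQDN / USER_FQDN identifiers are not IP networks

def lookup_psk(entries, peer_ip):
    """Most specific entry wins: exact host, narrowest CIDR, then '*'; None = no key."""
    peer = ipaddress.ip_address(peer_ip)
    best = None  # (prefix length, key); '*' ranks below any real prefix
    for ident, key in entries:
        net = _network(ident)
        if ident != "*" and (net is None or peer not in net):
            continue
        rank = -1 if ident == "*" else net.prefixlen
        if best is None or rank > best[0]:
            best = (rank, key)
    return None if best is None else best[1]

def audit_broad_entries(entries):
    """(identifier, hosts covered) for entries authenticating more than one peer;
    None marks the unbounded '*'. Any such peer can impersonate the others."""
    broad = []
    for ident, _ in entries:
        net = _network(ident)
        if ident == "*" or (net is not None and net.num_addresses > 1):
            broad.append((ident, None if ident == "*" else net.num_addresses))
    return broad
```

Without the "*" line the lookup for an unlisted peer returns None, which is the stock racoon outcome (authentication fails); with it, every address on the internet shares one key, which is exactly what the audit flags.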
From: Frank R. <fre...@ce...> - 2011-12-14 16:00:09
Thanks for the input. I'll give it a try and let you know how it goes.

frank
From: VANHULLEBUS Y. <va...@fr...> - 2011-12-14 09:25:16
On Wed, Dec 14, 2011 at 09:41:45AM +0200, Jaco Kroon wrote:
> Hi,

Hi.

> Doubt this will ever get merged mainline but I use the attached patch to
> set a "default" PSK if it can't be normally located.

"default PSK", "group password", etc... is just a bad idea when you are at least a bit concerned about security.... So no, it will probably never be merged mainstream; we already have enough old and ugly things to help lower the security level of a configuration.......

Yvan.
From: Jaco K. <ja...@ul...> - 2011-12-14 10:33:49
Hi,

Completely agree re the sentiment; unfortunately I have to support the Windows L2TP/IPSec setup, and that patch was the only way I had to make that happen. Fortunately in my case that is the ONLY TIME I will ever use that option, and beyond the IPSec layer there is (fortunately) still a secondary layer of authentication in l2tp (ppp) itself, using non-plaintext methods too. IIRC even from the Windows side it additionally makes use of MPPE encryption (required), so whilst I can warn/recommend to my clients, I can't dictate.

Kind Regards,
Jaco
From: Frank R. <fre...@ce...> - 2011-12-14 16:07:07
I understand your position. In my opinion it's always preferred to offer a wide range of configuration flexibility and allow the administrator to select appropriate parameters for his/her use case. However, from a standpoint of strict security, there is no arguing with your comments. Unfortunately this limits my ability to interoperate with some Cisco DMVPN deployments I am working with, but I can attempt to force the issue of migration to RSA signatures vs. pre-shared keys.

Thanks,
frank