[Ipsec-tools-devel] Hybrid auth client support

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi

I started working on Hybrid auth client side. I have been able to
connect to racoon, using ESP transport mode. 

The code is there:   
http://ftp.espci.fr/shadow/manu/hybridclient.patch

It's not good for committing yet (at least the documentation is
missing), but it's good for being reviewed.

A new my_identifier type is introduced: login. The login/password pair
is stored in the psk file.

Here is the config file. 192.0.2.1 is the VPN concentrator, 192.0.2.2 is
the road warrior client.

path certificate "/etc/openssl/certs";
path pre_shared_key "/etc/racoon/psk.txt";

listen {
        isakmp 192.0.2.2;
        isakmp_natt 192.0.2.2[4500];
}

remote 192.0.2.1 {
        exchange_mode aggressive;
        certificate_type x509 "/dev/null" "/dev/null";
        proposal_check obey;
        generate_policy on;
        nat_traversal on;
        my_identifier login "alupin";
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method hybrid_rsa_client;
                dh_group 2;
        }
}

sainfo address 192.0.2.1 any address 192.0.2.2 any {
        pfs_group 2;
        lifetime time 12 hour ;
        encryption_algorithm 3des, cast128, blowfish 448;
        authentication_algorithm hmac_sha1 ;
        compression_algorithm deflate ;
}

sainfo address 192.0.2.2 any address 192.0.2.1 any {
        pfs_group 2;
        lifetime time 12 hour ;
        encryption_algorithm 3des, cast128, blowfish 448;
        authentication_algorithm hmac_sha1 ;
        compression_algorithm deflate ;
}

SPD was loaded with this:
spdadd 192.0.2.1 192.0.2.2 any -P in ipsec esp/transport//require
spdadd 192.0.2.2 192.0.2.1 any -P out ipsec esp/transport//require;

Now the problems:

1) is the fake certificate_type x509 line something we can stand? I need
it because I need the certificate type the server will send. As the
client does not use a certificate, I have to use /dev/null for the
files. Maybe we can have an alternate syntax without the file names?   

2) I don't get the network configuration information from the VPN
concentrator yet. It should give me an internal IP. How can I setup the
tunnel with this IP once I'll get it?

3) I think about road warrior use: in an ideal world, we would have a
config with SA to create automatically on startup, and we would get the
VPN when launching racoon without havint to touch setkey. Do you think
that it is something possible? Reasonnable?

Tommorrow, I'll test that with the IKE frag receiver patch I've
submitted the other day.

-- 
Emmanuel Dreyfus
Il y a 10 sortes de personnes dans le monde: ceux qui comprennent 
le binaire et ceux qui ne le comprennent pas.
ma...@ne...