From: <ma...@ne...> - 2004-10-22 01:25:22
Hi, I started working on Hybrid auth client side. I have been able to connect to racoon, using ESP transport mode. The code is there:

http://ftp.espci.fr/shadow/manu/hybridclient.patch

It's not good for committing yet (at least the documentation is missing), but it's good for being reviewed.

A new my_identifier type is introduced: login. The login/password pair is stored in the psk file.

Here is the config file. 192.0.2.1 is the VPN concentrator, 192.0.2.2 is the road warrior client.

    path certificate "/etc/openssl/certs";
    path pre_shared_key "/etc/racoon/psk.txt";

    listen {
            isakmp 192.0.2.2;
            isakmp_natt 192.0.2.2[4500];
    }

    remote 192.0.2.1 {
            exchange_mode aggressive;
            certificate_type x509 "/dev/null" "/dev/null";
            proposal_check obey;
            generate_policy on;
            nat_traversal on;
            my_identifier login "alupin";
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method hybrid_rsa_client;
                    dh_group 2;
            }
    }

    sainfo address 192.0.2.1 any address 192.0.2.2 any {
            pfs_group 2;
            lifetime time 12 hour;
            encryption_algorithm 3des, cast128, blowfish 448;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

    sainfo address 192.0.2.2 any address 192.0.2.1 any {
            pfs_group 2;
            lifetime time 12 hour;
            encryption_algorithm 3des, cast128, blowfish 448;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
    }

SPD was loaded with this:

    spdadd 192.0.2.1 192.0.2.2 any -P in ipsec esp/transport//require;
    spdadd 192.0.2.2 192.0.2.1 any -P out ipsec esp/transport//require;

Now the problems:

1) Is the fake certificate_type x509 line something we can stand? I need it because I need the certificate type the server will send. As the client does not use a certificate, I have to use /dev/null for the files. Maybe we can have an alternate syntax without the file names?

2) I don't get the network configuration information from the VPN concentrator yet. It should give me an internal IP. How can I set up the tunnel with this IP once I get it?

3) I think about road warrior use: in an ideal world, we would have a config with SAs to create automatically on startup, and we would get the VPN when launching racoon without having to touch setkey. Do you think that it is something possible? Reasonable?

Tomorrow, I'll test that with the IKE frag receiver patch I've submitted the other day.

--
Emmanuel Dreyfus
There are 10 kinds of people in the world: those who understand binary and those who don't.
ma...@ne...
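As an added example (not part of the mail above and not ipsec-tools code), the following Python parser reads the racoon.conf fragment posted in the mail into a small tree of statements and blocks, so the settings a reviewer would want to look at (the /dev/null certificate placeholders, the new login identifier, aggressive mode with hybrid auth, the psk file path) can be queried and flagged programmatically. The grammar it implements is only what the posted config shows (quoted strings, `{ }` blocks, `;`-terminated statements, comma-separated value lists); the psk file permission check is an assumption added here, on the grounds that a file holding login/password pairs should be readable by its owner only. The embedded RACOON_CONF is the posted configuration trimmed to one sainfo block.

```python
import re
from typing import List, Optional, Tuple

# Posted configuration from the mail, trimmed to one sainfo block (sample input).
RACOON_CONF = '''
path certificate "/etc/openssl/certs";
path pre_shared_key "/etc/racoon/psk.txt";
listen { isakmp 192.0.2.2; isakmp_natt 192.0.2.2[4500]; }
remote 192.0.2.1 {
    exchange_mode aggressive;
    certificate_type x509 "/dev/null" "/dev/null";
    proposal_check obey; generate_policy on; nat_traversal on;
    my_identifier login "alupin";
    proposal { encryption_algorithm 3des; hash_algorithm sha1;
               authentication_method hybrid_rsa_client; dh_group 2; }
}
sainfo address 192.0.2.1 any address 192.0.2.2 any {
    pfs_group 2; lifetime time 12 hour;
    encryption_algorithm 3des, cast128, blowfish 448;
    authentication_algorithm hmac_sha1; compression_algorithm deflate;
}
'''

# Tokens: quoted strings, the punctuation { } ; , and bare words; '#' starts a comment.
_TOKEN_RE = re.compile(r'"[^"]*"|[{};,]|[^\s{};,"]+')

# A section is a list of entries:
#   ("stmt", [tokens])                 e.g. ("stmt", ["exchange_mode", "aggressive"])
#   ("block", [header tokens], body)   e.g. ("block", ["remote", "192.0.2.1"], [...])
Entry = Tuple


def tokenize(text: str) -> List[str]:
    tokens: List[str] = []
    for line in text.splitlines():
        tokens.extend(_TOKEN_RE.findall(line.split("#", 1)[0]))
    return tokens


def _parse_entries(tokens: List[str], i: int) -> Tuple[List[Entry], int]:
    entries: List[Entry] = []
    current: List[str] = []
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":                      # end of the enclosing block
            return entries, i + 1
        if tok == ";":                      # statement terminator
            entries.append(("stmt", current))
            current = []
        elif tok == "{":                    # header collected so far opens a block
            body, i = _parse_entries(tokens, i + 1)
            entries.append(("block", current, body))
            current = []
            continue
        elif tok != ",":                    # commas only separate list values
            current.append(tok.strip('"'))
        i += 1
    if current:
        raise ValueError("unterminated statement: %r" % " ".join(current))
    return entries, i


def parse_racoon_conf(text: str) -> List[Entry]:
    return _parse_entries(tokenize(text), 0)[0]


def find_stmt(entries: List[Entry], *head: str) -> Optional[List[str]]:
    """Values following HEAD in the first matching statement, else None."""
    for e in entries:
        if e[0] == "stmt" and tuple(e[1][:len(head)]) == head:
            return e[1][len(head):]
    return None


def find_block(entries: List[Entry], *head: str) -> Optional[List[Entry]]:
    """Body of the first block whose header starts with HEAD, else None."""
    for e in entries:
        if e[0] == "block" and tuple(e[1][:len(head)]) == head:
            return e[2]
    return None


def audit(conf_text: str, psk_mode: Optional[int] = None) -> List[str]:
    """Flag the settings in this config that a reviewer would want called out."""
    entries = parse_racoon_conf(conf_text)
    findings: List[str] = []
    for e in entries:
        if e[0] != "block" or e[1][0] != "remote":
            continue
        peer, body = e[1][1], e[2]
        cert = find_stmt(body, "certificate_type")
        if cert and "/dev/null" in cert[1:]:
            findings.append(f"{peer}: certificate_type {cert[0]} uses /dev/null placeholder files")
        ident = find_stmt(body, "my_identifier")
        if ident and ident[0] == "login":
            findings.append(f"{peer}: login identifier {ident[1]!r}: the password lives in the psk file")
        if find_stmt(body, "exchange_mode") == ["aggressive"]:
            findings.append(f"{peer}: aggressive mode sends the identity unencrypted in the first message")
    # Assumption: the psk file (login/password pairs) should be owner-only readable.
    if psk_mode is not None and psk_mode & 0o077:
        path = find_stmt(entries, "path", "pre_shared_key")
        findings.append(f"{path[0] if path else 'psk file'}: mode {psk_mode:04o} is readable by others; use 0600")
    return findings


if __name__ == "__main__":
    for line in audit(RACOON_CONF, psk_mode=0o644):
        print(line)
```

Pass the real file's `os.stat(path).st_mode & 0o777` as `psk_mode` to check a live installation; with the posted configuration and a 0644 psk file the audit returns four findings, three of them from the remote block itself.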