
#9 how to force all clients to use ipsec ??

racoon
Status: closed
Owner: nobody
Priority: 5
Updated: 2005-01-13
Created: 2005-01-11
Creator: kappen
Private: No

I am trying to get racoon to force all the connections
to a server to use certificates! Can this be done ...

I have tried several things and it does not work....

1 Can I do it in the racoon.conf ??

path include "/etc/racoon";
# path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

# Phase 1 (IKE) settings applied to any peer: authenticate with X.509 certificates
remote anonymous
{
    exchange_mode aggressive,main,base;
    generate_policy on;          # install SPD entries for peers that negotiate with us
    my_identifier asn1dn;
    peers_identifier asn1dn;
    # verify_identifier on;
    certificate_type x509 "xxx.public" "xxx.private";
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;   # RSA signatures (certificates), not a pre-shared key
        dh_group 2;
    }
}

# Phase 2 (IPsec SA) settings applied to any peer
sainfo anonymous
{
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm 3des, blowfish 448, rijndael;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}

2 Or in a ifcfg-ipsec0 ??

SRC=0.0.0.0
DST=0.0.0.0
TYPE=IPSEC
ONBOOT=YES
IKE_METHOD=X509
IKE_CERTFILE=xxx

I keep getting these lines in the setkey -D -P output

0.0.0.0/0[any] 0.0.0.0/0[any] any
	in none
	created: Jan 11 13:19:33 2005  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=67 seq=3 pid=32012
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in none
	created: Jan 11 13:19:33 2005  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=51 seq=2 pid=32012
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out none
	created: Jan 11 13:19:33 2005  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=76 seq=1 pid=32012
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out none
	created: Jan 11 13:19:33 2005  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=60 seq=0 pid=32012
	refcnt=1

And everyone can access whatever without ipsec active!

Thanks
Kappen

Discussion

  • kappen
    2005-01-13


    I figured out how to do it ......

     
  • kappen
    2005-01-13

    • status: open --> closed
     
  • Mike Robinson
    2005-05-12


    When you say, "everyone can access whatever without ipsec
    active ..." is there another pathway into this machine
    that is open to them? One that does not go through ipsec?
    Do you see any racoon-generated log entries showing that
    they ever came through? I mean, if there's a wide-open
    window beside a sturdily locked door... :) And believe
    me, that's very easy to do.

     
  • Mike Robinson
    2005-06-10


    I think that I learned more about this...

    The answer seems to be with "setkey," in the "spdadd"
    specification and the keyword, "require." This keyword
    says that all traffic which matches the rule MUST have ah
    or esp (as appropriate) information as part of the packet.
    If you fail to do this, amazingly enough, unencrypted
    traffic can pass through the link.
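
An added check, written for this thread and not part of ipsec-tools or any poster's code, that follows Mike Robinson's point: it parses the layout `setkey -D -P` prints (the same one kappen posted) and flags every SPD entry that still lets traffic pass unprotected, i.e. `none` policies and `ipsec` policies whose level is not `require` or `unique`. The dump it reads is constructed, and the selector addresses in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: audit the SPD dump printed by
# `setkey -D -P` and flag every policy that still lets traffic pass in the
# clear: "none" policies (what kappen's dump shows) and "ipsec" policies whose
# level is not "require"/"unique" (Mike Robinson's point). SAMPLE_SPD is a
# constructed dump in the posted layout (real output indents with tabs; the
# parser accepts tabs or spaces). Addresses are placeholders.
SAMPLE_SPD='0.0.0.0/0[any] 0.0.0.0/0[any] any
    in none
    created: Jan 11 13:19:33 2005  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=67 seq=3 pid=32012
    refcnt=1
192.168.1.10[any] 192.168.1.0/24[any] any
    out ipsec
    esp/transport//use
    created: Jan 11 13:19:33 2005  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=76 seq=1 pid=32012
    refcnt=1
192.168.1.10[any] 192.168.1.0/24[any] any
    in ipsec
    esp/transport//require
    created: Jan 11 13:19:33 2005  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=51 seq=2 pid=32012
    refcnt=1'

# audit_spd: reads the dump on stdin, prints "spid=N dir reason" for each
# weak policy and returns 1 if any was found, 0 otherwise.
audit_spd() {
    awk '
        /^[^ \t]/ { dir = ""; pol = ""; level = ""; next }       # selector line
        $1 == "in" || $1 == "out" { dir = $1; pol = $2; next }    # "in none", "out ipsec"
        $1 ~ /^(esp|ah|ipcomp)\// { n = split($1, a, "/"); level = a[n]; next }
        /^[ \t]*spid=/ {
            sub(/^[ \t]*/, ""); split($1, s, "=")
            if (pol == "none")
                { print "spid=" s[2], dir, "no IPsec required (policy none)"; bad++ }
            else if (pol == "ipsec" && level != "require" && level != "unique")
                { print "spid=" s[2], dir, "cleartext still accepted (level " level ")"; bad++ }
        }
        END { if (bad > 0) exit 1 }'
}

# count_weak_policies: number of weak policies, for scripts and tests.
count_weak_policies() { audit_spd | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_SPD" | audit_spd ||
    echo "=> rewrite the flagged entries with spdadd ... -P <dir> ipsec esp/transport//require"
```

Run it as `setkey -D -P | audit_spd` on the host; an empty report and a zero exit mean every selector the kernel knows about insists on ESP or AH.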