[Ipsec-tools-devel] Per Port IPSEC + Racoon + Linux
Brought to you by:
mit_warlord,
netbsd
Menu
▾
▴
[Ipsec-tools-devel] Per Port IPSEC + Racoon + Linux
|
From: Buddy V. <kur...@gm...> - 2005-10-21 21:59:44
|
I can currently set SA/SP combinations using pre-shared keys to protect
traffic bound to a single port. For example, I can use IPsec to only encryp=
t
http traffic directed to and recieved from port 80 between two machines. I
would like to be able to do this with racoon to establish the SA's while
using the same security polices. Unfortunately, I cannot seem to get this t=
o
work. In the following example, machine 1 in the server and machine 2 is th=
e
client.
Here are the SP configurations...
****MACHINE 1****
spdadd 192.168.10.1 <http://192.168.10.1> 192.168.10.2
<http://192.168.10.2>[80] any -P in ipsec
esp/transport//unique
ah/transport//unique;
spdadd 192.168.10.2 <http://192.168.10.2> [80]
192.168.10.1<http://192.168.10.1>any -P out ipsec
esp/transport//unique
ah/transport//unique;
****MACHINE 2****
spdadd 192.168.10.1 <http://192.168.10.1> 192.168.10.2
<http://192.168.10.2>[80] any -P out ipsec
esp/transport//unique
ah/transport//unique;
spdadd 192.168.10.2 <http://192.168.10.2> [80]
192.168.10.1<http://192.168.10.1>any -P in ipsec
esp/transport//unique
ah/transport//unique;
---------------------------------------------------------------
Here are the racoon configurations...
****MACHINE 1****
path certificate "/etc/racoon/certs";
remote 192.168.10.1 <http://192.168.10.1> {
exchange_mode main;
certificate_type x509 "A1232_cert.pem" "A1232_key.cleartext.pem";
verify_cert on;
my_identifier asn1dn;
peers_identifier asn1dn;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method rsasig;
dh_group modp1024;
}
}
sainfo address 192.168.10.2 <http://192.168.10.2> [80] any address
192.168.10.1 <http://192.168.10.1> any {
pfs_group modp768;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
****Machine 2****
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path certificate "/etc/racoon/certs";
remote 192.168.10.2 <http://192.168.10.2> {
exchange_mode main;
certificate_type x509 "A1234_cert.pem" "A1234_key.cleartext.pem";
verify_cert on;
my_identifier asn1dn;
peers_identifier asn1dn;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method rsasig;
dh_group modp1024;
}
}
sainfo address 192.168.10.1 <http://192.168.10.1> any address
192.168.10.2<http://192.168.10.2>[80] any {
pfs_group modp768;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
In this configuration, it seems that the server cannot match the policy the
sainfo directive from the racoon.conf file. I get a "ERROR: failed to get
sainfo" during the phase 2 negotiation. Any help would be appreciated.
~Buddy
|