[Ipsec-tools-devel] Per Port IPSEC + Racoon + Linux
From: Buddy V. <kur...@gm...> - 2005-10-21 21:59:44
I can currently set SA/SP combinations using pre-shared keys to protect traffic bound to a single port. For example, I can use IPsec to only encrypt http traffic directed to and received from port 80 between two machines. I would like to be able to do this with racoon to establish the SAs while using the same security policies. Unfortunately, I cannot seem to get this to work. In the following example, machine 1 is the server and machine 2 is the client.

Here are the SP configurations...

****MACHINE 1****

# setkey SPD: protect only traffic to/from port 80 on 192.168.10.2
spdadd 192.168.10.1 192.168.10.2[80] any -P in ipsec
    esp/transport//unique ah/transport//unique;
spdadd 192.168.10.2[80] 192.168.10.1 any -P out ipsec
    esp/transport//unique ah/transport//unique;

****MACHINE 2****

# mirror of machine 1's SPD, with the directions flipped
spdadd 192.168.10.1 192.168.10.2[80] any -P out ipsec
    esp/transport//unique ah/transport//unique;
spdadd 192.168.10.2[80] 192.168.10.1 any -P in ipsec
    esp/transport//unique ah/transport//unique;

---------------------------------------------------------------

Here are the racoon configurations...

****MACHINE 1****

path certificate "/etc/racoon/certs";

remote 192.168.10.1 {
    exchange_mode main;
    certificate_type x509 "A1232_cert.pem" "A1232_key.cleartext.pem";
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group modp1024;
    }
}

# phase 2 selectors: local 192.168.10.2 port 80, peer 192.168.10.1
sainfo address 192.168.10.2[80] any address 192.168.10.1 any {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

****Machine 2****

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path certificate "/etc/racoon/certs";

remote 192.168.10.2 {
    exchange_mode main;
    certificate_type x509 "A1234_cert.pem" "A1234_key.cleartext.pem";
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group modp1024;
    }
}

# phase 2 selectors: local 192.168.10.1, peer 192.168.10.2 port 80
sainfo address 192.168.10.1 any address 192.168.10.2[80] any {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

In this configuration, it seems that the server cannot match the policy to the sainfo directive from the racoon.conf file. I get an "ERROR: failed to get sainfo" during the phase 2 negotiation. Any help would be appreciated.

~Buddy
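As an added example, not part of this thread and not ipsec-tools code, here is a small Python checker that parses the spdadd lines and sainfo selectors quoted above and cross-checks them: each host's SPD must mirror the other's with the direction flipped, and each policy's (local, remote) selector pair must appear literally in a sainfo on that host. It takes the first sainfo address as the local endpoint and the second as the peer, and compares address, port and protocol exactly; both are assumptions of this script, and racoon's own matching may be more permissive, so a mismatch reported here is a lead to look at, not proof of the cause. Run on the configurations in the post, all three checks come back empty; the script also shows that a sainfo with the port dropped is flagged for both policies.

```python
"""Cross-check setkey SPD entries against racoon sainfo selectors.
Constructed example; the sample configs below are copied from the post."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    addr: str    # IPv4 address or network as written in the config
    port: str    # "any" or a decimal port number
    proto: str   # upper-layer protocol, e.g. "any" or "tcp"


@dataclass(frozen=True)
class Policy:
    src: Selector
    dst: Selector
    direction: str   # "in" or "out"


def _split_addr_port(token):
    """'192.168.10.2[80]' -> ('192.168.10.2', '80'); no brackets -> port 'any'."""
    m = re.fullmatch(r"([^\[]+)(?:\[(\d+)\])?", token)
    if not m:
        raise ValueError("bad address token: " + token)
    return m.group(1), (m.group(2) or "any")


def parse_spd(text):
    """Parse 'spdadd SRC DST PROTO -P DIR ipsec ...;' statements into Policy objects."""
    policies = []
    for stmt in text.split(";"):
        toks = stmt.split()
        if not toks or toks[0] != "spdadd":
            continue
        saddr, sport = _split_addr_port(toks[1])
        daddr, dport = _split_addr_port(toks[2])
        proto = toks[3]
        direction = toks[toks.index("-P") + 1]
        policies.append(Policy(Selector(saddr, sport, proto),
                               Selector(daddr, dport, proto), direction))
    return policies


SAINFO_RE = re.compile(
    r"sainfo\s+address\s+(\S+)\s+(\S+)\s+address\s+(\S+)\s+(\S+)\s*\{")


def parse_sainfo(text):
    """Return (local, remote) Selector pairs, one per 'sainfo address A p address B p {'.
    Assumption of this script: first address = local side, second = peer."""
    pairs = []
    for m in SAINFO_RE.finditer(text):
        la, lp = _split_addr_port(m.group(1))
        ra, rp = _split_addr_port(m.group(3))
        pairs.append((Selector(la, lp, m.group(2)), Selector(ra, rp, m.group(4))))
    return pairs


def spd_mirror_mismatches(policies_a, policies_b):
    """Policies on host A that host B does not carry with the direction flipped."""
    flipped = {Policy(p.src, p.dst, "out" if p.direction == "in" else "in")
               for p in policies_b}
    return [p for p in policies_a if p not in flipped]


def sainfo_mismatches(policies, sainfos):
    """Policies whose (local, remote) pair has no literal sainfo match.
    local is dst for an 'in' policy and src for an 'out' policy.
    Exact comparison: stricter than racoon, so treat hits as leads."""
    missing = []
    for p in policies:
        local, remote = (p.dst, p.src) if p.direction == "in" else (p.src, p.dst)
        if (local, remote) not in sainfos:
            missing.append(p)
    return missing


# Sample input constructed from the configurations quoted in the post.
MACHINE1_SPD = """
spdadd 192.168.10.1 192.168.10.2[80] any -P in ipsec esp/transport//unique ah/transport//unique;
spdadd 192.168.10.2[80] 192.168.10.1 any -P out ipsec esp/transport//unique ah/transport//unique;
"""
MACHINE2_SPD = """
spdadd 192.168.10.1 192.168.10.2[80] any -P out ipsec esp/transport//unique ah/transport//unique;
spdadd 192.168.10.2[80] 192.168.10.1 any -P in ipsec esp/transport//unique ah/transport//unique;
"""
MACHINE1_SAINFO = "sainfo address 192.168.10.2[80] any address 192.168.10.1 any {"
MACHINE2_SAINFO = "sainfo address 192.168.10.1 any address 192.168.10.2[80] any {"
# Constructed negative case: same sainfo as machine 1 but with the port dropped.
BROKEN_SAINFO = "sainfo address 192.168.10.2 any address 192.168.10.1 any {"


def audit():
    """Run all three checks over the sample configs; empty lists mean consistent."""
    p1, p2 = parse_spd(MACHINE1_SPD), parse_spd(MACHINE2_SPD)
    return {
        "spd_not_mirrored": spd_mirror_mismatches(p1, p2),
        "m1_sainfo_gaps": sainfo_mismatches(p1, parse_sainfo(MACHINE1_SAINFO)),
        "m2_sainfo_gaps": sainfo_mismatches(p2, parse_sainfo(MACHINE2_SAINFO)),
        "m1_portless_sainfo_gaps": sainfo_mismatches(p1, parse_sainfo(BROKEN_SAINFO)),
    }


if __name__ == "__main__":
    for name, gaps in audit().items():
        print(name, "OK" if not gaps else gaps)
```

Point the two SPD strings and the sainfo lines at your own configs to reuse it; the report names each policy that has no mirror or no sainfo, so a forgotten port or a swapped local/remote order shows up before racoon logs "failed to get sainfo".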