[Ipsec-tools-devel] Phase 2 transform mismatch (continued)
From: Jigar S. <so...@gm...> - 2009-01-16 09:18:24
> Hi Timo & Jigar,
> Hi, my config now looks like this:
>
> path include "/etc/racoon";
> path pre_shared_key "/etc/racoon/psk.txt";
> path certificate "/etc/racoon/certs";
>
> sainfo anonymous
> {
>         #pfs_group 1;
>         lifetime time 4 hour ;
>         # encryption_algorithm 3des, blowfish 448, rijndael ;
>         # authentication_algorithm hmac_sha1, hmac_md5 ;
>         encryption_algorithm 3des;
>         authentication_algorithm hmac_sha1;
>         compression_algorithm deflate ;
> }
>
> remote anonymous
> {
>         exchange_mode aggressive;
>         generate_policy on;
>         proposal {
>                 encryption_algorithm 3des;
>                 hash_algorithm sha1;
>                 authentication_method pre_shared_key;
>                 dh_group 2;
>         }
> }
>
>
> I've also created two spdadd commands into a file called ipsec.conf and
> imported it by invoking setkey -f as directed. I looked at the
> documentation and the syntax I came up with is:
>
> spdadd 128.135.12.230 128.135.19.61 any -P in ipsec
> esp/transport/128.135.12.230-128.135.19.61/require;
> spdadd 128.135.19.61 128.135.12.230 any -P out ipsec
> esp/transport/128.135.19.61-128.135.12.230/require;

There is a little misunderstanding here. When the generate_policy directive
is used, you do not need to manually specify your security policies in that
file like you did. So, if you want your RH to automatically create SPD
entries, you use the generate_policy directive only.

And if you use spdadd, i.e. by invoking setkey -f on an ipsec.conf file, the
file might look like this:

===
flush ;
spdflush ; # to clear old rules, like Timo said.
spdadd 128.135.12.230 128.135.19.61 any -P in ipsec
    esp/transport/128.135.12.230-128.135.19.61/require;
spdadd 128.135.19.61 128.135.12.230 any -P out ipsec
    esp/transport/128.135.19.61-128.135.12.230/require;
===

and your racoon.conf might look like this:

===
...
remote IBM {
    ...
    # do not mention generate_policy since they're created by setkey -f
}
sainfo address RH any address IBM any {
    ...
}
===

PS: if you use ipsec.conf to create your SPD entries, you might want to turn
your exchange_mode aggressive; to exchange_mode main; to improve your tunnel
security.

Cheers,
--
SOLANKI Jigar
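As an added example, not from this thread or from ipsec-tools, here is a small Python checker for the kind of setkey SPD file discussed above. It parses the spdadd statements and flags two consistency problems that leave one direction of a flow unprotected or rejected: a policy with no mirrored policy in the opposite direction, and transport-mode SA endpoints that do not match the selector addresses. The embedded sample configuration is constructed from the addresses in the thread.

```python
import re
from typing import Dict, List

# Constructed sample: the two transport-mode policies from the thread.
SAMPLE_CONF = """
flush ;
spdflush ;
spdadd 128.135.12.230 128.135.19.61 any -P in ipsec
    esp/transport/128.135.12.230-128.135.19.61/require;
spdadd 128.135.19.61 128.135.12.230 any -P out ipsec
    esp/transport/128.135.19.61-128.135.12.230/require;
"""

# One setkey spdadd statement: selector src/dst/proto, direction, then the
# ipsec request written as "proto/mode/sa_src-sa_dst/level".
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(esp|ah)/(transport|tunnel)/(\S+)-(\S+)/(require|use|default|unique)"
)
FIELDS = ("src", "dst", "proto", "dir", "sa", "mode", "sa_src", "sa_dst", "level")

def parse_spd(conf: str) -> List[Dict[str, str]]:
    """Return one dict per spdadd statement; statements end with ';'."""
    policies = []
    for stmt in conf.split(";"):
        m = SPDADD_RE.search(" ".join(stmt.split()))  # join wrapped lines
        if m:
            policies.append(dict(zip(FIELDS, m.groups())))
    return policies

def check_spd(policies: List[Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the SPD is consistent."""
    problems = []
    for p in policies:
        # In transport mode the SA endpoints are the packet's own addresses,
        # so when written out they must equal the selector.
        if p["mode"] == "transport" and (p["sa_src"], p["sa_dst"]) != (p["src"], p["dst"]):
            problems.append(f"{p['dir']} {p['src']}->{p['dst']}: SA endpoints differ from selector")
    # Each direction needs its mirror image, otherwise the return traffic
    # is either sent in the clear or dropped by the peer's own policy.
    for p in policies:
        other = "out" if p["dir"] == "in" else "in"
        if not any(q["dir"] == other and q["src"] == p["dst"] and q["dst"] == p["src"]
                   for q in policies):
            problems.append(f"{p['dir']} {p['src']}->{p['dst']}: no mirrored {other} policy")
    return problems

if __name__ == "__main__":
    for problem in check_spd(parse_spd(SAMPLE_CONF)):
        print(problem)
```

Run it against an existing file with the file's contents passed to parse_spd; no output means both directions are present and the endpoints agree.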