SSH Sentinel Client help please

I have some questions about the SSH Sentinel client for IPSec to OpenBSD
as a VPN remote access solution.  A few people on this list have had a
lot of success with this, so I was hoping someone might be able to help
me out with a few issues.

1) I'm using the beta (1.3).  Is this the right version to concentrate
on, or is the 1.2 release a better client (client OSes are Windows 2000 and
Windows XP)?

2) I've configured my server per Rafael Coninck Teigao's post and set up
the client to use a pre-shared secret:

[Phase 1]
Default= ISAKMP-clients

[Phase 2]
Passive-Connections= IPsec-clients

[ISAKMP-clients]
Phase= 1
Configuration= Sentinel-main-mode
Authentication= presharedsecretgoeshere

[IPsec-clients]
Phase= 2
Configuration= Sentinel-quick-mode
Local-ID= Local-net
Remote-ID= Remote-host

[Local-net]
ID-type= IPV4_ADDR_SUBNET
Network= x.y.z.0   <--- address of my private network?
Netmask= 255.255.255.0   <-- netmask of the private net?

[Remote-host]
ID-type= IPV4_ADDR
Address= 0.0.0.0

[Sentinel-main-mode]
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[Sentinel-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

The policy file is a cut and paste off Rafael's email.  When I try to
connect I establish an SA, I can ping the inside interface of the
bastion host, but I cannot ping hosts on the network etc.

There is an option for a virtual IP address; when I tweak those
settings I get an error about an INVALID_COOKIE.  Searching for that
error string through all the usual sources led to some discussion about
upgrading to current.  I was on a stable branch from last week, but I
upgraded to current and still get this issue.

3) Has anyone implemented this with certificates yet?
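An added sanity check (not from the original post, and not part of isakmpd) that can be run over a road-warrior isakmpd.conf fragment like the one above before loading it: it resolves every section reference (Default, Passive-Connections, Configuration, Local-ID, Remote-ID) and confirms that an IPV4_ADDR_SUBNET's Network is the base address of its Netmask, which is exactly the x.y.z.0 question in the post. The sample config is constructed from the post's Phase 2 sections, with 192.0.2.0 standing in for the private network.

```python
import ipaddress

# Constructed sample: the Phase 2 sections from the post, x.y.z.0 replaced by 192.0.2.0.
SAMPLE_CONF = """
[Phase 2]
Passive-Connections= IPsec-clients
[IPsec-clients]
Phase= 2
Configuration= Sentinel-quick-mode
Local-ID= Local-net
Remote-ID= Remote-host
[Local-net]
ID-type= IPV4_ADDR_SUBNET
Network= 192.0.2.0
Netmask= 255.255.255.0
[Remote-host]
ID-type= IPV4_ADDR
Address= 0.0.0.0
[Sentinel-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
"""
# Keys whose value names another [Section] in the same file (comma-separated lists allowed).
REF_KEYS = {"Default", "Passive-Connections", "Configuration", "Local-ID", "Remote-ID"}

def parse_conf(text):
    """Parse '[Section]' headers and 'Key= Value' lines into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # isakmpd.conf uses '#' comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_conf(sections):
    """Return problems: dangling section references, or a subnet Network with host bits set."""
    problems = []
    for name, keys in sections.items():
        for key, value in keys.items():
            for ref in (r.strip() for r in value.split(",") if key in REF_KEYS):
                if ref not in sections:
                    problems.append(f"[{name}] {key} -> missing section [{ref}]")
        if keys.get("ID-type") == "IPV4_ADDR_SUBNET":
            try:  # strict=True rejects e.g. Network= 192.0.2.5 with a /24 Netmask
                ipaddress.ip_network(f"{keys['Network']}/{keys['Netmask']}", strict=True)
            except (KeyError, ValueError):
                problems.append(f"[{name}] Network/Netmask is not a valid subnet")
    return problems
```

Running `check_conf(parse_conf(SAMPLE_CONF))` on the sample returns an empty list; a typo in a referenced section name or a host address in the Network line shows up as a problem string.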