trying to set up SSH sentinel client
Hello,
I'm having some difficulties setting up a remote VPN client using SSH
Sentinel. Looking at the traffic, I see the remote host contacting my fw and I
see only one response from the fw to the remote host. The remote host is
NAT'd behind a Linksys router, and I have enabled IPsec pass-through. I
set the VPN client to use the same passphrase as in both isakmpd.policy
and isakmpd.conf. Also, I ran isakmpd as isakmpd -d -DA=99 to look for any
errors, but I did not see any. Any help would be greatly
appreciated. Here are my isakmpd.conf and isakmpd.policy:
#isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right
password
Authorizer: "POLICY"
Licensees: "passphrase:mekmitasdigoat"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg == "aes" &&
esp_auth_alg == "hmac-sha" -> "true";
#isakmpd.conf
[General]
Policy-File= /etc/isakmpd/isakmpd.policy
Listen-on= 68.60.230.69
[Phase 1]
Default= ISAKMP-clients
[Phase 2]
Passive-Connections= IPsec-clients
# Phase 1 peer sections
#######################
[ISAKMP-clients]
Phase= 1
Transport= udp
Configuration= main-mode
Authentication= mekmitasdigoat
#ID= my-ID
#[my-ID]
#ID-type= FQDN
#Name= mrtg.cellnetwork.com
# Phase 2 sections
##################
[IPsec-clients]
Phase= 2
Configuration= quick-mode
Local-ID= default-route
Remote-ID= dummy-remote
[default-route]
ID-type= IPV4_ADDR_SUBNET
Network= 172.16.16.0
Netmask= 255.255.255.0
[dummy-remote]
ID-type= IPV4_ADDR
Address= 0.0.0.0
#[x509-certificates]
#CA-directory= /etc/isakmpd/ca/
#Cert-directory= /etc/isakmpd/certs/
#Private-key= /etc/isakmpd/private/local.key
# Transform descriptions
########################
#
# For Main Mode:
# {DES,BLF,3DES,CAST}-{MD5,SHA}[-{DSS,RSA_SIG}]
#
# For Quick Mode:
# QM-{ESP,AH}[-TRP]-{DES,3DES,CAST,BLF,AES}[-{MD5,SHA,RIPEMD}][-PFS]-SUITE
# Main -and quick mode transforms
[main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= BLF-SHA-RSA_SIG
[quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-SUITE
Thanks in advance,
John Hines
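One consistency check worth running on a configuration like the one above, before staring at packet captures: in isakmpd.conf(5) a Phase 1 `Transforms=` entry of the form `BLF-SHA-RSA_SIG` (or `-DSS`) proposes signature authentication, while a transform without that suffix (`BLF-SHA`) proposes pre-shared-key authentication, which is what `Authentication=` in the peer section supplies. The `passphrase:` Licensee in isakmpd.policy must name that same key. The script below is an added example, not code from the post or from OpenBSD; it parses only the `[section]` / `key= value` subset of isakmpd.conf that the post uses, embeds a constructed copy of the posted Phase 1 sections as sample input, and flags a peer that sets a pre-shared key but whose transform asks for signatures, a pre-shared key that is not listed as a policy passphrase, and a peer with neither. Whether that mismatch is the cause of the single-reply behaviour described cannot be confirmed from the post alone; it is simply the first thing this check would report.

```python
"""Lint an isakmpd.conf / isakmpd.policy pair for Phase 1 authentication mismatches.

Added example, not from the original post. It understands only the
[section] / key= value format of isakmpd.conf(5) and the KeyNote
Licensees: "passphrase:..." form used in the post.
"""
import re

# Constructed sample input: the Phase 1 peer and transform sections as posted.
CONF_AS_POSTED = """\
[General]
Policy-File= /etc/isakmpd/isakmpd.policy
Listen-on= 68.60.230.69

[Phase 1]
Default= ISAKMP-clients

[ISAKMP-clients]
Phase= 1
Transport= udp
Configuration= main-mode
Authentication= mekmitasdigoat

[main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= BLF-SHA-RSA_SIG
"""

# Same peer, but the transform no longer carries a signature suffix, so the
# proposal's authentication method is pre-shared key, matching Authentication=.
CONF_FIXED = CONF_AS_POSTED.replace("Transforms= BLF-SHA-RSA_SIG", "Transforms= BLF-SHA")

# Constructed copy of the posted policy (Comment joined onto one line).
POLICY_AS_POSTED = """\
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:mekmitasdigoat"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg == "aes" &&
esp_auth_alg == "hmac-sha" -> "true";
"""

SIG_SUFFIXES = ("-RSA_SIG", "-DSS")   # Phase 1 transform suffixes meaning signature auth


def parse_isakmpd_conf(text):
    """Return {section: {key: value}} for the [section] / key= value layout.
    Blank lines and # comments are skipped; keys stay case-sensitive as in isakmpd."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections[current][key.strip()] = value.strip()
    return sections


def policy_passphrases(text):
    """Collect every "passphrase:..." credential named on a Licensees: line."""
    found = set()
    for m in re.finditer(r"Licensees:(.*)", text):
        found.update(re.findall(r'"passphrase:([^"]*)"', m.group(1)))
    return found


def lint(conf_text, policy_text):
    """Return a list of findings for every Phase 1 peer; an empty list means consistent."""
    conf = parse_isakmpd_conf(conf_text)
    passphrases = policy_passphrases(policy_text)
    findings = []
    for name, sec in conf.items():
        if sec.get("Phase") != "1":
            continue
        psk = sec.get("Authentication")
        cfg = conf.get(sec.get("Configuration", ""), {})
        transforms = [t.strip() for t in cfg.get("Transforms", "").split(",") if t.strip()]
        sig = [t for t in transforms if t.endswith(SIG_SUFFIXES)]
        if psk and sig:
            findings.append(f"[{name}]: Authentication= (pre-shared key) is set, but "
                            f"Transforms {sig} propose signature authentication")
        if psk and passphrases and psk not in passphrases:
            findings.append(f"[{name}]: pre-shared key is not a passphrase Licensee "
                            f"in isakmpd.policy")
        if not psk and not sig:
            findings.append(f"[{name}]: neither Authentication= nor a signature transform")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", CONF_AS_POSTED), ("fixed", CONF_FIXED)):
        print(label, "->", lint(conf, POLICY_AS_POSTED) or ["ok"])
```

Run against the posted sections it reports the RSA_SIG/pre-shared-key conflict; against the `BLF-SHA` variant it reports nothing. It says nothing about the NAT side: a consumer router's "IPsec pass-through" is not NAT traversal, and NAT-T (UDP 4500 encapsulation) only helps when both the client and the isakmpd build in use support it, so that is a separate thing to confirm once the Phase 1 proposal and the policy agree.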