
List:       ipsec-tools-devel
Subject:    [Ipsec-tools-devel] Fwd: Ipsec query on racoon.conf configuration
From:       Reshma Begam <reshma.begam () gmail ! com>
Date:       2012-06-28 7:51:33
Message-ID: CAPKSq92-Zcz4YM_kyWeBs48gZG6SrtVii30akmmiBbU7bK_ioQ () mail ! gmail ! com


Hi,

How should racoon.conf look? Does racoon support having multiple remote
sections inside racoon.conf for the same remote with different proposals?

How will racoon identify which is the correct remote section from
racoon.conf for a particular tunnel?

Following is the racoon.conf on peer1, with psk.txt the same as
mentioned by you.
With this configuration I am not able to achieve the intended behavior, i.e. not
able to establish both the tunnels with peer as initiator.

Is this configuration correct? Could you please clarify what the
correct configuration is.

# cat racoon.conf
#!/usr/local/6bin/racoon
# FlexiPlatform Racoon configuration file

# This file is automatically created, DO NOT EDIT THIS!
path pre_shared_key "/root/secret.psk";
path certificate "/etc/ipsec/certs/ipsec.d/";
remote 44.0.0.2
{
        exchange_mode main;
        my_identifier address 44.0.0.1;
        nat_traversal off ;
        script "/etc/ipsec/scripts/phase1-up.sh" phase1_up;
        script "/etc/ipsec/scripts/phase1-down.sh" phase1_down;
        lifetime time 1200 secs;
        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm aes;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo subnet 33.0.0.0/24 1 subnet 33.0.0.0/24 1
{
        lifetime time 600 secs;
        encryption_algorithm aes;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
        encapdscp on;
}

remote 44.0.0.2
{
        exchange_mode main;
        my_identifier address 44.0.0.3;
        nat_traversal off ;
        script "/etc/ipsec/scripts/phase1-up.sh" phase1_up;
        script "/etc/ipsec/scripts/phase1-down.sh" phase1_down;
        lifetime time 2400 secs;
        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo subnet 55.0.0.0/24 1 subnet 55.0.0.0/24 1
{
        lifetime time 1200 secs;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
        encapdscp on;
}

listen {
        adminsock "/etc/ipsec/0/ike1/.racoon_admin";
        isakmp 44.0.0.1 [500];
        isakmp 44.0.0.3 [500];
}




Thanks,
Reshma


On Wed, Jun 27, 2012 at 5:14 PM, Rainer Weikusat <
rweikusat@mobileactivedefense.com> wrote:

> Reshma Begam <reshma.begam@gmail.com> writes:
> > Could someone please help me in understanding how the racoon.conf and
> > psk.txt configuration should be for the following tunnel scenario.
> >
> > Scenario: I have a couple of tunnels between 2 peers, each tunnel having
> > its own peer1 end point but the same peer2 end.
> >
> >             Peer1                                Peer2
> >     A1 (1.1.1.1)(PSK:Secret1)<------------> B1(1.1.1.3)  (Tunnel 1)
> > (PSK:Secret1)              -------------> both these tunnels have their own
> > secrets, Secret1 and Secret2.
> >     A2 (1.1.1.2)(PSK:Secret2)<------------->B1(1.1.1.3)  (Tunnel 2)
> > (PSK:Secret2)
> >
> > Is this kind of scenario supported by racoon? What happens if we
> > initiate traffic from the traffic selectors of both tunnels? Will
> > negotiations succeed?
> > Please provide some example configurations if they exist for this kind of
> > scenario.
>
> On the 'Peer1' machines, you would have a psk.txt with
>
>        1.1.1.3 Secret1
>
> and
>
>        1.1.1.3 Secret2
>
> On Peer2, this would be
>
>        1.1.1.1 Secret1
>        1.1.1.2 Secret2
>
>


-- 

Regards,
Reshma
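Added example, not part of this thread and not code from ipsec-tools: a small Python check that parses a racoon.conf-style brace file and a psk.txt and reports any `remote` selector or pre-shared-key identifier that is declared more than once. It assumes (as the question itself suggests) that racoon picks a `remote` block by the peer address on the `remote` line and looks up the pre-shared key by the peer identifier in psk.txt, so a duplicated selector or identifier leaves racoon with nothing to choose between. The embedded racoon.conf is a trimmed copy of the one posted above; the psk.txt is constructed from the layout in the quoted reply, written into a single file with 44.0.0.2 standing in for 1.1.1.3 to match the config (an assumption for the example).

```python
"""Added example (not from the thread or ipsec-tools): flag duplicated
selectors in a racoon.conf-style file and its psk.txt."""
import re
from collections import defaultdict

# Constructed sample: the two 'remote 44.0.0.2' blocks from the posted
# racoon.conf, trimmed to the statements this check reads.
RACOON_CONF = """\
path pre_shared_key "/root/secret.psk";
remote 44.0.0.2
{
        my_identifier address 44.0.0.1;
        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm aes;
                authentication_method pre_shared_key;
        }
}
remote 44.0.0.2
{
        my_identifier address 44.0.0.3;
        proposal {
                encryption_algorithm 3des;
                authentication_method pre_shared_key;
        }
}
listen {
        isakmp 44.0.0.1 [500];
        isakmp 44.0.0.3 [500];
}
"""

# Constructed psk.txt: the quoted reply's layout in one file, with 44.0.0.2
# standing in for 1.1.1.3 (assumption, so it matches the config above).
PSK_TXT = """\
# identifier   secret
44.0.0.2   Secret1
44.0.0.2   Secret2
"""


def top_level_blocks(text):
    """Return [(header, body)] for each brace block at nesting depth 0;
    nested blocks such as 'proposal { ... }' stay inside the parent body."""
    src = re.sub(r"#[^\n]*", "", text)          # drop comments
    blocks, depth, body_start, header_start = [], 0, 0, 0
    for i, ch in enumerate(src):
        if ch == "{":
            if depth == 0:
                # header = text since the last ';' or block close, up to '{'
                header = src[header_start:i].strip().split(";")[-1].strip()
                body_start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                blocks.append((header, src[body_start:i]))
                header_start = i + 1
    return blocks


def remote_selectors(text):
    """Map each 'remote <selector>' to the (my_identifier, encryption)
    pair of every block declared with that selector."""
    found = defaultdict(list)
    for header, body in top_level_blocks(text):
        words = header.split()
        if not words or words[0] != "remote":
            continue
        ident = re.search(r"my_identifier\s+address\s+(\S+)\s*;", body)
        enc = re.search(r"encryption_algorithm\s+(\S+)\s*;", body)
        found[" ".join(words[1:])].append(
            (ident.group(1) if ident else None, enc.group(1) if enc else None))
    return found


def psk_entries(text):
    """Map each psk.txt identifier to the list of secrets declared for it."""
    keys = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ident, secret = line.split(None, 1)
            keys[ident].append(secret)
    return keys


def ambiguous(conf_text, psk_text):
    """One finding per selector or identifier declared more than once."""
    findings = []
    for selector, blocks in remote_selectors(conf_text).items():
        if len(blocks) > 1:
            idents = ", ".join(str(i) for i, _ in blocks)
            findings.append(f"remote {selector}: declared {len(blocks)} times "
                            f"(my_identifier {idents}); the peer address alone "
                            "cannot select between them")
    for ident, secrets in psk_entries(psk_text).items():
        if len(secrets) > 1:
            findings.append(f"psk.txt {ident}: {len(secrets)} secrets for one "
                            "identifier")
    return findings
```

Running `ambiguous(RACOON_CONF, PSK_TXT)` on the samples returns two findings: the `remote 44.0.0.2` selector declared twice (with `my_identifier` 44.0.0.1 and 44.0.0.3), and two secrets for the one identifier in psk.txt. A config in which each tunnel has its own peer address, or each peer1 machine keeps its own psk.txt as the quoted reply describes, produces no findings.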




_______________________________________________
Ipsec-tools-devel mailing list
Ipsec-tools-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel

