List: openikev2-users
Subject: [openikev2-users] Bind error problem and some questions
From: alejandro_perez () dif ! um ! es (Alejandro Perez Mendez)
Date: 2005-12-30 21:48:23
Message-ID: 1135976119.31778.15.camel () localhost ! localdomain
On Fri, 30 Dec 2005 at 15:24 +0200, Väisänen Teemu wrote:
> Hi.
>
Hi
> 2005/12/23, Alejandro Perez Mendez <alejandro_perez@dif.um.es>:
> > On Fri, 23 Dec 2005 at 11:04 +0200, Väisänen Teemu wrote:
> > > > You can use any file as PSK (JPG, AVI, txt, zip, ...) The PSK file is
> > > > read in binary mode.
> > > > i.e. if "key.txt" contains only the text "Hello" without any
> > > > end-of-line, then the PSK will be (in hexadecimal) = [48:65:6C:6C:6F]
> > > > but if you use a PNG file, then the PSK will be (for example) =
> > > > [89:50:4E:47:0D:0A:1A:0A:00:00:00:0D:49:48:44:52:00:00......]
> > > >
> > > > So you should have one file for each PSK you want to use.
> > >
> > > Sorry, I don't understand. In openikev2.conf there is preshared_key = "..."
> > > What key exactly is it? Do both end nodes have that same file?
> >
> > The key is the bytes contained in the file.
> >
> > Yes, they have the same file in both nodes.
>
> I copied some jpg files to key.txt and anonymous.txt to be used as keys
> in both nodes. The keys are the same in both nodes.
Correct
> > > I'm testing first with two computers and IPsec transport mode, A and
> > > B: A <----> B
> > > A's IPv6 address is 3ffe::1/64 and B's is 3ffe::4/64.
>
> > The documentation section says:
> > << Remember to allow IKEv2 traffic (UDP 500) as the first IPSEC
> > policy and, if you want to use IPv6, also allow ICMPv6 traffic
> > (at least neighbour discovery). Otherwise IKEv2 messages
> > cannot reach the peer. >>
> >
> > So in the setkey file you must have (when using IPv6):
> > flush;
> > spdflush;
> > spdadd 0::0/0[500] 0::0/0 udp -P out none;
> > spdadd 0::0/0[500] 0::0/0 udp -P fwd none;
> > spdadd 0::0/0[500] 0::0/0 udp -P in none;
> > spdadd 0::0/0 0::0/0 ipv6-icmp -P out none;
> > spdadd 0::0/0 0::0/0 ipv6-icmp -P fwd none;
> > spdadd 0::0/0 0::0/0 ipv6-icmp -P in none;
> >
> > spdadd 3ffe::1 3ffe::4 any -P out ipsec esp/transport//require;
> > spdadd 3ffe::4 3ffe::1 any -P fwd ipsec esp/transport//require;
> > spdadd 3ffe::4 3ffe::1 any -P in ipsec esp/transport//require;
> >
> > The "fwd" policies, when using the later versions of setkey, are
> > automatically generated, but in the first versions they aren't.
>
> I made the changes and, as you told me, those fwd policies aren't needed;
> setkey just says that they already exist.
>
> > > I tried to ping from A to B and B to A but they can't be reached when
> > > policies are created and openIKEv2 is running.
> > >
> > > Should I change 3ffe::1/64 to 3ffe::1/128 etc. because in openIKEv2
> > > outputs have those 128s?
> >
> > The OpenIKEv2 output has 128 because the policies in the SPD have 128. You
> > should have the following if you want /64 selectors in the policies:
> > ...
> > spdadd 3ffe::/64 3ffe::/64 any -P in ipsec
> > esp/transport//require;
> > ...
> > But in your case, this is not needed and /128 is IMHO the best option.
>
> I changed addresses length to 128, but it seems to work similarly with 64s.
>
> The policies are created and openIKEv2 is running. When trying to ping for
> the first time, the key exchange (IKE_SA_INITs and IKE_AUTHs) is done and the
> network is unreachable, but after that the ping goes fine.
> The problem is that the messages are not protected with IPsec. What could be
> the reason for that?
The policies
spdadd 0::0/0 0::0/0 ipv6-icmp -P out none;
spdadd 0::0/0 0::0/0 ipv6-icmp -P fwd none;
spdadd 0::0/0 0::0/0 ipv6-icmp -P in none;
mean that no ICMPv6 traffic at all is processed by IPsec, so ping6 is
not protected. Try making a "telnet 80" (for example) and that traffic
should be protected.
If you also want to protect the ping6 traffic, you must tune the above
policies to allow only the "neighbour discovery" ICMPv6 messages, not
all the ICMPv6 traffic.
> Happy New Year to all!
Thanks. Happy New Year !!!
> -Teemu Väisänen
--
OpenIKEv2 team
_______________________________________________
> openikev2-users mailing list
> openikev2-users@dif.um.es
> https://correo.dif.um.es/cgi-bin/mailman/listinfo/openikev2-users
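As an added example, not taken from the original mail or from the OpenIKEv2 project, the following setkey policy file for host A in the thread's setup (3ffe::1 talking to 3ffe::4 in transport mode) applies the advice given in the reply: only IKE (UDP 500) and the five Neighbor Discovery ICMPv6 types bypass IPsec, so ping6 between A and B is forced through ESP instead of slipping past it. It assumes the `icmp6 type,code` upper-layer selector documented in the ipsec-tools setkey(8) man page (where a code of 0 acts as a wildcard) and a setkey recent enough to generate the `fwd` entries by itself, as the thread says newer versions do. The ICMPv6 type numbers in the comments come from the ICMPv6 and Neighbor Discovery specifications, not from the thread.

```conf
# Added example (not the OpenIKEv2 project's own config, not from the mail).
# setkey policy file for host A (3ffe::1) of the thread's A <-> B test.
# Assumes ipsec-tools setkey(8), which accepts "icmp6 type,code" as upperspec.
flush;
spdflush;

# 1. IKEv2 itself must bypass IPsec, otherwise IKE_SA_INIT can never be sent
#    and no SA is ever negotiated. Kept as the first policies, as the
#    OpenIKEv2 documentation quoted in the thread recommends. Both IKEv2
#    peers use source port 500, so a source-port selector covers both
#    directions (no NAT traversal assumed here).
spdadd ::/0[500] ::/0 udp -P out none;
spdadd ::/0[500] ::/0 udp -P in none;

# 2. Only Neighbor Discovery bypasses IPsec. Type numbers:
#    133 Router Solicitation, 134 Router Advertisement,
#    135 Neighbor Solicitation, 136 Neighbor Advertisement, 137 Redirect.
#    A code of 0 is a wildcard for setkey; ND messages always use code 0.
spdadd ::/0 ::/0 icmp6 133,0 -P out none;
spdadd ::/0 ::/0 icmp6 133,0 -P in none;
spdadd ::/0 ::/0 icmp6 134,0 -P out none;
spdadd ::/0 ::/0 icmp6 134,0 -P in none;
spdadd ::/0 ::/0 icmp6 135,0 -P out none;
spdadd ::/0 ::/0 icmp6 135,0 -P in none;
spdadd ::/0 ::/0 icmp6 136,0 -P out none;
spdadd ::/0 ::/0 icmp6 136,0 -P in none;
spdadd ::/0 ::/0 icmp6 137,0 -P out none;
spdadd ::/0 ::/0 icmp6 137,0 -P in none;

# 3. Everything else between A and B requires ESP in transport mode.
#    Because there is no longer a blanket "ipv6-icmp ... none" entry, ICMPv6
#    Echo Request (type 128) and Echo Reply (type 129) now hit these
#    policies, trigger the IKE exchange, and are protected like any other
#    traffic. On host B, swap the two addresses in these entries.
spdadd 3ffe::1 3ffe::4 any -P out ipsec esp/transport//require;
spdadd 3ffe::4 3ffe::1 any -P in ipsec esp/transport//require;
```

Load it with `setkey -f` on A, and on B with the addresses in the last two entries swapped. The first ping6 is still expected to fail while IKE_SA_INIT and IKE_AUTH run, exactly as the thread reports for the first packet; the difference is that the echo request now triggers the negotiation instead of being exempted from it, and `setkey -D` afterwards should show an ESP SA for the pair. The per-type bypass for 135 and 136 matters even in a two-node test: the unicast Neighbor Solicitations used for neighbour unreachability detection and the Neighbor Advertisements that answer them travel directly between 3ffe::1 and 3ffe::4, so without the bypass they would match the host-to-host `require` policy and the neighbour cache could never be refreshed.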