Freeswan IPSEC 1.94++ & auth=rsasig ??

Zdenek Pizl z.p at linux-cd.cz
Thursday February 7 16:44:41 CET 2002


Good day all,

 I have a small but tricky question:

Description of the setup:

- let's have FreeSWAN in a version newer than 1.94
(it probably doesn't matter, but that is the snapshot I have).

- let's generate a key pair (private and public) with the command
 ipsec rsasigkey 2048 > /etc/ipsec.secrets. The output contains a commented-out
pubkey and a working private key.

- then set the following rules in /etc/ipsec.conf for the first machine:
--------------------------------------------------------------------------------------------------
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        #interfaces=%defaultroute
        interfaces="ipsec0=eth0"
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=all
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes



# defaults for subsequent connection descriptions
# (mostly to fix internal defaults which, in retrospect, were badly chosen)
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%dns
        rightrsasigkey=%dns

# A VPN connection
conn secure0
        # Left security gateway, subnet behind it, next hop toward right.
        type=tunnel
        left=10.0.0.130
        leftsubnet=
        leftnexthop=%direct

        # Right security gateway, subnet behind it, next hop toward left.
        right=10.0.0.1
        rightsubnet=
        rightnexthop=%direct

        authby=rsasig
        auto=route

        leftrsasigkey=0sAQPCPlDZdVHXGbU7bQuhY...        
        rightrsasigkey=0sAQNEDp4NjEUC5cXRQoTb...
---------------------------------------------------------------------------------------------------
- and also on the machine at the other end

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces="ipsec0=eth0 ipsec1=eth1"
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

conn secure0
        # Left security gateway, subnet behind it, next hop toward right.
        left=10.0.0.130
        leftsubnet=
        leftnexthop=%direct

        # Right security gateway, subnet behind it, next hop toward left.
        right=10.0.0.1
        rightsubnet=
        rightnexthop=%direct

        authby=rsasig
        auto=route

        leftrsasigkey=0sAQPCPlDZdVHXGbU7bQuhYkUZwS....
        rightrsasigkey=0sAQNEDp4NjEUC5cXRQoTbXbPPvf....
------------------------------------------------------------------------------------------------------

Problem: they can't even ping each other. I'll say up front that it works with a shared-secret key, but
that is not the way I'd prefer. I simply want an RSA key there ...

Log output:

-> RSA Sig check failure SIG length does not match public key
-> Signature check (on 10.0.0.1) failed (wrong key?)
-> decrypted SIG payload into malformed ECB

 I sort of understand what it is telling me, but I have no idea what to do about it :(( Does anyone have any idea??
I assume that left is always the same one, whether it is on one machine or the other, and so
there is no need to swap the keys in either config ....

					thanks,
						Z.P.
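The log line "SIG length does not match public key" is pluto's complaint that the received RSA signature is not the same length as the modulus of the public key it has on file for the peer, so a quick way to check a configuration like the one above is to decode the leftrsasigkey/rightrsasigkey values and compare modulus sizes. The following script is an added example, not code from the post or from FreeS/WAN: it parses the `0s` (base64) form of FreeS/WAN keys, which wraps an RFC 2537 RSA public key (exponent length, exponent, modulus), reports each side's modulus size in bits, and reproduces the length comparison behind that error. The sample conn and its keys are constructed synthetic values, not the truncated keys from the post.

```python
import base64
import re

def decode_rsasigkey(text):
    """Parse a FreeS/WAN *rsasigkey value: '0s' = base64 of an RFC 2537 RSA
    public key (exponent length byte, or 0x00 + 2 bytes; exponent; modulus)."""
    if not text.startswith("0s"):
        raise ValueError("only '0s' (base64) keys are handled here")
    raw = base64.b64decode(text[2:], validate=True)
    elen, off = int.from_bytes(raw[:1], "big"), 1
    if elen == 0:                       # long form: 0x00 + 2-byte length
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    exp, mod = raw[off:off + elen], raw[off + elen:]
    if not exp or not mod:
        raise ValueError("truncated key: exponent or modulus missing")
    return int.from_bytes(exp, "big"), int.from_bytes(mod, "big")

def encode_rsasigkey(exp, mod):
    """Inverse of decode_rsasigkey; used below to build constructed sample keys."""
    e = exp.to_bytes((exp.bit_length() + 7) // 8, "big")
    hdr = bytes([len(e)]) if len(e) < 256 else b"\x00" + len(e).to_bytes(2, "big")
    n = mod.to_bytes((mod.bit_length() + 7) // 8, "big")
    return "0s" + base64.b64encode(hdr + e + n).decode()

def modulus_bytes(key_text):
    """Modulus length in bytes, which is also the length of any signature
    made with the matching private key."""
    return (decode_rsasigkey(key_text)[1].bit_length() + 7) // 8

def sig_length_matches(key_text, sig_len):
    """The comparison behind 'SIG length does not match public key': the
    received signature must be exactly as long as the configured peer modulus."""
    return modulus_bytes(key_text) == sig_len

KEY_RE = re.compile(r"^\s*(left|right)rsasigkey\s*=\s*(\S+)", re.M)

def audit_conf(conf_text):
    """Modulus size in bits per side for literal 0s keys in an ipsec.conf
    fragment; %dns and other non-literal values are skipped."""
    out = {}
    for side, val in KEY_RE.findall(conf_text):
        if val.startswith("0s"):
            out[side] = decode_rsasigkey(val)[1].bit_length()
    return out

# Constructed sample conn: a 2048-bit "left" and a 1024-bit "right" key
# (synthetic odd numbers in the 0s encoding, not real RSA moduli).
SAMPLE_CONF = "conn secure0\n\tleftrsasigkey=%s\n\trightrsasigkey=%s\n" % (
    encode_rsasigkey(3, (1 << 2047) | 0xC2A1), encode_rsasigkey(3, (1 << 1023) | 0x15))
```

Running `audit_conf(SAMPLE_CONF)` on the constructed fragment returns `{'left': 2048, 'right': 1024}`; on a real ipsec.conf, a side whose size differs from the `ipsec rsasigkey` length used on that host is the key to look at first.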