Freeswan IPSEC 1.94++ & auth=rsasig ??
Zdenek Pizl
z.p na linux-cd.cz
Thursday, February 7, 16:44:41 CET 2002
Hello everyone,
I have a small but tricky question:
Description of the setup:
- let us have FreeS/WAN in a version newer than 1.94
(it probably does not matter, but that is the snapshot I have).
- generate a key pair (private and public) with the command
ipsec rsasigkey 2048 > /etc/ipsec.secrets. The output contains the commented-out
pubkey and a working private key.
- then set the following rules in /etc/ipsec.conf for the first machine:
--------------------------------------------------------------------------------------------------
config setup
	# THIS SETTING MUST BE CORRECT or almost nothing will work;
	# %defaultroute is okay for most simple cases.
	#interfaces=%defaultroute
	interfaces="ipsec0=eth0"
	# Debug-logging controls: "none" for (almost) none, "all" for lots.
	klipsdebug=none
	plutodebug=all
	# Use auto= parameters in conn descriptions to control startup actions.
	plutoload=%search
	plutostart=%search
	# Close down old connection when new one using same ID shows up.
	uniqueids=yes

# defaults for subsequent connection descriptions
# (mostly to fix internal defaults which, in retrospect, were badly chosen)
conn %default
	keyingtries=0
	disablearrivalcheck=no
	authby=rsasig
	leftrsasigkey=%dns
	rightrsasigkey=%dns

# A VPN connection
conn secure0
	# Left security gateway, subnet behind it, next hop toward right.
	type=tunnel
	left=10.0.0.130
	leftsubnet=
	leftnexthop=%direct
	# Right security gateway, subnet behind it, next hop toward left.
	right=10.0.0.1
	rightsubnet=
	rightnexthop=%direct
	authby=rsasig
	auto=route
	leftrsasigkey=0sAQPCPlDZdVHXGbU7bQuhY...
	rightrsasigkey=0sAQNEDp4NjEUC5cXRQoTb...
---------------------------------------------------------------------------------------------------
- and on the machine at the other end:
# basic configuration
config setup
	# THIS SETTING MUST BE CORRECT or almost nothing will work;
	# %defaultroute is okay for most simple cases.
	interfaces="ipsec0=eth0 ipsec1=eth1"
	# Debug-logging controls: "none" for (almost) none, "all" for lots.
	klipsdebug=none
	plutodebug=none
	# Use auto= parameters in conn descriptions to control startup actions.
	plutoload=%search
	plutostart=%search
	# Close down old connection when new one using same ID shows up.
	uniqueids=yes

conn secure0
	# Left security gateway, subnet behind it, next hop toward right.
	left=10.0.0.130
	leftsubnet=
	leftnexthop=%direct
	# Right security gateway, subnet behind it, next hop toward left.
	right=10.0.0.1
	rightsubnet=
	rightnexthop=%direct
	authby=rsasig
	auto=route
	leftrsasigkey=0sAQPCPlDZdVHXGbU7bQuhYkUZwS....
	rightrsasigkey=0sAQNEDp4NjEUC5cXRQoTbXbPPvf....
------------------------------------------------------------------------------------------------------
Problem: they cannot even ping each other. Let me say up front that it works with a shared secret key, but
that is not the way I would prefer. I simply want an RSA key there ...
Log output:
-> RSA Sig check failure SIG length does not match public key
-> Signature check (on 10.0.0.1) failed (wrong key?)
-> decrypted SIG payload into malformed ECB
I sort of understand what it is telling me, but I have no idea what to do about it :(( Does anyone have any idea??
I assume that "left" is always the same host, whether it is on one machine or the other, and so
there is no need to swap the keys in either config ....
thanks,
Z.P.
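Before chasing "wrong key?" and "SIG length does not match public key" in the Pluto log, the cheapest check is that both gateways really carry the same pair of public keys and that each gateway's configured key is the one in its own ipsec.secrets. The script below is an added example, not part of the original post and not FreeS/WAN code. It assumes the documented facts that a FreeS/WAN "0s" key is base64 of the RFC 3110 (RSA/DNS KEY) wire form (exponent length, exponent, modulus) and that "ipsec rsasigkey" writes a "#pubkey=0s..." line into ipsec.secrets; the keys and config texts inside it are constructed sample data, not real keys.

```python
import base64
import re


def encode_rfc3110(exponent, modulus):
    """Build a FreeS/WAN-style '0s' public key: base64 of the RFC 3110 wire form
    (1-byte exponent length, or 0 + 2-byte length; exponent; modulus)."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    hdr = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + len(exp).to_bytes(2, "big")
    return "0s" + base64.b64encode(hdr + exp + modulus).decode("ascii")


def decode_rfc3110(key):
    """Inverse of encode_rfc3110; returns (exponent, modulus_bytes)."""
    if not key.startswith("0s"):
        raise ValueError("expected a FreeS/WAN '0s' (base64) public key")
    raw = base64.b64decode(key[2:])
    if raw[0] != 0:
        elen, off = raw[0], 1
    else:
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    return int.from_bytes(raw[off:off + elen], "big"), raw[off + elen:]


def modulus_bits(key):
    """Modulus size in bits, the number 'ipsec rsasigkey 2048' should have produced."""
    return int.from_bytes(decode_rfc3110(key)[1], "big").bit_length()


# Constructed sample keys: fixed 256-byte patterns with the top bit set, so they
# decode as 2048-bit moduli. They are NOT real RSA keys; format demonstration only.
KEY_LEFT = encode_rfc3110(65537, b"\xc0" + bytes(range(1, 256)))
KEY_RIGHT = encode_rfc3110(65537, b"\xa5" + bytes(range(255, 0, -1)))

_KEY_RE = re.compile(r"^\s*(left|right)rsasigkey\s*=\s*(\S+)", re.M)


def conn_keys(conf_text):
    """Last literal leftrsasigkey/rightrsasigkey per side; '%dns' placeholders are skipped."""
    keys = {}
    for side, value in _KEY_RE.findall(conf_text):
        if value.startswith("0s"):
            keys[side] = value
    return keys


def secrets_pubkey(secrets_text):
    """The '#pubkey=0s...' line that 'ipsec rsasigkey' leaves in ipsec.secrets."""
    m = re.search(r"^\s*#pubkey=(0s\S+)", secrets_text, re.M)
    return m.group(1) if m else None


def compare_confs(conf_a, conf_b):
    """Findings for the two gateways' ipsec.conf texts; an empty list means they agree."""
    a, b = conn_keys(conf_a), conn_keys(conf_b)
    findings = []
    for side in ("left", "right"):
        if side not in a or side not in b:
            findings.append(f"{side}rsasigkey missing on one side")
        elif a[side] != b[side]:
            findings.append(f"{side}rsasigkey differs between the two configs")
    if "left" in a and a.get("left") == a.get("right"):
        findings.append("left and right carry the same key (pasted twice?)")
    return findings


def check_host(conf_text, secrets_text, side):
    """True when this host's configured key for 'side' is the pubkey in its own secrets."""
    return conn_keys(conf_text).get(side) == secrets_pubkey(secrets_text)


# Constructed ipsec.conf fragments in the layout used on the list (indented params).
CONF_A = f"""conn secure0
\tleft=10.0.0.130
\tright=10.0.0.1
\tauthby=rsasig
\tleftrsasigkey={KEY_LEFT}
\trightrsasigkey={KEY_RIGHT}
"""
CONF_B = CONF_A  # correct: both gateways carry identical left/right keys
CONF_B_SWAPPED = CONF_A.replace(KEY_LEFT, "TMP").replace(KEY_RIGHT, KEY_LEFT).replace("TMP", KEY_RIGHT)

# Constructed ipsec.secrets excerpt for the left gateway (only the lines this check reads).
SECRETS_LEFT = f"\t# RSA 2048 bits   gw-left   (constructed sample)\n\t#pubkey={KEY_LEFT}\n"

if __name__ == "__main__":
    print("modulus bits:", modulus_bits(KEY_LEFT), modulus_bits(KEY_RIGHT))
    print("matching configs:", compare_confs(CONF_A, CONF_B))
    print("swapped configs :", compare_confs(CONF_A, CONF_B_SWAPPED))
    print("left host key matches its secrets:", check_host(CONF_A, SECRETS_LEFT, "left"))
```

Run against the two real files by replacing CONF_A/CONF_B/SECRETS_LEFT with the contents of each gateway's /etc/ipsec.conf and /etc/ipsec.secrets. A non-empty list from compare_confs, a check_host of False on the host named by left=, or a modulus_bits other than 2048 each point at a configuration mismatch rather than at the RSA signature code itself.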