Bradley Peterson | 24 May 22:55

Should racoon select remote conf based on client's certificate?

Hello,

I am configuring racoon from ipsec-tools 0.8.0 for two anonymous
remote confs.  The only difference between the rmconfs is the server
certificate and CA.  The clients are connecting in Main Mode, using
Xauth.

This works fine when the client is the Cisco VPN Client on Windows.
But when the client is an iPhone, I'm not seeing a valid certificate
request, so racoon is not choosing a rmconf.  By the time the client
would send a CR, we've already sent our CRs, and the client is
sending its certificates.

It seems like it is seeing a CR payload, but no valid CR.  But that
packet is encrypted, so I haven't been able to get a good packet dump.

So, would it make sense to also select a rmconf based on the issuer of
the client's certificate (along with any certificate requests)?  Has
any work been done for that?

Thanks,
Bradley Peterson

----
For reference here is a snippet of the logs:

May 23 10:14:07 vpndev1 racoon: DEBUG: CR received:
May 23 10:14:07 vpndev1 racoon: DEBUG:  04
May 23 10:14:07 vpndev1 racoon: [<snip>] DEBUG: getrmconf_by_ph1:
remote <snip>, identity <snip>

isshed | 17 May 18:42

NULL Encryption support

Hi All,
 
I have made an application which works over IPsec in transport mode with 3DES/NULL encryption. When I run it with NULL encryption, the SA does not establish. Then I tried adding it manually using the setkey command, but I was not successful. I guess my Linux kernel does not support NULL encryption. Can anyone let me know how to debug it? Please let me know if any more info is required.
 
Thanks,
Harendra
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Bing Li | 15 May 18:46

(no subject)

Hi everyone,

I tried to compile the source code of ipsec-tool-0.7.2.
When I compiled it in FC 14, everything was OK (./configure, make, make
install). I have installed it in FC 14. However, when I tried to
compile it in Ubuntu 10.04, I ran into a lot of difficulty.

First, I tried to configure with the option
"enable-security-context=yes". The error is as follows:

configure: error: Security Context requested, but no selinux support! Aborting

Then I tried to configure with the option
"enable-security-context=yes". Although the configure is OK, the error
still happened when I tried to make. It always said some functions in
openssl were undefined. I checked the openssl version on my computer
and updated it, but the error did not disappear.

Is there anyone who has installed ipsec-tool in Ubuntu who can share
their success experience?

Best Regards,
Bing

Stefan Bauer | 2 May 11:24

Please clarify - ipsec-tunnel to one endpoint with more SAs

Dear Developers,

we had a single site2site tunnel to one customer with main mode, static IPs and PSK.
Now we tried to add another tunnel to the same customer for a different network. If we set the second tunnel up,
the first is terminated. Is it possible that we can only use aggressive mode when we have more than one
tunnel to the same customer (single public IP)?

thank you in advance

Stefan

aram baghomian | 2 May 00:17

add keywords to racoon config file's parser routine



Hi,

I added a new encryption algorithm to the racoon source code and compiled it successfully,
but I don't know how to add the name of this new algorithm to the config file parser
routine. I added the name of this algorithm to cftoken.l the same as the other keywords,
but it does not work and I get a syntax error on the name of my algorithm in the
config file when I run racoon.

Please give me some advice for adding new keywords.

thanks.


derekbellino | 26 Apr 14:19

Linux 2.4.6 Kernel

Hello,
Will the latest ipsec-tools compile and run under a Linux 2.4.6 kernel?
Thank you,
Derek Bellino
divya mohan | 18 Apr 10:54

no established ph1 handler found

Hi,

I am having issues establishing a VPN tunnel. In the racoon logs, I
see the message "no established ph1 handler found" and "phase2
negotiation failed due to time up waiting for phase1."

Could someone give some direction on how to start debugging this issue?

------------------------------------------------------------------------------------------------------------------------------------------
2012-04-18 11:13:48: VRFID: 2 DEBUG: agreed on pre-shared key auth.
2012-04-18 11:13:48: VRFID: 2 DEBUG: ===
2012-04-18 11:13:48: VRFID: 2 DEBUG: new cookie:
fa8a7591e59a2e81
2012-04-18 11:13:48:  DEBUG: add payload of len 52, next type 13
2012-04-18 11:13:48:  DEBUG: add payload of len 16, next type 0
2012-04-18 11:13:48:  DEBUG: 104 bytes from 2015::5010:2[500] to
2015::5010:1[500]
2012-04-18 11:13:48:  DEBUG: sockname 2015::5010:2[500]
2012-04-18 11:13:48:  DEBUG: send packet from 2015::5010:2[500]
2012-04-18 11:13:48:  DEBUG: send packet to 2015::5010:1[500]
2012-04-18 11:13:48:  DEBUG: src6 2015::5010:2[500] 0
2012-04-18 11:13:48:  DEBUG: dst6 2015::5010:1[500] 0
2012-04-18 11:13:48:  DEBUG: 1 times of 104 bytes message will be sent
to 2015::5010:1[500]
2012-04-18 11:13:48:  DEBUG:
363e1438 6d1510e8 fa8a7591 e59a2e81 01100200 00000000 00000068 0d000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c07d0
80010007 800e0080 80030001 80020001 80040001 00000014 afcad713 68a1f1c9
6b8696fc 77570100
2012-04-18 11:13:48:  DEBUG: resend phase1 packet
363e14386d1510e8:fa8a7591e59a2e81
2012-04-18 11:13:48:  DEBUG2: CHKPH1THERE: extract_port.
2012-04-18 11:13:48:  DEBUG2: CHKPH1THERE: found a ph1 wop.
2012-04-18 11:13:48:  DEBUG2: CHKPH1THERE: no established ph1 handler found
------------------------------------------------------------------------------------------------------------------------------------------

Regards,
Divya

------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second 
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev
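As an added example (not part of the message above and not ipsec-tools code), the hex dump racoon printed in that log can be decoded by hand to confirm what the surrounding DEBUG lines say: a 104-byte packet, exchange type 2 (identity protection, i.e. main mode), responder cookie fa8a7591e59a2e81, an SA payload (type 1) followed by a vendor ID payload (type 13). The decoder follows the fixed layouts in RFC 2408 and refuses any dump whose payload chain does not end exactly at the length the header claims, which is the first check worth making on a packet before trusting its contents. The only input is the dump copied from the log; the "limit" parameter is an assumption of this example, used to simulate a capture cut short.

```c
#include <ctype.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hex dump copied verbatim from the racoon DEBUG output in the message above. */
static const char *kDumpHex =
    "363e1438 6d1510e8 fa8a7591 e59a2e81 01100200 00000000 00000068 0d000038 "
    "00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c07d0 "
    "80010007 800e0080 80030001 80020001 80040001 00000014 afcad713 68a1f1c9 "
    "6b8696fc 77570100";

#define ISAKMP_HDR_LEN 28      /* RFC 2408 section 3.1 */
#define GEN_PAYLOAD_HDR_LEN 4  /* RFC 2408 section 3.2 */
#define MAX_PKT 256
#define MAX_PAYLOADS 8

struct isakmp_hdr {
    uint64_t icookie, rcookie;
    uint8_t next_payload, version, exchange_type, flags;
    uint32_t msgid, length;
};

struct decoded {
    int nbytes;                  /* bytes taken from the dump, -1 on malformed hex */
    struct isakmp_hdr hdr;
    int npayloads;               /* entries in the payload chain, -1 if inconsistent */
    uint8_t types[MAX_PAYLOADS]; /* payload type of each chain entry */
};

/* Convert a whitespace-separated hex dump to bytes. Returns the byte count or -1. */
static int hex_to_bytes(const char *hex, uint8_t *out, size_t max) {
    size_t n = 0;
    int hi = -1;
    for (; *hex; hex++) {
        unsigned char c = (unsigned char)*hex;
        if (isspace(c)) continue;
        if (!isxdigit(c)) return -1;
        int v = isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
        if (hi < 0) { hi = v; continue; }
        if (n >= max) return -1;
        out[n++] = (uint8_t)((hi << 4) | v);
        hi = -1;
    }
    return hi < 0 ? (int)n : -1; /* an odd nibble count is malformed */
}

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint64_t be64(const uint8_t *p) { return ((uint64_t)be32(p) << 32) | be32(p + 4); }

/* Parse the fixed 28-byte ISAKMP header; -1 if the buffer is shorter than that. */
static int parse_isakmp_hdr(const uint8_t *pkt, size_t len, struct isakmp_hdr *h) {
    if (len < ISAKMP_HDR_LEN) return -1;
    h->icookie = be64(pkt);          h->rcookie = be64(pkt + 8);
    h->next_payload = pkt[16];       h->version = pkt[17];
    h->exchange_type = pkt[18];      h->flags = pkt[19];
    h->msgid = be32(pkt + 20);       h->length = be32(pkt + 24);
    return 0;
}

/* Walk the generic payload chain. Each payload length must stay inside the buffer
 * and the chain must end exactly at the header's stated length; anything else is -1. */
static int walk_payloads(const uint8_t *pkt, size_t len, uint8_t *types, int max_types) {
    struct isakmp_hdr h;
    if (parse_isakmp_hdr(pkt, len, &h) < 0 || h.length != len) return -1;
    size_t off = ISAKMP_HDR_LEN;
    uint8_t next = h.next_payload;
    int count = 0;
    while (next != 0) {
        if (off + GEN_PAYLOAD_HDR_LEN > len || count >= max_types) return -1;
        uint16_t plen = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
        if (plen < GEN_PAYLOAD_HDR_LEN || off + plen > len) return -1;
        types[count++] = next; /* type of the payload at 'off' */
        next = pkt[off];       /* its Next Payload field */
        off += plen;
    }
    return off == len ? count : -1;
}

/* Decode a dump end to end. limit > 0 keeps only the first 'limit' bytes (simulated truncation). */
static struct decoded decode_dump(const char *hex, int limit) {
    struct decoded d = {0};
    uint8_t buf[MAX_PKT];
    d.nbytes = hex_to_bytes(hex, buf, sizeof buf);
    if (limit > 0 && limit < d.nbytes) d.nbytes = limit;
    d.npayloads = -1;
    if (d.nbytes < 0 || parse_isakmp_hdr(buf, (size_t)d.nbytes, &d.hdr) < 0) return d;
    d.npayloads = walk_payloads(buf, (size_t)d.nbytes, d.types, MAX_PAYLOADS);
    return d;
}

int main(void) {
    struct decoded d = decode_dump(kDumpHex, 0);
    printf("bytes=%d icookie=%016" PRIx64 " rcookie=%016" PRIx64 " exchange=%u msgid=%u length=%u\n",
           d.nbytes, d.hdr.icookie, d.hdr.rcookie, d.hdr.exchange_type, d.hdr.msgid, d.hdr.length);
    for (int i = 0; i < d.npayloads; i++) printf("payload %d: type %u\n", i, d.types[i]);
    printf("first 100 bytes only: payloads=%d\n", decode_dump(kDumpHex, 100).npayloads);
    return 0;
}
```

The payload types come out as 1 (SA) and 13 (Vendor ID), matching racoon's own "add payload of len 52, next type 13" and "add payload of len 16, next type 0" lines once the 4-byte generic payload header is added to each body length (56 + 20 + the 28-byte header = 104).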
Frank Renwick | 17 Apr 02:39

notes on ToS Byte inheritance

Brian/Ian,
 
I learned a few things today that I'll forget by tomorrow I'm sure:
 
1. DMVPN tunnels, when they use IPSec, use IPSec transport mode.  Transport mode simply takes the IP Header of the original packet and uses that for the IP Header of the IPSec tunnel.  As such, ToS byte inheritance happens by default here.  I verified this using a DMVPN tunnel between Cisco hub and DDU spoke.
 
2. Cisco default behavior for GRE tunnels is to take the ToS byte from the payload and use that value in the ToS byte of the GRE IP Header.
 
3. The pt-to-pt IPSec offering of the DDU, using IPSec tunnel mode, has the default behavior of copying the ToS byte from the data being placed into the tunnel.
 
No quiz on this tomorrow.
 
frank
Eivind Naess | 15 Apr 23:23

Crash in racoon

Hi Developers,

I caught a crash in racoon, and the following backtrace shows a problem in isakmp_info_recv_d. I have proposed a fix for this at the end of this email. The version I am working on is a checkout from March 16, 2012 of ipsec-tools-0.8.0.

#0  0x0000000000423c53 in isakmp_info_recv_d (iph1=0x2681440, delete=0x2679cac, msgid=4007099779, encrypted=0) at isakmp_inf.c:495
#1  0x000000000042357e in isakmp_info_recv (iph1=0x2681440, msg0=0x2680270) at isakmp_inf.c:299
#2  0x0000000000407e27 in isakmp_main (msg=0x2680270, remote=0x7fffae983550, local=0x7fffae9834d0) at isakmp.c:652
#3  0x00000000004073c1 in isakmp_handler (ctx=0x0, so_isakmp=8) at isakmp.c:377
#4  0x0000000000406603 in session () at session.c:325
#5  0x0000000000405b9b in main (ac=1, av=0x7fffae9847e8) at main.c:345

Scenario:
Racoon acts as a responder, has received the first phase 1 request and has sent a response to it. The initiator now sends an ISAKMP request back to the server with a payload to delete the current SA. This request is unencrypted, and racoon exposes a configuration option (weak_phase1_check on|off) to control whether the real SA kept by racoon should be removed.

The code in context from isakmp_inf.c:495
495             if(!iph1->rmconf->weak_phase1_check && !encrypted) {
496                     plog(LLV_WARNING, LOCATION, iph1->remote,
497                             "Ignoring unencrypted delete payload "
498                             "(check the weak_phase1_check option)\n");
499                     return 0;

The iph1->rmconf is NULL and causes racoon to crash during initial phase1 exchange. The current status of the iph1 at the time of the incident looks like:

side:           1 RESPONDER
status:        3 PH1 MESSAGE SENT     (We have received the first PH1 msg)
etype:         2 Identity Protection
rmconf:       NULL
Retry:         2
NAT-T FL:    0x29
Vendor-ID:  131208
Encapsulation: UDP_ENCAP_ESPINUDP

Message Received: 12, Length 28
ISAKMP DELETE PAYLOAD

It looks to me like the rmconf is used before it is assigned. A simple NULL pointer check should suffice for this problem. However, in this particular case the NULL pointer check will cause it not to delete the specified SA, which still seems to be active, rendering the weak_phase1_check property useless.

Proposed Fix:
        // Eivind: Check if rmconf is NULL before dereferencing it.
        if(!(iph1->rmconf && iph1->rmconf->weak_phase1_check) && !encrypted) {
                plog(LLV_WARNING, LOCATION, iph1->remote,
                        "Ignoring unencrypted delete payload "
                        "(check the weak_phase1_check option)\n");
                return 0;
        }


------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2
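An added stand-alone model of the check at isakmp_inf.c:495 and of the proposed fix above (example code written for this page, not racoon's own; the two struct definitions are placeholders carrying only the fields the message discusses). It makes the behaviour change explicit as a decision table: with the fix, an unencrypted delete that arrives while rmconf is still NULL is ignored instead of dereferencing NULL, and every row where rmconf is set keeps the original behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Placeholder structs (not racoon's definitions): only the two fields the thread talks about. */
struct remote_conf { int weak_phase1_check; };
struct ph1handle { struct remote_conf *rmconf; }; /* NULL until phase 1 binds a remote conf */

/* The quoted original: rmconf is dereferenced before anything else is looked at,
 * so with rmconf == NULL this crashes whether or not the payload was encrypted.
 * Kept for contrast only; never call it with a NULL rmconf. Returns 1 = ignore. */
static int ignore_delete_unfixed(const struct ph1handle *iph1, int encrypted) {
    return !iph1->rmconf->weak_phase1_check && !encrypted;
}

/* The proposed fix: a missing rmconf is treated like weak_phase1_check off, so an
 * unencrypted delete that arrives before the remote conf is bound is ignored
 * (fail closed) rather than dereferencing NULL. Returns 1 = ignore. */
static int ignore_delete_fixed(const struct ph1handle *iph1, int encrypted) {
    return !(iph1->rmconf && iph1->rmconf->weak_phase1_check) && !encrypted;
}

/* Build the handler state for one row of the decision table and run the fixed check. */
static int fixed_decision(int has_rmconf, int weak_phase1_check, int encrypted) {
    struct remote_conf rc = { weak_phase1_check };
    struct ph1handle iph1 = { has_rmconf ? &rc : NULL };
    return ignore_delete_fixed(&iph1, encrypted);
}

/* Same row through the unfixed check; only valid when rmconf is present. */
static int unfixed_decision(int weak_phase1_check, int encrypted) {
    struct remote_conf rc = { weak_phase1_check };
    struct ph1handle iph1 = { &rc };
    return ignore_delete_unfixed(&iph1, encrypted);
}

int main(void) {
    printf("rmconf weak encrypted -> ignore delete?\n");
    for (int has = 0; has <= 1; has++)
        for (int weak = 0; weak <= has; weak++)   /* weak is meaningless without rmconf */
            for (int enc = 0; enc <= 1; enc++)
                printf("  %-6s %-4s %-9s -> %d\n", has ? "set" : "NULL", weak ? "on" : "off",
                       enc ? "yes" : "no", fixed_decision(has, weak, enc));
    return 0;
}
```

The table also shows the limitation the message points out: in the NULL-rmconf state the fixed check always drops an unencrypted delete, whatever weak_phase1_check will later be set to, because there is no configuration to consult yet.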
Stephen Clark | 12 Apr 20:04

seg fault using -l switch

In trying to use ipsec-tools-0.8.0 for opennhrp I found that
using the -l switch causes a seg fault. Is this known, and if so, is there
a patch?

[root <at> Z703072 ipsec-tools-0.8.0]# gdb /usr/sbin/racoon
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-50.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/racoon...Reading symbols from 
/usr/lib/debug/usr/sbin/racoon.debug...done.
done.
(gdb) b main
Breakpoint 1 at 0x6008: file main.c, line 270.
(gdb) r -l /var/log/racoon.log -f /etc/racoon/racoon.conf
Starting program: /usr/sbin/racoon -l /var/log/racoon.log -f 
/etc/racoon/racoon.conf
[Thread debugging using libthread_db enabled]

Breakpoint 1, main (ac=5, av=0xbffff764) at main.c:270
270     {
Missing separate debuginfos, use: debuginfo-install 
audit-libs-2.1.3-3.el6.i686 glibc-2.12-1.7.el6_0.3.i686 
keyutils-libs-1.4-1.el6.i686 krb5-libs-1.8.2-3.el6_0.6.i686 
libcom_err-1.41.12-3.el6.i686 libselinux-2.0.94-2.el6.i686 
nss-softokn-freebl-3.12.8-1.el6_0.i686 openssl-1.0.0-4.el6_0.2.i686 
pam-1.1.1-4.el6_0.1.i686 zlib-1.2.3-25.el6.i686
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
log_vaprint (p=0x0, fmt=0x1bc6e0 "2012-04-12 13:44:27: ERROR: racoon: 
MLS support is not enabled.\n",
     ap=0xbffff650 "\270\366\377\277") at logger.c:165
165             if (p->fname == NULL)
(gdb) quit
A debugging session is active.

         Inferior 1 [process 1321] will be killed.

Quit anyway? (y or n) y

-- 

"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety."  (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases."  (Thomas Jefferson)

Kees-Jan Hermans | 12 Apr 15:19

Address ranges instead of addresses (group keys)

Hi.

In the course of yesterday I went from simply studying 'man setkey' to
rummaging through kernel sources that deal with the implementation of
ipsec (unfortunately they weren't easy to find, given that the term
'ipsec' seemingly has been avoided at all cost for some reason).

Here's what I would like to do: set a security association for a
network, instead of between two hosts, with one line of configuration
(using a 'slash' bitmask identifier, for example) and one sadb entry.
From the way things are implemented now with getaddrinfo() and related
structures, it looks like my idea isn't possible at the moment.

Why do I want to do this? To implement groupkeys. More elaborately:
multicast, asynchronous key updates over potentially unstable and
low-bandwidth (mobile) networks, etc. Anyway, I have my reasons, and I
think I can say that they are valid.

From what I gather, it should be possible to do this, using:
- a change in the parsing logic of 'setkey' to include the 'slashy'
notation.
- a change from struct addrinfo to something that encapsulates networks
instead, with an address and a mask address.
- this change must then also be taken into the kernel, where the xfrm_*
code must be changed (I think most prominently, xfrm_addr_cmp, right ?)
to reflect the selection of this structure based on packet info.
- I am not sure (haven't looked any further) whether a state, linked to
a SA, is possible to have between multiple hosts (IVs? Replay
counters?).

So, what do you think? Is it possible/desirable? Is this the right place
to put it forward?

Sincerely,

KJ Hermans, Fox IT