Archive: openbsd@sikurezza.org
Subject: [openbsd] IPSec multicast
From: m.dizenzo@xxxxxxxxx
Date: Wed, 18 May 2005 14:37:52 +0200 (CEST)
Hi everyone,
I have known FreeBSD for two months and I am trying to use an isakmpd-like daemon for the secure transfer of multicast data (gdoid).
The configuration file of the peer that distributes the keys is the following:

[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= 10.0.0.2

# Incoming phase 1 negotiations are multiplexed on the source IP address

[Phase 1]
10.0.0.1= GDOI-group-member-1


# These connections are walked over after config file parsing and told
# to the application layer so that it will inform us when traffic wants to
# pass over them. This means we can do on-demand keying.

[Phase 2]
Passive-Connections= Group-1234

[GDOI-group-member-1]
Phase= 1
Transport= udp
Local-address= 10.0.0.2
Address= 10.0.0.1
Configuration= Default-main-mode
Authentication= mekmitasdigoat

[Group-1234]
Phase= 2
ISAKMP-peer= GDOI-group-member-1
Configuration= Default-group-mode
Group-ID= Group-1

[Group-1]
ID-type= KEY_ID
Key-value= 1234

# Main mode descriptions

[Default-main-mode]
DOI= GROUP
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

# Main mode transforms
######################

# DES

[DES-MD5]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS

[DES-MD5-NO-VOL-LIFE]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS

[DES-SHA]
ENCRYPTION_ALGORITHM= DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_768
Life= LIFE_600_SECS

# 3DES

[3DES-SHA]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS

# Lifetimes

[LIFE_600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 600,450:720

[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,1800:7200

[LIFE_1000_KB]
LIFE_TYPE= KILOBYTES
LIFE_DURATION= 1000,768:1536

[LIFE_32_MB]
LIFE_TYPE= KILOBYTES
LIFE_DURATION= 32768,16384:65536

[LIFE_4.5_GB]
LIFE_TYPE= KILOBYTES
LIFE_DURATION= 4608000,4096000:8192000

# Quick Mode description
########################

# 3DES

[QM-ESP-3DES-SHA-XF-BEW]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
Life= LIFE_600_SECS

# Group mode description
########################

[Default-group-mode]
DOI= GROUP
EXCHANGE_TYPE= PULL_MODE
SA-KEK= GROUP2-KEK
SA-TEKS= GROUP1-TEK1,GROUP1-TEK2

[GROUP2-KEK]
Src-ID= Group-kek-src
Dst-ID= Group-kek-dst
SPI= abcdefgh01234567
ENCRYPTION_ALGORITHM= 3DES
SIG_HASH_ALGORITHM= SHA
SIG_ALGORITHM= RSA
DES_IV= IVIVIVIV
DES_KEY1= ABCDEFGH
DES_KEY2= IJKLMNOP
DES_KEY3= QRSTUVWX
RSA-Keypair= /usr/local/gdoid/rsakeys.der
REKEY_PERIOD= 30

[Group-kek-src]
ID-type= IPV4_ADDR
Address= 10.0.0.2
Port= 2400

[Group-kek-dst]
ID-type= IPV4_ADDR
Address= 239.11.1.1
Port= 848

# Src-ID and Dst-ID are the addresses for the IP ESP packet.
[GROUP1-TEK1]
Crypto-protocol= PROTO_IPSEC_ESP
Src-ID= Group-tek1-src
Dst-ID= Group-tek1-dst
# SPI is 0x1122aabb
SPI= 287484603
TEK_Suite= QM-ESP-3DES-SHA-SUITE-BEW
DES_KEY1= ABCDEFGH
DES_KEY2= IJKLMNOP
DES_KEY3= QRSTUVWX
SHA_KEY= 12345678901234567890

[Group-tek1-src]
ID-type= IPV4_ADDR
Address= 172.19.193.42
Port= 1024

[Group-tek1-dst]
ID-type= IPV4_ADDR
Address= 239.192.1.1
Port= 1024

# Src-ID and Dst-ID are the addresses for the IP ESP packet.
[GROUP1-TEK2]
Src-ID= Group-tek2-src
Dst-ID= Group-tek2-dst
# SPI is 0x3344ccdd
SPI= 860146909
TEK_Suite= QM-ESP-3DES-SHA-SUITE-BEW
DES_KEY1= FEDCBA11
DES_KEY2= LKJIHG22
DES_KEY3= RQPONM33
SHA_KEY= 01234567890123456789

[Group-tek2-src]
ID-type= IPV4_ADDR
Address= 172.19.137.42
Port= 512

[Group-tek2-dst]
ID-type= IPV4_ADDR
Address= 239.192.1.2
Port= 512

[QM-ESP-3DES-SHA-SUITE-BEW]
Protocols= QM-ESP-3DES-SHA

[QM-ESP-3DES-SHA-BEW]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-SHA-XF-BEW

# Certificates stored in PEM format
[X509-certificates]
CA-directory= /etc/gdoid/ca/
Cert-directory= /etc/gdoid/certs/
#Accept-self-signed= defined
Private-key= /etc/gdoid/private/local.key



When I start the daemon I get this error:

121751.190274 Misc 60 conf_get_str: [General]:Listen-on->10.0.0.2
121751.190325 Misc 60 conf_get_str: [General]:Listen-on->10.0.0.2
121751.190390 Default sysdep_cleartext: setsockopt (4, IPPROTO_IP, IP_IPSEC_POLICY, ...) failed: Invalid argument
121751.190428 Trpt 70 transport_add: adding 0x8089480
121751.190445 Trpt 90 transport_reference: transport 0x8089480 now has 1 references
121751.192569 Misc 60 conf_get_str: [General]:Listen-on->10.0.0.2
121751.192606 Default sysdep_cleartext: setsockopt (5, IPPROTO_IP, IP_IPSEC_POLICY, ...) failed: Invalid argument

Do you have any idea what it is about?
Thanks
Monica
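An added example, not part of the post above and not a tool shipped with gdoid or isakmpd: a small Python checker for isakmpd-style configuration files. It parses the "[section]" / "key= value" layout, follows the section references (Phase 1 -> peer -> Configuration -> Transforms -> Life, Phase 2 -> group -> Configuration -> SA-KEK/SA-TEKS -> TEK_Suite -> Protocols -> Transforms) and reports targets that are never defined, checks that each "offer,min:max" LIFE_DURATION has the offer inside its range, and verifies that a "# SPI is 0x..." comment agrees with the decimal SPI= line under it. The set of keys treated as references (REF_KEYS) is my assumption based on the keys used in the post, and SAMPLE_CONF is a constructed, trimmed copy of the post's structure. Run over it, the checker flags "Protocols= QM-ESP-3DES-SHA" in [QM-ESP-3DES-SHA-SUITE-BEW], since the only protocol section defined is [QM-ESP-3DES-SHA-BEW]; that is worth correcting, but note that the log in the post fails while the daemon is still setting up its listening socket (only [General]:Listen-on has been read at that point), so the dangling reference is not what produces the setsockopt error.

```python
import re

# Keys whose values name other sections (comma-separated lists allowed).
# Assumption: taken from the keys that appear in the posted configuration.
REF_KEYS = {"Configuration", "Transforms", "Life", "ISAKMP-peer", "Group-ID",
            "Connections", "Passive-Connections", "SA-KEK", "SA-TEKS",
            "TEK_Suite", "Protocols", "Src-ID", "Dst-ID"}

# Constructed sample, trimmed from the structure of the post's configuration.
SAMPLE_CONF = """\
[Phase 1]
10.0.0.1= GDOI-group-member-1

[Phase 2]
Passive-Connections= Group-1234

[GDOI-group-member-1]
Configuration= Default-main-mode

[Group-1234]
ISAKMP-peer= GDOI-group-member-1
Configuration= Default-group-mode

[Default-main-mode]
Transforms= 3DES-SHA

[3DES-SHA]
Life= LIFE_600_SECS

[LIFE_600_SECS]
LIFE_DURATION= 600,450:720

[Default-group-mode]
SA-KEK= GROUP2-KEK
SA-TEKS= GROUP1-TEK1

[GROUP2-KEK]
REKEY_PERIOD= 30

[GROUP1-TEK1]
# SPI is 0x1122aabb
SPI= 287484603
TEK_Suite= QM-ESP-3DES-SHA-SUITE-BEW

[QM-ESP-3DES-SHA-SUITE-BEW]
Protocols= QM-ESP-3DES-SHA

[QM-ESP-3DES-SHA-BEW]
Transforms= QM-ESP-3DES-SHA-XF-BEW

[QM-ESP-3DES-SHA-XF-BEW]
Life= LIFE_600_SECS
"""


def parse_conf(text):
    """Parse '[section]' / 'key= value' lines into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def dangling_references(sections):
    """(section, key, target) triples whose target section is not defined."""
    missing = []
    for name, kv in sections.items():
        for key, value in kv.items():
            # In [Phase 1] the keys are peer addresses; every value names a section.
            if key in REF_KEYS or name == "Phase 1":
                for target in (t.strip() for t in value.split(",")):
                    if target and target not in sections:
                        missing.append((name, key, target))
    return missing


def bad_lifetimes(sections):
    """Sections whose LIFE_DURATION 'offer,min:max' is malformed or has offer outside [min, max]."""
    bad = []
    for name, kv in sections.items():
        if "LIFE_DURATION" not in kv:
            continue
        m = re.fullmatch(r"(\d+),(\d+):(\d+)", kv["LIFE_DURATION"])
        if not m or not (int(m[2]) <= int(m[1]) <= int(m[3])):
            bad.append(name)
    return bad


def spi_comment_mismatches(text):
    """(hex_from_comment, decimal_value) pairs where '# SPI is 0x..' and the next SPI= line disagree."""
    mismatches, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"#\s*SPI is 0x([0-9a-fA-F]+)", line)
        if m:
            pending = m[1]
        elif line.startswith("SPI=") and pending is not None:
            value = line.split("=", 1)[1].strip()
            if value.isdigit() and int(value) != int(pending, 16):
                mismatches.append((pending, value))
            pending = None
    return mismatches


def lint(text):
    """Run all checks and return their findings keyed by check name."""
    sections = parse_conf(text)
    return {"dangling": dangling_references(sections),
            "bad_lifetimes": bad_lifetimes(sections),
            "spi_mismatches": spi_comment_mismatches(text)}


if __name__ == "__main__":
    for kind, problems in lint(SAMPLE_CONF).items():
        print(kind, problems)
```

To check a real file, read it and pass the text to lint(); the parser deliberately treats only whole lines starting with "#" as comments, matching isakmpd.conf, so a "#" inside a value such as a pre-shared key is left alone.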

www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005