Dial-up VPN

Patrick Ethier patrick at SECUREOPS.COM
Tue Dec 28 10:43:04 EST 1999


Hi Mohammed,


 Here's what I did:

1 - Added a HOST to PGPNet
	With the wizard, select "Host", "Enforce Security", "Use shared key then
fall back to certificate", type mekmitasdigoat or whatever you are
using...

2 - Go into view/options.
	Remove the timestamps

3 - In the advanced section, Create the following proposals

	Shared key/SHA/3DES/1024 for IKE
	AH none ESP SHA,3DES None
	Set PFS to 1024
	
	Make sure this proposal appears at the top of the list.

4 - Click ok, click on the host, click on the connect button at the bottom.

5 - Check your log tab, it should say created for both IKE and IPSec.


By looking at the tcpdump -v -s1500 port 500 output, I saw that the
proposals being given to ISAKMP were wrong. PGPNet was giving CAST or
something like that. Since it didn't match up with any encryption scheme it
wouldn't work. So I resolved the problem by getting rid of all the other
proposals on the PGPNet side. Then I noticed that it was only sending 3
proposals, all identical, but it still wasn't getting through Phase 1. I
dumped the timestamps (because they weren't the same on both ends) and it
worked. My guess is Phase 1 connections need to have identical proposals in
order for it to work. Use tcpdump, it's a lot of help.

On the ISAKMP side, all I had to do was add the following:

[Phase 1]

default=	VariableDude

[Phase 2]
default=	MyHost-VariableDude

[VariableDude]
Phase= 1
Transport= udp
Local-address= MyHostIP
Address= 0.0.0.0
Configuration= Default-main-mode
Authentication= mekmitasdigoat
#Flags=

[MyHost-VariableDude]
Phase= 2
ISAKMP-peer= VariableDude
Configuration= Default-quick-mode
Local-ID= Net-MyNet
Remote-ID= Net-Variable


[Net-Variable]
ID-type=	IPV4_ADDR
Address=	0.0.0.0
netmask=	255.255.255.255


All the IP stuff gets filled in with the incoming Proposal from the remote
host.


Good luck,

Patrick Ethier
patrick at secureops.com
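The two things the post gets right by trial and error are that the isakmpd sections have to chain together (Phase 1 default, Phase 2 default, ISAKMP-peer, Local-ID, Remote-ID) with the peer's Address= 0.0.0.0 so any dial-up source is accepted, and that Phase 1 fails with NO_PROPOSAL_CHOSEN whenever none of the initiator's offered transforms is in the responder's accepted set, no matter how correct the shared key is. The script below is an added illustration, not code from the post or from isakmpd: it parses a constructed isakmpd.conf fragment modelled on the one above (MyHostIP and MyNet are placeholders, the [Net-MyNet] section is assumed because the post does not show it), checks the section chain, and models the responder's proposal choice against an assumed accepted set that mirrors the 3DES/SHA/1024 proposal the author ended up with, not isakmpd's real Default-main-mode list.

```python
import configparser
from dataclasses import dataclass

# Constructed isakmpd.conf fragment modelled on the post. MyHostIP and MyNet
# are placeholders; [Net-MyNet] is assumed since the post does not show it.
ISAKMPD_CONF = """
[Phase 1]
default=        VariableDude
[Phase 2]
default=        MyHost-VariableDude
[VariableDude]
Phase=          1
Transport=      udp
Local-address=  MyHostIP
Address=        0.0.0.0
Configuration=  Default-main-mode
Authentication= mekmitasdigoat
[MyHost-VariableDude]
Phase=          2
ISAKMP-peer=    VariableDude
Configuration=  Default-quick-mode
Local-ID=       Net-MyNet
Remote-ID=      Net-Variable
[Net-MyNet]
ID-type=        IPV4_ADDR_SUBNET
Network=        MyNet
Netmask=        255.255.255.0
[Net-Variable]
ID-type=        IPV4_ADDR
Address=        0.0.0.0
netmask=        255.255.255.255
"""


def load_conf(text):
    """Parse isakmpd.conf-style text (configparser case-folds option names)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def phase1_peer_name(cfg):
    """Name of the peer section that [Phase 1] Default= points at, or None."""
    return cfg.get("Phase 1", "default", fallback=None)


def is_roaming_peer(cfg):
    """True when the Phase 1 peer accepts any remote address (Address= 0.0.0.0),
    which is what lets a dial-up client with an unknown IP initiate."""
    name = phase1_peer_name(cfg)
    if name is None or not cfg.has_section(name):
        return False
    peer = cfg[name]
    return peer.get("phase") == "1" and peer.get("address") == "0.0.0.0"


def validate_links(cfg):
    """Follow the section references the way isakmpd resolves them and
    return a list of problems (empty when the fragment is consistent)."""
    problems = []
    peer = phase1_peer_name(cfg)
    if peer is None or not cfg.has_section(peer):
        return [f"Phase 1 default peer '{peer}' has no section"]
    conn = cfg.get("Phase 2", "default", fallback=None)
    if conn is None or not cfg.has_section(conn):
        return [f"Phase 2 default connection '{conn}' has no section"]
    if cfg.get(conn, "isakmp-peer", fallback=None) != peer:
        problems.append(f"{conn}: ISAKMP-peer does not name {peer}")
    for key in ("local-id", "remote-id"):
        ident = cfg.get(conn, key, fallback=None)
        if ident is None or not cfg.has_section(ident):
            problems.append(f"{conn}: {key} section '{ident}' missing")
    return problems


@dataclass(frozen=True)
class Phase1Proposal:
    auth: str    # authentication method, e.g. "PSK"
    hash: str    # hash algorithm, e.g. "SHA" or "MD5"
    enc: str     # encryption algorithm, e.g. "3DES" or "CAST"
    group: int   # Diffie-Hellman MODP group size in bits


NO_PROPOSAL_CHOSEN = "NO_PROPOSAL_CHOSEN"

# Assumed responder policy mirroring the post's final proposal; not a copy
# of isakmpd's real Default-main-mode transform list.
ACCEPTED = (Phase1Proposal("PSK", "SHA", "3DES", 1024),
            Phase1Proposal("PSK", "MD5", "3DES", 1024))
CAST_SHA = Phase1Proposal("PSK", "SHA", "CAST", 1024)
TRIPLE_DES_SHA = Phase1Proposal("PSK", "SHA", "3DES", 1024)


def select_phase1(offered, accepted=ACCEPTED):
    """Responder side of Phase 1 SA negotiation: the first offered proposal
    that is also in the accepted set wins. If none is, the initiator gets a
    NO_PROPOSAL_CHOSEN notification and Phase 1 never completes, whether or
    not the pre-shared key is right."""
    for proposal in offered:
        if proposal in accepted:
            return proposal
    return NO_PROPOSAL_CHOSEN


if __name__ == "__main__":
    cfg = load_conf(ISAKMPD_CONF)
    print("peer:", phase1_peer_name(cfg), "roaming:", is_roaming_peer(cfg),
          "problems:", validate_links(cfg))
    print("CAST only ->", select_phase1([CAST_SHA]))
    print("CAST+3DES ->", select_phase1([CAST_SHA, TRIPLE_DES_SHA]))
```

Run it against a real isakmpd.conf by reading the file into `load_conf`; the link check catches the common copy-and-paste mistake of a section header that does not match the name the Phase 1 or Phase 2 default points at, which leaves isakmpd with an empty peer definition and the same Phase 1 failure the post describes.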

-----Original Message-----
From: Mohammad Rizal Othman [mailto:rizal at mimos.my]
Sent: Monday, December 27, 1999 7:36 PM
To: Patrick Ethier
Cc: 'misc at openbsd.org'; 'vpn at securityfocus.com'
Subject: Re: Dial-up VPN


Patrick Ethier wrote:
>
> Hi Mohammed,
>
>  Are you sure that it doesn't support pre-shared secret??? Did you also try
> not specifying anything to see if that would work? Last thing to try is to
> generate the certificate with PGPNet and then send it to OpenBSD....(If this
> is supported by PGPNet.)
>

That's what I'm trying to do since I couldn't use their certificate
generator (Net Tools PKI Server) due to ITAR.  You however might be able
to use it.

> The only other thing I can see here is that it is PGPNet that is not working
> here, the NO_PROPOSAL_CHOSEN is equivalent to BAD USERNAME OR PASSWORD.
>
> So, the x.509 and/or encryption schemes are definitely the problem at this
> point, (You are not getting past Phase 1).
>
> IKE stands for Internet Key Exchange, ISAKMP is a variant of this. They are
> both used in Phase 1 and Phase 2. Phase 1 sets up IPSec tunnel between 2
> gateways, Phase 2 opens that tunnel to the networks behind the gateways, IKE
> manages the encryption keys for both processes.
>
> I'll have to download PGPNet and try it here. Can you give me the URL?
>

Sure.  http://www.nai.com/asp_set/products/tns/pgp_vpn.asp.  I on the
other hand will try Ashley Laurent's.

> Happy Holidays,
>
> Patrick Ethier
> patrick at secureops.com
>

--
,-----------------------------------------------------------------------.
> Mohammad Rizal Othman    |     If it doesn't work, force it.          <
>    rizal at mimos.my        |  If it breaks, it needed replacing anyway. <
`-----------------------------------------------------------------------'

VPN is sponsored by SecurityFocus.COM