PGPnet
Patrick Ethier
patrick at SECUREOPS.COM
Mon Jan 3 12:16:54 EST 2000
Probably,
But Jonas says he set everything right in PGPNet. If PFS isn't on, he'll
get INVALID_PAYLOAD_TYPE because the IPSec proposals do not match.
Make sure you have 3DES-SHA for transforms on both IKE and IPSEC in PGPNet
and that PFS is set to 1024. (Make sure also that AH is disabled and the ESP
is enabled).
-----Original Message-----
From: Luke Renn [mailto:lrenn at etci.com]
Sent: Monday, January 03, 2000 12:04 PM
To: Patrick Ethier; 'Jonas Eriksson'
Cc: misc at openbsd.org; vpn at securityfocus.com
Subject: Re: PGPnet
not sure, but i think the DEFAULT_PAYLOAD_TYPE from the original post is due
to not having perfect forward security set to 1024 in PGPnet options.
Just a thought,
Luke
(Could be wrong)
----- Original Message -----
From: Patrick Ethier <patrick at secureops.com>
To: 'Jonas Eriksson' <je at sekure.net>
Cc: <misc at openbsd.org>; <vpn at securityfocus.com>
Sent: Monday, January 03, 2000 12:01 PM
Subject: RE: PGPnet
> Ok,
>
>
> Now add the following to your /etc/isakmpd/isakmpd.conf
>
> [Phase 1]
> Default= PGPNet_Config
>
> [Phase 2]
> Default= PGPNet-OBSD
>
> [PGPNet_Config]
> Phase= 1
> Transport= udp
> Local-address= Your_OBSD_IP_Address
> Address= 0.0.0.0
> Configuration= Default-main-mode
> Authentication= mekmitasdigoat
> #Flags=
>
> [PGPNet-OBSD]
> Phase= 2
> ISAKMP-peer= PGPNet_Config
> Configuration= Default-quick-mode
> Local-ID= Net-YourNet
> Remote-ID= Net-PGPClient
>
> [Net-YourNet]
> ID-type= IPV4_ADDR_SUBNET
> Network= Your_Network_Broadcast_Address
> Netmask= Your_Network_Netmask
>
> [Net-PGPClient]
> ID-type= IPV4_ADDR
> Address= 0.0.0.0
> Netmask= 255.255.255.255
>
>
> This should make the whole thing work. Just fill in the entries with your
> personal IP's and stuff...
>
> Regards,
>
> ____________________
> Patrick Ethier
> patrick at secureops.com
>
> [ It doesn't matter if you don't know where you're going....]
> [ As long as you get there --- DrBones ]
>
>
>
> -----Original Message-----
> From: Jonas Eriksson [mailto:je at sekure.net]
> Sent: Monday, January 03, 2000 11:17 AM
> To: Patrick Ethier
> Subject: RE: PGPnet
>
>
>
> Ok, i've read your mail that you posted earlier on the openbsd
> misc list (how you set up your PGPnet)
>
> So, i have changed all that in PGPnet.
>
> Thanks,
>
> -- Jonas Eriksson
> je at sekure.net
>
> On Mon, 3 Jan 2000, Patrick Ethier wrote:
>
> > Just a wild guess here, but if you got an invalid payload it is because
> > your encryption transforms for phase 2 (aka quick mode) are invalid. The
> > default for PGPNet is CAST-MD5, the default for openbsd is 3DES-SHA.
> >
> > Try changing the IPSEC section of PGPNet to match the quick mode
> > transform of OpenBSD.
> >
> >
> > If you look on my VPN website, (www.secureops.com/resources) you'll get
> > all the explanation you need to get it working. Simply replace all remote
> > IP's with 0.0.0.0 and in the [NET-] section use a ID-type= IPV4_ADDR with
> > Address= 0.0.0.0 and Netmask=255.255.255.255
> >
> > That should work.
> >
> > I'll post my isakmpd.conf and isakmpd.policy file for you soon (I just
> > need to blank out the IP's.)
> >
> > Regards,
> >
> > ____________________
> > Patrick Ethier
> > patrick at secureops.com
> >
> > [ It doesn't matter if you don't know where you're going....]
> > [ As long as you get there --- DrBones ]
> >
> >
> >
> > -----Original Message-----
> > From: Jonas Eriksson [mailto:je at sekure.net]
> > Sent: Saturday, January 01, 2000 11:24 PM
> > To: Patrick Ethier
> > Subject: PGPnet
> >
> >
> >
> > Hi,
> >
> > I noticed on the openbsd mailing list that you got PGPnet to work
> > with isakmpd.
> >
> > Can you send me your isakmpd.conf and isakmpd.policy?
> >
> > I've got this error while trying to connect:
> >
> > 052005.362795 Default message_parse_payloads: invalid next payload type
> > 116 in payload of type 5
> > 052005.362911 Default dropped message from 193.15.98.52 port 500 due to
> > notification type INVALID_PAYLOAD_TYPE
> >
> >
> >
> > --
> > Regards jonas
> >
>
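Added example, not part of the thread and not isakmpd's own code: a small Python checker for the cross-references in the isakmpd.conf template Patrick posted above. isakmpd.conf is INI-style, and most mistakes in a road-warrior setup like this one are dangling references: [Phase 1]/[Phase 2] Default= must name a section with the matching Phase=, the phase-2 section's ISAKMP-peer must point back at a phase-1 section, and Local-ID/Remote-ID must name identity sections. The checker follows those links and validates the two identity kinds used in the template; for IPV4_ADDR_SUBNET it requires Network= to be the subnet's network address (host bits zero), since that address plus the mask is what the identity carries, so putting the broadcast address there is flagged. The sample configuration is constructed from the template with RFC 5737 documentation addresses; the "Net-Roadwarrior" name in the deliberately broken variant is made up for the demonstration.

```python
"""Cross-reference checker for an isakmpd.conf (OpenBSD isakmpd).

Constructed example for the PGPnet/isakmpd thread: the rules below are this
example's assumptions about what the template must satisfy, not isakmpd's own
parser.  Sample configs use RFC 5737 documentation addresses.
"""
import configparser
import ipaddress

# Constructed sample: the thread's template with its placeholders filled in.
GOOD_CONF = """\
[Phase 1]
Default= PGPNet_Config

[Phase 2]
Default= PGPNet-OBSD

[PGPNet_Config]
Phase= 1
Transport= udp
Local-address= 192.0.2.1
Address= 0.0.0.0
Configuration= Default-main-mode
Authentication= mekmitasdigoat

[PGPNet-OBSD]
Phase= 2
ISAKMP-peer= PGPNet_Config
Configuration= Default-quick-mode
Local-ID= Net-YourNet
Remote-ID= Net-PGPClient

[Net-YourNet]
ID-type= IPV4_ADDR_SUBNET
Network= 192.0.2.0
Netmask= 255.255.255.0

[Net-PGPClient]
ID-type= IPV4_ADDR
Address= 0.0.0.0
Netmask= 255.255.255.255
"""

# Same config with two common slips: Remote-ID naming a section that was
# never written ("Net-Roadwarrior" is made up), and the broadcast address
# where the network address belongs.
BAD_CONF = (GOOD_CONF
            .replace("Remote-ID= Net-PGPClient", "Remote-ID= Net-Roadwarrior")
            .replace("Network= 192.0.2.0", "Network= 192.0.2.255"))


def parse(text):
    """isakmpd.conf is INI-like: [Section] headers, Key= Value, # comments."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str          # isakmpd keys are case-sensitive
    cp.read_string(text)
    return cp


def check_id(cp, sec, problems):
    """Validate one identity section (the two ID-types the template uses)."""
    kind = cp.get(sec, "ID-type", fallback=None)
    if kind == "IPV4_ADDR_SUBNET":
        net = cp.get(sec, "Network", fallback="")
        mask = cp.get(sec, "Netmask", fallback="")
        try:
            # strict=True rejects a Network= whose host bits are set
            ipaddress.IPv4Network(f"{net}/{mask}", strict=True)
        except ValueError as e:
            problems.append(f"[{sec}] Network/Netmask: {e}")
    elif kind == "IPV4_ADDR":
        try:
            ipaddress.IPv4Address(cp.get(sec, "Address", fallback=""))
        except ValueError as e:
            problems.append(f"[{sec}] Address: {e}")
    else:
        problems.append(f"[{sec}] unsupported ID-type {kind!r}")


def check(text):
    """Return a list of problems found; an empty list means all links resolve."""
    cp = parse(text)
    problems = []

    def ref(section, key, want_phase=None):
        # Follow Key= Target from [section]; optionally require Target's Phase=.
        target = cp.get(section, key, fallback=None)
        if target is None:
            problems.append(f"[{section}] lacks {key}=")
            return None
        if target not in cp:
            problems.append(f"[{section}] {key}= {target}: no such section")
            return None
        if want_phase and cp.get(target, "Phase", fallback=None) != want_phase:
            problems.append(f"[{target}] must have Phase= {want_phase}")
        return target

    ref("Phase 1", "Default", "1")
    p2 = ref("Phase 2", "Default", "2")
    if p2:
        # Quick mode rides on a phase-1 SA and names two identities.
        ref(p2, "ISAKMP-peer", "1")
        for key in ("Local-ID", "Remote-ID"):
            idsec = ref(p2, key)
            if idsec:
                check_id(cp, idsec, problems)
    return problems


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check(conf) or "ok")
```

Run it against a real file with `check(open("/etc/isakmpd/isakmpd.conf").read())`; the Remote-ID check is the one worth keeping when copying the template, since a typo in a section name is silently accepted by the INI syntax but leaves quick mode with no identity to negotiate.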