<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Ok.... I've applied your suggested changes except for the rightsubnets
- pluto keeps complaining that "vhost:%no,%private" is not a valid
subnet declaration.<br>
<br>
I'll have a look to see if XAUTHPAM is enabled in my build - else I'll
just rebuild it.<br>
<br>
Sadly, I've been unable to disable IPv6 on this box - could that be the
source of the grief? Also - our certificate has an intermediate CA
that needs to be shared (it had to be imported into the CISCO VPN
client) - would I need to provide reference to it for pluto?<br>
<br>
In racoon I had to run a process to produce a short, 4 byte value which
would then (in hex form) be used as the CA's file name(s ... there are
two in the chain), and store them in a specific place. How would that
work for pluto?<br>
<br>
Cheers.<br>
<br>
Paul Wouters wrote:
<blockquote
cite="mid:alpine.LFD.1.10.0908091702300.18844@newtla.xelerance.com"
type="cite">On Sun, 9 Aug 2009, Diego Rivera wrote:
<br>
<br>
<blockquote type="cite">Yes - I knew what XAUTH was I just wasn't
sure if PAM would automatically
<br>
be used as the authentication means or how to specify that it would be
<br>
used. The reason I ask is because I also see that it's possible to
<br>
create an htpasswd-type file with usernames and passwords in it - but
no
<br>
documentation on how to specify which of the two methods to use (or if
<br>
they can be combined in the same deployment, for instance, for two
<br>
different endpoints).
<br>
</blockquote>
<br>
You cannot combine the two. Either PAM is used or the htpasswd file is
<br>
used. It only depends on the setting of USE_XAUTHPAM.
<br>
<br>
<blockquote type="cite">Interesting that you should mention the X.509
certificates - we used
<br>
exactly that with Racoon, and no group secret (or rather, the group
<br>
secret was ignored). I've drafted a tunnel configuration for this but
I
<br>
can't seem to get it to come up - keeps complaining about "address
family
<br>
inconsistency in this client connection". I'm sure it's just me being
<br>
too dumb again:
<br>
<br>
----- BEGIN XAUTH CONF -----
<br>
conn rbx-ras
<br>
authby=secret
<br>
leftid=%fromcert
<br>
</blockquote>
<br>
That should be authby=rsasig
<br>
<br>
<blockquote type="cite"> leftcert=/etc/openswan/ras.crt
<br>
left=<my-public-ip>
<br>
leftnexthop=%defaultroute
<br>
leftsourceip=<my-private-ip>
<br>
</blockquote>
<br>
leftsourceip= should not be used for roadwarriors, only for
subnet-subnet
<br>
tunnels.
<br>
<br>
<blockquote type="cite">
leftsubnets={<all-the-private-subnets>}
<br>
leftxauthserver=yes
<br>
leftmodecfgserver=yes
<br>
right=%any
<br>
rightnexthop=%defaultroute
<br>
rightid=@RAS
<br>
</blockquote>
<br>
rightid should be left out so multiple IDs can connect. It will
<br>
depend on the CAs loaded whether or not the client will be allowed.
<br>
<br>
<blockquote type="cite"> rightxauthclient=yes
<br>
rightmodecfgclient=yes
<br>
</blockquote>
<br>
rightsubnets=vhost:%no,%priv is missing here for NAT'ed clients.
<br>
<br>
<blockquote type="cite"> dpdaction=restart_by_peer
<br>
</blockquote>
<br>
The server should not attempt to restart/rekey for dynamic IP
<br>
roadwarriors.
<br>
<br>
<blockquote type="cite"> dpddelay=30
<br>
dpdtimeout=60
<br>
pfs=yes
<br>
ike=3des-md5-modp1024
<br>
esp=3des-md5-modp1024
<br>
aggrmode=yes
<br>
salifetime=15m
<br>
ikelifetime=1h
<br>
rekeymargin=2m
<br>
rekey=no
<br>
auto=add
<br>
------ END XAUTH CONF ------
<br>
</blockquote>
<br>
<blockquote type="cite">I already have just such rules in place - I'm
just somewhat
<br>
anal-retentive that way :) I like to be able to fully control
<br>
everything I deploy so I don't inadvertently leave something hanging
<br>
where it shouldn't. It's a shame that hasn't been done in such a
mature
<br>
daemon... maybe a configuration such as
<br>
"listenaddress={aaa.bbb.ccc.ddd:500 eee.fff.ggg.hhh:500}" ... ?
<br>
</blockquote>
<br>
It's more complicated. What do you do when new IP addresses appear
<br>
or disappear (and you'd have to distinguish those that by themselves
<br>
come in via a tunnel)? If someone writes a patch, we'll accept it after
<br>
testing, but most people use dedicated machines for IPsec servers, so
<br>
they don't have an issue with listening to ANY.
<br>
<br>
Paul
<br>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<style type="text/css">
                        p { margin: 0; }
                </style>
<div style="font-family: Arial; font-size: 10pt; color: rgb(0, 0, 0);">
<font size="1"> Diego Rivera<br>
Director / System Operations<br>
Roundbox Global : <span
style="font-style: italic; color: rgb(102, 102, 102);">enterprise :
technology : genius</span><br>
------------------------------------------------------------------------------------------------------------------<br>
Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica<br>
tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506)
2258-3695<br>
email: <a href="mailto:diego.rivera@rbxglobal.com">diego.rivera@rbxglobal.com</a>
| <a href="http://www.rbxglobal.com">www.rbxglobal.com</a><br>
------------------------------------------------------------------------------------------------------------------<br>
</font> </div>
</div>
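<p>The following is an added example, not part of either message in this thread: the
<code>rbx-ras</code> conn from the quoted draft with each of Paul's corrections applied
(<code>authby=rsasig</code>, no <code>leftsourceip=</code>, no <code>rightid=</code>,
a <code>vhost:</code> right side for NAT'ed clients, and no server-side restart on DPD).
Values in angle brackets are the original placeholders and must be filled in. Two points are
the editor's own assumptions rather than the thread's text: the <code>vhost:%priv,%no</code>
value is given under the singular <code>rightsubnet=</code> key, which is the key the
Openswan <code>ipsec.conf(5)</code> page documents for <code>vhost:</code>/<code>vnet:</code>
syntax (the plural <code>rightsubnets=</code> is the likely cause of the "not a valid subnet
declaration" error reported above, but verify against your build), and
<code>dpdaction=clear</code> is the documented Openswan value for "do not try to re-establish".
Diego's intermediate-CA question is addressed in a comment: Openswan loads every CA certificate
found in <code>/etc/ipsec.d/cacerts/</code> regardless of file name, so the racoon-style hashed
file names are not needed (again the editor's understanding of Openswan, not a statement from the thread).</p>

```ini
# Added example (not from the thread): "rbx-ras" with Paul's corrections applied.
# Angle-bracket values are placeholders from the original draft; fill them in.
#
# CA handling (editor's note, not from the thread): place the root CA and the
# intermediate CA as separate PEM files in /etc/ipsec.d/cacerts/. pluto loads
# every file in that directory; the file names do not matter, unlike racoon's
# hash-named files. A client is accepted if its certificate chains to one of them.
conn rbx-ras
        # X.509 / RSA signature authentication instead of the PSK in the draft
        authby=rsasig
        leftid=%fromcert
        leftcert=/etc/openswan/ras.crt
        left=<my-public-ip>
        leftnexthop=%defaultroute
        # leftsourceip= removed: it is only for subnet-to-subnet tunnels
        leftsubnets={<all-the-private-subnets>}
        leftxauthserver=yes
        leftmodecfgserver=yes
        right=%any
        rightnexthop=%defaultroute
        # rightid= removed so clients with different IDs can all connect;
        # which ones are allowed is decided by the loaded CAs
        # NAT'ed roadwarriors: accept any RFC1918 virtual address, or none at all
        # (singular rightsubnet= key is an assumption; Paul wrote rightsubnets=)
        rightsubnet=vhost:%priv,%no
        rightxauthclient=yes
        rightmodecfgclient=yes
        # Server side must not restart tunnels to dynamic-IP roadwarriors;
        # "clear" tears the tunnel down on DPD timeout and waits for the client
        dpdaction=clear
        dpddelay=30
        dpdtimeout=60
        pfs=yes
        # Algorithm and lifetime lines kept exactly as in the draft; they were
        # not part of what the thread was debugging
        ike=3des-md5-modp1024
        esp=3des-md5-modp1024
        aggrmode=yes
        salifetime=15m
        ikelifetime=1h
        rekeymargin=2m
        rekey=no
        auto=add
```

<p>After editing, <code>ipsec auto --replace rbx-ras</code> reloads just this conn; if pluto still rejects the
<code>rightsubnet=</code> line, that is the first thing to compare against the <code>ipsec.conf(5)</code>
page shipped with your build, since the accepted spelling of the virtual-host syntax is version dependent.</p>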
</body>
</html>