[Openswan Users] freeswan client and Netscreen

danilov danilov at comstar.ru
Fri Jan 21 16:20:15 CET 2005


Good day.
Help me please.

I am trying to connect my linux box as a client for Netscreen (security gateway) and have a problem.

I think that I am doing something wrong.
The steps for installing freeswan:

1) [root at danilov root]# uname -r
2.4.20-8

2) Get freeswan:
wget ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs/`uname -r | tr -d 'a-wy-z'`/\*
freeswan-userland-2.06_2.4.20_8-0.i386.rpm
freeswan-module-2.06_2.4.20_8-0.i386.rpm

3) I can't get the freeswan-rpmsign.asc contents from the ftp site;
the browser says that .../2-4.20-8/freeswan-rpmsign.asc : No such file or directory

4) I got freeswan-allkeys.sig:

[root at danilov root]# cat ./freeswan-allkeys.sig

and freeswan-sigkey.asc:

[root at danilov root]#./freeswan-sigkey.asc
Type Bits/KeyID    Date       User ID
pub  2047/46EAFCE1 2002/03/29 Linux FreeS/WAN Software Team <build at freeswan.org>


5) Install from RPMS:
 rpm -ivh freeswan*.rpm
предупреждение: freeswan-module-2.06_2.4.20_8-0.i386.rpm: подпись RSA/MD5 V3:
NOKEY, key ID 5a7e4731
Подготовка...     ########################################### [100%]
        пакет freeswan-module-2.06_2.4.20_8-0 уже установлен
        пакет freeswan-userland-2.06_2.4.20_8-0
6) Start service ipsec:

/sbin/service ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 2.06...
ipsec_setup: Using /lib/modules/2.4.20-8/kernel/net/ipsec/ipsec.o

 /sbin/lsmod
Module                  Size  Used by    Not tainted
ipsec                 269152   3

7) Verify:
/usr/local/sbin/ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                         [OK]
Linux FreeS/WAN 2.06
Checking for IPsec kernel support: found KLIPS                          [OK]
Checking that pluto is running                                          [OK]

Opportunistic Encryption DNS checks:
Looking for TXT in forward map: danilov
[MISSING]
Does the machine have at least one non-private address?                 [OK]
Looking for TXT in reverse map: 99.131.210.195.in-addr.arpa.
[MISSING]

I think that everything is ok, because I cannot use OE.

8) I uncommented comments in the default file /etc/ipsec.conf

This is the main part of the config:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for
        # klipsdebug=all
        # plutodebug=dns


# Add connections here.

# sample VPN connection
conn sample
                left=10.0.0.1
                leftsubnet=172.16.0.0/24
                leftnexthop=10.22.33.4     
                right=10.12.12.1
                rightsubnet=192.168.0.0/24
                rightnexthop=10.101.102.103

When I want to restart ipsec I receive a message:
/sbin/service ipsec stop
ipsec_setup: (/etc/ipsec.conf, line 34) parameter is not within a section --
`stop' aborted

Interface ipsec0 is up, but I can't change the ipsec params in /etc/ipsec.conf

ipsec0    Link encap:Ethernet  HWaddr 00:11:11:14:49:22
          inet addr:195.210.131.99  Mask:255.255.255.192
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:272 errors:0 dropped:1 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:23608 (23.0 Kb)


I think that the syntax of my config file is wrong.
Please tell me what I am doing wrong?
Maybe the version field or something else?

9) If you have successfully connected a freeswan/openswan client
with a Netscreen 5GT, can you send me the right config file for freeswan?

10) The Windows client works properly with the Netscreen.
I use aggressive mode and PSK and seed.

I know that freeswan does not support
aggressive mode, and I can reconfigure the Netscreen for main mode.

11) If it is interesting for you, I can
give the public address of the Netscreen device and its config.

Thank you.

-- 
With best regards,
Danilov Dmitry, Moscow, 
Comstar telecommunications,
engineer of dept. mpls networks
tel 9561885 danilov at comstar.ru
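As an added example (not part of the post above and not FreeS/WAN's own parser), a small Python checker for the ipsec.conf section rule behind the "parameter is not within a section" message: section headers start in column 0, parameter lines are indented and must follow a header. Both sample configs are constructed; the second shows one way that message is produced, a parameter left uncommented while its section header stayed commented out.

```python
import re

# Added example: a simplified structural check modelled on the ipsec.conf(5)
# rules, not FreeS/WAN's parser. Section headers ("config setup", "conn <name>")
# start in column 0, parameter lines are indented, and an indented line that
# precedes any header is what ipsec_setup calls "parameter is not within a section".
SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")
TOPLEVEL_RE = re.compile(r"^(version|include)\s+\S+")
COMMENT_RE = re.compile(r"(^|\s)#.*$")    # '#' at line start or after whitespace

def check_ipsec_conf(text):
    """Return [(line_number, message), ...] for structural problems found."""
    problems, section = [], None          # section = name of the open section
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = COMMENT_RE.sub("", raw).rstrip()
        if not line.strip():
            continue                      # blank or comment-only line
        if line[0] not in " \t":          # column 0: section header or keyword
            m = SECTION_RE.match(line)
            if m:
                section = m.group(2)
            elif TOPLEVEL_RE.match(line):
                section = None            # version/include sit outside sections
            else:
                problems.append((lineno, "unrecognised top-level line: " + line))
            continue
        if section is None:               # indented line but no section is open
            problems.append((lineno, "parameter is not within a section"))
        elif "=" not in line:
            problems.append((lineno, "parameter without '=' in section " + section))
    return problems

# Constructed sample 1: the layout of the config quoted in the post (valid).
SAMPLE_OK = """\
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        # klipsdebug=all
conn sample
        left=10.0.0.1
        right=10.12.12.1
"""
# Constructed sample 2: a parameter uncommented while its section header
# stayed commented out, so it no longer belongs to any section.
SAMPLE_BAD = """\
version 2.0
#config setup
        interfaces=%defaultroute
conn sample
        left=10.0.0.1
"""
```

Running `check_ipsec_conf` on a real /etc/ipsec.conf reports the offending line number the same way the ipsec_setup message does, which narrows down which uncommented line sits outside its section.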

