RE: ipsec config problem :URGENT HELP NEEDED

From: Wenchel, Kevin B. (Kevin.Wenchel@jhuapl.edu)
Date: 08/20/01


Message-ID: <B07BB447BEDED411A49D0008C7E691E28A1952@aples3.jhuapl.edu>
From: "Wenchel, Kevin B." <Kevin.Wenchel@jhuapl.edu>
To: 'Sayali Karanjkar' <Sayali.Karanjkar@Sun.COM>, "'focus-sun@securityfocus.com'" <focus-sun@securityfocus.com>
Subject: RE: ipsec config problem :URGENT HELP NEEDED
Date: Mon, 20 Aug 2001 15:27:39 -0400


-----Original Message-----
From: Sayali Karanjkar [mailto:Sayali.Karanjkar@Sun.COM]
Sent: Sunday, August 19, 2001 10:55 PM
To: focus-sun@securityfocus.com
Subject: ipsec config problem :URGENT HELP NEEDED

>Hi all,
>
>I need some help for this ipsec tunnel configuration that I am trying to
>implement. This is really urgent and I hope you all will help me out with
>this.
>
>I have configured ipsec by using the command 'ipsec' at the command prompt
>and then the configuration being done at the ipsec command prompt: ipsec>
>So how do I know where the ipseckey file is and how do I check it?
>

There is no file created. The easier way to handle this is to place all the
ipsec configuration commands into the file /etc/inet/ipseckey. Make sure to
place a flush command at the top of the file. Then load the database with
"ipseckey -f /etc/inet/ipseckey".
Also, the script /etc/rc2.d/S69inet is written to look for
/etc/inet/ipseckey and will run 'ipseckey -f' to load the SA database for you
at boot time.

>Also the configuration needs a tunnel src address and tunnel dest address.
>Which addresses are these? I have two systems which are sparc machines
>running the solaris 8 core administration package and they are connected via
>a private network. One machine is 10.1.1.1 and the other is 10.1.1.2. So
>these are the two system addresses, right, and then which are the tunnel
>addresses?
>
>i have given the command
>
>on system 1
>
>ipsec> add esp spi 0x2112 src 10.1.1.1 dst 10.1.1.2\
>authalg md5 authkey 123456aa123456bb123456cc123456dd \
>encralg 3des encrkey 789000ee789000ff
>
>on system 2
>
>ipsec> add esp spi 0x2113 src 10.1.1.2 dst 10.1.1.1\
>authalg md5 authkey 654321aa654321bb654321cc654321dd \
>encralg 3des encrkey 000789ee000789ff
>
>and after this the command on system 1 gave no error but the one on system
>gives error saying that one of the values entered is incorrect. Return
>message in doaddup: invalid argument.
>What causes this problem?
>

You usually encounter this error message because a key value has an
incorrect length. When I use 3des on my system, I cannot enter a key less
than 192 bits (48 hex digits) or I get the doaddup error.

You should also check to make sure you have the Sun supplemental Encryption
packages installed. Absence of these packages will also cause this error.

# pkginfo | grep "SUNWcry"

If you don't see any results, go to
http://www.sun.com/software/solaris/encryption/download.html
and download the packages.

>After that I tried to configure the secure tunnel by giving the following
>commands.
>
>on system 1
>
>#ifconfig ip.tun0 plumb
>#ifconfig ip.tun0 10.1.1.11 10.1.1.22 \
>tsrc 10.1.1.1 tdst 10.1.1.2 encr_algs 3des encr_auth_algs md5
># ifconfig ip.tun0 up
>
>on system 2
>
>#ifconfig ip.tun0 plumb
>#ifconfig ip.tun0 10.1.1.22 10.1.1.11 \
>tsrc 10.1.1.2 tdst 10.1.1.1 encr_algs 3des encr_auth_algs md5
># ifconfig ip.tun0 up
>
>This also gives an error on system 2 and no error on system 1.
>What might be the problem?
>

I assume these two machines are both set up to act as routers?
I haven't created a tunnel with Solaris 8 IPSEC before. If you haven't
already, take a look at the following Answer Book IPSEC documentation:

http://docs.sun.com:80/ab2/coll.47.11/SYSADV3/@Ab2PageView/22882?Ab2Lang=C&Ab2Enc=iso8859-1

There is a section on building VPNs.
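The reply's two checks for an /etc/inet/ipseckey file (a flush command first, and keys of the right length for the algorithm) can be applied before "ipseckey -f" loads the file. The script below is an added example, not code from the thread or from Sun; it assumes 3des needs 192 bits (48 hex digits, as the reply states) and md5 needs 128 bits (32 hex digits), and the sample files it builds are constructed from the poster's values, with a placeholder 48-digit key for the fixed version.

```shell
#!/bin/sh
# Added example (not from the thread): lint an ipseckey file before "ipseckey -f" loads it.
# Assumed key sizes: 3des = 48 hex digits (192 bits, per the reply); md5 = 32 hex digits (128 bits).
hexlen() {  # prints the number of hex digits in $1 ("0x" prefix allowed); 0 if not hex
    h=$1; case $h in 0x*|0X*) h=${h#??} ;; esac
    case $h in ""|*[!0-9a-fA-F]*) echo 0 ;; *) echo ${#h} ;; esac
}
check_ipseckey_file() {  # $1 = file; returns 0 if clean, 1 after printing every problem found
    rc=0 first=1
    # the heredoc feeds the file with "\"-continued lines joined and comments/blank lines dropped
    while read -r line; do
        set -- $line
        if [ $first = 1 ]; then first=0
            [ "$1" = flush ] || { echo "first command must be 'flush', got '$1'"; rc=1; }
        fi
        [ "$1" = add ] || continue
        spi=$4; auth=; akey=; enc=; ekey=
        while [ $# -gt 1 ]; do   # walk the "keyword value" pairs of the add command
            case $1 in authalg) auth=$2 ;; authkey) akey=$2 ;; encralg) enc=$2 ;; encrkey) ekey=$2 ;; esac
            shift
        done
        if [ "$auth" = md5 ] && [ "$(hexlen "$akey")" -ne 32 ]; then
            echo "spi $spi: md5 authkey must be 32 hex digits (128 bits): $akey"; rc=1
        fi
        if [ "$enc" = 3des ] && [ "$(hexlen "$ekey")" -ne 48 ]; then
            echo "spi $spi: 3des encrkey must be 48 hex digits (192 bits): $ekey"; rc=1
        fi
    done <<EOF
$(sed -e :a -e '/\\$/N; s/\\\n//; ta' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$')
EOF
    return $rc
}
# Constructed samples: the poster's system-1 SA as typed (16-hex-digit 3des key, no flush) and a
# corrected version with a 48-hex-digit placeholder key (not a real key).
BAD_FILE=${TMPDIR:-/tmp}/ipseckey.bad.$$; GOOD_FILE=${TMPDIR:-/tmp}/ipseckey.good.$$
cat >"$BAD_FILE" <<'EOF'
add esp spi 0x2112 src 10.1.1.1 dst 10.1.1.2 \
    authalg md5 authkey 123456aa123456bb123456cc123456dd \
    encralg 3des encrkey 789000ee789000ff
EOF
cat >"$GOOD_FILE" <<'EOF'
flush
add esp spi 0x2112 src 10.1.1.1 dst 10.1.1.2 \
    authalg md5 authkey 123456aa123456bb123456cc123456dd \
    encralg 3des encrkey 0123456789abcdef0123456789abcdef0123456789abcdef
EOF
for f in "$BAD_FILE" "$GOOD_FILE"; do
    check_ipseckey_file "$f" && echo "$f: ok to load with ipseckey -f"
done
```

Run as root on the Solaris box against the real /etc/inet/ipseckey instead of the samples; a 16-digit encrkey is the kind of value that triggers the doaddup error described above.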
