RE: ipsec config problem :URGENT HELP NEEDED

From: Wenchel, Kevin B. (Kevin.Wenchel@jhuapl.edu)
Date: 08/20/01


Message-ID: <B07BB447BEDED411A49D0008C7E691E28A1952@aples3.jhuapl.edu>
From: "Wenchel, Kevin B." <Kevin.Wenchel@jhuapl.edu>
To: 'Sayali Karanjkar' <Sayali.Karanjkar@Sun.COM>, "'focus-sun@securityfocus.com'" <focus-sun@securityfocus.com>
Subject: RE: ipsec config problem :URGENT HELP NEEDED
Date: Mon, 20 Aug 2001 15:27:39 -0400


-----Original Message-----
From: Sayali Karanjkar [mailto:Sayali.Karanjkar@Sun.COM]
Sent: Sunday, August 19, 2001 10:55 PM
To: focus-sun@securityfocus.com
Subject: ipsec config problem :URGENT HELP NEEDED

>Hi all,
>
>I need some help for this ipsec tunnel configuration that i am trying to
>implement. this is really urgent and i hope you all will help me out with
>this.
>
>I have configured ipsec by using the command 'ipsec' at the command prompt
>and then the configuration being done at the ipsec command prompt :ipsec>
>so how do i know where the ipseckey file is and how do i check it?
>

There is no file created. The easier way to handle this is to place all the
ipsec configuration commands into the file /etc/inet/ipseckey. Make sure to
place a flush command at the top of the file. Then load the database with
"ipseckey -f /etc/inet/ipseckey".
Also, the script /etc/rc2.d/S69inet is written to look for
/etc/inet/ipseckey and will run 'ipseckey -f ' to load the SA database for
you at boot time.

>also the configuration needs a tunnel src address and tunnel dest address.
>which addresses are these? i have two systems which are sparc machines
>running the solaris 8 core administration package and they are connected
>via a private network. one machine is 10.1.1.1 and the other is 10.1.1.2.
>so these are the two system addresses right and then which are the tunnel
>addresses?
>
>i have given the command
>
>on system 1
>
>ipsec> add esp spi 0x2112 src 10.1.1.1 dst 10.1.1.2\
>authalg md5 authkey 123456aa123456bb123456cc123456dd \
>encralg 3des encrkey 789000ee789000ff
>
>on system 2
>
>ipsec> add esp spi 0x2113 src 10.1.1.2 dst 10.1.1.1\
>authalg md5 authkey 654321aa654321bb654321cc654321dd \
>encralg 3des encrkey 000789ee000789ff
>
>and after this the command on system 1 gave no error but the one on system
>gives error saying that one of the values entered is incorrect. return
>message in doaddup.invalid argument.
>what causes this problem?
>

You usually encounter this error message because a key value has an
incorrect length.
When I use 3des on my system, I cannot enter a key less than 192 bits (48 hex
digits) or I get the doaddup error.

You should also check to make sure you have the Sun supplemental Encryption
packages installed. Absence of these packages will also cause this error.
 
# pkginfo | grep "SUNWcry"

If you don't see any results, go to
http://www.sun.com/software/solaris/encryption/download.html
and download the packages.

>after that i tried to configure the secure tunnel..by giving the foll.
>commands.
>
>on system 1
>
>#ifconfig ip.tun0 plumb
>#ifconfig ip.tun0 10.1.1.11 10.1.1.22 \
>tsrc 10.1.1.1 tdst 10.1.1.2 encr_algs 3des encr_auth_algs md5
># ifconfig ip.tun0 up
>
>on system 2
>
>#ifconfig ip.tun0 plumb
>#ifconfig ip.tun0 10.1.1.22 10.1.1.11 \
>tsrc 10.1.1.2 tdst 10.1.1.1 encr_algs 3des encr_auth_algs md5
># ifconfig ip.tun0 up
>
>this also gives error on system 2 and no error on system 1.
>what might be the problem?
>

I assume these two machines are both set up to act as routers?
I haven't created a tunnel with Solaris 8 IPSEC before. If you haven't
already, take a look at the following Answer Book IPSEC documentation:

http://docs.sun.com:80/ab2/coll.47.11/SYSADV3/@Ab2PageView/22882?Ab2Lang=C&Ab2Enc=iso8859-1

There is a section on building VPNs.
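
Added example, not part of the original message or of Solaris: a Python check that applies the two points from the reply (a flush command at the top of /etc/inet/ipseckey, and a 3des key of at least 192 bits) to the contents of an ipseckey file before it is loaded. The function names, the `MIN_KEY_BITS` table and the md5 figure of 128 bits are assumptions of this example; the sample input is the poster's system 1 command.

```python
import re

# Minimum key sizes in bits: 3des=192 is the figure from the reply above;
# md5=128 is the HMAC-MD5 key size. Extend the table for other algorithms.
MIN_KEY_BITS = {("authalg", "md5"): 128, ("encralg", "3des"): 192}
KEY_FIELD = {"authalg": "authkey", "encralg": "encrkey"}

# Constructed sample: the poster's system 1 command, saved without a flush line.
SAMPLE = """\
add esp spi 0x2112 src 10.1.1.1 dst 10.1.1.2\\
authalg md5 authkey 123456aa123456bb123456cc123456dd \\
encralg 3des encrkey 789000ee789000ff
"""

def commands(text):
    """Yield token lists, one per command, after joining backslash continuations."""
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():
        tokens = line.split()
        if tokens and not tokens[0].startswith("#"):
            yield tokens

def check_ipseckey(text):
    """Return a list of human-readable problems found in an ipseckey file."""
    problems = []
    cmds = list(commands(text))
    if not cmds or cmds[0][0] != "flush":
        problems.append("first command is not 'flush'")
    for tokens in cmds:
        if tokens[0] != "add":
            continue
        # After "add <satype>" the rest of the command is name/value pairs.
        fields = dict(zip(tokens[2::2], tokens[3::2]))
        spi = fields.get("spi", "?")
        for alg_field, key_field in KEY_FIELD.items():
            alg, key = fields.get(alg_field), fields.get(key_field)
            want = MIN_KEY_BITS.get((alg_field, alg))
            if key is None or want is None:
                continue
            if not re.fullmatch(r"[0-9a-fA-F]+", key):
                problems.append(f"spi {spi}: {key_field} is not hex")
            elif len(key) * 4 < want:
                problems.append(
                    f"spi {spi}: {key_field} is {len(key) * 4} bits, "
                    f"{alg} needs {want} ({want // 4} hex digits)")
    return problems

if __name__ == "__main__":
    for problem in check_ipseckey(SAMPLE):
        print(problem)
```

The messages report the SPI and the field name only, so key material does not end up in terminal scrollback or logs.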


