RE: SunScreen v3.1 to v3.0b communications

From: Sean Boran
Date: 10/04/01

From: "Sean Boran" <>
To: "'Valerie Anne Bubb'" <>, <>
Subject: RE: SunScreen v3.1 to v3.0b communications
Date: Thu, 4 Oct 2001 11:40:51 +0200
Message-ID: <005d01c14cb8$a7a1b250$>

Hi Valerie,

> Hi Sean -
> Yes, you have hit a common problem (which is the result of
> US crypto laws relaxing between releases of SunScreen).

> >Ss_install doesn't allow me to specify key sizes, has anyone
> found a way
> >of making these beasts talk to each other?
> I have set this up before (also with an old admin station to talk
> to a new screen), but you do need to manually generate and set up
> new keys that all have the same size.

> >Creating new sunscreen keys:
> >
> >a) Sunscreen:
> >List current keys:
> >skiplocal -l
> >Delete current keys:
> >skiplocal -r -s 0
> It is not necessary to delete the old ones.

OK. I wanted to be sure there was no conflict in keys selected.

> >Create new one:
> >skiplocal -k -m 512
> >Print out command for other side:
> >skiplocal -x
> >Add local and remote certs to Sunscreen engine:
> >ssadm edit Mypolicy
> >edit> list certificate
> >edit> add certificate "admin-group" GROUP "remote"
> >edit> add certificate  "remote" SINGLE NSID 8 MKID
> >"0x4fd3a1eec3a168e1lotsofcrap"
> >edit> add certificate  "MyScreen.admin" SINGLE NSID 8 MKID
> >"0x9c6e6b0822b590otsofcrap"
> >edit> save
> >ssadm activate Mypolicy
> >skipd_restart
> Have you set up an accessRemote rule? (one would have been set
> up by default with ss_install if you said you wanted remote
> administration, and you would only need to update the key now).
> If so, what does it look like?

add service "remote administration" GROUP ss_admin ping ssh

No actual rule is needed AFAIK?
When I do an ssadm -r ss3 login admin from the admin station, a snoop
on the ss sees only the following every 30 secs or so until the login
times out.

     admin -> ss3 TCP D=3853 S=34325 Syn Seq=1097095997 Len=0
2 Options=<mss 1326>

ssadm: Can't run command: Connection timed out

/var/log/skipd.log on the ss has no new entries.
On the admin station I see several entries like:
Thu Oct 4 11:37:59 2001 NOCERT: kernel query nsid=8
Thu Oct 4 11:37:59 2001 sending CDP request for nsid=8
Thu Oct 4 11:39:19 2001 cdp failed for nsid=8

> >
> >b) Admin station:
> >Delete ACL entry to screen:
> >skiphost -i le0 -d MyScreenIP
> >Add new entry according to "skiplocal -x" above.
> >Save skip settings and restart skip:
> >skipif -i all -s
> >skipd_restart
> Looks fine.
> Valerie
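As an added example (not part of this thread, and not a SunScreen or SKIP tool), here is a small POSIX shell triage script for the admin-station skipd.log lines quoted above. It tallies, per NSID, the "NOCERT: kernel query" lookups, the CDP requests sent and the "cdp failed" results, so that a repeating query/request/fail cycle for one NSID is visible at a glance. The log lines in the here-document are constructed from the format shown in the mail; the function names and the temp-file handling are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise SKIP certificate discovery
# (CDP) activity per NSID from an admin-station /var/log/skipd.log.
# Each function takes the path of a skipd.log as $1.

# Prints one line per NSID that had a CDP request:
#   nsid=<n> nocert=<count> cdp_requests=<count> cdp_failed=<count>
skipd_cdp_summary() {
    awk '
        # The NSID is always the last field, as "nsid=<n>"; strip the prefix.
        function nsid_of(line,   n) { n = $NF; sub(/.*nsid=/, "", n); return n }
        /NOCERT: kernel query nsid=/    { nocert[nsid_of($0)]++ }
        /sending CDP request for nsid=/ { req[nsid_of($0)]++ }
        /cdp failed for nsid=/          { fail[nsid_of($0)]++ }
        END {
            for (n in req)
                printf "nsid=%s nocert=%d cdp_requests=%d cdp_failed=%d\n",
                       n, nocert[n] + 0, req[n] + 0, fail[n] + 0
        }' "$1"
}

# Prints, one per line, every NSID with at least one failed CDP lookup.
# Exit status 1 when any failure was found, so it can gate a check script.
skipd_failed_nsids() {
    awk '
        /cdp failed for nsid=/ { n = $NF; sub(/.*nsid=/, "", n); seen[n] = 1 }
        END { for (n in seen) print n; exit (length(seen) > 0) ? 1 : 0 }' "$1"
}

# Constructed sample log, in the format quoted from the admin station.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Thu Oct 4 11:37:59 2001 NOCERT: kernel query nsid=8
Thu Oct 4 11:37:59 2001 sending CDP request for nsid=8
Thu Oct 4 11:39:19 2001 cdp failed for nsid=8
Thu Oct 4 11:40:01 2001 NOCERT: kernel query nsid=8
Thu Oct 4 11:40:01 2001 sending CDP request for nsid=8
Thu Oct 4 11:41:21 2001 cdp failed for nsid=8
EOF

skipd_cdp_summary "$SAMPLE_LOG"
```

A run over the sample prints `nsid=8 nocert=2 cdp_requests=2 cdp_failed=2`: every kernel query for NSID 8 led to a CDP request that failed, with nothing new logged on the screen side, which is the pattern described in the mail for a key or certificate mismatch between the two SKIP versions. The NSID it reports is the one whose certificate entries (the `add certificate ... NSID 8 MKID ...` lines and the skiphost ACL entry) should be compared on both sides.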