Networking :: Ipsec - Racoon Roadwarrior Client - Main Mode - Hybrid_rsa Authentication?
Jun 28, 2011
My client is on Ubuntu Lucid 10.04, I installed ipsec-tools and racoon from the repositories. The gateway is installed on a CentOS machine. I've configured everything to get a working roadwarrior configuration with authentication_method hybrid_rsa client and server. It's working in aggressive mode, but in main mode I can't get it working. I delivered new CA and certificates several times but I'm still stuck.
It seems that it comes from my client not supporting the certificate sent by the server. The client contains a copy of the CA, whereas server has a private key and a certificate signed by the CA.
[Code]...
View 3 Replies
ADVERTISEMENT
May 21, 2010
i have two laptop of ip-address --10.114.12.27 & 10.114.12.28.i have install ipsec-tools & racoon on both laptop.i m using ubuntu os. now i want to use automatic keying by racoon.for this i have put these lines in /etc/racoon/racoon.conf path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous
{
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
my_identifier address;
[Code]...
and when i usint "racoon -F" and try to ping these two laptop , it is not pinging at all. and alse "racoon -F" does not show any ESP and AH.
View 1 Replies
View Related
Aug 6, 2010
As part of the project I'm working on, I need to set up a server with IPSec authentication only connections to a large number of low bandwidth clients. I'm making use of the PF_KEY interface to populate the keys on the server and while prototyping things I've found that the initial setup is taking longer than I had expected. At the start of my test, entries are being added to the database at a rate of around 30/second, but as time goes on this is dropping significantly. I ran a test up to around 100k entries and by then the rate had dropped to 10/second. It's key to me that if I reboot my server that the Security Associations can be repopulated in a very short period, so I do genuinely need this to be much faster.
Two questions:
1) Does anyone have any experience of running with a large number of SAs set up, and if so what sort of setup rate did you get?
2) Are there things I can do to speed up the provisioning of these SAs? I'd really like to see a rate in the thousands per second.
We've been doing the prototyping on the 2.6 kernel.
View 1 Replies
View Related
May 21, 2010
I have been used NX client on windows 7 connected to ubuntu with NX client/node/server with no issues. The matter started when I have formatted Ubuntu and reinstalled NX, from that NX connects but shows a key error as follows:
NX> 203 NXSSH running with pid: 4328
NX> 285 Enabling check on switch command
NX> 285 Enabling skip of SSH config files
[code]....
View 7 Replies
View Related
Mar 2, 2011
Server: Fedora 14
Client: Fedora 14
LDAP server: 389-ds
I have set up the 389 server using the default configuration. Adding user and http/pam authentication works fine. The problem I have is the client authentication. On the client machine, using "authconfig-tui" to turn on LDAP authentication it turns on sssd and use 'sss' in etc/nsswitch.conf after 'files'. I couldn't get sss working. In the end, I disabled sssd and manually changed 'sss' to 'ldap' for all configuration files including:
modify /etc/nsswitch.conf
modify /etc/pam.d/password-auth, change all sss to ldap
modify /etc/pam.d/system-auth
change /etc/sysconfig/authconfig
FORCELEGACY=yes
After these, client authentication works. I can log in to the client machine using user/password set on the LDAP server. I thought this is done but everyday the LDAP service stop functioning once or twice. I can't log in to the client machine using LDAP username/password. After restart the dirsrv on ldap server, things back to normal. I can't find any reasons from /var/log/dirsrv/ldap-xxx error file and don't know how to debug the problem.
View 3 Replies
View Related
Nov 19, 2010
I want to use FTP client (for example ncftp) to connect in active mode. I have firewall (iptables) on my laptop and most of time I am behind rooter. With outgoing packets and with passive mode all is working fine.But some sites accept only active mode.I could open some port range in firewall and in rooter for active data packets, but I don't know how to solve security issues.So how should I correctly manage active ftp connection?
How can I set data port range when opening active connection with ncftp (or maybe another ftp client)?How can I limit that incoming connections to that ports range is accepted only by ncftp or else dropped?
View 1 Replies
View Related
Jan 12, 2011
an opensource NON-GUI git client (for linux of course) that's really light/small. I just need to it to have the main functionality of a GIT client (downloading project for read only, clone, add, commit)
View 3 Replies
View Related
May 7, 2010
I am not 100% happy with empathy like I was with Pidgin. I am, however very happy with the indicator applet that sits next to the clock. My question is, how do I go about setting this system so that instead of 'chat' loading Empathy, it recognises that as Pidgin instead?
View 5 Replies
View Related
Aug 24, 2010
I have an IPsec VPN between 2 Ubuntu 10.04.1 Boxes which is working perfectly. However I cannot get any traffic to route down the VPN link.Interestingly, when checking the routing table, there isn't even a route list for the remote network. This is the same on both sides. Also there isn't an ipsec0 interface listed either.However, when a the command "sudo service ipsec status" is ran, it definately shows the tunnel is up and connected.
View 1 Replies
View Related
Sep 9, 2010
I install openswan on rhel6 and when i execute the command "service ipsec start "
it say:
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: Openswan IPsec apparently already active, start aborted
[Code].....
View 1 Replies
View Related
Jul 9, 2010
I'm working on a work project related to Web (Client) authentication and DOD Common Access Cards. But I'm having difficult getting the details about what happens on the CAC side of things.
I familiar with the PKI system as it applies to e-mail. (Correct me if I err, of course.) If you want to sign an e-mail (i.e., so it can be authenticated by the receiver) you use your private key to add a digital signature to the message. Then, the receiver uses your published public key to determine if the digital signature is valid, i.e., was created using your private key (even though the receiver never actually has access to your private key).
So... my questions:
1) When a person with a DOD CAC visits a CAC-enabled web site, and the server grants access after the CAC is inserted, is the authentication process fundamentally the same as what happened with the e-mail authentication?
2) If the private key is used in this process (it would have to be, correct?) is the signature created on the CA Card electronics (i.e., the private key remains on the CAC)? Or is the private key copied onto the computer, which uses it to create the signature?
View 1 Replies
View Related
Mar 25, 2010
I have three locations with a central office connected to two remote locations. At the central office I run on a cisco asa 5505 two site to site vpns. The remote end of the first site is a checkpoint firewall , and the remote end of the second site is racoon on debian. Both sites are up and working. However, where at the first site traffic goes both ways, at the second site it only works from the central office to the remote office.
For example, I can ssh from a host in the central office to a host in the first remote site (through checkpoint firewall,) then ssh back from that host at the remote office to any host in the central office. In contrast, after I ssh from a host in the central office to a host in the second remote office (through racoon), I cannot see the central office hosts (ping the ip address of a central office host, ssh, etc. all fail.) The vpn settings at the central office (the cisco asa 5505) are identical. So it seems to me that some routing magic is missing on the host running racoon at the second remote office. Where would such setting reside? racoon config files? iptables?
View 1 Replies
View Related
Jul 21, 2009
I'm trying to perform a VPN lan to lan IPSEC connection. By my side, I have a server with 2 IP's, i.j.k.l (destined to act as a VPN gateway) and i.j.k.m (the server). I am a newbie. I don't know if this configuration is normal, but it's forced by our partner.
My configuration is:
OS: Fedora release 7 (Moonshine)
OpenSWAN version: Linux Openswan U2.4.7/K2.6.23.17-88.fc7 (netkey)
ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
[Code]...
View 3 Replies
View Related
Feb 12, 2011
I've been using IPv6 on my local network and through a Hurricane Electric IPv6 tunnel. I've heard that one of the built in features of IPv6 is encryption, both scrambling the data and authenticating where the traffic came from. I've done some searching and heard of SWAN and Racoon, but some of the stuff I found is old and I would like to know what the easiest/best way to set up IPSEC for IPv6 is.
View 3 Replies
View Related
Jun 4, 2010
I had configured IPSEC/L2Tp on my Centos 5.4 gateway machine .For testing i had disabled firewall and Ipsec is working fine.I am able to connect from client etc...Now i want to allow Ipsec and l2tp throught Firewall.here is my Current Working Firewall.Only Openvpn is allowed and is Redirected.
eth0=XXXSTATICIPXXX
eth1=192.168.1.81
OpenVpn IP Range = 172.24.0.16/4
Ipsec Ip Range = 192.168.1.0/24
[Code].....
View 2 Replies
View Related
Jun 4, 2009
i would like to establish a VPN connection which can hold either 'two' hosts..and secondly if that's done i would like to go for more number of users..Can i do it using IPSec services??if yes then how?
View 9 Replies
View Related
Jun 22, 2011
While I successfully configured an IPsec-VPN (I use a similar tho modified setup like this:[URL].. I am now stuck on the next steps. While I can connect to everything I want, I need to configure "access-groups" and/or "users".
The scenario is similar to this: Lets say Host A, B and C allow SSH-Connections and some weird non-standard UDP-Connection from Host-VPN, and are also accessible on other ports with public IP's (like http).
I now want to limit, that an admin-user has access to all of them, while trainee-admin only can access everything on Host B and C, and CEO only can connect via telnet to Host C - and all users can be roadwarriors
(I made this example up to give you an idea what i'm trying to do - hope it makes sense). Now my question is, if someone can point me towards a direction, as I'm quite clueless at the current moment as to what to try. I know that commercial IPsec-Implementations can do this, but can OpenSWAN/... give me something similar?
View 1 Replies
View Related
Feb 27, 2011
I have a Ubuntu 10.10 box which i've developed an IPTables Firewall script and is forwarding my ports correctly. This service also runs Openswan VPN Server with 2 VPN's, which is also working well.
I have come across a small snag with excluding the multiple VPN subnets I have from the NAT on this box.
I have the line in my configuration file:
-A POSTROUTING -o eth1 -s 10.172.1.0/24 -d ! 192.168.5.0/24 -j MASQUERADE
Which when added to IPTables does make the VPN come to life. But I can't seem to get it to add the second subnet. Unfortunately, I can't do a blanket exclusion such as 192.168.0.0/16 because the second VPN is on a Class B subnet address which I cannot change.
View 1 Replies
View Related
Aug 18, 2011
Connecting two networks with ipsec on this manual [URL] The two networks are connected, everything works, the question is as follows: For a gateway to multiple subnets, I have access to only one subnet is listed in / etc/sysconfig/network-scripts/ifcfg-ipsec0 DSTNET = 192.168.2.0/24. How do I get access to all the subnets?
View 2 Replies
View Related
Aug 6, 2011
I am running a ubuntu server and want to host a web application (php/mysql based) however I dont want to use usernames and passwords for authentication. I'd like to use a client certificate. The military uses similar technology using the CAC card to provide the certificate for authentication.
not sure if this would be done using the apache modules or if php would be a better place to play with this
View 3 Replies
View Related
Apr 29, 2010
Is there any possibility to transport one or two VLANs through a VPN (IPSEC) link on Linux
View 2 Replies
View Related
Jan 19, 2010
i need to build an ipsec vpn between a linux debian server and a zyxel prestige, The debian server got 2 ethernets connection one for the internal network and the other one is public with a public ip adress.I need to know what i need for the build the tunnel, could you please let me know what i need? Let me explain i have only to configure openswan or i have to configure the iptables or somethings else too? I found this one do you think this would be work for me? [URL]..Is debian a right distro or should i try someone else?
View 2 Replies
View Related
Dec 17, 2010
I've no experience with IPSec. I've used many times OpenVPN (with static key or certificates x509).
Could anyone suggest me a good tutorial in order to learn IPSec vpn with Linux?
View 1 Replies
View Related
Aug 18, 2010
I was trying to setup SSL Client authentication on only one virtual host. Here is a brief excerpt sample of my conf file for the virtual host:
<VirtualHost xx.xx.xx.xx:443>
SSLRequire %{SSL_CLIENT_S_DN_O} eq "something"
SSLVerifyClient require
SSLVerifyDepth 2
</VirtualHost>
But when I try to check for syntax errors tells me SSLRequire not allowed here I do not want to add SSLRequire on the main httpd.conf because I only want it for one virtual host. The rest of the virtual hosts do not need it.
View 2 Replies
View Related
Apr 3, 2010
I've searched through google, and all I can find are instructions on how to set up a L2TP/IPSec VPN that works with macs and iPhones. I'm NOT trying to set up an L2TP/IPSec VPN. I'm trying to set up a pure-ipsec vpn.
The iPhone IPSec client is a built-in cisco client, I believe. I'm staying away from L2TP and PPTP because I need multicast packets to go through. *edit: wow, i just noticed that the title says "8.10 LTS". Oops! I obviously mean "8.04 LTS". Gah, the lack of sleep got to me.
View 6 Replies
View Related
Nov 16, 2010
I just got vpnc setup to work with my VPN at work and now I am trying to figure out how to limit the traffic that is routed through the VPN while I'm connected to it. I only want traffic going to the local domain to be routed through the VPN.This is what my vpnc config file looks like:
Code:
IPSec gateway publicdomain.example.com
IPSec ID XXXX
[code]....
View 2 Replies
View Related
Aug 31, 2010
Earlier today I was setting up ssh on a new computer. I modified permissions on the Passwd folder to complete the setup. I few hours later when I went to sudo something in the terminal I received the notice of an incorrect password (after using sudo prior to this), even though it was typed correctly.
I tried to restart the computer to solve the issue, but was met with an Authentication Failed message, regardless of the user I tried to log in with. I was hoping I could log in with recovery mode but was unable to do that as well. I have searched a substantial amount and have not found a solution. Could this be an issue with permissions on either the Passwd or Shadow folder? If so, could these be changed if I ran a Live CD?
View 1 Replies
View Related
May 26, 2011
I am attempting to set up an automatic transfer via sftp using public key authentication. I have created a public/private key pair to connect to the remote server without using a password. I have also been able to use this key pair to login from the command line: sftp -vvv -oPort=<server-side port> user@server.Debug info from interactive command:
Code:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
[code]...
View 1 Replies
View Related
Sep 2, 2011
I have a openldap server running on one machine (fedora10) and pam_ldap.so and nss_ldap.so running on the other machine.
I have added a new user to the LDAP server database, this user is not created on client machine.
1. Can i login to the client machine using this new user?
2. Now if i try logging with this new user I am getting error messages, the error messages are as follows at client side
Sep 2 10:34:36 localhost sshd[8484]: Invalid user kim from 10.254.194.148
Sep 2 10:34:36 localhost sshd[8485]: input_userauth_request: invalid user kim
Sep 2 10:35:16 localhost sshd[8484]: pam_ldap: error trying to bind as user "cn=min soo,ou=people,dc=samsung,dc=com" (Invalid credentials)
[Code]....
View 4 Replies
View Related
Jun 11, 2011
Just an FYI for anyone who may be having this particular problem. A short while back, I was trying to attach a picture to a Twitter post, and dropped my network connection. No big deal...connection came back, and things went on. Next time I launched Choqok, it popped up a message saying "Server Error: This method requires authentication". It was puzzling, and didn't appear to impact my use...until I went to send a direct message, and it would give that error and crash. After quitting Choqok, the file (/tmp/ksocket-user/klauncherXXXXXX.slave-socket file) was still present. Deleting that file manually cleared the error up. I've seen this mentioned in a couple of other forums, but none with a solution posted.
If anyone else has that error, and this method resolves it, please let us know. I'm using openSUSE 11.4, but it should apply to any version/distro of Linux using Choqok.
View 5 Replies
View Related
