I am back in Town...Hello Everyone...
I don't know if your VPN connection is up or down... just a test connection.
This is what I did... using Charles's Eiger image and Windows XP.
Don't worry about RSA for now....
My /etc/ipsec.conf:
# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
# (mostly to fix internal defaults which, in retrospect, were badly chosen)
conn %default
    keyingtries=1
    disablearrivalcheck=no
    authby=secret
    keylife=2h
    #leftrsasigkey=%cert

conn road
    left=0.0.0.0
    leftsubnet=
    leftnexthop=
    right=192.168.1.254
    rightsubnet=192.168.1.0/24
    rightnexthop=192.168.1.1
    pfs=yes
    auto=add
    #rightrsasigkey=%cert
And my /etc/ipsec.secrets:
192.168.1.254 %any: "0xad11sdfadf11sfsafd11e30ec3eee316d766e657601f21b41xxxxxxxxxxxyyyyyyyyyyb54415691f1523232325658854"
The above preshared key can be anything, but make sure you have that at both
ends... in the VPN.
You can use this command to create that key: ipsec ranbits --quick --bytes 50
Upnet Joe...
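An added example, not from the original thread: a small Python checker for the two ipsec.secrets formatting rules this thread covers, the one-line preshared-secret entry shown above and the indented RSA block that Charles describes in the quoted reply below. The file contents are constructed samples, and the check mirrors only the rules stated in the thread, not the full FreeS/WAN grammar.

```python
import re

# Constructed sample ipsec.secrets contents (FreeS/WAN 1.x style). The RSA block
# repeats the mistake discussed in the thread: its key lines start in column 0.
BROKEN_SECRETS = """\
192.168.1.254 %any: "0xad11sdfadf11sfsafd11e30ec3eee316d766e657601f21b41"
: rsa {
Modulus: 0x00placeholder
PublicExponent: 0x03
}
"""

# Same entries with every line after ": rsa {" indented, as the reply requires.
FIXED_SECRETS = """\
192.168.1.254 %any: "0xad11sdfadf11sfsafd11e30ec3eee316d766e657601f21b41"
: rsa {
    Modulus: 0x00placeholder
    PublicExponent: 0x03
    }
"""

# "indices : rsa {" opens a multi-line RSA entry (indices may be empty).
RSA_OPEN = re.compile(r'^([^:#]*):\s*rsa\s*\{\s*$', re.IGNORECASE)
# "indices : [PSK] secret" is a one-line preshared key: quoted string or bare 0x hex.
PSK_LINE = re.compile(r'^([^:#]*):\s*(?:PSK\s+)?("[^"]*"|0x[0-9a-fA-F]+)\s*$')


def check_secrets(text):
    """Return [(line_no, problem)] for the formatting rules stated in the thread."""
    problems = []
    in_rsa = False
    no = 0
    for no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue  # blank lines and comments are ignored
        indented = line[0].isspace()
        if in_rsa:
            # Everything after ": rsa {", closing brace included, must be indented.
            if not indented:
                problems.append((no, 'RSA key line must start with whitespace'))
            if line.strip() == '}':
                in_rsa = False
            continue
        if indented:
            problems.append((no, 'indented line outside an RSA block'))
        elif RSA_OPEN.match(line):
            in_rsa = True
        elif not PSK_LINE.match(line):
            problems.append((no, 'not a recognised "indices : secret" entry'))
    if in_rsa:
        problems.append((no, 'RSA block not closed with "}"'))
    return problems
```

Running `check_secrets(BROKEN_SECRETS)` flags lines 3 to 5 as unindented, while `FIXED_SECRETS` passes clean.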
----- Original Message -----
From: "Joey Officer" <[EMAIL PROTECTED]>
To: "Charles Steinkuehler" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, March 04, 2002 1:42 PM
Subject: RE: [Leaf-user] ipsec.conf and ipsec.secrets
> I see the point about the white space indention, the formatting must not
> have kept in my original email. I believe that this is everything I need
> now to get this working. I'll be working on it this evening. Thanks for
> the help everyone...
>
> Joey
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Charles
> Steinkuehler
> Sent: Monday, March 04, 2002 11:19 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Leaf-user] ipsec.conf and ipsec.secrets
>
> List added back to thread...
>
> > One last question, regarding ipsec.secrets, this is unique to each
> > machine, correct? And I put the entire output from ipsec rsasigkey into
> > that within the {} . Or (like I read once before) do I create an entry
> > for each machine something like
> >
> > @shop : RSA
> > {
> > <output from ipsec rsasigkey>
> > }
> >
> > @home : RSA
> > {
> > <output from ipsec rsasigkey>
> > }
> >
> > this doesn't seem right since the output should be kept private, but I
> > read that through one of the man pages. Or, do I simply put the output
> > from the ipsec rsasigkey into the ipsec.secrets for each unique box?
>
> For RSA keys, each machine needs its own *COMPLETE* RSA key in
> ipsec.secrets. *BOTH* endpoints of the VPN need the public portion of the
> key in ipsec.conf.
>
> Please note that your format above will not work for ipsec.secrets...
> you're missing the required whitespace at the beginning of the RSA key
> lines. You want something more like:
>
> : rsa {
>     <rsa-key-stuff>
>     <more-rsa-key-stuff>
>     <more-rsa-key-stuff>
>     <more-rsa-key-stuff>
>     }
>
> Note everything but the ": rsa" line is indented with whitespace...
> FreeS/WAN is *VERY* picky about this. See the ipsec.secrets man page for
> all the gory formatting details, but the above (filled in properly with
> real RSA key info) is enough of an ipsec.secrets file for most RSA
> applications.
>
> Unless you're trying to use multiple RSA keys on the same system (i.e.
> different RSA keys for different VPN links), you don't need any
> identifying information (the @home and @shop in your example).
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
>
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user