[Vpn-help] trouble compiling beta3 on ubuntu 6.06 lts

Harondel J. Sibble help at pdscc.com
Mon Sep 17 18:29:47 CDT 2007



On 17 Sep 2007 at 18:04, Matthew Grooms wrote:

> Very interesting. Thanks for sharing.

No problem, I was hoping that'd be useful to you.
 
> 
> At present, the Shrew Soft Client supports modecfg very well but does 
> not support DHCP over IPSEC. When updating your case, can you please 
> verify that they support the DHCP over IPSEC specification outlined in 
> RFC3456 or if they utilize a proprietary implementation.

Heh, already done ;-)

    Does MR3 or MR5 support rfc compliant mode config or just dhcp over ipsec?

    This is a description as posted by the Vpn client developer

    > Pull Mode : After phase1/Xauth, the client sends a list of configuration
    > attributes using either NULL or suggested values. This constitutes the pull
    > request. The gateway then responds with a list of configuration attributes for
    > the client to use ( address, netmask, DNS, etc ... ). The client then
    > acknowledges the response with a list of configuration attributes it has
    > accepted.
    >
    > Push Mode : After phase1/Xauth, the client waits for the gateway to send a
    > list of configuration attributes for the client to use ( address, netmask,
    > DNS, etc ... ). The client then acknowledges the response with a list of
    > configuration attributes it has accepted.

    the relevant RFC

    http://www.ietf.org/rfc/rfc3456.txt
 
> With that said, I would very much like to support DHCP over IPSEC. The 

And I'd very much like you to support it, it's a win-win situation ;-)

> only reason I haven't attempted to implement this yet is that I don't 
> have access to a gateway that supports the standard. I even have some 

When you say access, what does that mean exactly? I have a Fortigate 50 (old) 
that I am using currently, but have a 50a which I picked up on Ebay and 
should have in about a week.  I see fortinet has finally released MR5 
firmware for the 50A and 60 series units, so I'll be hooking that up shortly. 
Interestingly enough, they fixed the tunnel mode SSL vpn on this release 
(that got broken on MR3), but you can't do Tunnel mode with linux machines, 
only mac and windows :-(
 
Since the current 50 is working fine for now, I could hook up the 50A on a 
spare ip address and give you remote access to it, along with instructions 
for getting debug/logging info from the box, if that helps with this.

> DHCP packet handling code lying around that can be used to put this 
> together rather quickly. If you are willing to work with me on this, I 
> am very confident we can make this happen for 2.1 :)

Coolio, count me in!
 
> Attached.

Thanks, I'll make good use of that.
 
> No, this is not a feature. If iked is not responding to the client, then it
> has either crashed or hit a deadlock. If you still see this happen with beta
> 4, please try killing iked, then run it with the -F switch ( foreground mode )
> and let me know what the output looks like when it stops responding.

In all cases if I do a "ps auxw | grep iked", nothing comes back at this 
point, so it's gone away.
 
> Is the Fortinet spitting out any diagnostics when the client attempts to
> negotiate the config mode exchange?

None, that I noticed, but I was viewing the ipsec stuff, not the dhcp stuff, 
will have to turn on dhcp debug and see if I see anything useful.
 
> I believe there was another user on the list that had a Fortinet gateway. If
> memory serves, we were able to get this working using static address
> assignments. I think if you toy with it long enough, you could get it to work.

Hmm, that didn't work for me, but I'll play with the settings a bit.

> But that really is no way to manage remote access :) 

Agreed wholeheartedly! Hmm interestingly enough, the NCP client works fine 
connecting to the fortinet gateways doing dhcp over ipsec, but not to the 
sonicwall doing dhcp over ipsec. That's not too surprising since a lot of 
what sonicwall does is very proprietary, at least more so than most 
manufacturers.

> If DHCP over IPsec is the best way to get dynamic configurations out of
> these gateways, I would much rather spend time on getting that sorted
> out. 

Like I said, I'll gladly help this effort in whatever way I can. 

As to coding, maybe having a chat with the folks over at Lobotomo Software 
might be enlightening. They're the ones who put together IPSecuritas, a poor 
man's version of VPN Tracker (both mac based). Both programs are essentially 
front ends to racoon.  I've gotten IPSecuritas working successfully with both 
Sonicwall and Fortinet Gateways.  The latter was pretty easy, the former was 
not.   You can read about what I had to do here

<http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?board=IPSecuritas;action=display;num=1160415123;start=0>

or 

http://preview.tinyurl.com/29rra7

Check out the 4th posting from the bottom by sibble-comp.

Hmm, rereading my instructions, it looks like I am using neither dhcp over 
ipsec nor mode config.
-- 
Harondel J. Sibble 
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help at pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax)      (604) 686-2253 (pager)
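The pull and push mode-config exchanges quoted in the message above, modelled as an added example (not code from the Shrew Soft client or from this thread). Message and attribute numbers follow the ISAKMP mode-config draft / RFC 7296 CP payload; the address pool is constructed sample data.

```python
import struct
import ipaddress

# Message types and attribute types (values from the ISAKMP mode-config draft / RFC 7296)
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS = 1, 2, 3


def encode_attrs(attrs):
    """Encode {type: value_bytes} as TLV attributes: 2-byte type (AF bit 0), 2-byte length, value."""
    out = b""
    for atype, value in attrs.items():
        out += struct.pack("!HH", atype & 0x7FFF, len(value)) + value
    return out


def decode_attrs(blob):
    """Parse TLV attributes back into {type: value_bytes}; an empty value is a NULL attribute."""
    attrs, pos = {}, 0
    while pos + 4 <= len(blob):
        atype, length = struct.unpack_from("!HH", blob, pos)
        pos += 4
        attrs[atype] = blob[pos:pos + length]
        pos += length
    return attrs


def gateway_pool():
    """Constructed sample values the gateway hands out (hypothetical addresses)."""
    return {INTERNAL_IP4_ADDRESS: ipaddress.IPv4Address("10.99.0.5").packed,
            INTERNAL_IP4_NETMASK: ipaddress.IPv4Address("255.255.255.0").packed,
            INTERNAL_IP4_DNS: ipaddress.IPv4Address("10.99.0.1").packed}


def pull_mode():
    """Client asks with NULL values, gateway replies, client acknowledges what it accepted."""
    req = (CFG_REQUEST, encode_attrs({INTERNAL_IP4_ADDRESS: b"", INTERNAL_IP4_NETMASK: b"", INTERNAL_IP4_DNS: b""}))
    wanted = decode_attrs(req[1])
    reply = (CFG_REPLY, encode_attrs({t: v for t, v in gateway_pool().items() if t in wanted}))
    accepted = decode_attrs(reply[1])
    ack = (CFG_ACK, encode_attrs(accepted))
    return [req, reply, ack], accepted


def push_mode():
    """Gateway pushes a SET unprompted; client acknowledges the attributes it accepted."""
    setmsg = (CFG_SET, encode_attrs(gateway_pool()))
    accepted = decode_attrs(setmsg[1])
    ack = (CFG_ACK, encode_attrs(accepted))
    return [setmsg, ack], accepted


def assigned_address(accepted):
    return str(ipaddress.IPv4Address(accepted[INTERNAL_IP4_ADDRESS]))
```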