
Examples?



Goss, Chad writes:
> Can someone point me to a location where I can find samples (hex dumps) of a
> complete IKE exchange, Phase I Aggressive Mode? Would these be
> available, or is it easier just to run some of the reference code
> that exists?

You can generate those samples using our test site at
<URL:http://isakmp-test.ssh.fi/>. Just take two web browsers, point both
of them at isakmp-test.ssh.fi, and configure both to use the
IP address 194.100.55.1. Then configure one to use ports 2111 and 2112
and the other to use ports 2112 and 2111. Then just select the
configuration values and remember to configure one end as the
initiator and the other as the responder.

When the whole configuration is done, just start testing and you will see
the debug dump of the negotiation. Each payload is printed out in hex
when the packet is assembled, and the whole packet is also printed when
it is sent or received.

I just updated it to a new version, and it now also includes the RC5 and
IDEA ciphers in phase I.

Here is the latest announcement text:
----------------------------------------------------------------------
The SSH ISAKMP/Oakley test site is now available for testing.
See:

<URL:http://isakmp-test.ssh.fi/>.

This site was already announced in the Washington IETF IPSec session,
and has been operational since then, but this is the official announcement
of its availability for testing.

The SSH ISAKMP/Oakley test site is a web-based test site for
ISAKMP/Oakley servers; it allows your implementation to perform
negotiations against the test server. It gives you sufficient
debugging output that you can resolve most problems yourself; we are
happy to work with you on the remaining ones (send mail to
isakmp-support@ssh.fi).

For demonstration purposes, you can also have our implementation
negotiate against itself by giving 194.100.55.1 as the IP address
for the other end and using a different port number for each end.

I've now configured the system so that you can also use port 500 for
testing at the SSH end. So if you couldn't test earlier because you
couldn't configure the remote port, you can now use port 500.

Because only one user can be testing on the same port at the same time
(the test servers are each completely separate from each other, but
run on the same machine), it would be good to use some other port if
you can, and leave port 500 for those who cannot choose...

The SSH ISAKMP/Oakley test site supports the latest drafts (isakmp-10,
oakley-02, isakmp-oakley-08, doi-10), and the following options in those
drafts:

	- Several compatibility flags. 

	- Authentication with pre-shared keys and limited support for
	  DSA/RSA signatures and RSA encryption authentication.
	  Authentication via signatures or encryption is slightly
	  limited because you have to configure your own system so that
	  it trusts our test CA key (the certificate for it can be found on
	  the main page) or simply trusts any certificate sent
	  by the other end (you also need to turn on the "trust all
	  certificates" flag at the SSH end so that it will trust your
	  certificates). The certificate sent by the other end must
	  have the correct IP address in the alt name field. We can
	  also do some CA operations manually here, so send mail to
	  isakmp-support@ssh.fi if you want to do even more complicated
	  certificate testing.

	- Both responder and initiator ends.

	- Both Main mode and Aggressive mode.

	- New group mode between main or aggressive mode and quick
	  mode.

	- Quick mode. 

	- Encryption algorithms: DES, IDEA, Blowfish, RC5, 3DES, and
	  CAST-128.

	- Hash algorithms: MD5 and SHA.

	- Diffie-Hellman groups: 1, 2, private group arguments
	  given in the ISAKMP proposal, and a private group negotiated in
	  New Group mode (for quick mode). It also supports the 1536-bit
	  MODP group created by Richard Schroeppel and posted to the
	  linux-ipsec list. This is numbered as group 5.

	- With or without PFS in quick mode.

	- Limited configuration mode support: it will respond to any
	  configuration mode (or extended authentication) requests, but
	  the user interface doesn't allow you to initiate them.

The ISAKMP/Oakley test site is NOT connected to an IPSec engine, so it
will just print out the resulting keys after negotiation so that you can
check them (note that it prints just the raw key material; parity
bits etc. are fixed at the IPSec engine level, not at this level).

If you have any comments, problems, enhancements etc. please send mail
to isakmp-support@ssh.fi.

I will try to add some more help texts to the pages later, but I think
implementors should be able to understand the user interface and
debug output already. I really hope this service will be useful to
the IPSec community.

For more information about SSH ipsec see http://www.ssh.fi/ipsec/
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
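The debug dump described above prints each ISAKMP payload in hex and then the whole packet. As an added example (not code from the SSH test site or from this message), the Python below builds a message with the shape of Aggressive mode message 1 (HDR, SA, KE, Ni, IDii), parses it back into the header and the payload chain, and renders it as dump-style lines. The fixed 28-byte header and 4-byte generic payload header are the RFC 2408 (ISAKMP) wire format; the cookies, the payload bodies and the ID payload carrying 194.100.55.1 are constructed placeholders, not a real proposal, DH value or capture. The parser checks every length field against the bytes actually present, which is the first thing to verify when a dump from one implementation will not parse in another.

```python
"""Build and parse ISAKMP messages (RFC 2408 wire format): the 28-byte
fixed header plus a chain of payloads, each with a 4-byte generic header.
Constructed example, not code from the SSH test site."""
import struct
from dataclasses import dataclass

HDR_FMT = "!8s8sBBBBII"               # cookies, next payload, version, exchange, flags, msg id, length
HDR_LEN = struct.calcsize(HDR_FMT)    # 28
PHDR_FMT = "!BBH"                     # next payload, reserved (must be 0), payload length
PHDR_LEN = struct.calcsize(PHDR_FMT)  # 4

PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
EXCHANGE_NAMES = {1: "Base", 2: "Identity Protection (Main mode)", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational", 32: "Quick mode", 33: "New Group mode"}
FLAG_ENCRYPTION = 0x01  # payloads after the header are encrypted under the phase 1 SA


class MalformedISAKMP(ValueError):
    pass


@dataclass
class Header:
    icookie: bytes
    rcookie: bytes
    next_payload: int
    version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def build_message(icookie, rcookie, exchange_type, payloads, flags=0, message_id=0):
    """payloads: list of (type, body). Each generic header's next-payload byte
    names the type of the payload that follows; the last one carries 0."""
    if len(icookie) != 8 or len(rcookie) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack(PHDR_FMT, nxt, 0, PHDR_LEN + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack(HDR_FMT, icookie, rcookie, first, 0x10,  # version: major 1, minor 0
                      exchange_type, flags, message_id, HDR_LEN + len(body))
    return hdr + body


def parse_message(data):
    """Return (Header, [(type, body), ...]); every length is checked against
    the bytes actually present so a truncated or lying dump is rejected."""
    if len(data) < HDR_LEN:
        raise MalformedISAKMP("message shorter than the 28-byte header")
    hdr = Header(*struct.unpack(HDR_FMT, data[:HDR_LEN]))
    if hdr.version >> 4 != 1:
        raise MalformedISAKMP(f"unsupported major version {hdr.version >> 4}")
    if hdr.length != len(data):
        raise MalformedISAKMP(f"header says {hdr.length} bytes, got {len(data)}")
    if hdr.flags & FLAG_ENCRYPTION:
        return hdr, []  # payload chain is ciphertext; nothing to walk without the keys
    payloads, ptype, off = [], hdr.next_payload, HDR_LEN
    while ptype != 0:
        if off + PHDR_LEN > len(data):
            raise MalformedISAKMP(f"truncated payload header at offset {off}")
        nxt, reserved, plen = struct.unpack(PHDR_FMT, data[off:off + PHDR_LEN])
        name = PAYLOAD_NAMES.get(ptype, ptype)
        if reserved != 0:
            raise MalformedISAKMP(f"reserved byte set in {name} payload")
        if plen < PHDR_LEN or off + plen > len(data):
            raise MalformedISAKMP(f"{name} payload length {plen} overruns message")
        payloads.append((ptype, data[off + PHDR_LEN:off + plen]))
        ptype, off = nxt, off + plen
    if off != len(data):
        raise MalformedISAKMP(f"{len(data) - off} trailing bytes after last payload")
    return hdr, payloads


def describe(data):
    """Lines in the spirit of a debug dump: header fields, then each payload in hex."""
    hdr, payloads = parse_message(data)
    lines = [f"HDR icookie={hdr.icookie.hex()} rcookie={hdr.rcookie.hex()} "
             f"exchange={EXCHANGE_NAMES.get(hdr.exchange_type, hdr.exchange_type)} "
             f"flags=0x{hdr.flags:02x} msgid=0x{hdr.message_id:08x} len={hdr.length}"]
    for ptype, body in payloads:
        lines.append(f"{PAYLOAD_NAMES.get(ptype, ptype):>5} len={PHDR_LEN + len(body):3d} {body.hex()}")
    return lines


def sample_aggressive_msg1():
    """Constructed Aggressive mode message 1 shape: HDR, SA, KE, Ni, IDii.
    Bodies are placeholders (not a real SA proposal or DH value); the responder
    cookie is zero because the responder has not spoken yet."""
    return build_message(b"\x11" * 8, b"\x00" * 8, 4, [
        (1, b"\x00\x00\x00\x01" + b"\x00\x00\x00\x01" + b"\x00" * 8),  # DOI=1, SIT, placeholder
        (4, b"\xaa" * 96),                                    # placeholder 768-bit public value
        (10, b"\xbb" * 16),                                   # Ni
        (5, b"\x01\x00\x00\x00" + bytes([194, 100, 55, 1])),  # ID_IPV4_ADDR, the test site's address
    ])


if __name__ == "__main__":
    print("\n".join(describe(sample_aggressive_msg1())))
```

Running the block prints one line per payload in the order the next-payload chain links them, so a dump from another implementation can be compared field by field; a header length that disagrees with the bytes on the wire, a reserved byte that is not zero, or a payload length that runs past the end of the message are all rejected rather than silently walked.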

