I'm sure I will be of no help, since everything works for me.
But a few suggestions.
Just to let you know my setup, since it differs from yours.
Client (Cygwin) = Windows
Server (Ubuntu)
All version 1.9.4
Both are behind a NAT router with 2 other computers on the LAN. I haven't actually tried to connect from an external IP address. I'm using local IPs on all my attempted connections (port knocker program still in beta phase for me).
I'd just double-check
$ gpg --list-keys
on both server and client and make sure the keys are installed (which I'm sure they are). Here is my output:
Client:
Code:
$ gpg --list-keys
gpg: WARNING: This version has been built with support for the Camellia cipher.
gpg: It is for testing only and is NOT for production use!
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
/home/klal/.gnupg/pubring.gpg
-----------------------------
pub 4096R/7EBCE6DE 2007-11-14
uid KevDog (Kevdog) <email@gmail.com>
uid [jpeg image of size 3122]
sub 4096R/E4193E1A 2008-02-15
pub 2048R/3A3A2A81 2008-05-27
uid fwknopd (fwknop server key) <fwknopd@localhost>
sub 2048R/81C0D5C6 2008-05-27
Server:
Code:
root@sudarshan:/etc/fwknop# gpg --list-keys
gpg: WARNING: This version has been built with support for the Camellia cipher.
gpg: It is for testing only and is NOT for production use!
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/3A3A2A81 2008-05-27
uid fwknopd (fwknop server key) <fwknopd@localhost>
sub 2048R/81C0D5C6 2008-05-27
pub 4096R/7EBCE6DE 2007-11-14
uid Kevdog (Kevdog) <email@gmail.com>
uid [jpeg image of size 3122]
sub 4096R/E4193E1A 2008-02-15
My access.conf file on the server (similar to yours -- relevant section):
Code:
### default Single Packet Authorization (SPA) via libpcap:
SOURCE: ANY;
OPEN_PORTS: tcp/22; ### for ssh (change for access to other services)
#KEY: <key>;
DATA_COLLECT_MODE: PCAP;
GPG_REMOTE_ID: 7EBCE6DE;
GPG_DECRYPT_ID: 3A3A2A81;
GPG_DECRYPT_PW: <password>;
GPG_HOME_DIR: /root/.gnupg;
FW_ACCESS_TIMEOUT: 30;
My command line that connected from client to server (notice this is different from yours):
Code:
$ fwknop -A tcp/22 --gpg-recip 3A3A2A81 --gpg-sign 7EBCE6DE -s -D 192.168.1.105
[+] Starting fwknop client (SPA mode)...
[+] Enter the GnuPG password for signing key: 7EBCE6DE
GnuPG signing password:
[+] Building encrypted Single Packet Authorization (SPA) message...
[+] Packet fields:
Random data: 2659950876413823
Username: klal
Timestamp: 1212585655
Version: 1.9.4
Type: 1 (access mode)
Access: 0.0.0.0,tcp/22
SHA256 digest: l6S1cxMko5vmvc8+GQ0Ufm4nXZBTtrDqGEto94kSip8
[+] Sending 1340 byte message to 192.168.1.105 over udp/62201...
And resultant log on server:
Code:
Jun 4 08:21:03 sudarshan fwknopd: received valid GnuPG encrypted packet (signed with required key ID: "7EBCE6DE") from: 192.168.1.103, remote user: klal, client version: 1.9.4 (SOURCE line num: 115)
Jun 4 08:21:03 sudarshan fwknopd: add FWKNOP_INPUT 192.168.1.103 -> 0.0.0.0/0(tcp/22) ACCEPT rule 30 sec
Jun 4 08:21:34 sudarshan fwknop(knoptm): removed iptables FWKNOP_INPUT ACCEPT rule for 192.168.1.103 -> 0.0.0.0/0(tcp/22), 30 sec timeout exceeded
Testing:
To see if the port was actually opened:
Client, before fwknop invocation:
Code:
$ nmap -p 22 192.168.1.105
Starting Nmap 4.62 ( http://nmap.org ) at 2008-06-04 08:37 Central Daylight Time
Interesting ports on 192.168.1.105:
PORT STATE SERVICE
22/tcp filtered ssh
MAC Address: 00:40:96:AF:E3:0C (Cisco Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.692 seconds
Client, after invocation:
Code:
$ nmap -p 22 192.168.1.105
Starting Nmap 4.62 ( http://nmap.org ) at 2008-06-04 08:38 Central Daylight Time
Interesting ports on 192.168.1.105:
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:40:96:AF:E3:0C (Cisco Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.444 seconds
Probably not helpful, except that my command-line invocation was different.
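The "double-check gpg --list-keys" step above is easy to automate. The script below is an added example, not part of the post or of fwknop itself: it cross-checks the GPG_REMOTE_ID and GPG_DECRYPT_ID lines of an fwknopd access.conf against a `gpg --list-keys` listing and reports any key ID the keyring does not carry. The access.conf text and keyring listing are constructed copies of what appears in the post, embedded so the script runs offline; on a real server you would feed it the actual file and the output of `gpg --homedir /root/.gnupg --list-keys --keyid-format short` (short IDs, because that is the form fwknopd's config uses). The function names are my own.

```shell
#!/bin/sh
# Added example (not fwknop code): check that the key IDs named in an fwknopd
# access.conf are present in the server's GPG public keyring.
set -eu

# Constructed copy of the access.conf section shown in the post.
SAMPLE_ACCESS_CONF='### default Single Packet Authorization (SPA) via libpcap:
SOURCE: ANY;
OPEN_PORTS: tcp/22;  ### for ssh (change for access to other services)
#KEY: <key>;
DATA_COLLECT_MODE: PCAP;
GPG_REMOTE_ID: 7EBCE6DE;
GPG_DECRYPT_ID: 3A3A2A81;
GPG_DECRYPT_PW: <password>;
GPG_HOME_DIR: /root/.gnupg;
FW_ACCESS_TIMEOUT: 30;'

# Constructed copy of the server-side "gpg --list-keys" output (short key IDs).
SAMPLE_SERVER_KEYS='/root/.gnupg/pubring.gpg
------------------------
pub   2048R/3A3A2A81 2008-05-27
uid                  fwknopd (fwknop server key) <fwknopd@localhost>
sub   2048R/81C0D5C6 2008-05-27
pub   4096R/7EBCE6DE 2007-11-14
uid                  Kevdog (Kevdog) <email@gmail.com>
sub   4096R/E4193E1A 2008-02-15'

# access_value CONF_TEXT KEY
# Prints the value of a "KEY: value;" line with the trailing ';' and any
# "### comment" stripped. A commented-out line such as "#KEY: <key>;" is
# ignored because the pattern requires the key name at the start of the line.
access_value() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^;]*\);.*/\1/p" \
        | head -n 1
}

# keyring_has_id KEYLIST_TEXT KEYID
# Succeeds if a "pub" line of the listing carries that short key ID.
# Only primary keys count: fwknop's IDs refer to the primary key, not a subkey.
keyring_has_id() {
    printf '%s\n' "$1" | grep -Eq "^pub[[:space:]]+[0-9]+[A-Za-z]/$2[[:space:]]"
}

# check_spa_keys CONF_TEXT KEYLIST_TEXT
# Prints "ok" when both GPG_REMOTE_ID (the client's signing key) and
# GPG_DECRYPT_ID (the server's own key) are set and present in the keyring,
# otherwise "missing:" followed by the offending settings.
check_spa_keys() {
    conf=$1
    keys=$2
    missing=""
    for k in GPG_REMOTE_ID GPG_DECRYPT_ID; do
        id=$(access_value "$conf" "$k")
        if [ -z "$id" ]; then
            missing="$missing $k=unset"
        elif ! keyring_has_id "$keys" "$id"; then
            missing="$missing $k=$id"
        fi
    done
    if [ -z "$missing" ]; then
        echo ok
    else
        echo "missing:$missing"
    fi
}

# Run against the constructed samples; prints "ok" for the setup in the post.
check_spa_keys "$SAMPLE_ACCESS_CONF" "$SAMPLE_SERVER_KEYS"
```

This only proves the public keys are in the keyring. The server additionally needs the secret half of GPG_DECRYPT_ID (`gpg --list-secret-keys` in GPG_HOME_DIR) to decrypt the SPA packet, and the client needs the secret half of the `--gpg-sign` key, which is why the fwknop client prompts for a signing passphrase.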