From owner-freebsd-security@FreeBSD.ORG Thu Nov 15 11:40:52 2007
Date: Thu, 15 Nov 2007 03:14:04 -0800 (PST)
From: john decot
To: freebsd-security@freebsd.org
Subject: IPSEC help
Message-ID: <199790.94058.qm@web55411.mail.re4.yahoo.com>
List-Id: "Security issues [members-only posting]"

Hi,

I am new to IPsec and am trying to connect my BSD server with Windows 2000. I have succeeded in tunnelling using a pre-shared key, but with certificates I have not succeeded.
The following is the configuration:

racoon.conf:

path certificate "/usr/local/openssl/certs" ;

# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
log debug;

remote anonymous
{
    exchange_mode main,aggressive,base;
    #exchange_mode main,base;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    certificate_type x509 "bsd.public" "bsd.priv" ;
    lifetime time 24 hour ;    # sec,min,hour
    #initial_contact off ;
    #passive on ;

    # phase 1 proposal (for ISAKMP SA)
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig ;
        dh_group 2 ;
    }

    # the configuration makes racoon (as a responder) obey the
    # initiator's lifetime and PFS group proposal.
    # this makes testing so much easier.
    proposal_check obey;
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
    # pfs_group 2;
    lifetime time 12 hour ;
    encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}
--------------------------END------------------------------------------------------------------

The certificates are created on the BSD box with the following commands:

openssl req -new -nodes -newkey rsa:1024 -sha1 -days 1095 -keyout bsd.private -out request.pem
openssl x509 -req -in request.pem -days 1095 -signkey bsd.private -out bsd.public
openssl pkcs12 -export -inkey bsd.private -in bsd.public -out win.p12 -name "win cert"
ln -s bsd.public `openssl x509 -noout -hash -in bsd.public`.0

I have used win.p12 on the Windows 2000 Professional box for this process.

Please, anyone, help me out to configure it.

Thank you,
Regards,
John
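As an added example (not part of John's message and not racoon's own code), here is a small stdlib-only Python check that reads the certificate settings out of a racoon.conf fragment and compares them with a directory listing, so that a mis-named file or a missing hash link is caught before racoon is started. The config fragment, the directory contents and the `0123abcd.0` link name below are constructed from the post (the real link name is whatever `openssl x509 -hash` prints); the listing stands in for a real `ls` of the certificate directory. Run against the posted settings it reports that the key file named in `certificate_type` (`bsd.priv`) is not the file the openssl commands write (`bsd.private`), which is one of the first things to rule out before looking at the Windows side.

```python
"""Sanity-check the certificate references in a racoon.conf fragment.

Added example (not from the post): parses the ``path certificate`` and
``certificate_type x509 "<cert>" "<key>"`` settings and compares them with a
directory listing, so a file-name mismatch or a missing <hash>.0 link shows
up before racoon is started.  Standard library only.
"""
import difflib
import re
from typing import Dict, List

# Constructed: the certificate-related lines of the posted racoon.conf.
RACOON_CONF = '''
path certificate "/usr/local/openssl/certs" ;
remote anonymous {
    my_identifier asn1dn;
    peers_identifier asn1dn;
    certificate_type x509 "bsd.public" "bsd.priv" ;
    proposal {
        authentication_method rsasig ;
    }
}
'''

# Constructed: what `ls -l /usr/local/openssl/certs` would show after the
# openssl/ln commands in the post.  "0123abcd" is a placeholder for the
# subject hash that `openssl x509 -noout -hash` prints.
CERT_DIR_LISTING: Dict[str, str] = {
    "bsd.private": "file",
    "bsd.public": "file",
    "request.pem": "file",
    "win.p12": "file",
    "0123abcd.0": "symlink -> bsd.public",
}

_PATH_RE = re.compile(r'path\s+certificate\s+"([^"]+)"\s*;')
_CERT_RE = re.compile(r'certificate_type\s+x509\s+"([^"]+)"\s+"([^"]+)"\s*;')
_AUTH_RE = re.compile(r'authentication_method\s+(\w+)\s*;')


def parse_cert_settings(conf: str) -> dict:
    """Pull the certificate directory, cert/key file names and auth methods."""
    path = _PATH_RE.search(conf)
    cert = _CERT_RE.search(conf)
    return {
        "path": path.group(1) if path else None,
        "cert": cert.group(1) if cert else None,
        "key": cert.group(2) if cert else None,
        "auth_methods": _AUTH_RE.findall(conf),
    }


def check_racoon_certs(conf: str, listing: Dict[str, str]) -> List[str]:
    """Return human-readable problems; an empty list means the references line up."""
    settings = parse_cert_settings(conf)
    issues: List[str] = []

    # rsasig without a certificate_type line can never authenticate.
    if "rsasig" in settings["auth_methods"] and settings["cert"] is None:
        issues.append("authentication_method rsasig but no certificate_type x509 line")

    # Every referenced file must exist in the certificate directory; when one
    # does not, suggest the closest existing name (catches typos like priv/private).
    for role in ("cert", "key"):
        name = settings[role]
        if name is None or name in listing:
            continue
        hints = difflib.get_close_matches(name, list(listing), n=1, cutoff=0.6)
        msg = f"{role} file {name!r} not found in {settings['path']}"
        if hints:
            msg += f" (did you mean {hints[0]!r}?)"
        issues.append(msg)

    # racoon verifies the peer's certificate through OpenSSL's hashed-directory
    # lookup, which expects the CA certificate as <subject-hash>.0 in that
    # directory; with a self-signed cert the link must point at the cert itself.
    if not any(entry.endswith(".0") for entry in listing):
        issues.append("no <subject-hash>.0 link in the certificate directory")

    return issues


if __name__ == "__main__":
    for problem in check_racoon_certs(RACOON_CONF, CERT_DIR_LISTING) or ["OK"]:
        print(problem)
```

To use it on a real host, replace `CERT_DIR_LISTING` with the entries from `os.listdir()` of the directory named in `path certificate`; the check only compares names, it does not verify that the key actually matches the certificate, which `openssl rsa -modulus` / `openssl x509 -modulus` would do.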