From owner-freebsd-security Mon Feb 11 18:25:59 2002
Delivered-To: freebsd-security@freebsd.org
Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67])
	by hub.freebsd.org (Postfix) with ESMTP id 9D21437B485
	for ; Mon, 11 Feb 2002 18:17:01 -0800 (PST)
Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110])
	by newman2.bestweb.net (Postfix) with ESMTP id F19C12317C
	for ; Mon, 11 Feb 2002 21:16:47 -0500 (EST)
Received: by okeeffe.bestweb.net (Postfix, from userid 0)
	id 079C39F292; Mon, 11 Feb 2002 21:11:52 -0500 (EST)
To: security@freebsd.org
Subject: Re: Questions (Rants?) About IPSEC
Date: Thu, 07 Feb 2002 20:30:24 -0500
From: "James F. Hranicky"
Message-Id: <20020212021152.079C39F292@okeeffe.bestweb.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

"James F. Hranicky" wrote in message
news:list.freebsd.security#20020207163347.51C606B29@mail.cise.ufl.edu...

> I don't understand what you mean here, ipsec doesn't require something
> special from routing.

Hmmm...well, what I'd like is to be able to query the router for the nets
that are behind it, and automagically add those to the IPSEC config.

> There are some new RFCs about natting ipsec tunnel packets.
> You can only nat tunnel packets because the outer headers are not
> authenticated.

I mean NATting them after decryption, so they can find their way back to an
arbitrary IPSEC router within the internal net and not go back out the
border router due to the outside source address. I sent a post detailing
this a couple of weeks ago. ("IPSEC into network behind the primary router",
1/17/02)

> > o Is this really the case, or am I just wrong here?

> Every ipsec endpoint needs its own private key + certificate + CA
> certificate, that's all.

Great! What a relief. I guess I've had a hard time understanding racoon.conf.
> The intention with ipsec is that you don't need all public certs from all
> your peers.
> You only need (all) CA certs.
> If you start a session, the remote party (racoon) sends its cert.
> Your local racoon looks if it has a CA cert which has signed your peer's
> cert.
> It then verifies the peer cert.
> This is also the only way for mobile users.

Ok, great.

> You should really first do some tests with ipsec.
> I used 2 freebsd machines (inside vmware).
> There are numerous examples on the net which clarify your questions.
> It works with win2000,
> with pre-shared authentication keys, associated with ip addresses.
> with cert authentication, associated with x509 names/email addresses.

Awesome. I've been searching the 'net for quite a while, but the docs I've
found seemed on the terse side. I'll give it a go and see what happens.

I have been able to get simple transport mode + shared secrets working, so
now I'll try out the certs.

Thanks a ton!

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
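The verification flow described in the quoted reply (the local racoon keeps only CA certificates, receives the peer's certificate during IKE, looks for a trusted CA that signed it, and ties the result to an X.509 name) as an added example in Go; it is not part of this thread and not racoon's code. Go's crypto/x509 stands in for racoon's verifier, and the CA names, gateway names and serial numbers are constructed for the demonstration. It also shows the two failure cases a practitioner wants to see rejected: a correctly named certificate issued by a CA we never installed, and a valid certificate presented under the wrong identity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a fresh P-256 key and an X.509 certificate for it. With
// isCA set the cert is self-signed (a CA root); otherwise it is issued by
// parent and signed with parentKey. Every name used here is constructed.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// scenario: the CA we operate, a peer gateway under it, and a gateway with
// the same name whose certificate comes from a CA our racoon was never given.
type scenario struct {
	trusted *x509.CertPool    // local CA store: CA certs only, no peer certs
	peerOK  *x509.Certificate // what a legitimate peer sends during IKE
	peerBad *x509.Certificate // what an endpoint under an unknown CA sends
}

func buildScenario() (*scenario, error) {
	caKey, caCert, err := newCert("Constructed VPN CA", 1, true, nil, nil)
	if err != nil {
		return nil, err
	}
	otherKey, otherCert, err := newCert("Unrelated CA", 1, true, nil, nil)
	if err != nil {
		return nil, err
	}
	_, peerOK, err := newCert("gw2.example.internal", 2, false, caCert, caKey)
	if err != nil {
		return nil, err
	}
	_, peerBad, err := newCert("gw2.example.internal", 3, false, otherCert, otherKey)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert) // the only thing distributed in advance: the CA cert
	return &scenario{trusted: pool, peerOK: peerOK, peerBad: peerBad}, nil
}

// verifyPeer mirrors the step the quoted reply attributes to racoon: take the
// certificate the peer just sent, find a trusted CA that signed it, validate
// the chain, then check the X.509 name against the expected peer identity.
func verifyPeer(trusted *x509.CertPool, peer *x509.Certificate, wantCN string) error {
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return err
	}
	if peer.Subject.CommonName != wantCN {
		return fmt.Errorf("peer identity %q does not match expected %q", peer.Subject.CommonName, wantCN)
	}
	return nil
}

func main() {
	s, err := buildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted CA, expected name:", verifyPeer(s.trusted, s.peerOK, "gw2.example.internal"))
	fmt.Println("unknown CA, same name:    ", verifyPeer(s.trusted, s.peerBad, "gw2.example.internal"))
}
```

The point the example makes concrete is the one in the quoted text: the store holds nothing but CA certificates, so a mobile user whose certificate was never seen before is accepted as long as a trusted CA signed it, while a certificate with the right name from an unknown CA is rejected regardless of its contents. In racoon.conf the two checks correspond to certificate chain verification against the configured CA certificate (`verify_cert`) and the identity match against `peers_identifier`.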