Date: Fri, 12 Jan 2001 11:05:40 -0800
From: Boris
X-Mailer: The Bat! (v1.48f) Personal
Reply-To: Boris
Message-ID: <1322983510.20010112110540@x-itec.de>
To: Jorge Peixoto Vasquez
Cc: freebsd-net@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: IPSEC: racoon and Win2K
In-reply-To: <3A5B6E27.5787D716@aker.com.br>
References: <3A5B6E27.5787D716@aker.com.br>

Hello Jorge,

Tuesday, January 09, 2001, 12:01:43 PM, you wrote:

JPV> I've read the mini-howto on how to setup IPSEC on the FreeBSD
JPV> (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most
JPV> successful so far.

Thanks for reading our IPSEC-MINI-HOWTO.

JPV> The only problem I've encountered is that, when making Win2K and FreeBSD
JPV> interoperate, the IKE's phase 2 only succeeds if
JPV> Win2K initiates the process. If racoon is to start it, Win2k will not
JPV> accept any proposal for phase 2, complaining that the dh group number

I needed a connection from Win2k as initiator to my FreeBSD development server (FTP, CVS and so on) at the time of writing up the Win2k portability with FreeBSD. I never tested the way to connect from the BSD box to Win2k, because the BSD box should never initiate the connection first.
This way has some nice security advantages, too.

I think it's time to update the HOWTO soon. Until then, I will follow the comments on this list to collect some material for it, and if I am using one or two things from someone on this list, the person will be named in the tutorial, of course.

I am planning an SGML version of the HOWTO (DocBook 4.1 SGML) and to write some more background information on how everything works. I asked Josh about the idea, but until today I got no answer - maybe he is very busy at the moment. However, I will start updating the tutorial soon to make some things clearer. After making the update, I will contact Josh and then I will post a notification here.

Most of the questions people sent to me were always like these:

* they contacted us first: (they should first ask the list *ggg)
* phase commit errors: (no encryption pack installed)
* misunderstandings about ESP, why not to use SSH
* how to create SSL certificates and how to use them with IPsec/IKE
...

I will make these things clearer in the next update of the HOWTO. I will read some comments about the IPsec topic here on the list and after some weeks I will make a nice update, directly in SGML format so that it can be read as an HTML book.

JPV> (which should correctly be either 1 or 2) received is 1 or 2 (depending
JPV> on the pfs_group setting in racoon.conf) and not null(0). If I try
JPV> setting pfs_group to null, I get a parse error.

It takes some time for me to find a qualified solution, because I am writing and maintaining the HOWTO in my free time. I will try to find a solution, if you can explain to me why you want to establish the connection from the BSD box first.

JPV> All the docs I found in the kame site (www.kame.net), the handbook, and
JPV> the man pages haven't been of any help too.

We will see what we can do :-)

JPV> p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the
JPV> high-encryption pack and SP1 installed on the Win2K box.

OK, that's very good and very important.
--
Boris [MCSE, CNA]
...................................................................
X-ITEC : Consulting * Programming * Net-Security * Crypto-Research
........:
[PRIVATE ADDRESS:]
: Boris Köster   eMail koester@x-itec.de   http://www.x-itec.de
: Grüne 33 - 57368 Lennestadt, Germany   Tel: +49 (0)2721 989400
: 101 PERFECTION - SECURITY - STABILITY - FUNCTIONALITY
........:..........................................................
Everything I am writing is (c) by Boris Köster and may not be rewritten or distributed in any way without my permission.
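As an added illustration of the pfs_group point raised in this thread (not part of either mail, and not taken from the HOWTO): the racoon.conf phase 2 block that proposes a DH group beside the same block without one. The pfs_group directive is what puts a DH group into racoon's quick-mode proposal; PFS is switched off by leaving the directive out rather than writing a null value. The algorithms and lifetime below are assumptions chosen for illustration; only one of the two blocks would be used in a real file.

```conf
# Phase 2 (quick mode) settings for all peers.
# With pfs_group present, racoon proposes a DH group (here group 2)
# in every quick-mode exchange, i.e. Perfect Forward Secrecy.
sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

# Same block without PFS: the pfs_group line is simply omitted.
# A peer whose phase 2 policy has no PFS expects a proposal of
# this form (no DH group), which matches the "not null(0)" error
# quoted above.
# Trade-off: without PFS, a compromised phase 1 key exposes every
# phase 2 key derived from it, so keep PFS on both sides whenever
# the peer's policy allows it.
sainfo anonymous {
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

Whichever form is chosen, the PFS setting has to agree with the peer's quick-mode policy, otherwise phase 2 fails in one direction as described in the thread.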