From owner-freebsd-questions Sun Jul 21 11:49:00 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5A95137B412; Sun, 21 Jul 2002 11:48:43 -0700 (PDT)
Received: from internal.mail.telinco.net (internal.mail.telinco.net [212.1.128.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6377143E3B; Sun, 21 Jul 2002 11:48:42 -0700 (PDT) (envelope-from chris.scott@uk.tiscali.com)
Received: from mk-fw-1.router.uk.worldonline.com ([212.74.112.53] helo=viper) by internal.mail.telinco.net with smtp (Exim 3.22 #1) id 17WLl3-000Ori-00; Sun, 21 Jul 2002 19:48:41 +0100
Message-ID: <001001c230e7$3f22f770$a4102c0a@viper>
From: "chris scott"
To: "John Howie" , , ,
References:
Subject: Re: roaming ipsec policies and racoon
Date: Sun, 21 Jul 2002 19:48:47 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Thanks for all the advice, looks like a much bigger job than I intended 8(
If only MS gave us the openness of BSD, the whole thing would be so much simpler.

----- Original Message -----
From: "John Howie"
To: "'chris scott'" ;
Sent: Sunday, July 21, 2002 6:44 PM
Subject: RE: roaming ipsec policies and racoon

> Folks,
>
> Windows 2000 Server & Advanced Server come with Certificate Services.
> You can create either an Enterprise CA (integrated with AD) or a
> Standalone CA. When using a Standalone CA you can create your own Root
> CA self-signed certificate during the installation process (the
> Enterprise CA always issues itself a Root CA self-signed certificate).
>
> John
>
> P.S. I didn't post this back to the list - you may want to, though.
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of chris scott
> Sent: Saturday, July 20, 2002 5:35 PM
> To: admin@gbinetwork.com
> Cc: freebsd-security@FreeBSD.ORG; freebsd-questions@FreeBSD.ORG
> Subject: Re: roaming ipsec policies and racoon
>
> Yes it does, I believe. I have not looked into this yet though; does this
> mean I have to have a proper one from an authority that will cost me an
> arm and a leg?
>
> ----- Original Message -----
> From: "James Bristle"
> To:
> Sent: Sunday, July 21, 2002 1:24 AM
> Subject: Re: roaming ipsec policies and racoon
>
> > Does windows support certs?
> >
> > > Hi,
> > >
> > > I am currently playing with IPSEC and racoon to provide secure
> > > services for my users. They all use either FreeBSD or Windows 2k/XP
> > > clients. They unfortunately all have dynamic IPs 8(. I have
> > > successfully configured the ipsec policies and have got round the
> > > dynamic IP problem with the FreeBSD clients by using racoon's peer
> > > and my identifier features to initiate the shared key communication.
> > > This all works fine. However I don't know how to do the same thing
> > > with Windows 2000/XP. I can set up the ipsec policies on the clients
> > > easily enough, as I can the preshared key. I have no idea how to set
> > > the identifiers though. Without this racoon doesn't match a key in the
> > > psk.txt file, as it uses the host's IP rather than whatever@this.com
> > > and hence fails the key exchange. Has anyone got any clues to point me
> > > in the correct direction?
> > >
> > > Sample of the server's racoon conf:
> > >
> > > remote anonymous
> > > {
> > >     #exchange_mode main,aggressive;
> > >     exchange_mode aggressive,main;
> > >     doi ipsec_doi;
> > >     situation identity_only;
> > >
> > >     #my_identifier address;
> > >     my_identifier user_fqdn "random@wirdo.com";
> > >     peers_identifier user_fqdn "grebbit@wolly.com";
> > >     #certificate_type x509 "mycert" "mypriv";
> > >
> > >     nonce_size 16;
> > >     lifetime time 1 hour;    # sec,min,hour
> > >     initial_contact on;
> > >     support_mip6 on;
> > >     proposal_check obey;     # obey, strict or claim
> > >
> > >     proposal {
> > >         encryption_algorithm 3des;
> > >         hash_algorithm sha1;
> > >         authentication_method pre_shared_key;
> > >         dh_group 2;
> > >     }
> > > }
> > >
> > > Corresponding psk.txt entry:
> > >
> > > grebbit@wolly.com myrandomkey
> > >
> > > Sample of the FreeBSD client's racoon config:
> > >
> > > remote anonymous
> > > {
> > >     #exchange_mode main,aggressive;
> > >     exchange_mode aggressive,main;
> > >     doi ipsec_doi;
> > >     situation identity_only;
> > >
> > >     #my_identifier address;
> > >     my_identifier user_fqdn "grebbit@wolly.com";
> > >     peers_identifier user_fqdn "random@wirdo.com";
> > >     #certificate_type x509 "mycert" "mypriv";
> > >
> > >     nonce_size 16;
> > >     lifetime time 1 hour;    # sec,min,hour
> > >     initial_contact on;
> > >     support_mip6 on;
> > >     proposal_check obey;     # obey, strict or claim
> > >
> > >     proposal {
> > >         encryption_algorithm 3des;
> > >         hash_algorithm sha1;
> > >         authentication_method pre_shared_key;
> > >         dh_group 2;
> > >     }
> > > }
> > >
> > > Regards
> > >
> > > Chris Scott
> > >
> > > IMPORTANT NOTICE:
> > > This email may be confidential, may be legally privileged, and is for
> > > the intended recipient only. Access, disclosure, copying,
> > > distribution, or reliance on any of it by anyone else is prohibited and
> > > may be a criminal offence. Please delete if obtained in error and
> > > email confirmation to the sender.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
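The thread turns on two properties of the IKEv1 pre-shared-key exchange that the posted racoon configuration relies on, and the following is an added illustration of both in Python; it is not code from racoon, from the poster, or from any of the replies. First, the responder picks the key out of psk.txt by the identity the initiator sends in its ID payload, so a peer that identifies itself by IP address (as the poster says the Windows client does) never matches a user_fqdn entry. Second, with exchange_mode aggressive and authentication_method pre_shared_key, the responder's HASH_R goes out in message 2 unencrypted, and every other input to that hash (nonces, DH public values, cookies, the SA body and the responder ID) is visible in messages 1 and 2, so anyone who captures the exchange can guess the key offline. The DH public values and the SA body are stand-in random and fixed bytes rather than real group-2 arithmetic, the psk.txt contents and the client address 10.44.16.164 are constructed for the example, and the HMAC-SHA1 prf and the SKEYID/HASH_R formulas follow RFC 2409 for hash_algorithm sha1.

```python
"""IKEv1 aggressive mode with a pre-shared key, modelled after RFC 2409.

Added example for the racoon thread; not racoon's or the poster's code.
"""
import hashlib
import hmac
import secrets

ID_IPV4_ADDR = 1   # ISAKMP identification types, RFC 2407 section 4.6.2.1
ID_USER_FQDN = 3

# Constructed psk.txt in racoon's "<identifier> <key>" format. Throwaway keys.
PSK_TXT = """\
# identifier         key
grebbit@wolly.com    myrandomkey
10.0.0.7             static-office-box-key
"""


def load_psk_txt(text):
    """Parse psk.txt: one '<identifier> <key>' pair per line, '#' comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ident, key = line.split(None, 1)
        table[ident] = key.strip().encode()
    return table


def id_payload_body(id_type, ident):
    """IDx_b as hashed by IKE: type, protocol id, port, then the identity data."""
    if id_type == ID_IPV4_ADDR:
        data = bytes(int(octet) for octet in ident.split("."))
    else:
        data = ident.encode()
    return bytes([id_type, 0]) + b"\x00\x00" + data


def id_string(id_type, body):
    """The identifier string racoon matches against psk.txt, from an ID body."""
    data = body[4:]
    if id_type == ID_IPV4_ADDR:
        return ".".join(str(b) for b in data)
    return data.decode()


def skeyid_psk(psk, ni, nr):
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b); prf is HMAC-SHA1 here."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def hash_r(skeyid, gxr, gxi, cky_r, cky_i, sai_b, idir_b):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    msg = gxr + gxi + cky_r + cky_i + sai_b + idir_b
    return hmac.new(skeyid, msg, hashlib.sha1).digest()


def aggressive_mode(psk_table, initiator_id_type, initiator_id, initiator_psk):
    """Messages 1 and 2 of aggressive mode. Returns (key_found, auth_ok, capture).

    capture is everything an on-path observer sees in the clear."""
    # Message 1, initiator -> responder, unencrypted: SA, KE, Ni, IDii.
    cky_i = secrets.token_bytes(8)
    ni = secrets.token_bytes(16)                 # nonce_size 16, as in the posted config
    gxi = secrets.token_bytes(128)               # stand-in for the group-2 public value
    sai_b = b"\x00\x00\x00\x01" + b"3des-sha1-psk-dh2"   # stand-in SA payload body
    idii_b = id_payload_body(initiator_id_type, initiator_id)

    # Responder: the key is selected by the identity the initiator presented.
    key = psk_table.get(id_string(initiator_id_type, idii_b))
    if key is None:
        return False, False, None                # no psk.txt entry: exchange fails here

    # Message 2, responder -> initiator, still unencrypted: SA, KE, Nr, IDir, HASH_R.
    cky_r = secrets.token_bytes(8)
    nr = secrets.token_bytes(16)
    gxr = secrets.token_bytes(128)
    idir_b = id_payload_body(ID_USER_FQDN, "random@wirdo.com")
    h_r = hash_r(skeyid_psk(key, ni, nr), gxr, gxi, cky_r, cky_i, sai_b, idir_b)

    # Initiator checks HASH_R with its own copy of the key.
    expected = hash_r(skeyid_psk(initiator_psk, ni, nr), gxr, gxi, cky_r, cky_i, sai_b, idir_b)
    auth_ok = hmac.compare_digest(h_r, expected)

    capture = {"ni": ni, "nr": nr, "gxi": gxi, "gxr": gxr, "cky_i": cky_i,
               "cky_r": cky_r, "sai_b": sai_b, "idir_b": idir_b, "hash_r": h_r}
    return True, auth_ok, capture


def crack_psk(capture, wordlist):
    """Offline dictionary attack: recompute HASH_R from the capture for each guess."""
    c = capture
    for guess in wordlist:
        sk = skeyid_psk(guess.encode(), c["ni"], c["nr"])
        h = hash_r(sk, c["gxr"], c["gxi"], c["cky_r"], c["cky_i"], c["sai_b"], c["idir_b"])
        if hmac.compare_digest(h, c["hash_r"]):
            return guess
    return None


PSK_TABLE = load_psk_txt(PSK_TXT)

if __name__ == "__main__":
    found, ok, cap = aggressive_mode(PSK_TABLE, ID_USER_FQDN, "grebbit@wolly.com", b"myrandomkey")
    print("FreeBSD client, user_fqdn id: key found =", found, "auth ok =", ok)
    found, ok, _ = aggressive_mode(PSK_TABLE, ID_IPV4_ADDR, "10.44.16.164", b"myrandomkey")
    print("Windows client, address id:   key found =", found)
    print("PSK recovered from the capture:", crack_psk(cap, ["password", "letmein", "myrandomkey"]))
```

Two things follow for the setup in the thread. A roaming peer only works with a pre-shared key if its ID payload carries something stable that psk.txt can be keyed on, which is what the user_fqdn identifiers do for the FreeBSD clients; a client that can only send its (dynamic) address has nothing stable to match. And the reason aggressive mode is the mode that makes identifier-based lookup possible is also the reason it leaks HASH_R, so a psk.txt key used this way should be long and random, not a word. Moving to certificates, as the replies suggest, changes both: with authentication_method rsasig the responder does not need to choose a key by identity before the DH exchange, main mode sends the identities encrypted, and the hash is replaced by a signature over it, so the captured exchange no longer gives an attacker anything to guess against.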