Date:      Sun, 21 Jul 2002 19:48:47 +0100
From:      "chris scott" <chris.scott@uk.tiscali.com>
To:        "John Howie" <JHowie@msn.com>, <admin@gbinetwork.com>, <freebsd-questions@freebsd.org>, <freebsd-security@freebsd.org>
Subject:   Re: roaming ipsec policies and racoon
Message-ID:  <001001c230e7$3f22f770$a4102c0a@viper>
References:  <DAEF28A9E7214B46AE7C7C66861F6308DF88@STKSRV1.securitytoolkit.com>

thanks for all the advice, looks like a much bigger job than I intended 8(
If only MS gave us the openness of bsd, the whole thing would be so much
simpler
----- Original Message -----
From: "John Howie" <JHowie@msn.com>
To: "'chris scott'" <chris.scott@uk.tiscali.com>; <admin@gbinetwork.com>
Sent: Sunday, July 21, 2002 6:44 PM
Subject: RE: roaming ipsec policies and racoon


> Folks,
>
> Windows 2000 Server & Advanced Server come with Certificate Services.
> You can create either an Enterprise CA (integrated with AD) or a
> Standalone CA. When using a Standalone CA you can create your own Root
> CA self-signed certificate during the installation process (the
> Enterprise CA always issues itself a Root CA self-signed certificate).
>
> John
>
> P.S. I didn't post this back to the list - you may want to, though.
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of chris scott
> Sent: Saturday, July 20, 2002 5:35 PM
> To: admin@gbinetwork.com
> Cc: freebsd-security@FreeBSD.ORG; freebsd-questions@FreeBSD.ORG
> Subject: Re: roaming ipsec policies and racoon
>
> yes it does I believe. I have not looked into this yet though, does this
> mean I have to have a proper one from an authority that will cost me an
> arm and a leg?
>
> ----- Original Message -----
> From: "James Bristle" <admin@gbinetwork.com>
> To: <chris.scott@uk.tiscali.com>
> Sent: Sunday, July 21, 2002 1:24 AM
> Subject: Re: roaming ipsec policies and racoon
>
>
> > does windows support certs ?
> >
> >
> > > Hi,
> > >
> > > I am currently playing with IPSEC and racoon to provide a secure
> > > service for my users. They all use either freebsd or windows 2k/XP
> > > clients. They unfortunately all have dynamic ips 8(. I have
> > > successfully configured the ipsec policies and have got round the
> > > dynamic IP problem with the freebsd clients by using racoon's peer and
> > > my identifier features to initiate the shared key communication. This
> > > all works fine. However I don't know how to do the same thing with
> > > windows 2000/XP. I can setup the ipsec policies on the clients easily
> > > enough, as I can the preshared key. I have no idea how to set the
> > > identifiers though. Without this racoon doesn't match a key in the
> > > psk.txt file as it uses the host's ip rather than whatever@this.com and
> > > hence fails the key exchange. Has anyone got any clues to point me in
> > > the correct direction?
> > >
> > > sample of the server's racoon conf
> > >
> > > remote anonymous
> > > {
> > >        #exchange_mode main,aggressive;
> > >        exchange_mode aggressive,main;
> > >        doi ipsec_doi;
> > >        situation identity_only;
> > >
> > >        #my_identifier address;
> > >        my_identifier user_fqdn "random@wirdo.com";
> > >        peers_identifier user_fqdn "grebbit@wolly.com";
> > >        #certificate_type x509 "mycert" "mypriv";
> > >
> > >        nonce_size 16;
> > >        lifetime time 1 hour;   # sec,min,hour
> > >        initial_contact on;
> > >        support_mip6 on;
> > >        proposal_check obey;    # obey, strict or claim
> > >
> > >        proposal {
> > >                encryption_algorithm 3des;
> > >                hash_algorithm sha1;
> > >                authentication_method pre_shared_key ;
> > >                dh_group 2 ;
> > >        }
> > > }
> > >
> > > corresponding psk entry
> > > grebbit@wolly.com myrandomkey
> > >
> > >
> > > sample of freebsd clients racoon config
> > >
> > > remote anonymous
> > > {
> > >        #exchange_mode main,aggressive;
> > >        exchange_mode aggressive,main;
> > >        doi ipsec_doi;
> > >        situation identity_only;
> > >
> > >        #my_identifier address;
> > >        my_identifier user_fqdn "grebbit@wolly.com";   # value must be a quoted string
> > >        peers_identifier user_fqdn "random@wirdo.com";
> > >        #certificate_type x509 "mycert" "mypriv";
> > >
> > >        nonce_size 16;
> > >        lifetime time 1 hour;   # sec,min,hour
> > >        initial_contact on;
> > >        support_mip6 on;
> > >        proposal_check obey;    # obey, strict or claim
> > >
> > >        proposal {
> > >                encryption_algorithm 3des;
> > >                hash_algorithm sha1;
> > >                authentication_method pre_shared_key ;
> > >                dh_group 2 ;
> > >        }
> > > }
> > >
> > >
> > > regards
> > >
> > >
> > > Chris Scott
> > >
> > >
> > > IMPORTANT NOTICE:
> > > This email may be confidential, may be legally privileged, and is for
> > > the intended recipient only.  Access, disclosure, copying,
> > > distribution, or reliance on any of it by anyone else is prohibited and
> > > may be a criminal offence.  Please delete if obtained in error and
> > > email confirmation to the sender.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?001001c230e7$3f22f770$a4102c0a>
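The thread turns on one detail of IKEv1 that the racoon config alone does not make visible: in main mode the peer's ID payload arrives encrypted (message 5), under keys already derived from the pre-shared key, so racoon can only choose the PSK by the peer's source address; in aggressive mode the ID is sent in cleartext in the first message, so a user_fqdn or fqdn entry in psk.txt can select the key whatever address the peer has today. That is why the FreeBSD clients (aggressive mode, user_fqdn) match "grebbit@wolly.com" while a Windows 2000/XP peer, whose built-in IKE uses main mode with a PSK and is identified by its IP, finds no entry once its address changes. The following model of racoon's psk.txt lookup is an added example, not racoon's own code and not part of the thread; the psk.txt layout ("<identifier> <key>", '#' comments, keys starting with 0x are hex) follows racoon's psk.txt(5) as I recall it, and the hostnames, addresses and keys other than the thread's "grebbit@wolly.com myrandomkey" entry are constructed for the example.

```python
"""Model of how racoon selects a pre-shared key from psk.txt.

Added example; not racoon's code. Assumptions: psk.txt layout as in
racoon's psk.txt(5); IKEv1 main mode carries the ID payload encrypted
in message 5 (key must already be chosen by address), aggressive mode
sends it in cleartext in message 1. Names/addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed psk.txt contents: the thread's entry plus two more.
PSK_TXT = """\
# identifier          key
grebbit@wolly.com     myrandomkey
laptop.example.org    0x6d7972616e646f6d6b6579
10.44.1.7             officekey
"""


def parse_psk(text: str) -> Dict[str, bytes]:
    """Parse psk.txt into {identifier: key_bytes}; raise on malformed lines."""
    keys: Dict[str, bytes] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"psk.txt line {lineno}: expected '<identifier> <key>'")
        ident, key = parts[0], parts[1].strip()
        # A key written as 0x... is hexadecimal; anything else is literal text.
        keys[ident] = bytes.fromhex(key[2:]) if key.startswith("0x") else key.encode()
    return keys


@dataclass(frozen=True)
class PeerId:
    """IKE phase-1 ID payload as racoon sees it: type plus value."""
    id_type: str  # "address", "fqdn" or "user_fqdn"
    value: str


def select_psk(keys: Dict[str, bytes], exchange_mode: str,
               peer_addr: str, peer_id: Optional[PeerId] = None) -> Optional[bytes]:
    """Pick the PSK for a peer the way the IKEv1 exchange allows.

    main mode:       the ID payload is encrypted under PSK-derived keys,
                     so the PSK must be chosen by source address alone.
    aggressive mode: the ID is in the cleartext first message, so an fqdn
                     or user_fqdn identifier can select the key regardless
                     of the peer's current address.
    """
    if exchange_mode == "main":
        return keys.get(peer_addr)
    if exchange_mode != "aggressive":
        raise ValueError(f"unknown exchange mode {exchange_mode!r}")
    if peer_id is not None and peer_id.id_type in ("fqdn", "user_fqdn"):
        return keys.get(peer_id.value)
    return keys.get(peer_addr)  # ID of type address: nothing better than the IP


def demo() -> Dict[str, Optional[bytes]]:
    """Three peers against the same psk.txt; addresses are constructed."""
    keys = parse_psk(PSK_TXT)
    return {
        # FreeBSD racoon client: aggressive mode, user_fqdn ID, dynamic IP -> key found
        "freebsd_dynamic": select_psk(keys, "aggressive", "203.0.113.5",
                                      PeerId("user_fqdn", "grebbit@wolly.com")),
        # Windows 2000/XP with a PSK: main mode, known only by its dynamic IP -> no key
        "windows_dynamic": select_psk(keys, "main", "203.0.113.9"),
        # A host with a fixed address can still use main mode with an address entry
        "fixed_address": select_psk(keys, "main", "10.44.1.7"),
    }


if __name__ == "__main__":
    for name, key in demo().items():
        print(name, "->", "no PSK found" if key is None else key)
```

Two practitioner notes on the setup in the thread. Aggressive mode with a pre-shared key sends the authentication hash where an on-path observer can capture it and run an offline dictionary attack on the PSK, so the key in psk.txt should be long and random (the 0x hex form is convenient for that), and psk.txt itself should be readable by root only. Second, with `remote anonymous` the `peers_identifier` line only constrains the peer if `verify_identifier on;` is also set; without it the received ID is used to look up the key but not checked against the configured value.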