Date: Fri, 11 Oct 2002 16:53:07 +0200
From: Daniel Lang <dl@leo.org>
To: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: IPsec AH tunneling from Windows/Linux clients to FreeBSD server
Message-ID: <20021011145307.GH22608@atrbg11.informatik.tu-muenchen.de>
Hi,

I need to set up FreeBSD IPsec servers to accept IPsec connections from BSD, Windows and Linux clients. AH is required on the line; ESP would be nice to have. PPTP should not be used.

The clients and the server are _not_ on the same subnet, i.e. traffic must be routed. To make things a bit more complicated, the clients need to authenticate themselves with X.509 certificates against the server. The clients are not known in advance and may have dynamic IP addresses. However, their certificate will be registered.

Is this possible? As far as my research and browsing through various documentation and howtos goes, I came to the following conclusion. Please verify if my assumptions are correct and/or provide additional hints.

- ESP knows "tunnel" and "transport" mode. W2K is not able to do the real "tunnel" mode, but requires PPTP for this, but "transport" mode should work fine.
- But, since the clients and the IPsec gateway (server) are not on the same subnet, I guess it requires a tunnel? Is this correct?
- For AH, there is a tunnel mode but there seems to be an "old" (or outdated) mode. Does Windows support this? Which one would work?
- Racoon seems to be able to negotiate any AH/ESP policy with various encryption/hashing algorithms. But some combinations may not work. Are these known?
- If I need tunneling, how can the tunnels be set up dynamically? I guess there are pieces of software around called "tunnelbroker" (mainly for IPv6/IPv4 tunnels?), could such a service be used?

Here is what I tried first, to get things started at all: I followed the detailed instructions on:

  http://www.daemonnews.org/200101/ipsec-howto.html

This seems to set up an IPsec ESP connection in transport mode between a W2K client and a FreeBSD server with KAME/racoon. From racoon's debug output, the key negotiation failed due to:

[..]
2002-10-11 16:04:54: DEBUG: isakmp.c:218:isakmp_handler(): ===
2002-10-11 16:04:54: DEBUG: isakmp.c:219:isakmp_handler(): 60 bytes message received from 10.0.1.1[500]
2002-10-11 16:04:54: DEBUG: plog.c:193:plogdump():
6a0d27c6 e59016ae 32b789d3 43e5bec8 05100201 00000000 0000003c 95e30fad
7b60d5cb 6425d731 c76cfa32 56c4eabb 7b2bd6e3 27f3619f e783d9dc
2002-10-11 16:04:54: DEBUG: isakmp.c:2245:isakmp_printpacket(): begin.
04:54.152226 10.0.1.1:500 -> 10.0.2.1:500: isakmp 1.0 msgid 00000000 cookie 6a0d27c6e59016ae->32b789d343e5bec8: phase 1 ? ident[E]: [|id]
2002-10-11 16:04:54: DEBUG: isakmp.c:396:isakmp_main(): malformed cookie received or the spi expired.
[..]

I'm not sure where to locate the nature of the problem of this very simple setup, which is still far from my requirements (this also uses a 'pre-shared key' instead of certs).

Any more references or hints greatly appreciated.

Best regards,
 Daniel
--
IRCnet: Mr-Spock - Cool people don't move, they just hang around. -
Daniel Lang * dl@leo.org * ++49 89 289 18532 * http://www.leo.org/~dl/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
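The racoon excerpt quoted in the mail contains enough to decode the packet that was rejected: plogdump() prints the raw bytes, and the first 28 of them are the ISAKMP header (RFC 2408). The following is an added example, written for this archive page and not code from the mail, from racoon or from the KAME project. It rebuilds the bytes from the plogdump() hex words, decodes the header fields, renders the same one-line summary tcpdump/isakmp_printpacket() produced, and flags what a responder has to check on such a packet. The sample input is the dump quoted in the mail; the function and constant names are this example's own.

```python
import re
import struct
from dataclasses import dataclass
from typing import List

# Constructed sample input: the plogdump() hex words quoted in the mail above.
SAMPLE_DUMP = (
    "6a0d27c6 e59016ae 32b789d3 43e5bec8 05100201 00000000 0000003c 95e30fad "
    "7b60d5cb 6425d731 c76cfa32 56c4eabb 7b2bd6e3 27f3619f e783d9dc"
)

ISAKMP_HEADER_LEN = 28  # RFC 2408 section 3.1: two 8-byte cookies, 4 single bytes, 2 uint32s
ZERO_COOKIE = "00" * 8

# RFC 2408 exchange types, with the short names tcpdump prints for them.
EXCHANGE_TYPES = {1: "base", 2: "ident", 3: "auth", 4: "agg", 5: "inf"}
# Next-payload ids that can follow the header of an IKEv1 message.
PAYLOAD_TYPES = {0: "none", 1: "sa", 4: "ke", 5: "id", 8: "hash", 10: "nonce", 11: "n", 12: "d", 13: "vid"}
# Header flag bits (encryption, commit, authentication-only) with tcpdump's letters.
FLAG_NAMES = {0x01: "E", 0x02: "C", 0x04: "A"}


@dataclass
class IsakmpHeader:
    initiator_cookie: str
    responder_cookie: str
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def phase(self) -> int:
        # Message ID 0 is used by phase 1 (main/aggressive mode); quick mode and
        # informational exchanges carry a non-zero message ID.
        return 1 if self.message_id == 0 else 2


def parse_plogdump(text: str) -> bytes:
    """Turn racoon's plogdump() hex words back into bytes.

    Assumes `text` holds only the dump words (the caller strips the log prefix).
    """
    words = text.split()
    if not all(re.fullmatch(r"[0-9a-fA-F]{2,8}", w) and len(w) % 2 == 0 for w in words):
        raise ValueError("not a plogdump hex string")
    return bytes.fromhex("".join(words))


def parse_isakmp_header(data: bytes) -> IsakmpHeader:
    """Decode the fixed 28-byte ISAKMP header at the start of `data`."""
    if len(data) < ISAKMP_HEADER_LEN:
        raise ValueError("packet shorter than an ISAKMP header")
    icookie, rcookie, nextp, version, exch, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", data[:ISAKMP_HEADER_LEN]
    )
    return IsakmpHeader(icookie.hex(), rcookie.hex(), nextp, version >> 4, version & 0x0F,
                        exch, flags, msgid, length)


def summarize(data: bytes) -> str:
    """Render the header the way tcpdump's isakmp printer does (minus the I/R/? marker)."""
    h = parse_isakmp_header(data)
    flags = "".join(name for bit, name in sorted(FLAG_NAMES.items()) if h.flags & bit)
    exch = EXCHANGE_TYPES.get(h.exchange_type, f"exch#{h.exchange_type}")
    return (f"isakmp {h.major_version}.{h.minor_version} msgid {h.message_id:08x} "
            f"cookie {h.initiator_cookie}->{h.responder_cookie}: phase {h.phase} {exch}[{flags}]")


def triage(data: bytes) -> List[str]:
    """Observations a responder makes before it can process the packet at all."""
    h = parse_isakmp_header(data)
    notes = []
    if h.length != len(data):
        notes.append(f"length field {h.length} disagrees with the {len(data)} bytes dumped")
    if h.initiator_cookie == ZERO_COOKIE:
        notes.append("initiator cookie is zero: malformed header")
    if h.message_id == 0 and h.responder_cookie != ZERO_COOKIE:
        # A phase 1 message that already names a responder cookie is a continuation:
        # the responder must still hold the phase 1 state keyed by this cookie pair.
        notes.append("phase 1 message with a responder cookie: matching phase 1 state must exist")
    if h.flags & 0x01:
        notes.append("encryption flag set: payloads after the header are unreadable without phase 1 keys")
    return notes


if __name__ == "__main__":
    packet = parse_plogdump(SAMPLE_DUMP)
    print(summarize(packet))
    for note in triage(packet):
        print(" -", note)
```

Run against the quoted dump, the summary comes out as `isakmp 1.0 msgid 00000000 cookie 6a0d27c6e59016ae->32b789d343e5bec8: phase 1 ident[E]`, i.e. the same decode racoon's printer logged: an encrypted main-mode message, 60 bytes as the length field says, whose next payload is an ID payload. The triage notes point at what racoon's "malformed cookie received or the spi expired" message is about: the packet names a responder cookie, so it can only be processed if the server still holds the phase 1 state for that cookie pair. When it does not (the state expired or was deleted, or the client kept a stale negotiation going), this is the log line you see, and the place to look is the earlier phase 1 messages for that cookie pair in both peers' logs rather than the algorithm configuration.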