Date:      Sat, 15 Sep 2001 04:13:05 +1000 (EST)
From:      Darren Reed <avalon@cairo.anu.edu.au>
To:        karsten@rohrbach.de (Karsten W. Rohrbach)
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: adding a win2k client to a bsd ipsec net - 2modes at once?
Message-ID:  <200109141813.f8EID5hP019307@cairo.anu.edu.au>
In-Reply-To: <20010914133956.C25184@mail.webmonster.de> from "Karsten W. Rohrbach" at "Sep 14, 1 01:39:56 pm"

In some mail from Karsten W. Rohrbach, sie said:
> Darren Reed(avalon@cairo.anu.edu.au)@2001.09.14 21:06:21 +0000:
> > In some mail from Justin Stanford, sie said:
> > > Yes, I've also been wondering about BSD/win2k IPSec setups.. is it
> > > possible, has anyone made it work?
> > 
> > yes and yes
> 
> darren, could you please detail your configuration?
> i would be rather interested if you happen to have success using racoon
> or isakmpd and what tweaks i may have overlooked in the past (i did NOT
> get win2k to successfully establish phase2)...

FWIW, I am using a fairly recent KAME snapshot (20010806) on NetBSD-1.5.
At one point I needed to patch racoon to prevent it core dumping (that
patch is now in KAME-current).

For this, I used pre-shared keys (not certificates).  My racoon.conf for
the win2k box looked like this:

remote anonymous
{
        exchange_mode main,base;
        proposal {
                encryption_algorithm des;
                hash_algorithm hmac_md5;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
        proposal {
                encryption_algorithm des;
                hash_algorithm hmac_md5;
                authentication_method pre_shared_key ;
                dh_group 1 ;
        }
        proposal_check obey;
}
sainfo anonymous
{
        encryption_algorithm des ;
        authentication_algorithm hmac_md5 ;
        compression_algorithm deflate ;
}

I used DES-MD5 because I wanted to go for an easy, lowest common
denominator approach.

Oh, I was doing this all in transport mode (at first) but managed to get
it to work in point-to-point tunnel encryption too where the tunnel was
to the NetBSD box (default router) as you might do for a wavelan setup.

transport for netbsd-win2k crypto:

spdadd netbsd win2k any -P out ipsec esp/transport//require;
spdadd win2k netbsd any -P in ipsec esp/transport//require;

tunnel from win2k-netbsd for traffic to XXX:

spdadd XXX win2k any -P out ipsec esp/tunnel/netbsd-win2k/require;
spdadd win2k XXX any -P in ipsec esp/tunnel/win2k-netbsd/require;

The win2k configuration was a tad trickier and I'm not sure if I
can adequately describe it right now (box is off :).  For a wavelan
setup, XXX might be 0.0.0.0/0 (all traffic).

Darren
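The racoon.conf in the mail above negotiates DES with HMAC-MD5 and DH groups 1 and 2, and sets proposal_check obey. As an added example (not code from the original mail or from the KAME/racoon project), the following script parses that block syntax and reports the settings a reviewer would flag today. The configuration text embedded in it is constructed to mirror the one in the post, and the weakness table is this example's own judgement, not anything racoon itself enforces.

```python
"""Lint racoon.conf phase-1 proposals and phase-2 sainfo blocks for weak or
lax settings.  Added example; the sample config is constructed to mirror the
one in the mail and the RISKY table is an assumption of this example."""
import re

# Constructed sample input, mirroring the configuration shown in the mail.
SAMPLE_CONF = """\
remote anonymous
{
        exchange_mode main,base;
        proposal {
                encryption_algorithm des;
                hash_algorithm hmac_md5;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
        proposal {
                encryption_algorithm des;
                hash_algorithm hmac_md5;
                authentication_method pre_shared_key ;
                dh_group 1 ;
        }
        proposal_check obey;
}
sainfo anonymous
{
        encryption_algorithm des ;
        authentication_algorithm hmac_md5 ;
        compression_algorithm deflate ;
}
"""

# Assumed table of settings worth flagging (this example's judgement).
RISKY = {
    ("encryption_algorithm", "des"): "56-bit DES is brute-forceable",
    ("hash_algorithm", "hmac_md5"): "MD5-based integrity is deprecated",
    ("authentication_algorithm", "hmac_md5"): "MD5-based integrity is deprecated",
    ("dh_group", "1"): "DH group 1 (768-bit MODP) is too small",
    ("dh_group", "2"): "DH group 2 (1024-bit MODP) is considered weak",
    ("proposal_check", "obey"): "responder accepts the initiator's lifetime and PFS group",
}


def parse_blocks(text):
    """Parse racoon-style 'name args { key value; nested { ... } }' text.

    Returns a list of (name, statements, children) tuples, where statements
    are (key, value) pairs and children are nested blocks in the same shape.
    """
    tokens = re.findall(r"\{|\}|;|[^\s{};]+", text)
    pos = 0

    def block(name):
        nonlocal pos
        stmts, children, cur = [], [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "}":
                return (name, stmts, children)
            if tok == "{":
                children.append(block(" ".join(cur)))
                cur = []
            elif tok == ";":
                if cur:
                    stmts.append((cur[0], " ".join(cur[1:])))
                cur = []
            else:
                cur.append(tok)
        raise ValueError("unterminated block " + name)

    top, cur = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            top.append(block(" ".join(cur)))
            cur = []
        else:
            cur.append(tok)
    return top


def audit(text):
    """Return findings as (block_path, key, value, reason) for every
    statement in the config that matches the RISKY table."""
    findings = []

    def walk(node, path):
        name, stmts, children = node
        here = path + [name]
        for key, value in stmts:
            reason = RISKY.get((key, value))
            if reason:
                findings.append(("/".join(here), key, value, reason))
        for child in children:
            walk(child, here)

    for node in parse_blocks(text):
        walk(node, [])
    return findings


if __name__ == "__main__":
    for path, key, value, reason in audit(SAMPLE_CONF):
        print(f"{path}: {key} {value}: {reason}")
```

Run against the sample it reports both phase-1 proposals (DES, HMAC-MD5, the DH group), the obey setting, and the DES/HMAC-MD5 pair in the sainfo block. The parser only understands the brace-and-semicolon subset used in the mail; real racoon.conf files with comments or quoted strings would need the tokenizer extended.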
