Date: Sat, 15 Sep 2001 04:13:05 +1000 (EST)
From: Darren Reed <avalon@cairo.anu.edu.au>
To: karsten@rohrbach.de (Karsten W. Rohrbach)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: adding a win2k client to a bsd ipsec net - 2modes at once?
Message-ID: <200109141813.f8EID5hP019307@cairo.anu.edu.au>
In-Reply-To: <20010914133956.C25184@mail.webmonster.de> from "Karsten W. Rohrbach" at "Sep 14, 1 01:39:56 pm"
In some mail from Karsten W. Rohrbach, sie said:
> Darren Reed(avalon@cairo.anu.edu.au)@2001.09.14 21:06:21 +0000:
> > In some mail from Justin Stanford, sie said:
> > > Yes, I've also been wondering about BSD/win2k IPSec setups.. is it
> > > possible, has anyone made it work?
> >
> > yes and yes
>
> darren, could you please detail your configuration?
> i would be rather interested if you happen to have success using racoon
> or isakmpd and what tweaks i may have overlooked in the past (i did NOT
> get win2k to successfully establish phase2)...

FWIW, I am using a fairly recent KAME snapshot (20010806) on NetBSD-1.5.
At one point I needed to patch racoon to prevent it core dumping (that
patch is now in KAME-current).

For this, I used pre-shared keys (not certificates).

My racoon.conf for the win2k box looked like this:

    remote anonymous {
        exchange_mode main,base;
        proposal {
            encryption_algorithm des;
            hash_algorithm hmac_md5;
            authentication_method pre_shared_key ;
            dh_group 2 ;
        }
        proposal {
            encryption_algorithm des;
            hash_algorithm hmac_md5;
            authentication_method pre_shared_key ;
            dh_group 1 ;
        }
        proposal_check obey;
    }

    sainfo anonymous {
        encryption_algorithm des ;
        authentication_algorithm hmac_md5 ;
        compression_algorithm deflate ;
    }

I used DES-MD5 because I wanted to go for an easy, lowest common
denominator approach.

Oh, I was doing this all in transport mode (at first) but managed to get
it to work in point-to-point tunnel encryption too where the tunnel was
to the NetBSD box (default router) as you might do for a wavelan setup.
transport for netbsd-win2k crypto:

    spdadd netbsd win2k any -P out ipsec esp/transport//require;
    spdadd win2k netbsd any -P in ipsec esp/transport//require;

tunnel from win2k-netbsd for traffic to XXX:

    spdadd XXX win2k any -P out ipsec esp/tunnel/netbsd-win2k/require;
    spdadd win2k XXX any -P in ipsec esp/tunnel/win2k-netbsd/require;

The win2k configuration was a tad trickier and I'm not sure if I can
adequately describe it right now (box is off :).

For a wavelan setup, XXX might be 0.0.0.0/0 (all traffic).

Darren
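Added here as an example, not part of Darren's mail or of KAME: a small Python checker that parses setkey spdadd lines like the ones above and verifies that every out policy has its mirrored in policy (src/dst swapped, tunnel endpoints reversed), which is the usual slip when hand-writing SPD entries. The names netbsd, win2k and XXX are the mail's own placeholders, kept as-is in the constructed sample.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: the four SPD policies from the mail, placeholders kept.
SPD_FROM_MAIL = """
spdadd netbsd win2k any -P out ipsec esp/transport//require;
spdadd win2k netbsd any -P in ipsec esp/transport//require;
spdadd XXX win2k any -P out ipsec esp/tunnel/netbsd-win2k/require;
spdadd win2k XXX any -P in ipsec esp/tunnel/win2k-netbsd/require;
"""

class SpdRule(NamedTuple):
    src: str
    dst: str
    upper: str            # upper-layer protocol selector, e.g. "any"
    direction: str        # "in" or "out"
    proto: str            # "esp" or "ah"
    mode: str             # "transport" or "tunnel"
    tun_src: Optional[str]  # tunnel endpoints; None in transport mode
    tun_dst: Optional[str]
    level: str            # "require", "use" or "default"

# setkey(8) policy syntax: spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/[SRC-DST]/LEVEL;
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(esp|ah)/(transport|tunnel)/(?:([^/-]+)-([^/]+))?/(\w+)\s*;"
)

def parse_spd(text: str) -> list[SpdRule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPDADD_RE.fullmatch(line)
        if not m:
            raise ValueError(f"unparsed policy line: {line}")
        rules.append(SpdRule(*m.groups()))
    return rules

def mirror(rule: SpdRule) -> SpdRule:
    # The counterpart policy for the other direction: flows and endpoints reversed.
    return rule._replace(src=rule.dst, dst=rule.src,
                         direction="in" if rule.direction == "out" else "out",
                         tun_src=rule.tun_dst, tun_dst=rule.tun_src)

def check_symmetry(rules: list[SpdRule]) -> list[str]:
    problems, have = [], set(rules)
    for r in rules:
        if r.mode == "tunnel" and not (r.tun_src and r.tun_dst):
            problems.append(f"tunnel policy {r.src}->{r.dst} lacks endpoints")
        if mirror(r) not in have:
            problems.append(f"no mirrored policy for {r.direction} {r.src}->{r.dst} ({r.mode})")
    return problems
```

Run check_symmetry(parse_spd(open("spd.conf").read())) against a policy file before loading it with setkey; an empty list means every entry has its reverse-direction twin.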