From owner-freebsd-security Fri Sep 14 11:13:15 2001
From: Darren Reed
Message-Id: <200109141813.f8EID5hP019307@cairo.anu.edu.au>
Subject: Re: adding a win2k client to a bsd ipsec net - 2modes at once?
In-Reply-To: <20010914133956.C25184@mail.webmonster.de> from "Karsten W. Rohrbach" at "Sep 14, 1 01:39:56 pm"
To: karsten@rohrbach.de (Karsten W. Rohrbach)
Date: Sat, 15 Sep 2001 04:13:05 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG

In some mail from Karsten W. Rohrbach, sie said:
> Darren Reed(avalon@cairo.anu.edu.au)@2001.09.14 21:06:21 +0000:
> > In some mail from Justin Stanford, sie said:
> > > Yes, I've also been wondering about BSD/win2k IPSec setups.. is it
> > > possible, has anyone made it work?
> >
> > yes and yes
>
> darren, could you please detail your configuration?
> i would be rather interested if you happen to have success using racoon
> or isakmpd and what tweaks i may have overlooked in the past (i did NOT
> get win2k to successfully establish phase2)...

FWIW, I am using a fairly recent KAME snapshot (20010806) on NetBSD-1.5.
At one point I needed to patch racoon to prevent it core dumping (that
patch is now in KAME-current).

For this, I used pre-shared keys (not certificates).

My racoon.conf for the win2k box looked like this:

remote anonymous {
        exchange_mode main,base;
        proposal {
                encryption_algorithm des;
                hash_algorithm hmac_md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
        proposal {
                encryption_algorithm des;
                hash_algorithm hmac_md5;
                authentication_method pre_shared_key;
                dh_group 1;
        }
        proposal_check obey;
}

sainfo anonymous {
        encryption_algorithm des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

I used DES-MD5 because I wanted to go for an easy, lowest common
denominator approach.

Oh, I was doing this all in transport mode (at first) but managed to get
it to work in point-to-point tunnel encryption too where the tunnel was to
the NetBSD box (default router) as you might do for a wavelan setup.

transport for netbsd-win2k crypto:

spdadd netbsd win2k any -P out ipsec esp/transport//require;
spdadd win2k netbsd any -P in ipsec esp/transport//require;

tunnel from win2k-netbsd for traffic to XXX:

spdadd XXX win2k any -P out ipsec esp/tunnel/netbsd-win2k/require;
spdadd win2k XXX any -P in ipsec esp/tunnel/win2k-netbsd/require;

The win2k configuration was a tad trickier and I'm not sure if I can
adequately describe it right now (box is off :).

For a wavelan setup, XXX might be 0.0.0.0/0 (all traffic).

Darren
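The SPD entries in Darren's mail come in mirrored pairs: every "out" policy has an "in" policy with source and destination swapped, and for tunnel mode the tunnel endpoints are swapped as well. Getting one of those halves wrong is a common way to end up with traffic silently flowing in one direction only, or with the "use" level quietly permitting cleartext when no SA exists. The following checker is an added example written for this archive page, not code from the mail or from KAME; it parses setkey spdadd lines, verifies that each policy has its mirror, and flags any policy whose level is weaker than "require". The sample input is constructed: it is the policy set from the mail with the host placeholders replaced by RFC 5737 documentation addresses (netbsd as 192.0.2.1, win2k as 192.0.2.2, XXX as 0.0.0.0/0).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the transport pair and the tunnel pair from the
# mail, with placeholder names replaced by documentation addresses.
SAMPLE_SPD = """
spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;
spdadd 192.0.2.2 192.0.2.1 any -P in  ipsec esp/transport//require;
spdadd 0.0.0.0/0 192.0.2.2 any -P out ipsec esp/tunnel/192.0.2.1-192.0.2.2/require;
spdadd 192.0.2.2 0.0.0.0/0 any -P in  ipsec esp/tunnel/192.0.2.2-192.0.2.1/require;
"""


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    upper: str           # upper-layer protocol selector, e.g. "any"
    direction: str       # "in" or "out"
    proto: str           # "esp" or "ah"
    mode: str            # "transport" or "tunnel"
    tun_src: Optional[str]  # tunnel endpoints; None in transport mode
    tun_dst: Optional[str]
    level: str           # "require", "use", "default", ...


# spdadd <src> <dst> <upper> -P <dir> ipsec <proto>/<mode>/[<tsrc>-<tdst>]/<level>;
SPD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<proto>esp|ah)/(?P<mode>transport|tunnel)/(?P<ep>[^/]*)/(?P<level>\w+)\s*;\s*$"
)


def parse_spd(text: str) -> List[Policy]:
    """Parse setkey-style spdadd lines; blank lines and '#' comments are skipped."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SPD_RE.match(line)
        if not m:
            raise ValueError(f"unparseable spdadd line: {line!r}")
        ep = m.group("ep")
        if m.group("mode") == "tunnel":
            if "-" not in ep:
                raise ValueError(f"tunnel policy needs src-dst endpoints: {line!r}")
            tun_src, tun_dst = ep.split("-", 1)
        else:
            if ep:
                raise ValueError(f"transport policy must not carry endpoints: {line!r}")
            tun_src = tun_dst = None
        policies.append(Policy(m.group("src"), m.group("dst"), m.group("upper"),
                               m.group("dir"), m.group("proto"), m.group("mode"),
                               tun_src, tun_dst, m.group("level")))
    return policies


def expected_mirror(p: Policy) -> Policy:
    """The policy the opposite direction must carry for p to be symmetric:
    selector src/dst swapped, direction flipped, tunnel endpoints swapped."""
    return Policy(src=p.dst, dst=p.src, upper=p.upper,
                  direction="in" if p.direction == "out" else "out",
                  proto=p.proto, mode=p.mode,
                  tun_src=p.tun_dst, tun_dst=p.tun_src, level=p.level)


def audit_spd(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the SPD is consistent."""
    policies = parse_spd(text)
    present = set(policies)
    findings = []
    for p in policies:
        mirror = expected_mirror(p)
        if mirror not in present:
            findings.append(f"{p.direction} policy {p.src}->{p.dst} ({p.mode}) "
                            f"has no matching {mirror.direction} policy")
        # Only 'require' refuses to pass the packet when no SA exists.
        if p.level != "require":
            findings.append(f"{p.direction} policy {p.src}->{p.dst}: level "
                            f"'{p.level}' permits cleartext when no SA is up")
    return findings


if __name__ == "__main__":
    for finding in audit_spd(SAMPLE_SPD) or ["SPD is symmetric and enforces IPsec"]:
        print(finding)
```

Feed it the output of `setkey -DP` (with the kernel's extra lines filtered out) or the spdadd block from a setkey script. The mirror check treats the tunnel endpoint pair as part of the identity of a policy, so a tunnel entry whose endpoints were copied rather than reversed is reported from both sides. The phase 1 and phase 2 algorithm choices in racoon.conf are outside this checker's scope; the des and hmac_md5 settings in the mail were a 2001 lowest common denominator and a current proposal would use AES and a SHA-2 HMAC.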