Date:      Sun, 21 Jul 2002 01:16:18 +0100
From:      "chris scott" <chris.scott@uk.tiscali.com>
To:        <freebsd-questions@freebsd.org>, <freebsd-security@freebsd.org>
Subject:   roaming ipsec policies and racoon
Message-ID:  <008501c2304c$59fbd800$a4102c0a@viper>


Hi,

I am currently playing with IPsec and racoon to provide secure services for my users. They all use either FreeBSD or Windows 2k/XP clients. They unfortunately all have dynamic IPs 8(. I have successfully configured the IPsec policies and have got round the dynamic IP problem with the FreeBSD clients by using racoon's peers_identifier and my_identifier features to initiate the shared key communication. This all works fine. However, I don't know how to do the same thing with Windows 2000/XP. I can set up the IPsec policies on the clients easily enough, as I can the preshared key. I have no idea how to set the identifiers though. Without this racoon doesn't match a key in the psk.txt file, as it uses the host's IP rather than whatever@this.com, and hence fails the key exchange. Has anyone got any clues to point me in the correct direction?

sample of the server's racoon.conf

remote anonymous
{
        # Aggressive mode first: it carries the ID payload in the clear, so
        # racoon can select the PSK by identifier rather than by the peer's
        # (dynamic) source address, which is all main mode has to go on.
        #exchange_mode main,aggressive;
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        # Identify by user_fqdn instead of address; both strings must be quoted.
        #my_identifier address;
        my_identifier user_fqdn "random@wirdo.com";
        peers_identifier user_fqdn "grebbit@wolly.com";
        #certificate_type x509 "mycert" "mypriv";

        nonce_size 16;
        lifetime time 1 hour;   # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

corresponding psk.txt entry (identifier, whitespace, key)
grebbit@wolly.com myrandomkey


sample of the FreeBSD client's racoon.conf

remote anonymous
{
        #exchange_mode main,aggressive;
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        # The client's identifier is the key the server looks up in psk.txt.
        # user_fqdn values must be quoted strings in racoon.conf.
        #my_identifier address;
        my_identifier user_fqdn "grebbit@wolly.com";
        peers_identifier user_fqdn "random@wirdo.com";
        #certificate_type x509 "mycert" "mypriv";

        nonce_size 16;
        lifetime time 1 hour;   # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

regards


Chris Scott


IMPORTANT NOTICE:
This email may be confidential, may be legally privileged, and is for the
intended recipient only.  Access, disclosure, copying, distribution, or
reliance on any of it by anyone else is prohibited and may be a criminal
offence.  Please delete if obtained in error and email confirmation to the
sender.

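The key selection the post describes, as an added example that is not part of the original message or of racoon itself: a small Python emulation of how racoon parses psk.txt and picks a pre-shared key from the peer's ISAKMP ID payload. The psk.txt format details (comment lines, keys prefixed 0x read as hex) and the refusal of a psk.txt readable by group or others are my reading of racoon's behaviour; the sample file contents, the names newuser@wolly.com and laptop.wolly.com, and the address 192.0.2.10 are constructed for the example. It makes no claim about whether the Windows IKE client can be made to send a user_fqdn ID; it only shows why an ID consisting of a dynamic IP address finds no entry while the user_fqdn from the post does.

```python
"""Emulation of racoon's psk.txt lookup for roaming peers (added example,
not racoon's own code)."""
import ipaddress
import os
import secrets
import stat
import tempfile

# ID types as named by racoon.conf's my_identifier / peers_identifier.
ID_ADDRESS = "address"
ID_FQDN = "fqdn"
ID_USER_FQDN = "user_fqdn"

# Constructed sample psk.txt: the entry from the post plus a hex-keyed host.
SAMPLE_PSK_TXT = """\
# identifier          key
grebbit@wolly.com     myrandomkey
laptop.wolly.com      0x0123456789abcdef
"""


def parse_psk_text(text):
    """Parse psk.txt contents into {identifier: key_bytes}.

    Assumed format: one '<identifier> <key>' per line; lines whose first
    non-blank character is '#' are comments; a key prefixed with 0x is
    hexadecimal so that binary keys can be stored.
    """
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"psk.txt line {lineno}: expected '<identifier> <key>'")
        ident, key = parts
        table[ident] = bytes.fromhex(key[2:]) if key.startswith("0x") else key.encode("ascii")
    return table


def lookup_psk(table, id_type, id_value):
    """Return the key racoon would select for the peer's ID, or None.

    With 'remote anonymous' the ID payload is the only thing available to
    choose a key by, and it is matched as text against the first column of
    psk.txt. An address-type ID is validated so a typo is not mistaken for
    a missing entry; a peer on a dynamic address therefore matches nothing
    unless psk.txt happens to list its current IP.
    """
    if id_type == ID_ADDRESS:
        ipaddress.ip_address(id_value)  # raises ValueError if not an IP
    return table.get(id_value)


def new_psk(nbytes=32):
    """A random key; far stronger than a dictionary word like 'myrandomkey'."""
    return secrets.token_bytes(nbytes)


def write_psk_file(path, entries):
    """Write psk.txt with mode 0600 from the start, since racoon refuses a
    psk.txt that group or others can read. Keys are written as 0x hex."""
    body = "# identifier  key  (generated; hex keys are prefixed 0x)\n"
    for ident, key in entries.items():
        body += f"{ident} 0x{key.hex()}\n"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(body)
    os.chmod(path, 0o600)  # in case the file pre-existed with wider bits
    return body


def has_safe_permissions(path):
    """True when no group/other permission bits are set (racoon's check)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def roundtrip_demo():
    """Provision a new roaming user: generate a key, write psk.txt
    restrictively, read it back and confirm lookup by user_fqdn recovers it."""
    key = new_psk()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "psk.txt")
        write_psk_file(path, {"newuser@wolly.com": key})
        ok_perms = has_safe_permissions(path)
        with open(path) as f:
            table = parse_psk_text(f.read())
    return ok_perms and lookup_psk(table, ID_USER_FQDN, "newuser@wolly.com") == key


if __name__ == "__main__":
    table = parse_psk_text(SAMPLE_PSK_TXT)
    # FreeBSD client sends ID_USER_FQDN in aggressive mode: matches the post's entry.
    print(lookup_psk(table, ID_USER_FQDN, "grebbit@wolly.com"))
    # Peer identified only by its dynamic address: nothing to match.
    print(lookup_psk(table, ID_ADDRESS, "192.0.2.10"))
    print(roundtrip_demo())
```

The lookup is deliberately plain string matching, which is the whole point: whatever the client puts in its ID payload is what has to appear in the first column of psk.txt, so a client that can only present its address needs an entry per address it might ever use.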

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?008501c2304c$59fbd800$a4102c0a>