Date: Fri, 3 Mar 2017 22:45:09 +0700
From: Victor Sudakov <vas@mpeks.tomsk.su>
To: freebsd-net@freebsd.org
Subject: GSSAPI and racoon
Message-ID: <20170303154509.GA81714@admin.sibptus.transneft.ru>
Dear Colleagues,

Is anyone running GSSAPI+IKE (racoon)?

I have a Heimdal realm with a dozen FreeBSD hosts in it. I use GSSAPI for ssh access, also for CVS and SVN authentication. So I thought it would be a good idea to use Kerberos for IPSec as well, but the documentation is scarce, in fact only the very spartan /usr/local/share/doc/ipsec-tools/README.gssapi and /usr/local/share/examples/ipsec-tools/racoon.conf.sample-gssapi

The questions are:

1. Where does racoon expect to find the keytab?

2. Does the ISAKMP+GSSAPI negotiation process involve racoon requesting Kerberos tickets from the KDC (in other words, which is the Kerberos server and which the Kerberos client)? Where does the client store the ticket?

3. Does it mean that any host with a valid keytab can negotiate a SA with any other host with a valid keytab? Like, if I have host/host1.example, host/host2.example and host/host3.example all running racoon, they can all form SAs?

4. How do I use GSSAPI for some hosts and a preshared key for other hosts? Can I fall back to a preshared key if GSSAPI fails?

5. Is there a good howto? :-)

Thank you very much in advance for any input.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
AS43859