From: Victor Sudakov <vas@mpeks.tomsk.su>
To: freebsd-net@freebsd.org
Date: Fri, 3 Mar 2017 22:45:09 +0700
Subject: GSSAPI and racoon
Message-ID: <20170303154509.GA81714@admin.sibptus.transneft.ru>
Organization: AO "Svyaztransneft", SibPTUS
List-Id: Networking and TCP/IP with FreeBSD
Dear Colleagues,

Is anyone running GSSAPI+IKE (racoon)?

I have a Heimdal realm with a dozen FreeBSD hosts in it. I use GSSAPI for ssh access, also for CVS and SVN authentication. So I thought it would be a good idea to use Kerberos for IPSec as well, but the documentation is scarce, in fact only the very spartan /usr/local/share/doc/ipsec-tools/README.gssapi and /usr/local/share/examples/ipsec-tools/racoon.conf.sample-gssapi

The questions are:

1. Where does racoon expect to find the keytab?

2. Does the ISAKMP+GSSAPI negotiation process involve racoon requesting Kerberos tickets from the KDC (in other words, which is the Kerberos server and which the Kerberos client)? Where does the client store the ticket?

3. Does it mean that any host with a valid keytab can negotiate a SA with any other host with a valid keytab? Like, if I have host/host1.example, host/host2.example and host/host3.example all running racoon, they can all form SAs?

4. How do I use GSSAPI for some hosts and a preshared key for other hosts? Can I fall back to a preshared key if GSSAPI fails?

5. Is there a good howto? :-)

Thank you very much in advance for any input.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN AS43859