Date: Sun, 21 Jul 2002 01:16:18 +0100
From: "chris scott" <chris.scott@uk.tiscali.com>
To: <freebsd-questions@freebsd.org>, <freebsd-security@freebsd.org>
Subject: roaming ipsec policies and racoon
Message-ID: <008501c2304c$59fbd800$a4102c0a@viper>
Hi,
I am currently trying to play with IPsec and racoon to provide secure services for my users. They all use either FreeBSD or Windows 2k/XP clients. They unfortunately all have dynamic IPs 8(. I have successfully configured the IPsec policies and have got round the dynamic IP problem with the FreeBSD clients by using racoon's peer and my identifier features to initiate the shared key communication. This all works fine. However, I don't know how to do the same thing with Windows 2000/XP. I can set up the IPsec policies on the clients easily enough, as I can the pre-shared key. I have no idea how to set the identifiers though. Without this, racoon doesn't match a key in the psk.txt file, as it uses the host's IP rather than whatever@this.com, and hence fails the key exchange. Has anyone got any clues to point me in the correct direction?
Sample of the server's racoon conf:
remote anonymous
{
    #exchange_mode main,aggressive;
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;
    #my_identifier address;
    my_identifier user_fqdn "random@wirdo.com";
    peers_identifier user_fqdn "grebbit@wolly.com";
    #certificate_type x509 "mycert" "mypriv";
    nonce_size 16;
    lifetime time 1 hour;   # sec,min,hour
    initial_contact on;
    support_mip6 on;
    proposal_check obey;    # obey, strict or claim
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
Corresponding psk.txt entry:
grebbit@wolly.com myrandomkey
Sample of the FreeBSD client's racoon config:
remote anonymous
{
    #exchange_mode main,aggressive;
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;
    #my_identifier address;
    my_identifier user_fqdn "grebbit@wolly.com";    # racoon.conf requires the string to be quoted
    peers_identifier user_fqdn "random@wirdo.com";
    #certificate_type x509 "mycert" "mypriv";
    nonce_size 16;
    lifetime time 1 hour;   # sec,min,hour
    initial_contact on;
    support_mip6 on;
    proposal_check obey;    # obey, strict or claim
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
regards
Chris Scott
IMPORTANT NOTICE:
This email may be confidential, may be legally privileged, and is for the intended recipient only. Access, disclosure, copying, distribution, or reliance on any of it by anyone else is prohibited and may be a criminal offence. Please delete if obtained in error and email confirmation to the sender.
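The key-selection behaviour the post runs into, as an added model written for this page (not code from the post or from racoon): a peer that identifies itself by user_fqdn is looked up in psk.txt by that name, while a peer that identifies by address is looked up by the IP the IKE packet came from, so a dynamic address has no stable entry to match. The psk.txt contents and the peer addresses below are constructed (RFC 5737 documentation ranges); only the grebbit@wolly.com entry comes from the post.

```python
"""Model of racoon's pre-shared-key selection against psk.txt.

Added example, not code from the original post or from racoon itself.
"""
from typing import Dict, Optional

# Constructed psk.txt. First entry is the one from the post; the address
# entry is a placeholder for a Windows client that identifies by IP.
PSK_TXT = """\
# identifier            key
grebbit@wolly.com       myrandomkey
192.0.2.10              winclientkey
"""


def parse_psk_txt(text: str) -> Dict[str, str]:
    """Parse psk.txt: one 'identifier key' pair per line, '#' starts a comment."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries[parts[0]] = parts[1].strip()
    return entries


def lookup_psk(entries: Dict[str, str], id_type: str, ident: str,
               src_addr: str) -> Optional[str]:
    """Return the key selected for a Phase 1 peer, or None if there is none.

    id_type is the identifier type the peer sent; src_addr is the address
    its IKE packet arrived from.  Name-type identifiers are matched by name,
    anything else (e.g. 'address') falls back to the source address, which is
    exactly what breaks for a client whose address changes.
    """
    if id_type in ("user_fqdn", "fqdn"):
        return entries.get(ident)
    return entries.get(src_addr)


def demo() -> Dict[str, Optional[str]]:
    """Three constructed peers: FreeBSD client from a fresh dynamic address,
    Windows client from its listed address, same Windows client after a
    lease change (address-keyed entry no longer matches)."""
    e = parse_psk_txt(PSK_TXT)
    return {
        "freebsd_new_ip": lookup_psk(e, "user_fqdn", "grebbit@wolly.com", "198.51.100.7"),
        "windows_listed_ip": lookup_psk(e, "address", "192.0.2.10", "192.0.2.10"),
        "windows_new_ip": lookup_psk(e, "address", "192.0.2.55", "192.0.2.55"),
    }
```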
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?008501c2304c$59fbd800$a4102c0a>
