From owner-freebsd-security Sat Jul 20 17:20:37 2002
Delivered-To: freebsd-security@freebsd.org
From: "chris scott"
Subject: roaming ipsec policies and racoon
Date: Sun, 21 Jul 2002 01:16:18 +0100
Message-ID: <008501c2304c$59fbd800$a4102c0a@viper>

Hi,

I am currently playing with IPSEC and racoon to provide secure services for my users. They all use either FreeBSD or Windows 2k/XP clients. They unfortunately all have dynamic IPs 8(. I have successfully configured the IPsec policies and have got round the dynamic IP problem with the FreeBSD clients by using racoon's peer and my identifier features to initiate the shared key communication. This all works fine. However, I don't know how to do the same thing with Windows 2000/XP. I can set up the IPsec policies on the clients easily enough, as I can the preshared key. I have no idea how to set the identifiers though. Without this racoon doesn't match a key in the psk.txt file, as it uses the host's IP rather than whatever@this.com and hence fails the key exchange. Has anyone got any clues to point me in the correct direction?

Sample of the server's racoon conf:

    remote anonymous
    {
            #exchange_mode main,aggressive;
            exchange_mode aggressive,main;
            doi ipsec_doi;
            situation identity_only;

            #my_identifier address;
            # identity sent in phase 1; the peer's identity selects the psk.txt entry
            my_identifier user_fqdn "random@wirdo.com";
            peers_identifier user_fqdn "grebbit@wolly.com";
            #certificate_type x509 "mycert" "mypriv";

            nonce_size 16;
            lifetime time 1 hour;   # sec,min,hour
            initial_contact on;
            support_mip6 on;
            proposal_check obey;    # obey, strict or claim

            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group 2;
            }
    }

Corresponding psk entry:

    grebbit@wolly.com myrandomkey

Sample of the FreeBSD client's racoon config:

    remote anonymous
    {
            #exchange_mode main,aggressive;
            exchange_mode aggressive,main;
            doi ipsec_doi;
            situation identity_only;

            #my_identifier address;
            # user_fqdn identifiers are quoted strings in racoon.conf
            my_identifier user_fqdn "grebbit@wolly.com";
            peers_identifier user_fqdn "random@wirdo.com";
            #certificate_type x509 "mycert" "mypriv";

            nonce_size 16;
            lifetime time 1 hour;   # sec,min,hour
            initial_contact on;
            support_mip6 on;
            proposal_check obey;    # obey, strict or claim

            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group 2;
            }
    }

regards

Chris Scott

IMPORTANT NOTICE:
This email may be confidential, may be legally privileged, and is for the intended recipient only. Access, disclosure, copying, distribution, or reliance on any of it by anyone else is prohibited and may be a criminal offence. Please delete if obtained in error and email confirmation to the sender.
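The key-selection failure described in the post, as an added illustration that is not racoon's own code and not part of the original message: a small Python model of the psk.txt lookup racoon performs in phase 1. The psk.txt contents below are constructed (the entry from the post plus an address-keyed entry), the IP addresses are documentation ranges, and the function names are this example's own. It follows racoon's documented psk.txt layout (one "identifier key" pair per line, full-line '#' comments, a key in hex when prefixed with "0x"). A peer that sends an address identity is looked up under its source IP, so a dynamic address can never match a user_fqdn entry; a peer that sends a user_fqdn identity is looked up under that string regardless of its IP. Main mode with pre-shared keys only allows address identities, because the responder must choose the PSK before the (encrypted) identity payload arrives; that is why user_fqdn identities need aggressive mode, as in the posted configuration.

```python
"""
Model of racoon's psk.txt lookup by peer identifier.

Added illustration, not racoon's own code. It follows racoon's psk.txt
layout: one "identifier key" pair per line, whitespace separated, full-line
comments starting with '#', and a key given in hex when prefixed with "0x".
The file contents, addresses and function names are constructed for this
example.
"""
import ipaddress

# Constructed psk.txt: the entry from the post, plus one keyed by an IP
# address (the only kind of entry a peer sending an address ID can match).
PSK_TXT = """\
# identifier        key
grebbit@wolly.com   myrandomkey
192.0.2.10          0x73656372657431
"""


def parse_psk(text):
    """Return {identifier: key_bytes} from psk.txt contents."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        parts = raw.split(None, 1)
        if len(parts) != 2:
            raise ValueError("psk.txt line %d: expected 'identifier key'" % lineno)
        ident, key = parts[0], parts[1].strip()
        # A "0x" prefix means the key is hex-encoded; anything else is used verbatim.
        entries[ident] = bytes.fromhex(key[2:]) if key.startswith("0x") else key.encode()
    return entries


def id_type(ident):
    """Classify an IKE phase 1 identity the way the racoon.conf keywords do."""
    try:
        ipaddress.ip_address(ident)
        return "address"
    except ValueError:
        return "user_fqdn" if "@" in ident else "fqdn"


def select_psk(entries, peer_address, sent_identity=None):
    """
    Pick the pre-shared key for a phase 1 exchange.

    A peer that identifies itself by address (the Windows case in the post)
    is looked up under its source IP; a peer that sends a user_fqdn or fqdn
    identity is looked up under that string, so its IP can change freely.
    Returns (identifier_used, key), or None when no entry matches, which is
    the point at which racoon fails the exchange.
    """
    if sent_identity and id_type(sent_identity) != "address":
        ident = sent_identity
    else:
        ident = peer_address
    key = entries.get(ident)
    return (ident, key) if key is not None else None


if __name__ == "__main__":
    table = parse_psk(PSK_TXT)
    # FreeBSD client on a dynamic IP, identifying as grebbit@wolly.com: matches.
    print(select_psk(table, "203.0.113.77", "grebbit@wolly.com"))
    # Windows client from the same dynamic IP, identified by address: no entry.
    print(select_psk(table, "203.0.113.77"))
    # An address-keyed entry matches only while the peer keeps that address.
    print(select_psk(table, "192.0.2.10"))
```

The third case shows the only way a pure address identity can ever match: a psk.txt entry keyed by the exact IP, which a roaming client does not have. The posted configuration already carries the other route as a commented-out line (certificate_type x509): with certificate authentication the peer's identity comes from the certificate rather than from the address, so the lookup no longer depends on the client's IP.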