From owner-freebsd-security Thu May 16 18:39:38 2002
Delivered-To: freebsd-security@freebsd.org
Received: from smtp3.vol.cz (smtp3.vol.cz [195.250.128.83]) by hub.freebsd.org (Postfix) with ESMTP id E86C537B40D for ; Thu, 16 May 2002 18:39:21 -0700 (PDT)
Received: from obluda.cz (xkulesh.vol.cz [195.250.154.106]) by smtp3.vol.cz (8.11.6/8.11.3) with ESMTP id g4H1dIC17042 for ; Fri, 17 May 2002 03:39:18 +0200 (CEST) (envelope-from dan@obluda.cz)
Message-ID: <3CE45C64.C940872A@obluda.cz>
Date: Fri, 17 May 2002 03:27:00 +0200
From: Dan Lukes
X-Sender: "Dan Lukes"
X-Mailer: Mozilla 4.79 [en]C-CCK-MCD {FIO} (Windows NT 5.0; U)
X-Accept-Language: cs,sk,en,*
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: IPSEC interoperability with Win2K client?
References: <3CE42800.2010605@whizcom.se>
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Lasse Andersson wrote:
>
> Hi,
>
> Looking for any information about FreeBSD IPSEC interoperability with
> Win2K clients?
>
>   +-------+                 +------+                    +--------+
>   |w2k    |    internet     |FBSD  |  internal network  |internal|
>   |clients|-----------------|FW w. |--------------------|hosts   |
>   |       |     IPSEC       |IPSEC |      no IPSEC      |        |
>   +-------+                 +------+                    +--------+

You need ESP/tunnel mode for the presented configuration, but W2k seems not
to support it - at least with IKE (I don't know about statically configured
keys). W2k <-> racoon can maintain ESP/transport mode only.

The only solution I know is PPTP covered by IPSEC:

  +---------+                       +--------+ internal +--------+
  |w2k      |       internet        |FBSD Fw | network  |internal|
  |clients  |-----------------------|IPSEC   |----------|hosts   |
  |Oakley   |      PPTP within      |racoon  | plain IP |        |
  |PPTP VPN |  IPSEC ESP/transport  |MPD     |          |        |
  +---------+                       +--------+          +--------+

Some notes for you:

1. install all available patches to W2k (windowsupdate.microsoft.com)
2. M$ network client MUST be installed, although it may be disabled
3. W2k doesn't support aggressive mode negotiation

When W2k has a known static IP:

4. preshared key or x509 authentication is possible

When W2k has a dynamic IP:

4.1 x509 authentication only
4.2 "generate_policy on" is mandatory in racoon.conf

When x509 authentication is used:

5. racoon doesn't support CRLs at present, so individual revocation of keys
   isn't possible - all keys signed by the approved CA are suitable for
   communication
6. the cert of the CA used to sign the W2k side keys must be put into racoon's
   "path certificate" directory with the appropriate name (.0, see
   "x509 -hash -in CAcert.pem")
7. use the latest racoon and FreeBSD 4.5-STABLE

Example configuration when X509 authentication is used:

== ESP Transport, X509 authentication ==================
============ FreeBSD with racoon, W2k with dynamic IP ==

---- ipsec.conf (for setkey, FreeBSD side) --------
flush;
spdflush;
---- ipsec.conf (for setkey) - END ------------------

---- racoon.conf (for racoon, FreeBSD side) -------
path include "/usr/local/etc/racoon" ;
path certificate "/usr/local/etc/racoon" ;

padding {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

timer {
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous {
        exchange_mode main;
        doi ipsec_doi;
        my_identifier address;
        # FreeBSD side cert and key, looked up relative to "path certificate"
        certificate_type x509 "cert.pem" "key.pem";
        generate_policy on;     # mandatory when the W2k side has a dynamic IP
        nonce_size 16;
        lifetime time 1 min;    # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method rsasig ;
                dh_group 2 ;
        }
}

sainfo anonymous {
        pfs_group 1;
        lifetime time 30 sec;
        encryption_algorithm 3des,des,cast128,blowfish ;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate ;
}
---- racoon.conf (for racoon) - END ------------------

On W2k side:

Run mmc.exe. Console->[Add/Remove Snap In]->Add
Select [IP Security Policy Manager] (Local Computer) and [Certificates]
(Local Computer, Computer Account).

Add CA certs for both side keys to "Console Root\Certificates (Local
Computer)\Trusted Root Certification Authorities\Certificates" (right mouse
button, "All tasks->Import")

Add the W2k station key and cert (signed by the CA) to "Console
Root\Certificates (Local Computer)\Personal\Certificates". You need the key
and cert in PKCS12 format to do it. Verify that status is "OK".

Now you should create the policy, so:

[IP Security Policy Manager], New (right button), enter a name, UNCHECK
"Activate the default response rule", CHECK "Edit properties".

Create a new IP Security Rule (Add button). THIS RULE DOES NOT SPECIFY A
TUNNEL, [All Network Connections], Use a Certificate from this Certificate
Authority, Browse (select the cert of the CA used to sign the opposite side's
cert).

Go to IP FILTER LISTS, [Add], again [Add], Source Address is "My address",
Destination is "specific DNS address" or "specific IP address",
protocol = Any, [Finish], [Close]. We are back in "IP filter lists". CHECK
the created filter then [Next], "Require security" (NOT Optional!), [Next],
[Finish], [Close].

We are back in MMC. Use the right button on the Policy and select "Assign".

It should work now (you may want to run the IPsecmon.exe monitor). Note, the
session is opened "on demand" so you see no association unless you initiate
a communication with the FreeBSD side.

Remember - YOU HAVE NO TUNNEL - but you can configure MPD on FreeBSD together
with VPN on W2k to create the tunnel.

%SystemRoot%\debug\oakley.log will be created if you set

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PolicyAgent\Oakley]
"EnableLogging"=dword:00000001
"Debug"=dword:000000ff

racoon and W2k IKE are still not "plug&work" ready and it isn't reliable.
It's necessary to have some knowledge about IPSEC itself, the ISAKMP protocol
and X509 keys (if used). The lack of CRL support on the racoon side also
limits the usability a lot in a production environment.

Hope it helps.

Dan
--
Dan Lukes, SISAL, MFF UK
tel: +420 2 21914205, fax: +420 2 21914206
AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz, dan@fio.cz
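The preparation steps above (notes 6 and 7 on the FreeBSD side, and the PKCS12 import on the W2k side) can be scripted with openssl. The script below is an added example, not part of the original mail or of racoon: it builds a throwaway CA, issues a cert/key pair for each peer, installs the hash-named CA link racoon looks for in its "path certificate" directory, and exports the W2k pair as PKCS#12. The CA name, host names, output directory and export password are assumptions for illustration. The "x509 -hash" cited in the mail is OpenSSL 0.9.x's MD5-based hash (today's -subject_hash_old); OpenSSL 1.0.0 and later compute -hash with SHA-1, and which one racoon uses depends on the OpenSSL it is linked against, so both link names are created. The PKCS#12 is written with SHA1/3DES PBE because W2k cannot parse the AES-based bundles newer openssl emits by default.

```shell
#!/bin/sh
# Added example (not from the mail): PKI setup for racoon <-> W2k x509 auth.
# Assumed names: CA "Example VPN CA", hosts fw.example.net / w2k-client.example.net,
# output directory ./racoon-pki (override with RACOON_PKI_DIR), password "changeit".
set -eu

issue_cert() {
    dir=$1; name=$2; subj=$3; serial=$4
    # Key + CSR for one peer, then sign it with the CA (no prompts).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -sha256 -days 365 \
        -CA "$dir/CAcert.pem" -CAkey "$dir/CAkey.pem" -set_serial "$serial" \
        -out "$dir/$name.pem" 2>/dev/null
    rm -f "$dir/$name.csr"
}

link_ca_by_hash() {
    dir=$1
    # racoon opens <hash-of-CA-subject>.0 in "path certificate" (note 6).
    # Create both the old MD5-based name (0.9.x "-hash") and the SHA-1 one.
    for opt in -subject_hash_old -subject_hash; do
        h=$(openssl x509 -noout "$opt" -in "$dir/CAcert.pem" 2>/dev/null) || continue
        ln -sf CAcert.pem "$dir/$h.0"
    done
}

ca_link_name() {
    # File name racoon expects for the old-style (MD5) hash of the CA subject.
    printf '%s.0\n' "$(openssl x509 -noout -subject_hash_old -in "$1/CAcert.pem")"
}

make_racoon_pki() {
    dir=$1
    mkdir -p "$dir"
    # 1. One CA signs both sides' keys; both sides must trust it
    #    (W2k: Trusted Root Certification Authorities; racoon: the .0 link).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example VPN CA" \
        -keyout "$dir/CAkey.pem" -out "$dir/CAcert.pem" 2>/dev/null
    # 2. Per-peer certs.
    issue_cert "$dir" fbsd "/CN=fw.example.net" 1
    issue_cert "$dir" w2k  "/CN=w2k-client.example.net" 2
    # 3. Names used by 'certificate_type x509 "cert.pem" "key.pem";' in racoon.conf.
    cp "$dir/fbsd.pem" "$dir/cert.pem"
    cp "$dir/fbsd.key" "$dir/key.pem"
    chmod 600 "$dir/key.pem" "$dir/CAkey.pem"
    # 4. Hash-named CA link for racoon.
    link_ca_by_hash "$dir"
    # 5. PKCS#12 for the W2k "Personal\Certificates" import; SHA1/3DES PBE
    #    because W2k cannot read AES-based PKCS#12 files.
    openssl pkcs12 -export -in "$dir/w2k.pem" -inkey "$dir/w2k.key" \
        -certfile "$dir/CAcert.pem" -name "w2k-client" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout pass:changeit -out "$dir/w2k.p12"
}

make_racoon_pki "${RACOON_PKI_DIR:-./racoon-pki}"
```

Copy cert.pem, key.pem, CAcert.pem and the .0 links into /usr/local/etc/racoon on the FreeBSD side; w2k.p12 and CAcert.pem go to the W2k station for the two MMC imports described in the mail. Revoking a single W2k client still means re-issuing the CA, since racoon of that era ignores CRLs.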