From owner-freebsd-security  Thu May 16 18:39:38 2002
Delivered-To: freebsd-security@freebsd.org
Received: from smtp3.vol.cz (smtp3.vol.cz [195.250.128.83])
	by hub.freebsd.org (Postfix) with ESMTP id E86C537B40D
	for <freebsd-security@freebsd.org>; Thu, 16 May 2002 18:39:21 -0700 (PDT)
Received: from obluda.cz (xkulesh.vol.cz [195.250.154.106])
	by smtp3.vol.cz (8.11.6/8.11.3) with ESMTP id g4H1dIC17042
	for <freebsd-security@freebsd.org>; Fri, 17 May 2002 03:39:18 +0200 (CEST)
	(envelope-from dan@obluda.cz)
Message-ID: <3CE45C64.C940872A@obluda.cz>
Date: Fri, 17 May 2002 03:27:00 +0200
From: Dan Lukes <dan@obluda.cz>
X-Sender: "Dan Lukes" <dan@smtp.vol.cz>
X-Mailer: Mozilla 4.79 [en]C-CCK-MCD {FIO}  (Windows NT 5.0; U)
X-Accept-Language: cs,sk,en,*
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: IPSEC interoperability with Win2K client?
References: <3CE42800.2010605@whizcom.se>
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Lasse Andersson wrote:
> 
> Hi,
> 
> Looking for any information about FreeBSD IPSEC interoperability with
> Win2K clients?

> +-------+               +------+                    +--------+
> |w2k    |    internet   |FBSD  |  internal network  |internal|
> |clients|---------------|FW w. |--------------------|hosts   |
> |       |     IPSEC     |IPSEC |       no IPSEC     |        |
> +-------+               +------+                    +--------+

	You need ESP/tunnel mode for presented configuration, but W2k seems not
to support it - at least with IKE (I don't know how about
static-configured keys). W2k <-> racoon can maintain ESP/transport mode
only. 

	The only solution I know is PPTP covered by IPSEC:

+---------+                     +--------+ internal +--------+
|w2k      |   internet          |FBSD Fw | network  |internal|
|clients  |---------------------|IPSEC   |----------|hosts   |
|Oakley   | PPTP within         |racoon  | plain IP |        |
|PPTP VPN | IPSEC ESP/transport |MPD     |          |        |
+---------+                     +--------+          +--------+

	Some notes for you:
1. install all avaiable patches to W2k (windowsupdate.microsoft.com)
2. M$ network client MUST be installed, althought may be disabled
3. W2k don't support aggresive mode negotiation

When w2k has know static IP:
4. preshared key or x509 authentication possible


When w2k has dynamic IP:
4.1 x509 authentication only
4.2 "generate_policy on" is mandatory in racoon.conf

when x509 authentication used:
5. racoon doesn't support CRLs now, so individual revocation 
   of keys isn't possible - all keys signed by approved CA are 
   suitable for communication
6. cert of CA used to sign W2k side keys must be 
   put into racoon's "path certificate" directory with apropriate 
   name (<cert. hash>.0, see "x509 -hash -in CAcert.pem")
7. use latest racoon and FreeBSD 4.5-STABLE

Example configuration when X509 authentication used:
== ESP Transport, X509 authentication  ==================
============ FreeBSD with racoon, W2k with dynamic IP  ==

---- ipsec.conf (for setkey, FreeBSD side) --------
flush;
spdflush;
---- ipsec.conf (for setkey) - END ------------------

---- racoon.conf (for racoon, FreeBSD side) -------
path include "/usr/local/etc/racoon" ;
path certificate "/usr/local/etc/racoon" ;
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}
timer
{
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.
        phase1 30 sec;
        phase2 15 sec;
}
remote anonymous
{
        exchange_mode main;
        doi ipsec_doi;
        my_identifier address;
        certificate_type x509 "cert.pem" "key.pem";
        generate_policy on;
        nonce_size 16;
        lifetime time 1 min;    # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method rsasig ;
                dh_group 2 ;
        }
}

sainfo anonymous
{
        pfs_group 1;
        lifetime time 30 sec;
        encryption_algorithm 3des,des,cast128,blowfish ;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate ;
}
---- racoon.conf (for racoon) - END ------------------

On W2k side:
Run mmc.exe.

Console->[Add/Remove Snap In]->Add
Select [IP Security Policy Manager] (Local Computer) and [Certificates] 
(Local Computer, Computer Account).

Add CA certs for both side keys to 
"Console Root\Certificates (Local Computer)\Trusted Root Certification
Authorities\Certificates" 
(right mouse button, "All tasks->Import")

W2k station key and cert (signed by CA) add to 
"Console Root\Certificates (Local Computer)\Personal\Certificates"
You need the key and cert in PKCS12 format to do it.
Verify that status is "OK"

Now you should create policy, so:
[IP Security Policy Manager], New (right button), tell a name, 
UNCHECK "Activate the default response rule", CHECK "Edit properties". 
Create new IP Security Rule (Add button). 
THIS RULE DOES NOT SPECIFY A TUNNEL
[All Network Connections], 
Use a Certificate from this Certificate Authority
Browse (select cert of CA used to sign oposite side cert). 
Go to IP FILTER LISTS, [Add], again [Add], 
Source Address is "My address"
Destination is "specific DNS address" or "specific IP address", 
protocol = Any, [Finish], [Close]. 
We are back in "IP filter lists". CHECK created filter then [Next], 
"Require security" (NOT Optional!), [Next], [Finish], [Close]. 

We are back in MMC. 
Use right button on Policy and select "Assign". 

It should work now (you may want to run IPsecmon.exe monitor). 
Note, the session is opened "on demand" so you see no association 
unless you initiate a communication with FreeBSD side. 
Remember - YOU HAVE NO TUNNEL - but you can configure 
MPD on FreeBSD together with VPN on W2k to create the tunnel.

%SystemRoot%\debug\oakley.log will be created if you set
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PolicyAgent\Oakley]
"EnableLogging"=dword:00000001
"Debug"=dword:000000ff


	The racoon and W2k IKE still not "plug&work" ready and it isn't
reliable. It's necesarry to have some knowledge about IPSEC itself,
ISAKMP protocol and X509 keys (if used). The lack of CRL support 
on racoon side limit the useability a lot in production environment 
also.


				Hope it helps.

 

						Dan

-- 
Dan Lukes,  SISAL, MFF UK  tel: +420 2 21914205, fax: +420 2 21914206
AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz, dan@fio.cz


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message