From owner-freebsd-security Sat Jul 20 17:30:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EF4CF37B400; Sat, 20 Jul 2002 17:30:01 -0700 (PDT) Received: from internal.mail.telinco.net (internal.mail.telinco.net [212.1.128.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 614E443E31; Sat, 20 Jul 2002 17:30:01 -0700 (PDT) (envelope-from chris.scott@uk.tiscali.com) Received: from mk-fw-1.router.uk.worldonline.com ([212.74.112.53] helo=viper) by internal.mail.telinco.net with smtp (Exim 3.22 #1) id 17W4bo-000MLS-00; Sun, 21 Jul 2002 01:30:00 +0100 Message-ID: <009301c2304d$bf21e5c0$a4102c0a@viper> From: "chris scott" To: , Subject: roaming ipsec policies and racoon Date: Sun, 21 Jul 2002 01:29:59 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, I am currently trying playing with IPSEC and racoon to provide a secure services for my users. They all use either freebsd or windows 2k/XP clients. They unfortunately all have dynamic ips 8(. I have successfully configured the ipsec policies and have got round the dynamic IP problem with the freebsd clients by using racoons peer and my identifier features to initiate the shared key communication. This all works fine. However I don't know how to do the same thing with windows 2000/XP. I can setup the ipsec policies on the clients easily enough, as I can the preshared key. I have no idea how to set the identifiers though. Without this racoon doesn't match a key on the psk.txt file as it uses the hosts ip rather than whatever@this.com and hence fails the key exchange. Has anyone got any clues to point me in the correct direction? sample og the severs racoon conf remote anonymous { #exchange_mode main,aggressive; exchange_mode aggressive,main; doi ipsec_doi; situation identity_only; #my_identifier address; my_identifier user_fqdn "random@wirdo.com"; peers_identifier user_fqdn "grebbit@wolly.com"; #certificate_type x509 "mycert" "mypriv"; nonce_size 16; lifetime time 1 hour; # sec,min,hour initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2 ; } } corresponding psk entry grebbit@wolly.com myrandomkey sample of freebsd clients racoon config remote anonymous { #exchange_mode main,aggressive; exchange_mode aggressive,main; doi ipsec_doi; situation identity_only; #my_identifier address; my_identifier user_fqdn grebbit@wolly.com; peers_identifier user_fqdn "random@wirdo.com"; #certificate_type x509 "mycert" "mypriv"; nonce_size 16; lifetime time 1 hour; # sec,min,hour initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2 ; } } regards Chris Scott IMPORTANT NOTICE: This email may be confidential, may be legally privileged, and is for the intended recipient only. Access, disclosure, copying, distribution, or reliance on any of it by anyone else is prohibited and may be a criminal offence. Please delete if obtained in error and email confirmation to the sender. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message