Date: Sun, 21 Jul 2002 01:35:08 +0100
From: "chris scott" <chris.scott@uk.tiscali.com>
To: <admin@gbinetwork.com>
Cc: <freebsd-security@FreeBSD.ORG>, <freebsd-questions@FreeBSD.ORG>
Subject: Re: roaming ipsec policies and racoon
Message-ID: <00a401c2304e$7762c820$a4102c0a@viper>
References: <008501c2304c$59fbd800$a4102c0a@viper> <1048.68.49.119.89.1027211092.squirrel@webmail.xinu.com>
yes it does I believe. I have not looked into this yet though, does this mean I have to have a proper one from an authority that will cost me an arm and a leg?

----- Original Message -----
From: "James Bristle" <admin@gbinetwork.com>
To: <chris.scott@uk.tiscali.com>
Sent: Sunday, July 21, 2002 1:24 AM
Subject: Re: roaming ipsec policies and racoon

> does windows support certs ?
>
> > Hi,
> >
> > I am currently playing with IPSEC and racoon to provide secure
> > services for my users. They all use either freebsd or windows 2k/XP
> > clients. They unfortunately all have dynamic ips 8(. I have
> > successfully configured the ipsec policies and have got round the
> > dynamic IP problem with the freebsd clients by using racoon's peer and
> > my identifier features to initiate the shared key communication. This
> > all works fine. However I don't know how to do the same thing with
> > windows 2000/XP. I can set up the ipsec policies on the clients easily
> > enough, as I can the preshared key. I have no idea how to set the
> > identifiers though. Without this racoon doesn't match a key in the
> > psk.txt file as it uses the host's ip rather than whatever@this.com and
> > hence fails the key exchange. Has anyone got any clues to point me in
> > the correct direction?
> >
> > sample of the server's racoon conf
> >
> > remote anonymous
> > {
> >         #exchange_mode main,aggressive;
> >         exchange_mode aggressive,main;
> >         doi ipsec_doi;
> >         situation identity_only;
> >
> >         #my_identifier address;
> >         my_identifier user_fqdn "random@wirdo.com";
> >         peers_identifier user_fqdn "grebbit@wolly.com";
> >         #certificate_type x509 "mycert" "mypriv";
> >
> >         nonce_size 16;
> >         lifetime time 1 hour;   # sec,min,hour
> >         initial_contact on;
> >         support_mip6 on;
> >         proposal_check obey;    # obey, strict or claim
> >
> >         proposal {
> >                 encryption_algorithm 3des;
> >                 hash_algorithm sha1;
> >                 authentication_method pre_shared_key;
> >                 dh_group 2;
> >         }
> > }
> >
> > corresponding psk entry
> > grebbit@wolly.com myrandomkey
> >
> > sample of the freebsd client's racoon config
> >
> > remote anonymous
> > {
> >         #exchange_mode main,aggressive;
> >         exchange_mode aggressive,main;
> >         doi ipsec_doi;
> >         situation identity_only;
> >
> >         #my_identifier address;
> >         # racoon.conf wants the user_fqdn string quoted, as on the server
> >         my_identifier user_fqdn "grebbit@wolly.com";
> >         peers_identifier user_fqdn "random@wirdo.com";
> >         #certificate_type x509 "mycert" "mypriv";
> >
> >         nonce_size 16;
> >         lifetime time 1 hour;   # sec,min,hour
> >         initial_contact on;
> >         support_mip6 on;
> >         proposal_check obey;    # obey, strict or claim
> >
> >         proposal {
> >                 encryption_algorithm 3des;
> >                 hash_algorithm sha1;
> >                 authentication_method pre_shared_key;
> >                 dh_group 2;
> >         }
> > }
> >
> > regards
> >
> > Chris Scott
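The psk.txt matching that the quoted question turns on, as an added example that is neither part of this thread nor racoon's own code: a small model of how a pre-shared key is picked by the identifier string the peer presents, showing why the user_fqdn entry above matches the FreeBSD client while a Windows peer that identifies itself by a dynamic IP address finds no entry. The psk.txt contents and the 192.0.2.77 address are constructed.

```python
"""Model of racoon's psk.txt lookup (added example, not racoon's code)."""
import binascii

# Constructed psk.txt in racoon's format: "<identifier> <key>" per line,
# whitespace-separated, '#' starts a comment, a key prefixed 0x is hex.
PSK_TXT = """\
# identifier            pre-shared key
grebbit@wolly.com       myrandomkey
10.0.0.5                0x6d7972616e646f6d6b6579
"""


def parse_psk(text: str) -> dict:
    """Return {identifier: key_bytes} for every usable line of psk.txt."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: skipped in this model
        ident, key = parts
        if key.startswith("0x"):
            table[ident] = binascii.unhexlify(key[2:])
        else:
            table[ident] = key.encode()
    return table


def lookup_psk(table: dict, peer_id: str):
    """Key for the identifier string the peer sent; None means phase 1 fails.

    The identifier type (address, user_fqdn, ...) only decides what string
    the peer puts in its ID payload; psk.txt is keyed on that string alone.
    """
    return table.get(peer_id)


if __name__ == "__main__":
    psk = parse_psk(PSK_TXT)
    # FreeBSD client sends my_identifier user_fqdn "grebbit@wolly.com": hit.
    print(lookup_psk(psk, "grebbit@wolly.com"))
    # A fixed-address peer can be listed by IP and still matches.
    print(lookup_psk(psk, "10.0.0.5"))
    # Windows client on a dynamic address sends that address: no entry,
    # so the exchange fails exactly as the question describes.
    print(lookup_psk(psk, "192.0.2.77"))
```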