From: "chris scott" <chris.scott@uk.tiscali.com>
To: freebsd-security@freebsd.org
Subject: Re: roaming ipsec policies and racoon
Date: Sun, 21 Jul 2002 01:35:08 +0100
Message-ID: <00a401c2304e$7762c820$a4102c0a@viper>
Sender: owner-freebsd-security@FreeBSD.ORG

Yes it does, I believe. I have not looked into this yet though; does this mean I have to have a proper one from an authority that will cost me an arm and a leg?

----- Original Message -----
From: "James Bristle"
Sent: Sunday, July 21, 2002 1:24 AM
Subject: Re: roaming ipsec policies and racoon

> does windows support certs ?
>
> > Hi,
> >
> > I am currently playing with IPSEC and racoon to provide secure
> > services for my users. They all use either freebsd or windows 2k/XP
> > clients. They unfortunately all have dynamic ips 8(. I have
> > successfully configured the ipsec policies and have got round the
> > dynamic IP problem with the freebsd clients by using racoon's peer and
> > my identifier features to initiate the shared key communication. This
> > all works fine. However I don't know how to do the same thing with
> > windows 2000/XP. I can set up the ipsec policies on the clients easily
> > enough, as I can the preshared key. I have no idea how to set the
> > identifiers though. Without this racoon doesn't match a key in the
> > psk.txt file as it uses the host's ip rather than whatever@this.com and
> > hence fails the key exchange. Has anyone got any clues to point me in
> > the correct direction?
> >
> > sample of the server's racoon conf
> >
> > remote anonymous
> > {
> >         #exchange_mode main,aggressive;
> >         exchange_mode aggressive,main;
> >         doi ipsec_doi;
> >         situation identity_only;
> >
> >         #my_identifier address;
> >         my_identifier user_fqdn "random@wirdo.com";
> >         peers_identifier user_fqdn "grebbit@wolly.com";
> >         #certificate_type x509 "mycert" "mypriv";
> >
> >         nonce_size 16;
> >         lifetime time 1 hour;   # sec,min,hour
> >         initial_contact on;
> >         support_mip6 on;
> >         proposal_check obey;    # obey, strict or claim
> >
> >         proposal {
> >                 encryption_algorithm 3des;
> >                 hash_algorithm sha1;
> >                 authentication_method pre_shared_key;
> >                 dh_group 2;
> >         }
> > }
> >
> > corresponding psk entry
> > grebbit@wolly.com myrandomkey
> >
> > sample of freebsd client's racoon config
> >
> > remote anonymous
> > {
> >         #exchange_mode main,aggressive;
> >         exchange_mode aggressive,main;
> >         doi ipsec_doi;
> >         situation identity_only;
> >
> >         #my_identifier address;
> >         my_identifier user_fqdn "grebbit@wolly.com";
> >         peers_identifier user_fqdn "random@wirdo.com";
> >         #certificate_type x509 "mycert" "mypriv";
> >
> >         nonce_size 16;
> >         lifetime time 1 hour;   # sec,min,hour
> >         initial_contact on;
> >         support_mip6 on;
> >         proposal_check obey;    # obey, strict or claim
> >
> >         proposal {
> >                 encryption_algorithm 3des;
> >                 hash_algorithm sha1;
> >                 authentication_method pre_shared_key;
> >                 dh_group 2;
> >         }
> > }
> >
> > regards
> >
> > Chris Scott
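To make the psk.txt matching problem from this thread concrete, here is an added example (not racoon's code and not from any poster) that models the lookup: racoon selects the pre-shared key by the identifier the peer presents in phase 1, so a user_fqdn entry survives an IP change while an address-identified peer on a new dynamic IP finds nothing. The psk.txt contents and the IP addresses are constructed.

```python
"""Simplified model of how racoon chooses a pre-shared key from psk.txt.

Added example for the thread above; this is NOT racoon's own code. It assumes
racoon's documented behaviour: the key is chosen by the phase-1 identifier the
peer sends, so an 'address' identifier only matches an entry for that address.
"""
from ipaddress import ip_address

# Constructed psk.txt mirroring the server entry from the thread, plus one
# address-keyed entry to show the contrast.
PSK_TXT = """\
# identifier        key
grebbit@wolly.com   myrandomkey
192.0.2.10          keyforfixedhost
"""


def _norm(ident):
    """Canonicalise address identifiers (e.g. IPv6 abbreviation); others unchanged."""
    try:
        return str(ip_address(ident))
    except ValueError:
        return ident


def parse_psk(text):
    """Parse psk.txt lines '<identifier> <key>'; '#' starts a comment."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ident, key = line.split(None, 1)
        table[_norm(ident)] = key.strip()
    return table


def lookup_psk(table, id_type, id_value):
    """Return the key for the peer's identifier ('user_fqdn', 'fqdn' or 'address'), else None."""
    if id_type == "address":
        id_value = _norm(id_value)
    return table.get(id_value)


def phase1_outcomes(table):
    """Which of three constructed peers would find a key in psk.txt."""
    cases = {
        # FreeBSD client: my_identifier user_fqdn, so its current IP is irrelevant
        "freebsd_dynamic_ip": lookup_psk(table, "user_fqdn", "grebbit@wolly.com"),
        # Windows 2000/XP client: identifier is its current (changed) address
        "windows_dynamic_ip": lookup_psk(table, "address", "198.51.100.77"),
        # Host whose fixed address is keyed in psk.txt
        "fixed_ip_host": lookup_psk(table, "address", "192.0.2.10"),
    }
    return {name: key is not None for name, key in cases.items()}
```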