From owner-freebsd-security@FreeBSD.ORG Thu May 8 05:26:39 2003
Delivered-To: freebsd-security@freebsd.org
Date: Thu, 8 May 2003 07:26:37 -0500
From: "Jacques A. Vidrine"
To: Michael Collette
cc: FreeBSD Security
Subject: Re: VPN through BSD for Win2k, totally baffled
Message-ID: <20030508122637.GA97715@madman.celabo.org>
In-Reply-To: <200305071921.33596.metrol@metrol.net>
References: <200305071921.33596.metrol@metrol.net>
User-Agent: Mutt/1.5.3i-ja.1
List-Id: Security issues [members-only posting]

On Wed, May 07, 2003 at 07:21:33PM -0700, Michael Collette wrote:
> Scenario:
> FreeBSD box running IPFW acting as a gateway to private network. The private
> network is made up of entirely routeable IP addresses. External users
> running Win2k and XP on DSL connections with dynamic IPs.
[...]
> Where I totally lost it was on the FreeBSD setup. The author is referring to
> certificates that he never described how they should be created. I didn't
> know what in the heck to do here.
[...]

It's hard to tell from your message where you are getting lost, but I'll
give it a shot. Assuming you have all your certificates (let's call them
client.crt/client.key, server.crt/server.key, and ca-local.crt):

(1) Add a `path certificate' directive to racoon.conf, e.g.

        path certificate "/usr/local/etc/racoon/cert" ;

(2) Create that directory

(3) Store your CA's certificate in that directory in PEM format, e.g.
    /usr/local/etc/racoon/cert/ca-local.pem.

(4) Create a symlink in that directory based on the CA cert's hash, e.g.

        cd /usr/local/etc/racoon/cert
        ln -s ca-local.pem `openssl x509 -noout -hash -in ca-local.pem`.0

Heh, I found some pages that might be useful to you while I was Google'ing
to double-check my openssl syntax:

Hope this helps,
-- 
Jacques Vidrine   . NTT/Verio SME     . FreeBSD UNIX       . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
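Steps (2) through (4) above as one script, added here as an example; these are not Jacques's commands and not part of racoon or FreeBSD. It assumes an openssl binary on the PATH and goes a little beyond the reply: the function names install_ca_cert and check_ca_dir are made up for this example, the link suffix is chosen so that a second CA whose subject name hashes to the same value gets .1 instead of clobbering .0 (that is how OpenSSL's hash-directory lookup walks the suffixes), re-running it for the same file reuses the existing link, and the final check confirms that OpenSSL, and so racoon, can find the CA through the directory alone.

```shell
#!/bin/sh
# Example script (not from the original message): install a CA certificate into
# racoon's `path certificate` directory with the <subject-hash>.N symlink that
# OpenSSL's directory lookup expects.
# Usage: install_ca_cert /path/to/ca-local.pem /usr/local/etc/racoon/cert

install_ca_cert() {
    ca_pem=$1
    cert_dir=$2

    # Refuse anything that openssl cannot parse as a PEM certificate.
    openssl x509 -noout -in "$ca_pem" >/dev/null 2>&1 || {
        echo "install_ca_cert: $ca_pem is not a PEM X.509 certificate" >&2
        return 1
    }

    mkdir -p "$cert_dir"
    base=$(basename "$ca_pem")
    cp "$ca_pem" "$cert_dir/$base"

    # Same hash the reply computes by hand: `openssl x509 -noout -hash`.
    hash=$(openssl x509 -noout -hash -in "$ca_pem")

    # OpenSSL looks for <hash>.0, <hash>.1, ... in turn, so two CAs whose
    # subject names hash alike need distinct suffixes. If a link for this
    # file already exists, reuse it instead of adding a duplicate.
    n=0
    while [ -e "$cert_dir/$hash.$n" ] || [ -L "$cert_dir/$hash.$n" ]; do
        if [ "$(readlink "$cert_dir/$hash.$n")" = "$base" ]; then
            echo "$cert_dir/$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$base" "$cert_dir/$hash.$n"
    echo "$cert_dir/$hash.$n"
}

# check_ca_dir CERT DIR: succeed only if CERT verifies using DIR as the sole
# trust store, i.e. the hash link really leads OpenSSL to the CA.
check_ca_dir() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# When invoked as a script with two arguments, install and then verify.
if [ $# -eq 2 ]; then
    link=$(install_ca_cert "$1" "$2") && check_ca_dir "$1" "$2" \
        && echo "installed as $link"
fi
```

The hash written by `-hash` is whatever the local OpenSSL uses for its directory lookup, so a store built with one OpenSSL generation is not necessarily readable by another; `openssl x509 -subject_hash_old` exists on 1.0.0 and later to emit the pre-1.0.0 name for a second link if a mixed fleet needs it.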