From: Josh Tiefenbach
To: Boris
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: IPSEC Win2k
Date: Tue, 21 Nov 2000 12:48:48 -0500
Message-ID: <20001121124847.F37765@zipperup.org>
In-Reply-To: <838997467.20001121113524@x-itec.de>; from koester@x-itec.de on Tue, Nov 21, 2000 at 11:35:24AM -0800

> I try to setup a connection between my FreeBSD Server
> and my Win2k server box. two machines, nothing special.

By sheer coincidence, I did this just the other day.

> setkey -D -P -c < spdflush;
> flush ;
> add 192.168.0.99 192.168.0.1 ah 2000 -m transport -A hmac-sha1 "PASSWORD" ;
> add 192.168.0.99 192.168.0.1 esp 3000 -m transport -E 3des-cbc "PASSWORD" ;
> spdadd 192.168.0.99 192.168.0.1 any -P out ipsec esp/transport/192.168.0.99-192.168.0.1/require ;

This is the problem. You've set up manual keying on the BSD box. I don't think that Win2k can accept that. Plus, you've only created a policy for outgoing packets, rather than incoming packets. Plus, you don't say which version of FreeBSD you are using. IIRC, only FreeBSD 4.x-STABLE supports IKE (using racoon).

Here is a small writeup that I did for someone else on how to have BSD and Win2k talk to each other using IPsec.

1. Get a FreeBSD box, recompile the kernel with the IPsec options, and install the racoon port.
2. On the FreeBSD machine, do the following (presuming that the FreeBSD machine is 1.2.3.4 and the win2k machine is 5.6.7.8):

    setkey -FP   # Note: this and the next line will delete all previous SPD
    setkey -F    # entries.
    setkey -c << EOF
    spdadd 1.2.3.4/32 5.6.7.8/32 any -P out ipsec esp/transport/1.2.3.4-5.6.7.8/require;
    spdadd 5.6.7.8/32 1.2.3.4/32 any -P in ipsec esp/transport/5.6.7.8-1.2.3.4/require;
    EOF

3. Configure psk.txt and racoon.conf. You shouldn't really need to make any changes to the racoon.conf file from the default, though I have noticed that increasing the "lifetime time" parameter in the "sainfo anonymous" stanza to something like 3600 seconds, and the "lifetime byte" parameter to 50000 KB, improves performance, as you're not swapping keys as often.

   In the psk.txt file, add the following entry:

    5.6.7.8 somelongstringasasharedsecret

   Make sure that psk.txt is mode 600, owned by root. Start up racoon.

4. On the Win2k machine, fire up a command window, and launch 'mmc'. Go to Console->Add/Remove Snap-in. Add the IP Security Policy Management snap-in.

5. Click on IP Security Policies in the tree listing, and then select Action->Create IP Security Policy from the menu.

6. Go through the wizard. In particular:
   * Do not activate the default response rule.
   * Edit the properties.

7. In the properties, click on the Add button to add a new rule. Go through the wizard, and ensure the following settings:
   * The rule does not specify a tunnel.
   * The rule applies to the LAN.
   * Use a string to protect the key exchange. Stick in the same key as you used in the psk.txt file.
   * You'll want to create a new IP filter so that only traffic to the BSD box is subjected to the security policy. Select this new filter.
   * Select 'Require Security' for the filter action.

8. Select the new policy in the window, and click on the toggle switch icon in the menu bar to activate the policy.

9. Open up a command window, and ping the BSD box. The ping will 'fail' with a message 'Negotiating IP Security'.
   Another ping should subsequently work. At this point, all IP traffic between the 2 boxes has been secured.

josh
--
This email has been brought to you by the letters U, U, C, and P
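The two-direction SPD from step 2 and the psk.txt permission requirement from step 3, as an added example that is not part of Josh's post: a POSIX sh script that emits the setkey(8) policy for a given pair of addresses and checks the key file's mode. The function names and the address arguments are my own assumptions; it relies only on printf, ls and cut as found on FreeBSD.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the transport-mode
# ESP policy of step 2 for BOTH directions and checks the psk.txt mode
# required in step 3. Function names and arguments are assumptions.

# Emit a setkey(8) policy script for ESP transport mode between a FreeBSD
# host ($1) and a Win2k host ($2). Both an "out" and an "in" policy are
# emitted: with only the "out" rule (as in the quoted config), inbound
# packets from the peer are not required to be protected at all.
spd_script() {
    bsd=$1
    win=$2
    printf 'spdflush;\n'
    printf 'spdadd %s/32 %s/32 any -P out ipsec esp/transport/%s-%s/require;\n' \
        "$bsd" "$win" "$bsd" "$win"
    printf 'spdadd %s/32 %s/32 any -P in ipsec esp/transport/%s-%s/require;\n' \
        "$win" "$bsd" "$win" "$bsd"
}

# Return 0 if the pre-shared-key file is mode 600 (owner read/write only),
# as step 3 requires; 1 if it is more permissive; 2 if it does not exist.
# Parses ls(1) output so it behaves the same on BSD and GNU userlands.
psk_mode_ok() {
    [ -f "$1" ] || return 2
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# Stand-alone usage: sh thisfile.sh 1.2.3.4 5.6.7.8 | setkey -c
if [ $# -eq 2 ]; then
    spd_script "$1" "$2"
fi
```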