Date:      Sun, 17 Feb 2002 21:44:08 -0500
From:      "James F. Hranicky" <jfh@cise.ufl.edu>
To:        security@freebsd.org
Subject:   Dynamic-IP IPSEC support with racoon (was Re: Questions (Rants?) ...)
Message-ID:  <20020218024408.CF51069B1@mail.cise.ufl.edu>


Well, after cooling down from my rant, it seems I've been able to 
get dynamic IP IPSEC support working with racoon and x509 certs. 
Currently, I run setkey on the clients like so:

   spdadd client.X.X.X server.X.X.X any  -P out ipsec
    esp/transport/client.X.X.X-server.X.X.X/use;
   spdadd server.X.X.X client.X.X.X any  -P in ipsec
    esp/transport/server.X.X.X-client.X.X.X/use;

The racoon.conf is at the end of the message.

What I'm having trouble with is getting any version of PGPNet or the
IPSEC software that comes with w2k to work with the setup. It's hard
to determine which has been more frustrating: 

	- with PGPNet, the BSD box actually thought the two had an IPSEC
	  connection established, but PGPNet didn't. Tried 7.0.3 and 7.1.

	- with w2k, no matter what I do it doesn't like my certs (error
	  798: no extensible auth cert found). I've imported my CA cert
	  and the personal cert into the right places (I think (?!?))
	  using the MMC console, and started up the IPSEC listening 
	  service, but no go.

Note I have a self-signed CA cert that I generated with OSSL.

If anyone can give me pointers on getting IPSEC working on w2k (especially
the default w2k stuff), I'd appreciate it.

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------

-------------------------------- racoon.conf --------------------------------

   path include "/usr/local/etc/racoon" ;
   path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
   path certificate "/usr/local/lib/ssl/certs" ; 
   
   padding
   {
           maximum_length 20;      # maximum padding length.
           randomize off;          # enable randomize length.
           strict_check off;       # enable strict check.
           exclusive_tail off;     # extract last one octet.
   }
   
   # Specification of default various timer.
   timer
   {
           # These values can be changed per remote node.
           counter 5;              # maximum number of send attempts.
           interval 20 sec;        # maximum interval between resends.
           persend 1;              # the number of packets per send.
   
           # timer for waiting to complete each phase.
           phase1 30 sec;
           phase2 15 sec;
   }
   
   remote anonymous
   {
           exchange_mode aggressive,main;
           doi ipsec_doi;
           situation identity_only;
   
           my_identifier asn1dn ;
           certificate_type x509 "cert.pem" "key.pem";
   
           generate_policy on;
           nonce_size 16;
           lifetime time 1 hour;   # sec,min,hour
           initial_contact on;
           support_mip6 on;
           proposal_check obey;    # obey, strict or claim
   
           proposal {
                   encryption_algorithm 3des;
                   hash_algorithm sha1;
                   authentication_method rsasig ;
                   dh_group 2 ;
           }
   }
   
   sainfo anonymous
   {
           pfs_group 1;
           lifetime time 1 hour;
           encryption_algorithm 3des ;
           authentication_algorithm hmac_sha1;
           compression_algorithm deflate ;
   }

-------------------------------- racoon.conf --------------------------------
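The SPD entries at the top of the message are what setkey(8) loads on each client; the policy level at the end of each entry (`use` in the message) is the part worth getting right, since `use` lets traffic pass in the clear whenever no SA exists, while `require` refuses unprotected traffic. The script below is an added example, not part of the original message or of racoon/ipsec-tools: it generates the same two spdadd lines for a client/server pair, with a chosen level, after checking that the addresses are well-formed. The addresses in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original message): emit the setkey(8) SPD
# entries shown in the message for one client/server pair. LEVEL is "use"
# (as in the message; cleartext allowed when no SA is present) or "require"
# (IPsec mandatory). All addresses here are constructed placeholders.

# valid_ipv4 ADDR -> returns 0 if ADDR is a dotted-quad IPv4 address, 1 otherwise
valid_ipv4() {
    addr=$1
    # reject anything other than digits and dots, and leading/trailing/double dots
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    n=0
    oldifs=$IFS; IFS=.
    for octet in $addr; do
        n=$((n + 1))
        [ "$octet" -le 255 ] 2>/dev/null || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# gen_spd CLIENT SERVER [LEVEL]
# Prints the outbound and inbound ESP transport-mode policies as seen from
# the client. LEVEL defaults to "use", matching the message.
gen_spd() {
    client=$1; server=$2; level=${3:-use}
    valid_ipv4 "$client" || { echo "bad client address: $client" >&2; return 1; }
    valid_ipv4 "$server" || { echo "bad server address: $server" >&2; return 1; }
    case "$level" in
        use|require) ;;
        *) echo "level must be 'use' or 'require', got '$level'" >&2; return 1 ;;
    esac
    printf 'spdadd %s %s any -P out ipsec\n    esp/transport/%s-%s/%s;\n' \
        "$client" "$server" "$client" "$server" "$level"
    printf 'spdadd %s %s any -P in ipsec\n    esp/transport/%s-%s/%s;\n' \
        "$server" "$client" "$server" "$client" "$level"
}

# Usage on the client (constructed addresses), feeding setkey directly:
#   gen_spd 192.0.2.10 192.0.2.1 require | setkey -c
```

Running it with `require` instead of `use` is the one-line change that turns the message's opportunistic policy into a mandatory one; the racoon side needs no change, since the SPD level only governs what the kernel does when no SA has been negotiated yet.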

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020218024408.CF51069B1>