From: "James F. Hranicky"
To: security@freebsd.org
Subject: Dynamic-IP IPSEC support with racoon (was Re: Questions (Rants?) ...)
Date: Sun, 17 Feb 2002 21:44:08 -0500
Message-Id: <20020218024408.CF51069B1@mail.cise.ufl.edu>

Well, after cooling down from my rant, it seems I've been able to get dynamic IP IPSEC support working with racoon and x509 certs. Currently, I run setkey on the clients like so:

    spdadd client.X.X.X server.X.X.X any -P out ipsec esp/transport/client.X.X.X-server.X.X.X/use;
    spdadd server.X.X.X client.X.X.X any -P in ipsec esp/transport/server.X.X.X-client.X.X.X/use;

The racoon.conf is at the end of the message.

What I'm having trouble with is getting any version of PGPNet or the IPSEC software that comes with w2k to work with the setup. It's hard to determine which has been more frustrating:

- with PGPNet, the BSD box actually thought the two had an IPSEC connection established, but PGPNet didn't. Tried 7.0.3 and 7.1.
- with w2k, no matter what I do it doesn't like my certs (error 798: no extensible auth cert found). I've imported my CA cert and the personal cert into the right places (I think (?!?)) using the MMC console, and started up the IPSEC listening service, but no go.

Note I have a self-signed CA cert that I generated with OSSL.

If anyone can give me pointers on getting IPSEC working on w2k (especially the default w2k stuff), I'd appreciate it.

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------

-------------------------------- racoon.conf --------------------------------
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/lib/ssl/certs" ;

padding {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomized length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# Specification of various default timers.
timer {
        # These values can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous {
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        my_identifier asn1dn ;
        certificate_type x509 "cert.pem" "key.pem";

        generate_policy on;
        nonce_size 16;
        lifetime time 1 hour;   # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig ;
                dh_group 2 ;
        }
}

sainfo anonymous {
        pfs_group 1;
        lifetime time 1 hour;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}
-------------------------------- racoon.conf --------------------------------
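As an added example (not part of the post above), a small Python audit that parses setkey spdadd lines in the form the post uses and flags transport-mode policies at level use, which the kernel treats as optional: when no SA has been negotiated the traffic is sent in the clear. The addresses in the sample are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample: the post's two SPD entries, with client.X.X.X / server.X.X.X
# replaced by documentation addresses, plus one entry at level "require" for contrast.
SAMPLE_SPD = """
spdadd 192.0.2.10 198.51.100.5 any -P out ipsec esp/transport/192.0.2.10-198.51.100.5/use;
spdadd 198.51.100.5 192.0.2.10 any -P in ipsec esp/transport/198.51.100.5-192.0.2.10/use;
spdadd 198.51.100.5 192.0.2.10 any -P in ipsec esp/transport/198.51.100.5-192.0.2.10/require;
"""

# spdadd <src> <dst> <upperspec> -P <in|out> <discard|none|ipsec> [rule ...] ;
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"(?P<policy>discard|none|ipsec)(?:\s+(?P<rules>[^;]+?))?\s*;"
)
# rule: <esp|ah|ipcomp>/<transport|tunnel>/[src-dst]/<default|use|require|unique[:id]>
RULE_RE = re.compile(
    r"(?P<proto>esp|ah|ipcomp)/(?P<mode>transport|tunnel)(?:/(?P<ep>[^/\s]*))?"
    r"/(?P<level>default|use|require|unique(?::\d+)?)"
)


@dataclass
class SpdEntry:
    src: str
    dst: str
    upper: str
    direction: str
    policy: str
    rules: list


def parse_spd(text):
    """Return one SpdEntry per spdadd statement found in text."""
    entries = []
    for m in SPDADD_RE.finditer(text):
        rules = [r.groupdict() for r in RULE_RE.finditer(m.group("rules") or "")]
        entries.append(SpdEntry(m["src"], m["dst"], m["upper"], m["dir"], m["policy"], rules))
    return entries


def audit_spd(entries):
    """Flag ipsec policies whose level 'use' permits cleartext when no SA exists."""
    findings = []
    for e in entries:
        for r in e.rules:
            if e.policy == "ipsec" and r["level"] == "use":
                findings.append(f"{e.direction} {e.src}->{e.dst} {r['proto']}/{r['mode']}: "
                                "level 'use' falls back to cleartext without an SA; consider 'require'")
    return findings
```

Running audit_spd(parse_spd(SAMPLE_SPD)) reports the two use-level entries and passes the require-level one.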