Date:      Fri, 16 Nov 2001 14:10:45 +0900
From:      Shoichi Sakane <sakane@kame.net>
To:        icb-bsd@wi.rr.com
Cc:        rsmith@vetx.com, freebsd-net@FreeBSD.ORG
Subject:   Re: Re[2]: IPSEC / RAPTOR Firewall Interaction
Message-ID:  <20011116141045I.sakane@kame.net>
In-Reply-To: Your message of "Thu, 15 Nov 2001 22:20:47 -0600" <73629279173.20011115222047@wi.rr.com>
References:  <73629279173.20011115222047@wi.rr.com>

> What about info in regards to running a FreeBSD IPSEC server (racoon)
> with DHCP clients (road warriors)?  I haven't seen anything about that... Is it
> possible?  If so, any links to info?  Thanks in advance.

racoon can exchange SAs in such a scenario by using the "generate_policy"
directive, but there is no documentation; the only one is probably
racoon.conf(5).  You know there are several scenarios for "road warriors",
and IKE and IPsec have many tweaks, so there are several solutions for
those scenarios.  Here is one of them.

I'm using a laptop PC whose IP address is assigned dynamically.
I access the mail server from my laptop.  I only use IPsec
transport mode.  I use certificates because this is the way to solve
the scenario with IKE main mode.  I attach my configuration to this mail.

1. racoon.conf on the laptop.
2. policy parameters on the laptop.
3. racoon.conf on the server.
The server needs no policy configuration.

I hope it helps you.

regards,

Attachment 1: racoon-client.conf

# $KAME: racoon.conf.sample,v 1.21 2000/12/17 21:17:53 sakane Exp $

path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
# Relative certificate and key file names are resolved against this directory.
path certificate "/usr/local/etc/certs" ;

# "anonymous" matches any peer address for which no more specific "remote"
# block exists.  The laptop has no fixed address, so the same wildcard is
# used on both sides.
remote anonymous
{
	# The first mode listed is used when initiating; all listed modes are
	# accepted when responding.
	exchange_mode main,aggressive,base;

	# Identity sent in phase 1, and the identity expected from the peer.
	# peers_identifier is only enforced if verify_identifier is on
	# (see racoon.conf(5)).
	my_identifier user_fqdn "sakane@tanu.org";
	peers_identifier fqdn "mine.kame.net";
	# Own certificate and private key for rsasig; absolute paths here.
	certificate_type x509
		"/usr/home/sakane/etc/certs/sigby-ssh.cert"
		"/usr/home/sakane/etc/certs/privkey" ;

	# Phase 1 (ISAKMP SA) lifetime.
	lifetime time 60 min ;
	# As responder, accept the initiator's lifetime and PFS settings.
	proposal_check obey;

	# phase 1 proposal (for ISAKMP SA), offered in this order
	proposal {
		encryption_algorithm aes;
		hash_algorithm sha1;
		authentication_method rsasig ;
		dh_group 2 ;		# 1024-bit MODP
	}
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method rsasig ;
		dh_group 2 ;
	}
	# Pre-shared key fallback; needs a matching entry in psk.txt.
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}
}

# Phase 2 (IPsec SA) parameters for any selector.
sainfo anonymous
{
	pfs_group 2;
	lifetime time 30 min ;
	# ESP algorithms in order of preference.
	encryption_algorithm aes, 3des, cast128, blowfish ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}

Attachment 2: policy-client.conf

# setkey -f policy for the laptop.  Entries are searched in the order they
# were added, so the more specific DNS entries come before the catch-alls.
spdflush;

# Let DNS through in the clear: names must resolve before any SA can be set up.
spdadd  ::/0[53] ::/0 any -P in none;
spdadd  ::/0 ::/0[53] any -P out none;
# Everything else: ESP in transport mode.  Level "use" means an SA is used
# when one exists and the packet is otherwise passed in the clear; "require"
# would hold the packet back until the SA has been negotiated.
spdadd  ::/0 ::/0 any -P out ipsec esp/transport//use;
spdadd  ::/0 ::/0 any -P in ipsec esp/transport//use;
# Same for IPv4.
spdadd  0.0.0.0/0[53] 0.0.0.0/0 any -P in none;
spdadd  0.0.0.0/0 0.0.0.0/0[53] any -P out none;
spdadd  0.0.0.0/0 0.0.0.0/0 any -P out ipsec esp/transport//use;
spdadd  0.0.0.0/0 0.0.0.0/0 any -P in ipsec esp/transport//use;

Attachment 3: racoon-server.conf

# $KAME: racoon.conf.sample,v 1.21 2000/12/17 21:17:53 sakane Exp $

path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
# Relative certificate and key file names are resolved against this directory.
path certificate "/usr/local/etc/certs" ;

# "anonymous" matches any peer address.  The road warrior's address is not
# known in advance, so no per-peer "remote" block is possible.
remote anonymous
{
	# All listed modes are accepted when responding (the first one would
	# be used when initiating, which passive on rules out).
	exchange_mode main,aggressive,base;

	my_identifier fqdn "mine.kame.net";
	# Only enforced if verify_identifier is on (see racoon.conf(5)).
	peers_identifier user_fqdn "sakane@tanu.org";
	# Relative to "path certificate" above.
	certificate_type x509 "cert-signed-by-ssh.pem" "privkey.pem" ;

	# Phase 1 (ISAKMP SA) lifetime.
	lifetime time 15 min ;  # sec,min,hour
	# Accept the initiator's lifetime and PFS settings.
	proposal_check obey;

	# The road-warrior part: with no SPD entry for the unknown client
	# address, racoon builds the server-side policy from the initiator's
	# first phase 2 proposal.  This only makes sense for a responder,
	# hence passive on.
	generate_policy on;
	passive on;

	# phase 1 proposal (for ISAKMP SA)
	proposal {
		encryption_algorithm aes;
		hash_algorithm sha1;
		authentication_method rsasig ;
		dh_group 2 ;		# 1024-bit MODP
	}
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method rsasig ;
		dh_group 2 ;
	}
	# Pre-shared key fallback.  In main mode the key has to be selected by
	# the peer's address, which a road warrior does not have; that is why
	# certificates come first.
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}
}

# Phase 2 (IPsec SA) parameters for any selector.
sainfo anonymous
{
	pfs_group 2;
	lifetime time 5 min ;
	# ESP algorithms in order of preference.
	encryption_algorithm aes, 3des, cast128, blowfish ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}


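As an added check (example code written for this page, not part of the mail or of the KAME racoon/setkey sources), the Python script below parses the posted client policy file and the phase-1 part of the server's racoon.conf and reports what a reviewer would want to know before copying this setup: which SPD entries let traffic pass without ESP (the DNS bypass entries, and the "use" level, which falls back to cleartext until an SA exists), whether a pre-shared-key proposal is offered while aggressive mode is accepted (in which case the responder's HASH_R travels unencrypted and the PSK can be guessed offline), and whether generate_policy is enabled without passive, which racoon.conf(5) says belong together. The embedded inputs are constructed copies of the attachments above; the regex-based parsers are deliberately minimal and only understand the directives that appear there.

```python
"""Audit a setkey SPD file and a racoon.conf remote block (added example; constructed samples)."""
import re
from collections import namedtuple

# Constructed sample: the laptop SPD posted in the mail (setkey -f syntax).
POLICY_CLIENT = """\
spdflush;
spdadd  ::/0[53] ::/0 any -P in none;
spdadd  ::/0 ::/0[53] any -P out none;
spdadd  ::/0 ::/0 any -P out ipsec esp/transport//use;
spdadd  ::/0 ::/0 any -P in ipsec esp/transport//use;
spdadd  0.0.0.0/0[53] 0.0.0.0/0 any -P in none;
spdadd  0.0.0.0/0 0.0.0.0/0[53] any -P out none;
spdadd  0.0.0.0/0 0.0.0.0/0 any -P out ipsec esp/transport//use;
spdadd  0.0.0.0/0 0.0.0.0/0 any -P in ipsec esp/transport//use;
"""

# Constructed sample: the phase-1 part of the server racoon.conf from the mail.
RACOON_SERVER = """\
remote anonymous
{
	exchange_mode main,aggressive,base;
	generate_policy on;
	passive on;
	proposal {
		encryption_algorithm aes;
		hash_algorithm sha1;
		authentication_method rsasig ;
		dh_group 2 ;
	}
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}
}
"""

SPDADD_RE = re.compile(r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)\s+(?P<policy>.+?)\s*;$")
ADDR_RE = re.compile(r"^(?P<addr>[^\[]+)(?:\[(?P<port>\d+)\])?$")
# action: "none", "discard" or "ipsec"; level: "default"/"use"/"require"/"unique", None unless ipsec
SpdRule = namedtuple("SpdRule", "src src_port dst dst_port upper direction action level")
_endpoint = lambda addr, port: f"{addr}[{port}]" if port else addr


def parse_spd(text: str) -> list:
    """Parse spdadd lines; spdflush, comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = SPDADD_RE.match(line.strip())
        if not m:
            continue
        s, d = ADDR_RE.match(m["src"]), ADDR_RE.match(m["dst"])
        policy = m["policy"].split()
        level = None
        if policy[0] == "ipsec":  # protocol/mode/src-dst/level, e.g. esp/transport//use
            parts = policy[1].split("/")
            level = parts[3] if len(parts) > 3 and parts[3] else "default"
        rules.append(SpdRule(s["addr"], s["port"], d["addr"], d["port"], m["upper"], m["dir"], policy[0], level))
    return rules


def audit_spd(rules: list) -> list:
    """Report every entry that lets traffic pass without ESP."""
    findings = []
    for r in rules:
        where = f"{r.direction} {_endpoint(r.src, r.src_port)} -> {_endpoint(r.dst, r.dst_port)}"
        if r.action == "none":
            findings.append(f"{where}: bypasses IPsec entirely")
        elif r.action == "ipsec" and r.level in ("use", "default"):
            findings.append(f"{where}: level '{r.level}' passes cleartext until an SA exists ('require' would block)")
    return findings


def parse_phase1(text: str) -> dict:
    """Minimal extraction of exchange_mode, generate_policy, passive and proposal blocks."""
    m = re.search(r"exchange_mode\s+([^;]+);", text)
    modes = [x.strip() for x in m.group(1).split(",")] if m else []
    flags = {k: re.search(rf"\b{k}\s+on\s*;", text) is not None
             for k in ("generate_policy", "passive")}
    proposals = []
    for block in re.finditer(r"\bproposal\s*\{(.*?)\}", text, re.S):
        kv = {}
        for stmt in block.group(1).split(";"):
            parts = stmt.split()
            if len(parts) >= 2:
                kv[parts[0]] = " ".join(parts[1:])
        proposals.append(kv)
    return {"exchange_mode": modes, "proposals": proposals, **flags}


def audit_phase1(conf: dict) -> list:
    """Flag PSK with aggressive mode (HASH_R is sent in the clear, so the PSK can be
    guessed offline) and generate_policy without passive (racoon.conf(5) pairs them)."""
    findings = []
    if "aggressive" in conf["exchange_mode"]:
        for i, p in enumerate(conf["proposals"], 1):
            if p.get("authentication_method") == "pre_shared_key":
                findings.append(f"proposal {i}: pre_shared_key offered with aggressive mode")
    if conf["generate_policy"] and not conf["passive"]:
        findings.append("generate_policy on without passive on")
    return findings
```

Run against the posted files it flags all eight SPD entries (four DNS bypasses, four "use" entries) and the third phase-1 proposal on the server, which is the pre-shared-key fallback behind the two rsasig proposals. A tighter variant of the same policy would scope the ESP entries to the mail server's fixed address with level "require", keeping the wildcard only on the laptop's dynamic side.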
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011116141045I.sakane>