Date:      Thu, 15 Nov 2007 03:14:04 -0800 (PST)
From:      john decot <johndecot@yahoo.com>
To:        freebsd-security@freebsd.org
Subject:   IPSEC help 
Message-ID:  <199790.94058.qm@web55411.mail.re4.yahoo.com>

Hi,

        I am new to IPsec and am trying to connect my BSD server with Windows 2000. I have succeeded in tunnelling using a pre-shared key, but with certificates I have not succeeded.

      The following is the configuration:

racoon.conf

path certificate "/usr/local/openssl/certs" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
log debug;

remote anonymous
{
    exchange_mode main,aggressive,base;
    #exchange_mode main,base;
    my_identifier asn1dn;
    peers_identifier asn1dn;

    certificate_type x509 "bsd.public" "bsd.priv" ;

    lifetime time 24 hour ;    # sec,min,hour

    #initial_contact off ;
    #passive on ;

    # phase 1 proposal (for ISAKMP SA)
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig ;
        dh_group 2 ;
    }

    # the configuration makes racoon (as a responder) to obey the
    # initiator's lifetime and PFS group proposal.
    # this makes testing so much easier.
    proposal_check obey;
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
#    pfs_group 2;
    lifetime time 12 hour ;
    encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}

--------------------------END------------------------------------------------------------------
The certificates were created on BSD with the following commands:


openssl req -new -nodes -newkey rsa:1024 -sha1  -days 1095 -keyout bsd.private -out request.pem
openssl x509 -req -in request.pem -days 1095 -signkey bsd.private -out bsd.public

openssl pkcs12 -export -inkey bsd.private -in bsd.public -out win.p12 -name "win cert"

ln -s bsd.public `openssl x509 -noout -hash -in bsd.public`.0


     I used win.p12 on the Windows 2000 Professional box for this process.


   Could anyone please help me configure it?

Thank you,

Regards,
John
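A consistency check for the directory racoon reads certificates from, added here as an example and not part of the original post. It assumes openssl(1) is on PATH and takes the directory and file names as parameters; besides the key/certificate match and the <hash>.0 link from the ln -s step above, it catches a key file that does not exist (the racoon.conf above names bsd.priv while the openssl command writes bsd.private) and a key that is readable by other users.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a racoon
# certificate directory before chasing IKE negotiation errors.
# Assumes openssl(1) is on PATH; directory and file names are parameters.

# check_cert_pair DIR CERT KEY
# Returns 0 when CERT and KEY in DIR belong together, KEY is not readable
# by group/others, the <issuer hash>.0 link that libcrypto uses for chain
# lookup exists, and 'openssl verify' accepts CERT from that directory.
# Otherwise prints the first problem found and returns 1.
check_cert_pair() {
    dir=$1; cert=$2; key=$3

    [ -f "$dir/$cert" ] || { echo "missing certificate: $dir/$cert"; return 1; }
    [ -f "$dir/$key" ]  || { echo "missing private key: $dir/$key"; return 1; }

    # Group/other permission bits of the key must be empty.  ls(1) output
    # is the same on BSD and GNU, unlike the flags of stat(1) and find(1).
    perms=$(ls -l "$dir/$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "private key readable by others: $perms"; return 1; }

    # An RSA certificate and key belong together iff the modulus matches.
    cmod=$(openssl x509 -noout -modulus -in "$dir/$cert" 2>/dev/null) \
        || { echo "cannot parse certificate $cert"; return 1; }
    kmod=$(openssl rsa -noout -modulus -in "$dir/$key" 2>/dev/null) \
        || { echo "cannot parse RSA key $key"; return 1; }
    [ "$cmod" = "$kmod" ] || { echo "certificate and key do not match"; return 1; }

    # libcrypto locates issuer certificates through <hash>.0 links in the
    # 'path certificate' directory (the ln -s step in the post).  For a
    # self-signed certificate the issuer hash equals its own subject hash.
    # The hash algorithm changed in OpenSSL 1.0; a racoon built against an
    # older libcrypto needs a link named after -subject_hash_old as well.
    h=$(openssl x509 -noout -issuer_hash -in "$dir/$cert")
    [ -r "$dir/$h.0" ] || { echo "issuer link $dir/$h.0 missing"; return 1; }

    # Finally let libcrypto do the lookup exactly as racoon would.
    openssl verify -CApath "$dir" "$dir/$cert" >/dev/null 2>&1 \
        || { echo "openssl verify -CApath $dir $cert failed"; return 1; }

    echo "ok: $cert and $key are consistent"
    return 0
}

# Usage: check_cert_pair /usr/local/openssl/certs bsd.public bsd.private
```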
