Date:      Thu, 07 Feb 2002 20:30:24 -0500
From:      "James F. Hranicky" <jfh@cise.ufl.edu>
To:        security@freebsd.org
Subject:   Re: Questions (Rants?) About IPSEC
Message-ID:  <20020212021152.079C39F292@okeeffe.bestweb.net>


"James F. Hranicky" <jfh@cise.ufl.EDU> wrote in message
news:list.freebsd.security#20020207163347.51C606B29@mail.cise.ufl.edu...

> I don't understand what you mean here; IPsec doesn't require anything special
> from routing.

Hmmm...well, what I'd like is to be able to query the router for the 
nets that are behind it, and automagically add those to the IPSEC
config.
 
> There are some new RFCs about NATting IPsec tunnel packets.
> You can only NAT tunnel packets because the outer headers are not
> authenticated.

I mean NATting them after decryption, so they can find their way back
to an arbitrary IPSEC router within the internal net and not go back
out the border router due to the outside source address. I sent a
post detailing this a couple of weeks ago. ("IPSEC into network behind
the primary router", 1/17/02)

> > o Is this really the case, or am I just wrong here?
> Every IPsec endpoint needs its own private key + certificate + CA certificate,
> that's all.

Great! What a relief. I guess I've had a hard time understanding racoon.conf.

> The intention with IPsec is that you don't need all public certs from all
> your peers.
> You only need (all) CA certs.
> If you start a session, the remote party (racoon) sends its cert.
> Your local racoon looks to see if it has a CA cert which has signed your peer's
> cert.
> It then verifies the peer cert.
> This is also the only way for mobile users.

Ok, great.

> You should really first do some tests with IPsec.
> I used 2 FreeBSD machines (inside VMware).
> There are numerous examples on the net which clarify your questions.
> It works with Win2000,
> with pre-shared authentication keys, associated with IP addresses,
> with cert authentication, associated with X.509 names/email addresses.

Awesome. I've been searching the 'net for quite a while, but the docs
I've found seemed on the terse side. I'll give it a go and see what
happens. I have been able to get simple transport mode + shared secrets
working, so now I'll try out the certs.

Thanks a ton!

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
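The certificate setup the quoted reply describes (each endpoint holds its own key and cert plus the CA cert, and racoon checks the peer's cert against the CA rather than against a stored copy of every peer's cert) looks roughly like the following racoon.conf. This is an added example for this archive page, not a config from the thread or from the racoon project; the directory and file names (/usr/local/etc/racoon/certs, host.cert.pem, host.key.pem) are assumptions, and the `remote anonymous` block is what lets roaming peers with unknown addresses connect, as the reply says certs are the only workable method for mobile users.

```conf
# Added example, not from the original message.
# Assumed layout: the host key/cert live in this directory, together with the
# CA cert (installed under its OpenSSL subject-hash name, see note below).
path certificate "/usr/local/etc/racoon/certs";

# 'anonymous' accepts any peer address, which is what mobile users need;
# the peer is then authenticated by its certificate, not its IP.
remote anonymous {
        exchange_mode main;

        # This endpoint's own cert and private key (assumed file names).
        certificate_type x509 "host.cert.pem" "host.key.pem";

        # Check the peer's cert chains to a CA we hold. Stated explicitly so
        # nobody later turns it off; with it off any cert would be accepted.
        verify_cert on;

        # Identify both sides by the X.509 subject DN, not by address.
        my_identifier asn1dn;
        peers_identifier asn1dn;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                # RSA signatures over the cert rather than pre-shared keys.
                authentication_method rsasig;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Note that the KAME-era racoon of this thread locates CA certs in the `path certificate` directory by OpenSSL subject hash, so the CA cert must be linked under that name (`ln -s ca.cert.pem "$(openssl x509 -noout -hash -in ca.cert.pem).0"` in that directory); if the hash link is missing, racoon cannot find a signer for the peer's cert and the negotiation fails rather than silently succeeding. The algorithm choices (3DES, SHA1, DH group 2) match what peers of that period supported and would be replaced by AES and stronger groups today.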

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020212021152.079C39F292>