Date:      Fri, 12 Jan 2001 11:05:40 -0800
From:      Boris <koester@x-itec.de>
To:        Jorge Peixoto Vasquez <jorge@aker.com.br>
Cc:        freebsd-net@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject:   Re: IPSEC: racoon and Win2K
Message-ID:  <1322983510.20010112110540@x-itec.de>
In-Reply-To: <3A5B6E27.5787D716@aker.com.br>
References:  <3A5B6E27.5787D716@aker.com.br>

Hello Jorge,

Tuesday, January 09, 2001, 12:01:43 PM, you wrote:

JPV> I've read the mini-howto on how to setup IPSEC on the FreeBSD
JPV> (http://asherah.dyndns.org/~josh/ipsec-howto.txt) and have been most
JPV> successful so far.

Thanks for reading our IPSEC-MINI-HOWTO.

JPV> The only problem I've encountered is that, when making Win2K and FreeBSD
JPV> interoperate, the IKE's phase 2 only succeeds if
JPV> Win2K initiates the process. If racoon is to start it, Win2k will not
JPV> accept any proposal for phase 2, complaining that the dh group number

I needed a connection from Win2k as initiator to my FreeBSD development
server (FTP, CVS and so on) at the time I was writing the Win2k
portability part for FreeBSD. I never tested connecting from the
bsd box to Win2k, because the bsd box should never initiate the
connection first.

This way has some nice security advantages, too. I think it's time to
update the HOWTO soon. Until then, I will follow the comments on this
list to collect some material for it, and if I use one or two
things from someone on this list, that person will be named in the
tutorial, of course.

I am planning an SGML version of the howto (DocBook 4.1 SGML) and to write some more
background information on how everything works. I asked Josh about the
idea, but until today I have had no answer - maybe he is very busy at the
moment. However, I will start updating the tutorial soon to make some
things clearer.

After making the update, I will contact Josh and then I will post a
notification here.

The questions people sent to me were mostly like these:

* they contacted us first (they should ask the list first *ggg)
* phase commit errors (no encryption pack installed)
* misunderstandings about ESP, why not to use SSH
* how to create SSL certificates and how to use them with IPsec/IKE
...

I will make these things clearer in the next update of the HOWTO.

I will read some comments about the IPsec topic here on the list, and
after some weeks I will make a nice update, directly in
SGML format so that it can be read as an HTML book.

JPV> (which should correctly be either 1 or 2) received is 1 or 2 (depending
JPV> on the pfs_group setting in racoon.conf) and not null(0). If I try
JPV> setting pfs_group to null, I get a parse error.

It takes me some time to find a qualified solution, because I am
writing and maintaining the HOWTO in my free time. I will try to find
a solution, if you can explain to me why you want to establish the
connection from the bsd box first.

JPV> All the docs I found in the kame site (www.kame.net), the handbook, and
JPV> the man pages haven't been of any help too.

We will see what we can do -)


JPV> p.s. I am using FreeBSD 4.2-Stable, racoon 20001111a and (YES) I got the
JPV> high-encryption pack and SP1 installed on the Win2K box. 

Ok, that's very good and very important.

--
Boris [MCSE, CNA]
...................................................................
 X-ITEC : Consulting * Programming * Net-Security * Crypto-Research
........: [PRIVATE ADDRESS:] 
        : Boris Köster eMail koester@x-itec.de http://www.x-itec.de 
        : Grüne 33-57368 Lennestadt Germany Tel: +49 (0)2721 989400
        : 101  PERFECTION - SECURITY - STABILITY - FUNCTIONALITY 
........:..........................................................

Everything I am writing is (c) by Boris Köster and may not be 
rewritten or distributed in any way without my permission.		
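As an added illustration of the setting Jorge is asking about (this is not from the original message or from the HOWTO it refers to): the Diffie-Hellman group that racoon proposes in phase 2 (quick mode) comes from the pfs_group directive in the sainfo section of racoon.conf. racoon.conf(5) documents that the directive takes a group number, such as 1 or 2, and that PFS is simply not required when the directive is omitted; there is no "null" value, which is why "pfs_group null" is rejected by the parser. Whether a racoon-initiated phase 2 without a PFS group is then accepted by Win2K is not something this thread establishes. The algorithm and lifetime choices below are assumptions for illustration only.

```conf
# Added example, not part of the thread or the HOWTO.
# Two sainfo stanzas shown side by side for comparison; in a real
# racoon.conf only one of them would be present.

# Variant A: racoon proposes PFS in phase 2.
# Every quick mode proposal that racoon *initiates* now carries a
# Diffie-Hellman group (here 2 = modp1024). A peer whose policy has
# PFS turned off sees a non-zero group where it expects none and
# refuses the proposal.
sainfo anonymous
{
    pfs_group 2;                        # 1 = modp768, 2 = modp1024
    lifetime time 36000 sec;            # assumption: 10 hour SA lifetime
    encryption_algorithm 3des;          # assumption
    authentication_algorithm hmac_sha1; # assumption
    compression_algorithm deflate;
}

# Variant B: no pfs_group directive at all.
# racoon.conf(5): omitting the directive means PFS is not required.
# This, and not "pfs_group null" or "pfs_group 0", is how PFS is
# left out of racoon's own phase 2 proposals.
sainfo anonymous
{
    lifetime time 36000 sec;            # assumption
    encryption_algorithm 3des;          # assumption
    authentication_algorithm hmac_sha1; # assumption
    compression_algorithm deflate;
}
```

The practical check is that both ends agree on PFS, not that either side has the "right" value: on the Win2K side the corresponding knob is the session key perfect forward secrecy option in the IPSec policy's filter action properties, and a mismatch only shows up when the end that has PFS enabled is the one initiating phase 2, which matches the asymmetry Jorge describes.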
