Date:      Fri, 17 May 2002 03:27:00 +0200
From:      Dan Lukes <dan@obluda.cz>
To:        freebsd-security@freebsd.org
Subject:   Re: IPSEC interoperability with Win2K client?
Message-ID:  <3CE45C64.C940872A@obluda.cz>
References:  <3CE42800.2010605@whizcom.se>

Lasse Andersson wrote:
> 
> Hi,
> 
> Looking for any information about FreeBSD IPSEC interoperability with
> Win2K clients?

> +-------+               +------+                    +--------+
> |w2k    |    internet   |FBSD  |  internal network  |internal|
> |clients|---------------|FW w. |--------------------|hosts   |
> |       |     IPSEC     |IPSEC |       no IPSEC     |        |
> +-------+               +------+                    +--------+

	You need ESP/tunnel mode for the presented configuration, but W2k seems not
to support it - at least with IKE (I don't know about
statically configured keys). W2k <-> racoon can maintain ESP/transport mode
only. 

	The only solution I know is PPTP covered by IPSEC:

+---------+                     +--------+ internal +--------+
|w2k      |   internet          |FBSD Fw | network  |internal|
|clients  |---------------------|IPSEC   |----------|hosts   |
|Oakley   | PPTP within         |racoon  | plain IP |        |
|PPTP VPN | IPSEC ESP/transport |MPD     |          |        |
+---------+                     +--------+          +--------+

	Some notes for you:
1. install all available patches to W2k (windowsupdate.microsoft.com)
2. M$ network client MUST be installed, although it may be disabled
3. W2k doesn't support aggressive mode negotiation

When w2k has a known static IP:
4. preshared key or x509 authentication possible


When w2k has dynamic IP:
4.1 x509 authentication only
4.2 "generate_policy on" is mandatory in racoon.conf

when x509 authentication used:
5. racoon doesn't support CRLs now, so individual revocation 
   of keys isn't possible - all keys signed by approved CA are 
   suitable for communication
6. cert of CA used to sign W2k side keys must be 
   put into racoon's "path certificate" directory with appropriate 
   name (<cert. hash>.0, see "x509 -hash -in CAcert.pem")
7. use latest racoon and FreeBSD 4.5-STABLE

Example configuration when X509 authentication used:
== ESP Transport, X509 authentication  ==================
============ FreeBSD with racoon, W2k with dynamic IP  ==

---- ipsec.conf (for setkey, FreeBSD side) --------
flush;
spdflush;
---- ipsec.conf (for setkey) - END ------------------

---- racoon.conf (for racoon, FreeBSD side) -------
path include "/usr/local/etc/racoon" ;
path certificate "/usr/local/etc/racoon" ;
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}
timer
{
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.
        phase1 30 sec;
        phase2 15 sec;
}
remote anonymous
{
        exchange_mode main;
        doi ipsec_doi;
        my_identifier address;
        certificate_type x509 "cert.pem" "key.pem";
        generate_policy on;
        nonce_size 16;
        lifetime time 1 min;    # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method rsasig ;
                dh_group 2 ;
        }
}

sainfo anonymous
{
        pfs_group 1;
        lifetime time 30 sec;
        encryption_algorithm 3des,des,cast128,blowfish ;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate ;
}
---- racoon.conf (for racoon) - END ------------------

On W2k side:
Run mmc.exe.

Console->[Add/Remove Snap In]->Add
Select [IP Security Policy Manager] (Local Computer) and [Certificates] 
(Local Computer, Computer Account).

Add CA certs for both side keys to 
"Console Root\Certificates (Local Computer)\Trusted Root Certification
Authorities\Certificates" 
(right mouse button, "All tasks->Import")

W2k station key and cert (signed by CA) add to 
"Console Root\Certificates (Local Computer)\Personal\Certificates"
You need the key and cert in PKCS12 format to do it.
Verify that status is "OK"

Now you should create policy, so:
[IP Security Policy Manager], New (right button), tell a name, 
UNCHECK "Activate the default response rule", CHECK "Edit properties". 
Create new IP Security Rule (Add button). 
THIS RULE DOES NOT SPECIFY A TUNNEL
[All Network Connections], 
Use a Certificate from this Certificate Authority
Browse (select cert of CA used to sign opposite side cert). 
Go to IP FILTER LISTS, [Add], again [Add], 
Source Address is "My address"
Destination is "specific DNS address" or "specific IP address", 
protocol = Any, [Finish], [Close]. 
We are back in "IP filter lists". CHECK created filter then [Next], 
"Require security" (NOT Optional!), [Next], [Finish], [Close]. 

We are back in MMC. 
Use right button on Policy and select "Assign". 

It should work now (you may want to run IPsecmon.exe monitor). 
Note, the session is opened "on demand" so you see no association 
unless you initiate a communication with FreeBSD side. 
Remember - YOU HAVE NO TUNNEL - but you can configure 
MPD on FreeBSD together with VPN on W2k to create the tunnel.

%SystemRoot%\debug\oakley.log will be created if you set
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PolicyAgent\Oakley]
"EnableLogging"=dword:00000001
"Debug"=dword:000000ff


	The racoon and W2k IKE are still not "plug&work" ready and it isn't
reliable. It's necessary to have some knowledge about IPSEC itself,
ISAKMP protocol and X509 keys (if used). The lack of CRL support 
on racoon side limits the usability a lot in production environment 
also.


				Hope it helps.

 

						Dan

-- 
Dan Lukes,  SISAL, MFF UK  tel: +420 2 21914205, fax: +420 2 21914206
AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz, dan@fio.cz
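As an added example (not part of the mail above), a small Python checker that parses a racoon.conf with a simplified grammar assumed here (statements end in `;`, blocks use braces, `#` comments) and flags the W2k interoperability points listed in the mail: no aggressive mode, `generate_policy on` when the W2k side has a dynamic IP, and rsasig when x509 is configured. The embedded configuration is constructed to mirror the FreeBSD-side racoon.conf in the mail.

```python
"""Sanity-check a racoon.conf against the W2k interoperability notes."""
import re

# Constructed sample mirroring the mail's FreeBSD-side racoon.conf.
SAMPLE_CONF = """
path certificate "/usr/local/etc/racoon" ;
remote anonymous {
        exchange_mode main;
        my_identifier address;
        certificate_type x509 "cert.pem" "key.pem";
        generate_policy on;          # mandatory for dynamic-IP W2k clients
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method rsasig ;
                dh_group 2 ;
        }
}
"""

def parse_block(tokens):
    """Parse `key value... ;` statements and `name { ... }` blocks into a dict."""
    block, stmt = {}, []
    while tokens:
        tok = tokens.pop(0)
        if tok == ';':                      # statement: first word is the key
            if stmt:
                block[stmt[0]] = stmt[1:]
            stmt = []
        elif tok == '{':                    # nested block keyed by its header words
            block[' '.join(stmt)] = parse_block(tokens)
            stmt = []
        elif tok == '}':
            return block
        else:
            stmt.append(tok)
    return block

def parse_racoon_conf(text):
    text = re.sub(r'#[^\n]*', '', text)     # drop comments before tokenizing
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)
    return parse_block(tokens)

def check_w2k_interop(conf, w2k_dynamic_ip):
    """Return the list of problems relative to the mail's notes (empty if none)."""
    problems = []
    remote = conf.get('remote anonymous', {})
    if remote.get('exchange_mode') != ['main']:
        problems.append('W2k does not support aggressive mode: use exchange_mode main')
    if w2k_dynamic_ip and remote.get('generate_policy') != ['on']:
        problems.append('generate_policy on is mandatory when W2k has a dynamic IP')
    auth = remote.get('proposal', {}).get('authentication_method')
    if remote.get('certificate_type', [''])[0] == 'x509' and auth != ['rsasig']:
        problems.append('x509 certificate configured but authentication_method is not rsasig')
    if w2k_dynamic_ip and auth == ['pre_shared_key']:
        problems.append('pre-shared keys only work when W2k has a static IP')
    return problems
```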

