From owner-freebsd-security@FreeBSD.ORG Wed May 7 21:04:46 2003
Date: Wed, 07 May 2003 22:04:32 -0600
From: Brett Glass <brett@lariat.org>
To: Michael Collette, FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: VPN through BSD for Win2k, totally baffled
Message-Id: <4.3.2.7.2.20030507220032.00bcec10@localhost>
In-Reply-To: <200305071921.33596.metrol@metrol.net>

I've been using PPTP for this purpose. Microsoft's PPTP implementation is pretty brain dead, but if you're willing to bend the configuration of your network a little to accommodate it and configure your clients carefully, you can set up a VPN that's accessible from most versions of Windows. Not super-secure, but secure enough for most purposes.

I have been interested in trying L2TP, but am not sure about the stability of the server software for FreeBSD. And I can't find a FreeBSD client.
(There's an L2TP netgraph node, but there are no docs on how to use it with mpd and likewise nothing on how to use it with userland PPP.)

--Brett

At 08:21 PM 5/7/2003, Michael Collette wrote:

>Scenario:
>FreeBSD box running IPFW acting as a gateway to a private network. The private network is made up of entirely routable IP addresses. External users running Win2k and XP on DSL connections with dynamic IPs.
>
>Goal:
>To have the FreeBSD gateway securely authenticate and encrypt the traffic between the outside users and the internal network.
>
>I've spent the last 3 days running up and down Google and reading any books that approach the subject of setting up a VPN. The further down this road I've travelled, the more confused I am.
>
>I assume the following:
> * Need to have a certificate setup with OpenSSL.
> * Racoon needs to deal with a key exchange.
> * Some kind of tunneling gets put into play.
> * Setkey needs appropriate policies.
>
>I happened across the Google cache of a tutorial that seems to cover this subject. There seem to be a couple of key points missing, as well as some apparently out-of-date syntax. I did manage to create a CA and client cert from a mix of this tutorial and the AbsoluteBSD book.
>
>http://216.239.37.104/search?q=cache:mFG0kB-ghLoC:www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO-2.html+FreeBSD-WIN2K-IPSEC-HOWTO-2.html&hl=en&lr=lang_en&ie=UTF-8
>
>Managed to get a certificate generated from that process installed on a test XP box per the following...
>
>http://216.239.33.104/search?q=cache:FFxjH0VQGD0C:www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO-4.html+FreeBSD-WIN2K-IPSEC-HOWTO-4.html&hl=en&lr=lang_en&ie=UTF-8
>
>Where I totally lost it was on the FreeBSD setup. The author is referring to certificates that he never described how they should be created. I didn't know what in the heck to do here.
>
>http://216.239.33.104/search?q=cache:oNMJe4EHOu4C:www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO-3.html+FreeBSD-WIN2K-IPSEC-HOWTO-3.html&hl=en&lr=lang_en&ie=UTF-8
>
>Am I even on the right path? Aside from this one tutorial I've been through several others, as well as looking at a variety of IPSec related pages. There's obviously a number of different approaches out there to take, but I'm simply looking for one that works. Just to know whether I'm heading in the correct direction or not would be an incredible help.
>
>Thanks,
>--
>"Outside of a dog, a book is man's best friend. Inside of a dog, it's too dark to read."
> - Groucho Marx
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
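The four pieces Michael lists (an OpenSSL certificate setup, racoon for the key exchange, setkey policies, and the tunnel itself) wired together on the FreeBSD side, as an added example that is not part of this thread, of the cited HOWTO, or of the racoon project. Everything named here is an assumption for illustration: the CA name, the gateway host gw.example.net, the client roadwarrior1, the /usr/local/etc/racoon layout, the 3DES/SHA1/DH-group-2 proposal, and the PKCS#12 export password. The racoon option names and openssl invocations are real; the Windows-side import of the .p12 file is the step Michael already has working and is not repeated here.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: CA "VPN Test CA",
# gateway gw.example.net, one Windows client roadwarrior1, output dir $1
# (defaults to a temp dir); copy the results under /usr/local/etc/racoon.
set -eu

# 1. Certificates: one private CA signs the gateway cert and one cert per
#    Windows client. The client cert ships as PKCS#12 (cert + key + CA)
#    for import into that machine's certificate store.
gen_certs() {
    dir=$1
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; skipping certificate generation" >&2
        return 0
    fi
    mkdir -p "$dir/certs"
    ( cd "$dir/certs"
      openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
          -subj "/CN=VPN Test CA" -keyout ca.key -out ca.crt 2>/dev/null
      for name in gw.example.net roadwarrior1; do
          openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
              -keyout "$name.key" -out "$name.csr" 2>/dev/null
          openssl x509 -req -days 730 -in "$name.csr" -CA ca.crt \
              -CAkey ca.key -CAcreateserial -out "$name.crt" 2>/dev/null
      done
      # racoon locates the CA by OpenSSL's subject-hash filename (<hash>.0);
      # use the hash form (new or old style) your openssl/racoon pair agree on.
      ln -sf ca.crt "$(openssl x509 -noout -hash -in ca.crt).0"
      # Bundle for the Windows client; "changeit" is a placeholder password.
      openssl pkcs12 -export -in roadwarrior1.crt -inkey roadwarrior1.key \
          -certfile ca.crt -passout pass:changeit -out roadwarrior1.p12
      chmod 600 ./*.key roadwarrior1.p12 )
}

# 2. racoon.conf: IKE main mode authenticated with RSA signatures.
#    "remote anonymous" + "passive on" accepts peers from any address (the
#    clients sit on dynamic DSL IPs); "generate_policy on" has racoon install
#    the SPD entries for whatever selectors each client negotiates, so no
#    per-client spdadd is needed; "verify_cert on" checks the client cert
#    against the CA in the certificate path.
write_racoon_conf() {
    cat > "$1/racoon.conf" <<'EOF'
path certificate "/usr/local/etc/racoon/certs";

remote anonymous {
        exchange_mode main;
        passive on;
        generate_policy on;
        certificate_type x509 "gw.example.net.crt" "gw.example.net.key";
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
}

# 3. setkey: with generate_policy the gateway carries no static SPD entries
#    for the road warriors; just start from an empty SAD/SPD at boot.
write_setkey_conf() {
    cat > "$1/ipsec.conf" <<'EOF'
flush;
spdflush;
EOF
}

# 4. ipfw: IKE (UDP/500) and ESP must be able to reach the gateway itself;
#    rules for the decrypted traffic onto the internal network follow your
#    own policy and are not shown.
write_ipfw_rules() {
    cat > "$1/ipfw-vpn.sh" <<'EOF'
#!/bin/sh
ipfw add 1000 allow udp from any to me 500
ipfw add 1010 allow esp from any to me
EOF
}

out=${1:-$(mktemp -d)}
gen_certs "$out"
write_racoon_conf "$out"
write_setkey_conf "$out"
write_ipfw_rules "$out"
echo "example files written under $out"
```

Run it once, then drop racoon.conf and the certs directory under /usr/local/etc/racoon, load ipsec.conf with setkey -f, and start racoon with the -F flag to watch the first exchange from a client in the foreground; the Windows side needs a policy whose proposal matches the 3DES/SHA1/group-2 set above and the roadwarrior1.p12 bundle imported into the computer (not user) store, as the HOWTO Michael cites describes.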