Date:      Fri, 17 May 2002 08:41:57 +0200
From:      "Karl M. Joch" <k.joch@kmjeuro.com>
To:        <freebsd-security@FreeBSD.ORG>
Subject:   Re: IPSEC interoperability with Win2K client?
Message-ID:  <0bb801c1fd6e$dfb956e0$01000001@ooe.kmjeuro.com>
References:  <3CE42800.2010605@whizcom.se> <3CE45C64.C940872A@obluda.cz>

W2k with racoon and IPsec works. But I found out that for most people using
Windows, PPTP is far easier to use. The best solution (IMHO) is mpd as a PPTP
dial-in server on FreeBSD. mpd runs very stably and is easy to configure for
it. Depending on your firewall setup, clients can connect and get into the
internal net, including assigning WINS and DNS servers for Win clients. 128-bit
PPTP encryption is recommended.
--
Best regards,

Karl M. Joch
KMJ Consulting - CTS Consulting & Trade Service
http://www.kmjeuro.com - http://www.ctseuro.com
k.joch@kmjeuro.com - k.joch@ctseuro.com

GSM : +43-664-3407888

Our services:
http://www.proline.at - Network and security technology
http://www.eushop.net - Online shop and applications, simply rented
http://www.freebsd.at - Power Operating System
----- Original Message -----
From: "Dan Lukes" <dan@obluda.cz>
To: <freebsd-security@FreeBSD.ORG>
Sent: Friday, May 17, 2002 3:27 AM
Subject: Re: IPSEC interoperability with Win2K client?


> Lasse Andersson wrote:
> >
> > Hi,
> >
> > Looking for any information about FreeBSD IPSEC interoperability with
> > Win2K clients?
>
> > +-------+               +------+                    +--------+
> > |w2k    |    internet   |FBSD  |  internal network  |internal|
> > |clients|---------------|FW w. |--------------------|hosts   |
> > |       |     IPSEC     |IPSEC |       no IPSEC     |        |
> > +-------+               +------+                    +--------+
>
> You need ESP/tunnel mode for the presented configuration, but W2k seems not
> to support it - at least with IKE (I don't know about
> static-configured keys). W2k <-> racoon can maintain ESP/transport mode
> only.
>
> The only solution I know is PPTP covered by IPSEC:
>
> +---------+                     +--------+ internal +--------+
> |w2k      |   internet          |FBSD Fw | network  |internal|
> |clients  |---------------------|IPSEC   |----------|hosts   |
> |Oakley   | PPTP within         |racoon  | plain IP |        |
> |PPTP VPN | IPSEC ESP/transport |MPD     |          |        |
> +---------+                     +--------+          +--------+
>
> Some notes for you:
> 1. install all available patches to W2k (windowsupdate.microsoft.com)
> 2. M$ network client MUST be installed, although it may be disabled
> 3. W2k doesn't support aggressive mode negotiation
>
> When w2k has a known static IP:
> 4. preshared key or x509 authentication possible
>
>
> When w2k has dynamic IP:
> 4.1 x509 authentication only
> 4.2 "generate_policy on" is mandatory in racoon.conf
>
> when x509 authentication used:
> 5. racoon doesn't support CRLs now, so individual revocation
>    of keys isn't possible - all keys signed by approved CA are
>    suitable for communication
> 6. cert of CA used to sign W2k side keys must be
>    put into racoon's "path certificate" directory with the appropriate
>    name (<cert. hash>.0, see "x509 -hash -in CAcert.pem")
> 7. use latest racoon and FreeBSD 4.5-STABLE
>
> Example configuration when X509 authentication used:
> == ESP Transport, X509 authentication  ==================
> ============ FreeBSD with racoon, W2k with dynamic IP  ==
>
> ---- ipsec.conf (for setkey, FreeBSD side) --------
> flush;
> spdflush;
> ---- ipsec.conf (for setkey) - END ------------------
>
> ---- racoon.conf (for racoon, FreeBSD side) -------
> path include "/usr/local/etc/racoon" ;
> path certificate "/usr/local/etc/racoon" ;
> padding
> {
>         maximum_length 20;      # maximum padding length.
>         randomize off;          # enable randomize length.
>         strict_check off;       # enable strict check.
>         exclusive_tail off;     # extract last one octet.
> }
> timer
> {
>         counter 5;              # maximum trying count to send.
>         interval 20 sec;        # maximum interval to resend.
>         persend 1;              # the number of packets per a send.
>         phase1 30 sec;
>         phase2 15 sec;
> }
> remote anonymous
> {
>         exchange_mode main;
>         doi ipsec_doi;
>         my_identifier address;
>         certificate_type x509 "cert.pem" "key.pem";
>         generate_policy on;
>         nonce_size 16;
>         lifetime time 1 min;    # sec,min,hour
>         initial_contact on;
>         support_mip6 on;
>         proposal_check obey;    # obey, strict or claim
>
>         proposal {
>                 encryption_algorithm 3des;
>                 hash_algorithm md5;
>                 authentication_method rsasig ;
>                 dh_group 2 ;
>         }
> }
>
> sainfo anonymous
> {
>         pfs_group 1;
>         lifetime time 30 sec;
>         encryption_algorithm 3des,des,cast128,blowfish ;
>         authentication_algorithm hmac_sha1, hmac_md5;
>         compression_algorithm deflate ;
> }
> ---- racoon.conf (for racoon) - END ------------------
>
> On W2k side:
> Run mmc.exe.
>
> Console->[Add/Remove Snap In]->Add
> Select [IP Security Policy Manager] (Local Computer) and [Certificates]
> (Local Computer, Computer Account).
>
> Add CA certs for both side keys to
> "Console Root\Certificates (Local Computer)\Trusted Root Certification
> Authorities\Certificates"
> (right mouse button, "All tasks->Import")
>
> Add the W2k station key and cert (signed by the CA) to
> "Console Root\Certificates (Local Computer)\Personal\Certificates"
> You need the key and cert in PKCS12 format to do it.
> Verify that status is "OK"
>
> Now you should create a policy, so:
> [IP Security Policy Manager], New (right button), give it a name,
> UNCHECK "Activate the default response rule", CHECK "Edit properties".
> Create new IP Security Rule (Add button).
> THIS RULE DOES NOT SPECIFY A TUNNEL
> [All Network Connections],
> Use a Certificate from this Certificate Authority
> Browse (select cert of CA used to sign the opposite side cert).
> Go to IP FILTER LISTS, [Add], again [Add],
> Source Address is "My address"
> Destination is "specific DNS address" or "specific IP address",
> protocol = Any, [Finish], [Close].
> We are back in "IP filter lists". CHECK created filter then [Next],
> "Require security" (NOT Optional!), [Next], [Finish], [Close].
>
> We are back in MMC.
> Use right button on Policy and select "Assign".
>
> It should work now (you may want to run IPsecmon.exe monitor).
> Note, the session is opened "on demand" so you see no association
> unless you initiate a communication with FreeBSD side.
> Remember - YOU HAVE NO TUNNEL - but you can configure
> MPD on FreeBSD together with VPN on W2k to create the tunnel.
>
> %SystemRoot%\debug\oakley.log will be created if you set
> [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PolicyAgent\Oakley]
> "EnableLogging"=dword:00000001
> "Debug"=dword:000000ff
>
>
> The racoon and W2k IKE are still not "plug&work" ready and it isn't
> reliable. It's necessary to have some knowledge about IPSEC itself,
> the ISAKMP protocol and X509 keys (if used). The lack of CRL support
> on the racoon side also limits the usability a lot in a production
> environment.
>
>
> Hope it helps.
>
>
>
> Dan
>
> --
> Dan Lukes,  SISAL, MFF UK  tel: +420 2 21914205, fax: +420 2 21914206
> AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz, dan@fio.cz
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
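As an added example (not code from Karl, Dan or the racoon project), here is a small Python checker for the racoon.conf settings Dan lists above for a W2k peer. It parses the block syntax shown in the post into nested dicts, reports as errors the points the post makes (no aggressive mode, generate_policy on for anonymous peers, a "path certificate" directory and rsasig when x509 is used) and, going beyond the post, warns about DES and MD5, which are weak by today's standards. The sample input is the posted racoon.conf trimmed to the sections the checks use; the parser, the check wording and the WEAK_ALGS set are my own assumptions, not anything racoon ships.

```python
# Added example, not from the thread: parse a racoon.conf and check the settings
# Dan's post calls out for Windows 2000 peers; the parser only covers the
# statement/block syntax seen in the post.
import re

# racoon.conf from Dan's post, trimmed to the parts the checks look at
POSTED_RACOON_CONF = '''
path include "/usr/local/etc/racoon" ;
path certificate "/usr/local/etc/racoon" ;
remote anonymous
{
        exchange_mode main;
        certificate_type x509 "cert.pem" "key.pem";
        generate_policy on;
        lifetime time 1 min;    # sec,min,hour
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method rsasig ;
                dh_group 2 ;
        }
}
sainfo anonymous
{
        pfs_group 1;
        encryption_algorithm 3des,des,cast128,blowfish ;
        authentication_algorithm hmac_sha1, hmac_md5;
}
'''

_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')
WEAK_ALGS = {'des', 'md5', 'hmac_md5'}   # assumption: what this audit calls weak

def tokenize(text):
    # Drop '#' comments, then split into quoted strings, words and { } ; punctuation
    return _TOKEN.findall(re.sub(r'#[^\n]*', '', text))

def _store(block, key, value):
    # Repeated keys (e.g. two 'path' statements) are collected into a list
    if key in block:
        if not isinstance(block[key], list):
            block[key] = [block[key]]
        block[key].append(value)
    else:
        block[key] = value

def _parse_block(tokens, i):
    # Parse statements up to the matching '}' (or end of input); returns (dict, next index)
    block, words = {}, []
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == ';':                      # 'key value ... ;'
            if words:
                _store(block, words[0], ' '.join(words[1:]))
            words = []
        elif tok == '{':                    # 'name [arg] { ... }'
            inner, i = _parse_block(tokens, i)
            _store(block, ' '.join(words), inner)
            words = []
        elif tok == '}':
            break
        else:
            words.append(tok)
    return block, i

def parse_racoon_conf(text):
    return _parse_block(tokenize(text), 0)[0]

def _weak(findings, where, block, keys):
    # Flag any algorithm in a comma/space separated list that is in WEAK_ALGS
    for key in keys:
        for alg in re.split(r'[,\s]+', block.get(key, '')):
            if alg in WEAK_ALGS:
                findings.append(('warning', f'{where}: {key} {alg} is weak'))

def audit_for_w2k(cfg):
    # Returns (severity, message) pairs: errors are the points from the post, warnings are extra
    findings = []
    paths = cfg.get('path', [])
    has_cert_path = any(p.startswith('certificate ') for p in (paths if isinstance(paths, list) else [paths]))
    for name, block in cfg.items():
        if not isinstance(block, dict):
            continue
        if name.startswith('remote '):
            if 'aggressive' in block.get('exchange_mode', '').split(','):
                findings.append(('error', f'{name}: W2k does not negotiate aggressive mode, use main'))
            if name == 'remote anonymous' and block.get('generate_policy') != 'on':
                findings.append(('error', f'{name}: generate_policy on is mandatory for dynamic-IP peers'))
            prop = block.get('proposal', {})
            if block.get('certificate_type', '').startswith('x509'):
                if not has_cert_path:
                    findings.append(('error', f'{name}: x509 in use but no "path certificate" is set'))
                if prop.get('authentication_method') != 'rsasig':
                    findings.append(('error', f'{name}: x509 needs authentication_method rsasig'))
            _weak(findings, f'{name} proposal', prop, ('encryption_algorithm', 'hash_algorithm'))
        elif name.startswith('sainfo '):
            _weak(findings, name, block, ('encryption_algorithm', 'authentication_algorithm'))
    return findings
```

Calling audit_for_w2k(parse_racoon_conf(text)) on the posted config yields no errors and three warnings (md5 in the phase 1 proposal, des and hmac_md5 in sainfo); switching exchange_mode to aggressive or generate_policy to off turns up the two errors the post warns about. To check a live file, pass the contents of /usr/local/etc/racoon/racoon.conf as the text.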