From owner-freebsd-net Wed Jan 30 7:46:59 2002
Date: Wed, 30 Jan 2002 16:48:13 +0100
From: Phil Regnauld
To: Dennis Pedersen
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: ipsec, racoon, win2000, certifications, how-to?
Message-ID: <20020130164813.N13412@vinyl.catpipe.net>
References: <20020127182146.M18351-100000@localhost> <006801c1a73f$ca34f110$0301a8c0@dpws>
In-Reply-To: <006801c1a73f$ca34f110$0301a8c0@dpws>; from trm@daydreamer.dk on Sun, Jan 27, 2002 at 03:34:55PM +0100
User-Agent: Mutt/1.2.5i
X-Operating-System: FreeBSD 4.4-STABLE i386
Organization: catpipe Systems ApS

Dennis Pedersen (trm) writes:
>
> Uhm, you can also use an email address and a password:
> something@domain.com thekeything
> There is a bit about certificates in a KAME newsletter, try looking on the
> site :)
>
> How did you solve the setkey setup if the IP address is dynamic, do you have
> an example?

That's the problem. See:

http://www.google.com/url?sa=U&start=1&q=http://archives.neohapsis.com/archives/freebsd/2000-12/0009.html&e=922

Normally, you use SPDUPDATE messages to the kernel to update the security
policy.

o Client side -- normally you would use this in the CLIENT racoon.conf:

-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----
remote IP.OF.MY.OFFICE-GW {
	[...]
	my_identifier address;
-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----

... to identify yourself using your IP address. Since it's dynamic, we use
this instead:

	my_identifier user_fqdn "userxyz@company.com";

(could also be an X.509 ASN.1 identifier with a certificate payload --
haven't tried it yet with racoon...)

o On the office GW:

In psk.txt, you add:

	userxyz@company.com	MyPreSharedKeySecret

Then in racoon.conf, you define a remote anonymous as follows:

-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----
remote anonymous {
	[...]
	passive on;
	generate_policy on;
	my_identifier address;
-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----

Idea: "passive on" tells the office GW to listen for requests and never
initiate negotiation. Perfect, since you don't know the IP address in
advance.

generate_policy is there to fix that: it will generate a policy (SP) in the
SPD dynamically if the authentication info + PSK (pre-shared key) or cert ID
matches -- as racoon.conf(5) says:

	generate_policy (on | off);
		This directive is for the responder. Therefore you should
		set passive on in order that racoon(8) only becomes a
		responder. If the responder does not have any policy in
		SPD during phase 2 negotiation, and the directive is set
		on, then racoon(8) will choose the first proposal in the
		SA payload from the initiator, and generate policy entries
		from the proposal. It is useful to negotiate with the
		client which is allocated IP address dynamically.

Unfortunately, this doesn't work. Running racoon -F you will see the server
(GW) side complain with something of the form (don't have it in front of
me):

	X_SPDUPDATE: no such file or directory

... and after a short while the phase 1 will time out, with no phase 2
negotiated. And that's it :(

So it looks like KAME either doesn't fully implement this or racoon doesn't
-- I'm not really sure which, and haven't had time to try with isakmpd yet
(ports/net/isakmpd).

Any ideas ?
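The client half of Dennis's question (what to do with setkey when the local address changes) is not answered in the thread above. The script below is an added example, written for this page; it is not code from the original post, from KAME or from racoon. It assumes a road-warrior running FreeBSD/KAME with setkey(8) in the path, an office gateway at 192.0.2.1, a protected office network of 10.0.0.0/24, the dynamic address arriving on tun0 and a state file under /var/run; every one of those is a placeholder you would override through the environment.

```sh
#!/bin/sh
# Client-side SPD refresh for a road-warrior whose address changes.
# Added example, not from the original post or from KAME/racoon.
# Assumed values (override via environment): gateway 192.0.2.1, office
# network 10.0.0.0/24, dynamic address on tun0, state file under /var/run.
GW="${GW:-192.0.2.1}"
OFFICE_NET="${OFFICE_NET:-10.0.0.0/24}"
IFACE="${IFACE:-tun0}"
STATE="${STATE:-/var/run/ipsec-dynip.last}"

# True if $1 is a plain dotted-quad IPv4 address. Everything that goes
# into the setkey script is checked here first, so an unexpected ifconfig
# line can never smuggle extra setkey directives into the policy.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the current IPv4 address of interface $1, or nothing.
# Matches the BSD ifconfig format "inet A.B.C.D netmask ...".
current_ip() {
    ifconfig "$1" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# Emit a setkey(8) script: clear the SPD, then install the tunnel-mode
# policy pair between the client's current address and the office net.
# Usage: gen_spd <client_ip> <gateway_ip> <office_net>
gen_spd() {
    me="$1"; gw="$2"; net="$3"
    printf 'spdflush;\n'
    printf 'spdadd %s/32 %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$me" "$net" "$me" "$gw"
    printf 'spdadd %s %s/32 any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$net" "$me" "$gw" "$me"
}

# True if address $1 differs from the one recorded in state file $2
# (or if nothing has been recorded yet).
ip_changed() {
    [ -r "$2" ] || return 0
    [ "$(cat "$2")" != "$1" ]
}

# Regenerate the policy only when the address actually changed, so the
# script can run every minute from cron or from a PPP/DHCP up-hook
# without churning the SPD (and the SAs racoon negotiated for it).
refresh() {
    ip=$(current_ip "$IFACE")
    if ! is_ipv4 "$ip"; then
        echo "refresh: no usable IPv4 address on $IFACE" >&2
        return 1
    fi
    if ip_changed "$ip" "$STATE"; then
        gen_spd "$ip" "$GW" "$OFFICE_NET" | setkey -c || return 1
        printf '%s\n' "$ip" > "$STATE"
    fi
}

# Only touch the kernel when explicitly asked, so the functions above
# can be sourced and exercised without root or without setkey present.
if [ "${1:-}" = "apply" ]; then
    refresh
fi
```

Run it as `sh ipsec-dynip.sh apply` from cron or from whatever hook fires when the address is assigned; without the argument it defines the functions and exits. Two caveats. First, `spdflush` wipes every policy on the host, which is fine for a dedicated road-warrior but not for a box that carries other IPsec policies; there, replace it with `spddelete` of the pair recorded for the previous address. Second, this only covers the client's SPD. The gateway still has to accept a peer whose address it did not know in advance, which is the `remote anonymous` / `generate_policy` problem Phil describes above, and with a pre-shared key selected by `user_fqdn` rather than by address the two racoon instances have to use aggressive mode, since in IKEv1 main mode the responder must pick the PSK by peer address before the ID payload arrives. Aggressive mode sends the PSK-derived authentication hash in the clear, so the secret in psk.txt should be long and random, not a password.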