Re: Questions (Rants?) About IPSEC

From: "Rob Frohwein"
Date: Thu, 7 Feb 2002 14:25:14 -0800

"James F. Hranicky" <jfh@cise.ufl.EDU> wrote in message
> After reading up on IPSEC, I have one major question: Is it really
> a good protocol?
> It may be that I don't understand it well enough, or that the
> implementations I've looked at are lacking in features that I want,
> but it seems to me that it simply isn't a good solution for anything
> more than a small number of users. Here are the problems I have with
> - IPSEC routers don't seem to be able to advertise routes
> for an arbitrary number of networks behind them

I don't understand what you mean here, ipsec doesn't require something special
from routing.

> - IPSEC routers have to basically be the border router for
> a site, as there is no post-decryption NAT protocol to
> get packets back to a router on the inside of the network
> (Apparently, Cisco VPN boxes have this capability, but
> it's an add-on to IPSEC AFAICT).

There are some new RFCs about NATing ipsec tunnel packets.
You can only NAT tunnel packets because the outer headers are not

> - Clients with dynamic IPs are poorly supported.

Can only be done when using cert authentication.

> AFAICT, what I want is to be able to issue x509 certs to
> any of my remote users for key exchange, and accept any
> cert from any client that was signed by my CA. That's what
> PKI is all about, right? Checking the racoon.conf man pages
> and sample racoon.conf files shows that I need to have the
> client's *private* key for a *specific* IP address.
> o Is this really the case, or am I just wrong here?

Every ipsec endpoint needs its own private key + certificate + CA certificate,
that's all.

> o Isn't requiring the server to have the private cert
> key the same as having a shared secret?

Every party needs to have its own private + public key.

> o If I'm not wrong, and cert's private keys are required per
> IP address, is there some problem with the scheme I detailed
> above? As a comparison, isn't the whole point of the
> ssh_known_hosts file to keep only the public keys on the
> remote server? I mean, wouldn't it be great if ssh supported
> x509 certs, obviating the need for even the ssh_known_hosts
> file, as host keys would be signed by the CA?
> Isn't this what we want for IPSEC???

The intention with ipsec is that you don't need all public certs from all
your peers.
You only need (all) CA certs.
If you start a session, the remote party (racoon) sends its cert.
Your local racoon looks if it has a CA cert which has signed your peers
It then verifies the peer cert.
This is also the only way for mobile users.

> In the end, if I go with a FreeBSD racoon or isakmpd solution, am I
> to the following setups ? :
> - One shared secret for all my users in the interest of manageability.
> I can only assume this means any user could theoretically listen in
> on the key exchange and thus be able to decrypt another's IPSEC
> communications
> - Different shared secrets for all users/client machines.
> Key management nightmare.
> - Different x509 certs for all users/client machines.
> See above.
> - GSSAPI Auth .
> Does this even work? Does it work with w2k clients and an MIT
> KDC? If it does, this would probably do what I need for any w2k
> boxes out there, but all the info I read said it didn't work
> with w2k yet. Never mind any other IPSEC client software.
> Is there another VPN solution (mpd-netgraph+PPTP) that would suit my needs
> any better?
> Any enlightenment I can receive that can convince me IPSEC is anything
> more than an alpha-quality protocol that requires vendors (a la Cisco)
> to fix it would be most appreciated. It's entirely possible I have
> no idea what I'm talking about.

You should really first do some tests with ipsec.
I used 2 freebsd machines (inside vmware).
There are numerous examples on the net which clarify your questions.
It works with win2000,
with pre-shared authentication keys, associated with ip addresses.
with cert authentication, associated with x509 names/email addresses.


Rob Frohwein

> ----------------------------------------------------------------------
> | Jim Hranicky, Senior SysAdmin UF/CISE Department |
> | E314D CSE Building Phone (352) 392-1499 |
> | |
> ----------------------------------------------------------------------
> To Unsubscribe: send mail to
> with "unsubscribe freebsd-security" in the body of the message
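
The setup described in the reply above (each endpoint holds only its own key pair plus the CA certificate, and accepts any peer whose certificate that CA signed), sketched as a racoon.conf fragment for the gateway side. This is an added example, not part of the original message; the directory, file names and algorithm choices are assumptions.

```conf
# Gateway-side racoon.conf sketch (constructed example).
# The gateway stores its OWN certificate and private key, plus the CA
# certificate. It stores no client certificates and no client private keys.

# Assumed directory. The CA certificate must be reachable here under its
# OpenSSL subject-hash name, e.g.:
#   ln -s ca.crt `openssl x509 -noout -hash -in ca.crt`.0
path certificate "/usr/local/etc/racoon/certs";

# "anonymous" matches peers from any source address, so clients with
# dynamic IPs are identified by their certificate, not by their address.
remote anonymous {
    exchange_mode main;

    # The gateway's own certificate and private key (assumed file names).
    certificate_type x509 "gateway.crt" "gateway.key";

    # Identify both sides by the subject DN of their certificates.
    my_identifier asn1dn;
    peers_identifier asn1dn;

    # Reject any peer certificate that does not chain to a CA found in
    # the certificate path above.
    verify_cert on;

    # Wait for clients to connect, and derive the IPsec policy from the
    # client's proposal because its address is not known in advance.
    passive on;
    generate_policy on;

    proposal {
        # Era-typical algorithms; pick the strongest both peers support.
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;   # RSA signatures, i.e. certificates
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

Each client uses the mirror image of this: its own certificate and key in `certificate_type`, the same CA certificate in its certificate path, and a `remote` block naming the gateway's address.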