Re: Questions (Rants?) About IPSEC

From: James F. Hranicky (jfh@cise.ufl.edu)
Date: 02/08/02


To: security@freebsd.org
Date: Thu, 07 Feb 2002 20:30:24 -0500
From: "James F. Hranicky" <jfh@cise.ufl.edu>


"James F. Hranicky" <jfh@cise.ufl.EDU> wrote in message
news:list.freebsd.security#20020207163347.51C606B29@mail.cise.ufl.edu...

> I don't understand what you mean here; IPsec doesn't require anything special
> from routing.

Hmmm...well, what I'd like is to be able to query the router for the
nets that are behind it, and automagically add those to the IPSEC
config.
 
> There are some new RFCs about NATting IPsec tunnel packets.
> You can only nat tunnel packets because the outer headers are not
> authenticated.

I mean NATting them after decryption, so they can find their way back
to an arbitrary IPSEC router within the internal net and not go back
out the border router due to the outside source address. I sent a
post detailing this a couple of weeks ago. ("IPSEC into network behind
the primary router", 1/17/02)

> > o Is this really the case, or am I just wrong here?
> Every ipsec endpoint needs own private key + certificate + CA certificate,
> that's all.

Great! What a relief. I guess I've had a hard time understanding racoon.conf.

> The intention with ipsec is that you dont need all public certs from all
> your peers.
> You only need (all) CA certs.
> If you start a session, the remote party (racoon) sends its cert.
> Your local racoon looks if it has a CA cert which has signed your peer's
> cert.
> It then verifies the peer cert.
> This is also the only way for mobile users.

Ok, great.

> You should really first do some tests with ipsec.
> I used 2 freebsd machines (inside vmware).
> There are numerous examples on the net which clarify your questions.
> It works with Win2000,
> with pre-shared authentication keys, associated with IP addresses,
> with cert authentication, associated with X.509 names/email addresses.

Awesome. I've been searching the 'net for quite a while, but the docs
I've found seemed on the terse side. I'll give it a go and see what
happens. I have been able to get simple transport mode + shared secrets
working, so now I'll try out the certs.

Thanks a ton!

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                    UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh@cise.ufl.edu                       http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------

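The certificate flow the quoted reply describes (each endpoint holds only its own private key, its certificate and the CA certificate; the responder checks that the certificate the peer presents was signed by a CA it trusts) as an added shell example, not code from the original thread or from racoon. It uses only the openssl command-line tool; the CA and host names (corp-ca, other-ca, gw-a, rogue) and the subject names are invented for the demo, and the files are created in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original thread): build the minimum PKI an
# IKE endpoint needs and show that the CA certificate alone is enough to
# decide whether a peer certificate is acceptable. Names are invented.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Self-signed CA for one trust domain. Every endpoint gets a copy of
# <name>.crt; the CA key never leaves the CA host.
make_ca() {
    name=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$name.key" -out "$name.crt" \
        -subj "/C=US/O=Example IPsec/CN=$name" 2>/dev/null
}

# Endpoint certificate issued by the given CA. The endpoint ends up with
# exactly the three files the thread mentions: its key, its cert, the CA cert.
make_endpoint() {
    ca=$1; name=$2
    openssl req -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
        -subj "/C=US/O=Example IPsec/CN=$name" 2>/dev/null
    openssl x509 -req -in "$name.csr" -CA "$ca.crt" -CAkey "$ca.key" \
        -CAcreateserial -days 365 -out "$name.crt" 2>/dev/null
    rm -f "$name.csr"
}

# The check a responder makes on the certificate a peer sends during IKE:
# is it chained to a CA we hold? We never need the peer's cert ahead of time.
# Prints "ok" or "fail" and returns 0 or 1 accordingly.
verify_peer() {
    ca=$1; peer=$2
    if openssl verify -CAfile "$ca.crt" "$peer.crt" >/dev/null 2>&1; then
        echo ok
        return 0
    fi
    echo fail
    return 1
}

# Scenario: two CAs, one gateway per CA, and corp-ca only trusts its own.
demo() {
    make_ca corp-ca
    make_ca other-ca
    make_endpoint corp-ca gw-a
    make_endpoint other-ca rogue
    printf 'gw-a  against corp-ca: %s\n' "$(verify_peer corp-ca gw-a)"
    printf 'rogue against corp-ca: %s\n' "$(verify_peer corp-ca rogue)"
}

demo
```

On the racoon side the same three files map onto `certificate_type x509 "gw-a.crt" "gw-a.key"`, `ca_type x509 "corp-ca.crt"` and `verify_cert on` in the `remote` block, with `authentication_method rsasig` in the proposal. Note that `openssl verify` only covers the chain and validity dates; the IKE exchange additionally proves possession of the private key through the RSA signature and binds the certificate to the peer identifier (e.g. `peers_identifier asn1dn`), so a certificate that passes this check can still be rejected if the identity it carries does not match what the peer claims to be.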
