Re: IPSEC interoperability with Win2K client?

From: Karl M. Joch (k.joch@kmjeuro.com)
Date: 05/17/02


From: "Karl M. Joch" <k.joch@kmjeuro.com>
To: <freebsd-security@FreeBSD.ORG>
Date: Fri, 17 May 2002 08:41:57 +0200

W2K with racoon and IPsec works, but I found out that for most people using
Windows, PPTP is far easier to use. The best solution (IMHO) is mpd as a PPTP
dial-in server on FreeBSD. mpd runs very stably and is easy to configure for
it. Depending on your firewall setup, clients can connect and get into the
internal net, including assigning WINS and DNS servers for Windows clients.
128-bit PPTP encryption is recommended.

--
Best regards,
Karl M. Joch
KMJ Consulting - CTS Consulting & Trade Service
http://www.kmjeuro.com - http://www.ctseuro.com
k.joch@kmjeuro.com - k.joch@ctseuro.com
GSM : +43-664-3407888
Our services:
http://www.proline.at - Network and security technology
http://www.eushop.net - Online shop and applications, simply rented
http://www.freebsd.at - Power Operating System
----- Original Message -----
From: "Dan Lukes" <dan@obluda.cz>
To: <freebsd-security@FreeBSD.ORG>
Sent: Friday, May 17, 2002 3:27 AM
Subject: Re: IPSEC interoperability with Win2K client?
> Lasse Andersson wrote:
> >
> > Hi,
> >
> > Looking for any information about FreeBSD IPSEC interoperability with
> > Win2K clients?
>
> > +-------+               +------+                    +--------+
> > |w2k    |    internet   |FBSD  |  internal network  |internal|
> > |clients|---------------|FW w. |--------------------|hosts   |
> > |       |     IPSEC     |IPSEC |       no IPSEC     |        |
> > +-------+               +------+                    +--------+
>
> You need ESP/tunnel mode for the presented configuration, but W2k seems not
> to support it - at least with IKE (I don't know about
> static-configured keys). W2k <-> racoon can maintain ESP/transport mode
> only.
>
> The only solution I know is PPTP covered by IPSEC:
>
> +---------+                     +--------+ internal +--------+
> |w2k      |   internet          |FBSD Fw | network  |internal|
> |clients  |---------------------|IPSEC   |----------|hosts   |
> |Oakley   | PPTP within         |racoon  | plain IP |        |
> |PPTP VPN | IPSEC ESP/transport |MPD     |          |        |
> +---------+                     +--------+          +--------+
>
> Some notes for you:
> 1. install all available patches to W2k (windowsupdate.microsoft.com)
> 2. M$ network client MUST be installed, although it may be disabled
> 3. W2k doesn't support aggressive mode negotiation
>
> When w2k has a known static IP:
> 4. preshared key or x509 authentication possible
>
>
> When w2k has dynamic IP:
> 4.1 x509 authentication only
> 4.2 "generate_policy on" is mandatory in racoon.conf
>
> when x509 authentication used:
> 5. racoon doesn't support CRLs now, so individual revocation
>    of keys isn't possible - all keys signed by approved CA are
>    suitable for communication
> 6. cert of CA used to sign W2k side keys must be
>    put into racoon's "path certificate" directory with appropriate
>    name (<cert. hash>.0, see "x509 -hash -in CAcert.pem")
> 7. use latest racoon and FreeBSD 4.5-STABLE
>
> Example configuration when X509 authentication used:
> == ESP Transport, X509 authentication  ==================
> ============ FreeBSD with racoon, W2k with dynamic IP  ==
>
> ---- ipsec.conf (for setkey, FreeBSD side) --------
> flush;
> spdflush;
> ---- ipsec.conf (for setkey) - END ------------------
>
> ---- racoon.conf (for racoon, FreeBSD side) -------
> path include "/usr/local/etc/racoon" ;
> path certificate "/usr/local/etc/racoon" ;
> padding
> {
>         maximum_length 20;      # maximum padding length.
>         randomize off;          # enable randomize length.
>         strict_check off;       # enable strict check.
>         exclusive_tail off;     # extract last one octet.
> }
> timer
> {
>         counter 5;              # maximum trying count to send.
>         interval 20 sec;        # maximum interval to resend.
>         persend 1;              # the number of packets per a send.
>         phase1 30 sec;
>         phase2 15 sec;
> }
> remote anonymous
> {
>         exchange_mode main;
>         doi ipsec_doi;
>         my_identifier address;
>         certificate_type x509 "cert.pem" "key.pem";
>         generate_policy on;
>         nonce_size 16;
>         lifetime time 1 min;    # sec,min,hour
>         initial_contact on;
>         support_mip6 on;
>         proposal_check obey;    # obey, strict or claim
>
>         proposal {
>                 encryption_algorithm 3des;
>                 hash_algorithm md5;
>                 authentication_method rsasig ;
>                 dh_group 2 ;
>         }
> }
>
> sainfo anonymous
> {
>         pfs_group 1;
>         lifetime time 30 sec;
>         encryption_algorithm 3des,des,cast128,blowfish ;
>         authentication_algorithm hmac_sha1, hmac_md5;
>         compression_algorithm deflate ;
> }
> ---- racoon.conf (for racoon) - END ------------------
>
> On W2k side:
> Run mmc.exe.
>
> Console->[Add/Remove Snap In]->Add
> Select [IP Security Policy Manager] (Local Computer) and [Certificates]
> (Local Computer, Computer Account).
>
> Add CA certs for both side keys to
> "Console Root\Certificates (Local Computer)\Trusted Root Certification
> Authorities\Certificates"
> (right mouse button, "All tasks->Import")
>
> W2k station key and cert (signed by CA) add to
> "Console Root\Certificates (Local Computer)\Personal\Certificates"
> You need the key and cert in PKCS12 format to do it.
> Verify that status is "OK"
>
> Now you should create policy, so:
> [IP Security Policy Manager], New (right button), tell a name,
> UNCHECK "Activate the default response rule", CHECK "Edit properties".
> Create new IP Security Rule (Add button).
> THIS RULE DOES NOT SPECIFY A TUNNEL
> [All Network Connections],
> Use a Certificate from this Certificate Authority
> Browse (select cert of CA used to sign opposite side cert).
> Go to IP FILTER LISTS, [Add], again [Add],
> Source Address is "My address"
> Destination is "specific DNS address" or "specific IP address",
> protocol = Any, [Finish], [Close].
> We are back in "IP filter lists". CHECK created filter then [Next],
> "Require security" (NOT Optional!), [Next], [Finish], [Close].
>
> We are back in MMC.
> Use right button on Policy and select "Assign".
>
> It should work now (you may want to run IPsecmon.exe monitor).
> Note, the session is opened "on demand" so you see no association
> unless you initiate a communication with FreeBSD side.
> Remember - YOU HAVE NO TUNNEL - but you can configure
> MPD on FreeBSD together with VPN on W2k to create the tunnel.
>
> %SystemRoot%\debug\oakley.log will be created if you set
> [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PolicyAgent\Oakley]
> "EnableLogging"=dword:00000001
> "Debug"=dword:000000ff
>
>
> The racoon and W2k IKE are still not "plug&work" ready and not
> reliable. It's necessary to have some knowledge about IPSEC itself,
> the ISAKMP protocol and X509 keys (if used). The lack of CRL support
> on the racoon side also limits the usability a lot in a production
> environment.
>
>
> Hope it helps.
>
>
>
> Dan
>
> --
> Dan Lukes,  SISAL, MFF UK  tel: +420 2 21914205, fax: +420 2 21914206
> AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz, dan@fio.cz
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
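As an added example (not code from either poster), a short Python linter that parses the racoon.conf layout quoted above and checks it against Dan's notes: main mode only, x509 plus "generate_policy on" for dynamic-IP clients, and single DES offered in the sainfo list. The embedded configuration is constructed from the posted snippet; the function and message names are my own.

```python
# Added example, not code from the thread: lint a racoon.conf against the
# notes in Dan's mail. SAMPLE_CONF is constructed from his posted snippet.
SAMPLE_CONF = """remote anonymous
{
        exchange_mode main;
        certificate_type x509 "cert.pem" "key.pem";
        generate_policy on;
        proposal {
                authentication_method rsasig ;
        }
}
sainfo anonymous {
        encryption_algorithm 3des,des,cast128,blowfish ;
}
"""

def parse_racoon(text):
    # Nested dicts: blocks keyed by header ("remote anonymous"), statements by keyword.
    root, stack, header = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        scope = stack[-1] if stack else root
        if line.endswith("{"):                       # "{" alone or "proposal {"
            header = line[:-1].strip() if line != "{" else header
            scope[header] = block = {}
            stack.append(block)
            header = None
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):                     # "keyword value ;"
            key, _, val = line[:-1].strip().partition(" ")
            scope[key] = val.strip()
        else:                                        # block name, "{" follows
            header = line
    return root

def check_w2k_notes(conf, client_has_dynamic_ip=True):
    remote = conf.get("remote anonymous", {})
    uses_x509 = remote.get("certificate_type", "").startswith("x509")
    sainfo = conf.get("sainfo anonymous", {})
    algs = [a.strip() for a in sainfo.get("encryption_algorithm", "").split(",")]
    checks = [                                       # (problem present, finding)
        (remote.get("exchange_mode") != "main", "W2k needs exchange_mode main"),
        (client_has_dynamic_ip and not uses_x509, "dynamic-IP W2k: x509 only"),
        (client_has_dynamic_ip and remote.get("generate_policy") != "on",
         "generate_policy on is mandatory for dynamic-IP clients"),
        ("des" in algs, "single DES offered in sainfo encryption_algorithm"),
    ]
    return [msg for bad, msg in checks if bad]
```

An empty list from check_w2k_notes means the configuration satisfies the notes; the posted config only trips the single-DES finding.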