IPSEC help

To: <freebsd-security@...>
Subject: IPSEC help
Date: Thursday, November 15, 2007 - 7:14 am

Hi,

I am new to IPsec and am trying to connect my BSD server to a Windows 2000 machine. I have succeeded in tunnelling with a pre-shared key, but with certificates I have not managed to get it working.

The configuration is as follows:

racoon.conf

# directory in which racoon looks for certificate and key files
path certificate "/usr/local/openssl/certs" ;

# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
log debug;

remote anonymous
{
    exchange_mode main,aggressive,base;
    #exchange_mode main,base;
    # both identities are taken from the certificate subject DN
    my_identifier asn1dn;
    peers_identifier asn1dn;

    # certificate file and private key file, relative to "path certificate";
    # the names must match the files written by the openssl commands
    certificate_type x509 "bsd.public" "bsd.priv" ;

    lifetime time 24 hour ; # sec,min,hour

    #initial_contact off ;
    #passive on ;

    # phase 1 proposal (for ISAKMP SA)
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig ;
        dh_group 2 ;
    }

    # the configuration makes racoon (as a responder) obey the
    # initiator's lifetime and PFS group proposal.
    # this makes testing so much easier.
    proposal_check obey;
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
    # pfs_group 2;
    lifetime time 12 hour ;
    encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}

--------------------------END------------------------------------------------------------------
The certificates were created on the BSD box with the following commands:

# self-signed certificate and private key for the BSD side
openssl req -new -nodes -newkey rsa:1024 -sha1 -days 1095 -keyout bsd.private -out request.pem
openssl x509 -req -in request.pem -days 1095 -signkey bsd.private -out bsd.public

# PKCS#12 bundle (certificate plus key) for import on the Windows side
openssl pkcs12 -export -inkey bsd.private -in bsd.public -out win.p12 -name "win cert"

# subject-hash link so OpenSSL-style directory lookup finds the certificate;
# this has to be created inside the "path certificate" directory
ln -s bsd.public `openssl x509 -noout -hash -in bsd.public`.0

I imported win.p12 on the Windows 2000 Professional box for this.

Could anyone please help me get this configured?

Thank you,

Regards,
John

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
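As an added example (not code from the post above, and not part of racoon or ipsec-tools), the following POSIX shell script lays out the certificate material a CA-based IPsec setup needs: one private CA, a separate certificate for each peer instead of one shared self-signed certificate, the CA certificate installed under racoon's "path certificate" directory with the subject-hash link the poster creates by hand, a PKCS#12 bundle for the Windows side, and the same chain check racoon's X.509 verification performs before a peer's rsasig authentication is accepted. A deliberately self-signed "rogue" certificate shows what that check rejects. It uses rsa:2048 and sha256 rather than the 1024-bit RSA and SHA-1 of the original commands; the subjects, host names, file names, work directory and the PKCS#12 password "changeit" are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post and not part of racoon/ipsec-tools.
# Builds a small private CA, issues one certificate per IPsec peer, exports the
# Windows peer's certificate and key as PKCS#12, installs the CA certificate in
# racoon's "path certificate" directory under its <subject-hash>.0 name, and
# runs the chain check racoon performs on a peer certificate.
# Assumptions: work directory, subjects, file names and the PKCS#12 password
# are invented for this demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CERTDIR="$WORK/certs"   # stands in for /usr/local/openssl/certs

make_ca() {
    mkdir -p "$CERTDIR"
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 1095 \
        -subj "/C=XX/O=Example VPN/CN=Example VPN CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert NAME SUBJECT: private key plus CA-signed certificate for one peer
issue_cert() {
    openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -days 1095 -sha256 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# selfsigned_cert NAME SUBJECT: a certificate signed by its own key, so it
# chains to nothing in CERTDIR (the shape of the certificate in the post)
selfsigned_cert() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 1095 \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# install_ca: put the CA certificate in the certificate directory under its
# subject-hash name so CApath-style lookup (what racoon uses) can find it
install_ca() {
    cp "$WORK/ca.crt" "$CERTDIR/ca.crt"
    ln -sf ca.crt "$CERTDIR/$(openssl x509 -noout -hash -in "$CERTDIR/ca.crt").0"
}

# export_p12 NAME: certificate, key and CA certificate in one PKCS#12 file
# for import into the Windows certificate store
export_p12() {
    openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
        -certfile "$WORK/ca.crt" -name "$1" -passout pass:changeit \
        -out "$WORK/$1.p12"
}

# verify_peer NAME: chain the peer certificate to a CA found in CERTDIR and
# print OK or FAIL. A certificate that fails here is rejected in phase 1
# unless certificate verification has been switched off in racoon.conf.
verify_peer() {
    if openssl verify -CApath "$CERTDIR" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# subject_dn NAME: the DN that "peers_identifier asn1dn" is matched against
subject_dn() {
    openssl x509 -noout -subject -in "$WORK/$1.crt"
}

make_ca
issue_cert bsd "/C=XX/O=Example VPN/CN=bsd.example.net"
issue_cert win "/C=XX/O=Example VPN/CN=win.example.net"
selfsigned_cert rogue "/C=XX/O=Example VPN/CN=rogue.example.net"
install_ca
export_p12 win
echo "win:   $(verify_peer win)   $(subject_dn win)"
echo "rogue: $(verify_peer rogue) $(subject_dn rogue)"
```

With this layout, racoon's certificate_type line on the BSD side points at bsd.crt and bsd.key, the Windows side imports win.p12 (which carries the CA certificate as well), and each peer's asn1dn identity is the subject printed by subject_dn. Only the CA certificate needs the hash link; the peers' own certificates are named explicitly in the configuration.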


Messages in current thread:
IPSEC help, john decot, (Thu Nov 15, 7:14 am)
Re: IPSEC help, Bjoern Engels, (Thu Nov 15, 9:04 am)