From: James F. Hranicky (jfhcise.ufl.edu)
Date: Thu Feb 07 2002 - 19:30:24 CST


    "James F. Hranicky" <jfhcise.ufl.EDU> wrote in message
    news:list.freebsd.security#20020207163347.51C606B29mail.cise.ufl.edu...

    > I don't understand what you mean here; ipsec doesn't require anything special
    > from routing.

    Hmmm...well, what I'd like is to be able to query the router for the
    nets that are behind it, and automagically add those to the IPSEC
    config.
     
    > There are some new RFCs about natting ipsec tunnel packets.
    > You can only nat tunnel packets because the outer headers are not
    > authenticated.

    I mean NATting them after decryption, so they can find their way back
    to an arbitrary IPSEC router within the internal net and not go back
    out the border router due to the outside source address. I sent a
    post detailing this a couple of weeks ago. ("IPSEC into network behind
    the primary router", 1/17/02)

    > > o Is this really the case, or am I just wrong here?
    > Every ipsec endpoint needs own private key + certificate + CA certificate,
    > that's all.

    Great! What a relief. I guess I've had a hard time understanding racoon.conf.

    > The intention with ipsec is that you don't need all public certs from all
    > your peers.
    > You only need (all) CA certs.
    > If you start a session, the remote party (racoon) sends its cert.
    > Your local racoon looks if it has a CA cert which has signed your peer's
    > cert.
    > It then verifies the peer cert.
    > This is also the only way for mobile users.

    Ok, great.

    > You should really first do some tests with ipsec.
    > I used 2 freebsd machines (inside vmware).
    > There are numerous examples on the net which clarify your questions.
    > It works with win2000,
    > with pre-shared authentication keys, associated with ip addresses,
    > with cert authentication, associated with x509 names/email addresses.

    Awesome. I've been searching the 'net for quite a while, but the docs
    I've found seemed on the terse side. I'll give it a go and see what
    happens. I have been able to get simple transport mode + shared secrets
    working, so now I'll try out the certs.

    Thanks a ton!

    ----------------------------------------------------------------------
    | Jim Hranicky, Senior SysAdmin UF/CISE Department |
    | E314D CSE Building Phone (352) 392-1499 |
    | jfhcise.ufl.edu http://www.cise.ufl.edu/~jfh |
    ----------------------------------------------------------------------

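The certificate model the reply describes (each endpoint holds its own private key and certificate plus the CA certificate, and racoon accepts a peer only if a trusted CA signed the certificate the peer sends), as an added example that is not part of the original thread or of the racoon project. It builds a throwaway PKI with the openssl CLI and performs the same chain check racoon does at IKE phase 1. The CA and host names, the directory layout, and the racoon.conf lines shown in comments are illustrative assumptions; the hash-named symlink mirrors how the 2002-era KAME racoon located CA certificates in its certificate path, which is also an assumption stated as such.

```shell
#!/bin/sh
# Added example (not from the original thread): a throwaway PKI showing what
# racoon's certificate authentication needs per endpoint and how the CA check
# works. Assumes the openssl CLI is installed; all names and paths are made up.
set -eu

WORK=$(mktemp -d)

# Self-signed CA. Its certificate is the only thing every endpoint must share.
make_ca() {
    name=$1; out=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$out/$name.key" -out "$out/$name.crt" \
        -subj "/CN=$name" >/dev/null 2>&1
}

# Per-endpoint material: a private key and a CSR, signed by the named CA.
# Endpoints never exchange these files; the peer cert arrives inside IKE.
make_endpoint() {
    cn=$1; ca=$2; out=$3
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$out/$cn.key" -out "$out/$cn.csr" \
        -subj "/CN=$cn" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$out/$cn.csr" \
        -CA "$out/$ca.crt" -CAkey "$out/$ca.key" -CAcreateserial \
        -out "$out/$cn.crt" >/dev/null 2>&1
}

# The check racoon performs with verify_cert on: was the certificate the peer
# sent signed by a CA we hold? Exit status 0 means accept, non-zero means reject.
peer_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Assumption: KAME racoon of that era looked up CA certs in its certificate
# path by OpenSSL subject hash, i.e. a file or symlink named <hash>.0.
install_ca() {
    ca=$1; certdir=$2
    mkdir -p "$certdir"
    cp "$ca" "$certdir/"
    ln -sf "$(basename "$ca")" \
        "$certdir/$(openssl x509 -noout -hash -in "$ca").0"
}

setup_pki() {
    dir=$1
    make_ca vpn-ca "$dir"
    make_ca rogue-ca "$dir"                              # a CA we do not trust
    make_endpoint gw1.example.net vpn-ca "$dir"
    make_endpoint gw2.example.net vpn-ca "$dir"
    make_endpoint intruder.example.net rogue-ca "$dir"   # valid cert, wrong CA
    install_ca "$dir/vpn-ca.crt" "$dir/certs"
}

setup_pki "$WORK"

# Each endpoint's racoon.conf (assumed syntax) would reference only its own
# pair and the CA directory, e.g. on gw1:
#   path certificate "$WORK/certs";
#   certificate_type x509 "gw1.example.net.crt" "gw1.example.net.key";
#   verify_cert on;
# gw1 needs no copy of gw2's certificate to authenticate it.
for peer in gw1.example.net gw2.example.net intruder.example.net; do
    if peer_ok "$WORK/vpn-ca.crt" "$WORK/$peer.crt"; then
        echo "$peer: accepted (chains to vpn-ca)"
    else
        echo "$peer: rejected (not signed by a trusted CA)"
    fi
done
```

The intruder case is the one worth noticing: its certificate is perfectly well formed and signed by a real CA, just not one installed on the gateway, so the chain check alone decides the outcome. Any CA certificate placed in the directory becomes a trust anchor for every peer, so the set of CA certs on an endpoint should be exactly the CAs that issue VPN certificates and nothing broader.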