> What about info in regards to running a FreeBSD IPSEC server (racoon)
> with DHCP clients (road warriors)?  I haven't seen anything about that...is it
> possible?  If so...any links to info? Thanks in advance.

racoon can exchange SAs in such a scenario by using the "generate_policy"
directive.  but there is no documentation for it; the only reference is
probably racoon.conf(5).  as you know, there are several "road warrior"
scenarios, and IKE and IPsec have many tweaks, so there are several ways to
solve them.  here is one of them.

i'm using a laptop PC whose ip address is assigned dynamically.
i access the mail server from my laptop.  i only use ipsec
transport mode.  i use certificates because that is the way to solve
this scenario with IKE main mode.  i attach my configuration to this mail.

1. racoon.conf in the laptop.
2. policy parameter in the laptop.
3. racoon.conf in the server.
no policy configuration is needed on the server.

i hope it helps you.

regards,
# $KAME: racoon.conf.sample,v 1.21 2000/12/17 21:17:53 sakane Exp $

# Where racoon looks for the pre-shared key file and for certificate files.
# The certificate_type entries further down use absolute paths, so the
# "path certificate" directory presumably is not consulted by this
# configuration -- confirm against racoon.conf(5).
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/certs" ;

# Phase 1 (ISAKMP) settings for the laptop side.  "anonymous" matches any
# peer address, which a client with a dynamically assigned address needs.
remote anonymous
{
        # NOTE(review): the covering mail says main mode with certificates is
        # the intended path, yet aggressive mode is also offered.  Together
        # with the pre_shared_key proposal below, an aggressive-mode exchange
        # exposes PSK-derived hash material to offline guessing; if only
        # rsasig is used in practice, "exchange_mode main;" is the safer form.
        exchange_mode main,aggressive,base;

        # Identities exchanged in phase 1.  "[EMAIL PROTECTED]" is an
        # archive redaction, not a literal value.
        my_identifier user_fqdn "[EMAIL PROTECTED]";
        peers_identifier fqdn "mine.kame.net";
        # Own certificate followed by the matching private key.
        certificate_type x509
                "/usr/home/sakane/etc/certs/sigby-ssh.cert"
                "/usr/home/sakane/etc/certs/privkey" ;

        # ISAKMP SA lifetime; "obey" presumably accepts the peer's lifetime
        # and PFS settings rather than rejecting a mismatch -- see
        # racoon.conf(5).
        lifetime time 60 min ;
        proposal_check obey;

        # phase 1 proposal (for ISAKMP SA)
        # Offered in order of preference: AES/RSA first, then 3DES/RSA.
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig ;
                dh_group 2 ;
        }
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig ;
                dh_group 2 ;
        }
        # NOTE(review): pre-shared-key fallback.  The covering mail says
        # certificates are the chosen method, so this proposal appears to be
        # unused and only widens what a peer may negotiate.
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

# Phase 2 (IPsec SA) parameters accepted for any peer.
sainfo anonymous
{
        # Perfect forward secrecy with DH group 2 (1024-bit MODP).
        pfs_group 2;
        lifetime time 30 min ;
        # NOTE(review): 3des, cast128, blowfish and hmac_md5 are legacy
        # interoperability choices and are weak by current standards; aes
        # and hmac_sha1 are listed first and should be preferred.
        encryption_algorithm aes, 3des, cast128, blowfish ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
# setkey(8) policy for the laptop.  All entries are transport mode and are
# duplicated for IPv6 (::/0) and IPv4 (0.0.0.0/0).
# Drop every existing SPD entry before loading the ones below.
spdflush;

# DNS (port 53) is exempted in both directions so name resolution works
# before any SA exists.
spdadd  ::/0[53] ::/0 any -P in none;
spdadd  ::/0 ::/0[53] any -P out none;
# NOTE(review): the "use" level applies ESP when an SA is available but
# still passes traffic in cleartext when none exists; "require" would
# refuse unprotected traffic.  With a catch-all selector this is
# opportunistic protection, not enforcement.
spdadd  ::/0 ::/0 any -P out ipsec esp/transport//use;
spdadd  ::/0 ::/0 any -P in ipsec esp/transport//use;
# IPv4 counterparts of the four IPv6 entries above.
spdadd  0.0.0.0/0[53] 0.0.0.0/0 any -P in none;
spdadd  0.0.0.0/0 0.0.0.0/0[53] any -P out none;
spdadd  0.0.0.0/0 0.0.0.0/0 any -P out ipsec esp/transport//use;
spdadd  0.0.0.0/0 0.0.0.0/0 any -P in ipsec esp/transport//use;
# $KAME: racoon.conf.sample,v 1.21 2000/12/17 21:17:53 sakane Exp $

# Where racoon looks for the pre-shared key file and for certificate files.
# The certificate_type entry below uses bare file names, which are resolved
# under the "path certificate" directory.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/certs" ;

# Phase 1 settings on the server.  "anonymous" accepts any initiator
# address, which is required because the clients' addresses are dynamic.
remote anonymous
{
        # NOTE(review): as on the client, offering aggressive mode together
        # with the pre_shared_key proposal below exposes PSK-derived hash
        # material to anyone who can reach this listener.  With certificates
        # in use, "exchange_mode main;" and dropping the PSK proposal
        # narrows the exposure.
        exchange_mode main,aggressive,base;

        # NOTE(review): peers_identifier selects this remote block; it is not
        # itself an authentication check unless identifier verification is
        # turned on (see verify_identifier in racoon.conf(5)).  Authentication
        # comes from the certificate signature in the rsasig proposals.
        # "[EMAIL PROTECTED]" is an archive redaction, not a literal value.
        my_identifier fqdn "mine.kame.net";
        peers_identifier user_fqdn "[EMAIL PROTECTED]";
        # Server certificate and private key, relative to "path certificate".
        certificate_type x509 "cert-signed-by-ssh.pem" "privkey.pem" ;

        lifetime time 15 min ;  # sec,min,hour
        proposal_check obey;

        # generate_policy lets racoon create SPD entries from the initiator's
        # phase 2 proposal, which is why the covering mail says no static
        # policy is needed on the server; passive makes this side respond only.
        # NOTE(review): combined with "anonymous", any peer that completes
        # phase 1 -- including via the PSK proposal -- can cause policy to be
        # installed, so the authentication proposals define who may do that.
        generate_policy on;
        passive on;

        # phase 1 proposal (for ISAKMP SA)
        # Offered in order of preference: AES/RSA first, then 3DES/RSA.
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig ;
                dh_group 2 ;
        }
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig ;
                dh_group 2 ;
        }
        # NOTE(review): pre-shared-key fallback; see the note on
        # generate_policy above for why this widens who can install policy.
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

# Phase 2 (IPsec SA) parameters accepted from any peer.
sainfo anonymous
{
        # Perfect forward secrecy with DH group 2 (1024-bit MODP).
        pfs_group 2;
        # Shorter than the client's 30 min; proposal_check obey presumably
        # lets the two sides agree on a lifetime -- confirm in racoon.conf(5).
        lifetime time 5 min ;
        # NOTE(review): 3des, cast128, blowfish and hmac_md5 are legacy
        # interoperability choices and are weak by current standards; aes
        # and hmac_sha1 are listed first and should be preferred.
        encryption_algorithm aes, 3des, cast128, blowfish ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
