Scenario:
FreeBSD box running IPFW acting as a gateway to a private network. The private network is made up of entirely routeable IP addresses. External users running Win2k and XP on DSL connections with dynamic IPs.

Goal:
To have the FreeBSD gateway securely authenticate and encrypt the traffic between the outside users and the internal network.

I've spent the last 3 days running up and down Google and reading any books that approach the subject of setting up a VPN. The further down this road I've travelled, the more confused I am.

I assume the following:
 * Need to have a certificate setup with OpenSSL.
 * Racoon needs to deal with a key exchange.
 * Some kind of tunneling gets put into play.
 * Setkey needs appropriate policies.

I happened across the Google cache of a tutorial that seems to cover this subject. There seem to be a couple of key points missing, as well as some apparently out-of-date syntax. I did manage to create a CA and client cert from a mix of this tutorial and the AbsoluteBSD book.

http://216.239.37.104/search?q=cache:mFG0kB-ghLoC:www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO-2.html+FreeBSD-WIN2K-IPSEC-HOWTO-2.html&hl=en&lr=lang_en&ie=UTF-8

Managed to get a certificate generated from that process installed on a test XP box per the following...

http://216.239.33.104/search?q=cache:FFxjH0VQGD0C:www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO-4.html+FreeBSD-WIN2K-IPSEC-HOWTO-4.html&hl=en&lr=lang_en&ie=UTF-8

Where I totally lost it was on the FreeBSD setup. The author refers to certificates without ever describing how they should be created. I didn't know what in the heck to do here.

http://216.239.33.104/search?q=cache:oNMJe4EHOu4C:www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO-3.html+FreeBSD-WIN2K-IPSEC-HOWTO-3.html&hl=en&lr=lang_en&ie=UTF-8

Am I even on the right path? Aside from this one tutorial I've been through several others, as well as looking at a variety of IPSec-related pages.

There are obviously a number of different approaches out there to take, but I'm simply looking for one that works. Just to know whether I'm heading in the correct direction or not would be an incredible help.

Thanks,
--
"Outside of a dog, a book is man's best friend. Inside of a dog, it's too dark to read."
 - Groucho Marx
I've been using PPTP for this purpose. Microsoft's PPTP implementation is pretty brain dead, but if you're willing to bend the configuration of your network a little to accommodate it and configure your clients carefully, you can set up a VPN that's accessible from most versions of Windows. Not super-secure, but secure enough for most purposes.

I have been interested in trying L2TP, but am not sure about the stability of the server software for FreeBSD. And I can't find a FreeBSD client. (There's an L2TP netgraph node, but there are no docs on how to use it with mpd and likewise nothing on how to use it with userland PPP.)

--Brett

At 08:21 PM 5/7/2003, Michael Collette wrote:
>Scenario:
>FreeBSD box running IPFW acting as a gateway to private network. The private
>network is made up of entirely routeable IP addresses. External users
>running Win2k and XP on DSL connections with dynamic IPs.
>
>Goal:
>To have the FreeBSD gateway securely authenticate and encrypt the traffic
>between the outside users and the internal network.
>[...]
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Michael Collette wrote:
> [...]
> Am I even on the right path? Aside from this one tutorial I've been through
> several others, as well as looking at a variety of IPSec related pages.
> [...]

Handy links, thanks.

<warning>Haven't done certs+ipsec, yet... only pre-shared secrets</warning>

It looks like you are on the right path.

The first link walks one thru creating the needed certs: the CA, aka Certificate Authority (_the_ source for all certs), a cert for the gateway (vpn server), and a cert for the user.

The second link walks one thru importing two certs into the windows box: the CA and the user cert.

The third link, where you get lost, talks about where to put the gateway & CA cert. The gateway certificate is the one you created under section 2.4 on the first link. Look at the last two openssl lines in section 2.4 on that first link. It is creating a certificate for the vpn server (server-signed.pem) signed by the CA you created, and the last line outputs a decrypted private key (server-key.pem) for racoon to use with the signed certificate.

Hope that helps,
greg
On Wed, May 07, 2003 at 07:21:33PM -0700, Michael Collette wrote:
> Scenario:
> FreeBSD box running IPFW acting as a gateway to private network. The private
> network is made up of entirely routeable IP addresses. External users
> running Win2k and XP on DSL connections with dynamic IPs.
[...]
> Where I totally lost it was on the FreeBSD setup. The author is referring to
> certificates that he never described how they should be created. I didn't
> know what in the heck to do here.
[...]

It's hard to tell from your message where you are getting lost, but I'll give it a shot. Assuming you have all your certificates (let's call them client.crt/client.key, server.crt/server.key, and ca-local.crt):

(1) Add a `path certificate' directive to racoon.conf, e.g.

      path certificate "/usr/local/etc/racoon/cert" ;

(2) Create that directory.

(3) Store your CA's certificate in that directory in PEM format, e.g. /usr/local/etc/racoon/cert/ca-local.pem.

(4) Create a symlink in that directory based on the CA cert's hash, e.g.

      cd /usr/local/etc/racoon/cert
      ln -s ca-local.pem `openssl x509 -noout -hash -in ca-local.pem`.0

Heh, I found some pages that might be useful to you while I was Googling to double-check my openssl syntax:

<URL: http://www.kame.net/newsletter/20001119b/ >
<URL: http://www.onlamp.com/pub/a/bsd/2002/04/04/ipsec.html?page=2 >

Hope this helps,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
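The two server-side steps in this thread, greg's point that the gateway needs a CA-signed certificate plus an unencrypted private key for racoon, and Jacques's four steps for the `path certificate` directory with its hash-named symlink, fit naturally into one script. The script below is an added example, not code from the thread, from the HOWTO, or from racoon itself. It builds a throwaway CA and server certificate in a temporary directory (the CN values, file names and the `certdir` layout are constructed for the demo; the thread's real directory is /usr/local/etc/racoon/cert), creates the `<hash>.0` link exactly as in step (4), and then uses `openssl verify -CApath` as a check that the directory resolves before racoon is pointed at it. One caveat worth knowing when the link name does not match what racoon looks for: OpenSSL 1.0.0 changed the subject-name hash algorithm, and `openssl x509 -hash` prints the hash of whichever OpenSSL build runs it, so generate the link with the same OpenSSL that racoon is linked against.

```shell
#!/bin/sh
# Added example (not from the thread or the HOWTO): build the racoon
# certificate directory described above and verify it with openssl.
# Everything under $work is constructed for the demo; the real racoon
# directory on the page is /usr/local/etc/racoon/cert.
set -e

# make_ca_and_server_cert WORKDIR
# Creates a throwaway CA (ca.crt/ca.key) and a CA-signed server certificate
# with an unencrypted private key (server.crt/server.key), the equivalent of
# the HOWTO's server-signed.pem / server-key.pem. Demo material only.
make_ca_and_server_cert() {
    work=$1
    mkdir -p "$work"
    # Self-signed CA certificate; "req -x509" marks it CA:TRUE.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example VPN CA" \
        -keyout "$work/ca.key" -out "$work/ca.crt" >/dev/null 2>&1
    # Server key and signing request. -nodes leaves the key unencrypted so
    # racoon can read it at boot without a passphrase (greg's "decrypted key").
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=vpn.example.test" \
        -keyout "$work/server.key" -out "$work/server.csr" >/dev/null 2>&1
    # Sign the request with the CA: this is the server-signed.pem step.
    openssl x509 -req -days 1 -in "$work/server.csr" \
        -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
        -out "$work/server.crt" >/dev/null 2>&1
    # An unencrypted key must not be readable by anyone but the daemon's user.
    chmod 600 "$work/server.key"
}

# make_cert_dir CERTDIR CA_PEM
# Steps (2)-(4) of the reply: create the "path certificate" directory, copy
# the CA cert in as PEM, and add the <subject-hash>.0 symlink that OpenSSL's
# directory lookup (which racoon relies on) expects. Prints the link name.
make_cert_dir() {
    certdir=$1
    ca=$2
    mkdir -p "$certdir"
    cp "$ca" "$certdir/ca-local.pem"
    # -hash prints the hash as computed by *this* OpenSSL build; use the same
    # OpenSSL racoon was linked against (1.0.0 changed the algorithm).
    h=$(openssl x509 -noout -hash -in "$certdir/ca-local.pem")
    # ".0" is the first slot; a second CA with the same hash would be ".1".
    ln -sf ca-local.pem "$certdir/$h.0"
    echo "$h.0"
}

# check_cert_dir CERTDIR CERT
# Returns 0 only if CERT chains to a CA found through CERTDIR's hash links,
# i.e. the directory is laid out the way racoon will look it up. The system
# trust store is excluded so that only CERTDIR counts.
check_cert_dir() {
    openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: "sh thisscript.sh demo" builds everything in a temp dir.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_ca_and_server_cert "$work"
    link=$(make_cert_dir "$work/certdir" "$work/ca.crt")
    echo "created $work/certdir/$link -> ca-local.pem"
    if check_cert_dir "$work/certdir" "$work/server.crt"; then
        echo "server.crt verifies against the hash directory"
    else
        echo "hash directory is wrong" >&2
        exit 1
    fi
fi
```

Run it as `sh script.sh demo`. The `openssl verify` step is the useful check: if it fails against the directory you intend to hand to racoon, the problem is the link name or the PEM encoding, not racoon's configuration, and it is much quicker to see here than in racoon's debug output.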
On Thu May 08, 2003 at 03:07:43PM -0400, Patrick Muldoon wrote:
> On Thursday 08 May 2003 02:59 pm, The Anarcat wrote:
> > On Thu May 08, 2003 at 12:49:59PM -0600, Brett Glass wrote:
> > > At 08:51 AM 5/8/2003, The Anarcat wrote:
> > > >I found that the mpd client is pretty easy to setup and really
> > > >powerful.
> > >
> > > You've found a way to do L2TP with mpd? Please post information.
> >
> > No. I've used mpd to setup a PPTP. Sorry for the confusion.
>
> If you don't mind me asking, what is it connecting to? I have been having a
> heck of a time connecting to a PIX on the far end.

Hehehe.. I got it to connect to.. mpd! :)

dynamic ip + nat on one end, static + nat on the other.

I tried to make it work with MacOS X, but somehow OSX doesn't respond to LQR pings, or there's some routing problem in there, I don't know. Haven't tried with Windows VPN either yet.

A.