Thread: linux to windows ipsec

  1. #1
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027


    Do any of you have experience setting up linux to windows ipsec connections?

    More specifically configuring a windows 2k3 box to talk to a red hat racoon ike daemon?
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  2. #2
    Junior Member
    Join Date
    Aug 2004
    Posts
    16
    Are you talking client-server communications or client-client communications??
    "Poor planning on your part does not necessitate an emergency on my part." -Unknown

  3. #3
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    I don't believe client vs server matters one bit when you are enabling ipsec communications. It matters more whether it's host to host, host to gateway, or gateway to gateway. I'm simply doing host to host communications.

  4. #4
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Depends what you are trying to do. Windows comes with L2TP/IPSEC, so if you want to use L2TP it's fairly straightforward from the client after you create your X.509 cert and your server supports L2TP, but if you want to ditch L2TP then you need to use an IPSEC client on the Windows machine that doesn't use L2TP (http://vpn.ebootis.de/). There are also L2TP clients (and a server) for Linux if you are connecting a Linux client to a Windows server (http://sourceforge.net/projects/l2tpd).


    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  5. #5
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    Here is where our communications are getting screwed. You are talking about host (client) to gateway (server) vpn. You do not however have to use a client server model using ipsec.

    I'm simply working on a server isolation scheme of sorts. This is more of a host to host setup with ipsec handling secure communications and doing packet filtering.

    I've been having issues getting the two IKE daemons to do a proper handshake and get past phase 1; I really just need to take more time and finish reading the manual to configure and troubleshoot things properly.

    I'll write it up when I'm done and post it.

    l2tp? I don't need no stinking l2tp...

  6. #6
    Junior Member
    Join Date
    Aug 2004
    Posts
    16
    client-client, I meant host to host, sorry for the confusion. I knew you weren't doing host to gateway because of the two OSs, but wasn't sure if it was client/server VPN via IPsec.

    I would like to see what you find out...

  7. #7
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    I am a bit late, but I need to test what I write, and time is precious.
    In general, I can recommend two readers: on securityfocus about the
    Windows part [1], Spenneberg about the Linux part [2].

    Let us not make this more complicated than it needs to be. Two hosts,
    isolating setup. We use transport mode with preshared keys as a beginning.


    Linux-part (192.168.1.13)


    The policy (SPD) is manipulated with setkey. Let's create
    /etc/racoon/setkey.conf:
    Code:
    #!/usr/sbin/setkey -f

    # clear the SAD and SPD before loading the new policy
    flush;
    spdflush;

    # outbound .1.13 -> .1.16: ESP and AH, transport mode, both mandatory
    spdadd 192.168.1.13 192.168.1.16 any -P out ipsec
            esp/transport//require
            ah/transport//require;

    # inbound .1.16 -> .1.13: the mirror of the policy above
    spdadd 192.168.1.16 192.168.1.13 any -P in ipsec
            esp/transport//require
            ah/transport//require;
    I want to enable communication .1.13 <-> .1.16, transport mode,
    both encryption and authentication (no replay). Start with
    setkey -f /etc/racoon/setkey.conf and check with setkey -DP.

    Next step: racoon.

    We need to specify the kind of encryption. I use pre_shared_key,
    3des and md5, for simplicity.
    racoon.conf lives in /etc/racoon/racoon.conf:

    Code:
    path pre_shared_key "/etc/racoon/psk.txt";
    #path certificate "/etc/racoon/certs";

    # phase 1 (IKE) proposal for the Windows peer
    remote 192.168.1.16 {
            exchange_mode main;
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    authentication_method pre_shared_key;
                    dh_group modp1024;      # DH group 2, must match the Windows policy
            }
    }
    However, for phase 2, we need the SA information. Let us not be
    specific and, also for simplicity, use DH group 2:
    Code:
    # phase 2 (IPsec SA) parameters, accepted for any peer
    sainfo anonymous
    {
            pfs_group 2;                    # needs "session key PFS" enabled on Windows
            encryption_algorithm 3des;
            authentication_algorithm hmac_md5;
            compression_algorithm deflate;
    }
    Create a file /etc/racoon/psk.txt (keep it owned by root with mode 0600):
    Code:
    # peer address  shared secret
    192.168.1.16    PresharedKey

    Start racoon with racoon -F -f /etc/racoon/racoon.conf,
    use -d for debugging.


    Windows-part (192.168.1.16)


    MMC->SnapIn->[3]

    Create a new policy (no tunnel!), make sure to use the correct
    encryptions MD5 and 3DES, and take the correct group: DH2 (Tab: General).
    Make a new rule (for simplicity: all traffic, all protocols, ...) between
    .1.13 and .1.16. (mirrored).

    There is one important point: The Filter Action should have
    Session key perfect forward secrecy enabled, otherwise
    there is a problem getting phase 2! I would not accept or allow anything
    related to unsecured communication.

    Authentication: PreSharedKey. Type the same "passphrase" as in
    /etc/racoon/psk.txt

    Assign. Done.



    Now, this is the first step to enable an IPSec transport, which
    is fine for your purpose, I think. Check the traffic with a sniffer
    and eventually turn off the PreSharedKey mode and use a certificate.


    Cheers



    [1] http://online.securityfocus.com/infocus/1519
    http://online.securityfocus.com/infocus/1526
    http://online.securityfocus.com/infocus/1528
    [2] http://www.ipsec-howto.org/ipsec-howto.pdf
    [3] http://www.antionline.com/showthread...hreadid=262801
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)
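As an added check for the setup in the post above (example code, not from the thread or from racoon): after racoon and the Windows policy have negotiated, `setkey -D` lists the security associations, and the script below parses that output and confirms that both directions of the .1.13 <-> .1.16 pair have a mature ESP and AH transport SA with the 3DES / HMAC-MD5 algorithms configured in racoon.conf. The sample text is constructed in the shape of `setkey -D` output, with dummy keys and one SA deliberately missing.

```python
import re

# Constructed text in the shape of `setkey -D` output (not captured from a real host):
# dummy keys, and the AH SA for .16 -> .13 is deliberately missing (a half-finished phase 2).
SAMPLE_SAD = """\
192.168.1.13 192.168.1.16
\tesp mode=transport spi=201326592(0x0c000000) reqid=0(0x00000000)
\tE: 3des-cbc  0011223344556677 8899aabbccddeeff 0011223344556677
\tA: hmac-md5  0011223344556677 8899aabbccddeeff
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
192.168.1.13 192.168.1.16
\tah mode=transport spi=201326593(0x0c000001) reqid=0(0x00000000)
\tA: hmac-md5  0011223344556677 8899aabbccddeeff
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
192.168.1.16 192.168.1.13
\tesp mode=transport spi=201326594(0x0c000002) reqid=0(0x00000000)
\tE: 3des-cbc  0011223344556677 8899aabbccddeeff 0011223344556677
\tA: hmac-md5  0011223344556677 8899aabbccddeeff
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

def parse_sad(text):
    """Turn `setkey -D` text into one dict per SA: src, dst, proto, mode, E, A, state."""
    sas, hosts, cur = [], None, None
    for line in text.splitlines():
        if line and not line.startswith("\t"):          # "src dst" line opens an SA
            hosts, cur = tuple(line.split()[:2]), None
        elif hosts and (m := re.match(r"^\t(esp|ah) mode=(\w+) spi=\d+", line)):
            cur = {"src": hosts[0], "dst": hosts[1], "proto": m[1], "mode": m[2]}
            sas.append(cur)
        elif cur and (m := re.match(r"^\t([EA]): (\S+)", line)):
            cur[m[1]] = m[2]                             # E: cipher, A: authenticator
        elif cur and (m := re.search(r"state=(\w+)", line)):
            cur["state"] = m[1]                          # larval = phase 2 not finished
    return sas

def check_transport_pair(sas, a, b, enc="3des-cbc", auth="hmac-md5"):
    """Require mature ESP and AH transport SAs with the expected algorithms in both directions."""
    problems = []
    for src, dst in ((a, b), (b, a)):
        for proto in ("esp", "ah"):
            found = [s for s in sas if (s["src"], s["dst"], s["proto"]) == (src, dst, proto)]
            if not found:
                problems.append(f"{src}->{dst}: no {proto} SA (phase 2 incomplete?)")
            for s in found:
                if s["mode"] != "transport" or s.get("state") != "mature":
                    problems.append(f"{src}->{dst} {proto}: mode={s['mode']} state={s.get('state')}")
                if s.get("A") != auth or (proto == "esp" and s.get("E") != enc):
                    problems.append(f"{src}->{dst} {proto}: unexpected algorithms {s.get('E')}/{s.get('A')}")
    return problems
```

On a real host, feed it `subprocess.check_output(["setkey", "-D"], text=True)` instead of the sample; an empty problem list means both peers completed phase 2 with the intended policy.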
