RE: [Sheflug] IPsec -Linux
On Wed, 28 Apr 2004, Dawson, Alan wrote:
> > -----Original Message-----
> > From: Richard Stevenson [mailto:richard [at] alternativeuniverse.net]
>
> > and I've also got an IPSEC VPN tunnel running between a FreeBSD server
> > and a Cisco PIX to connect our two offices. In both cases, I have Racoon
> > providing IKE services with a shared secret for authentication (you can
> > use X.509 certificates as well, but that gets messy and expensive if
> > you're using a Pix on the other end).
> >
> > It took some reading and experimentation to get my head around it all,
> > but it does work. How can I help?
>
> Well I wanted to connect to 2 lans together and a Cisco PIX was involved
> somewhere also, but I was planning on using Debian Sarge. Any good links
> and reading material would be great.
I'll have a look when I get into the office, where I've got all of my
bookmarks stored. The main thing you need to find out is whether or not
the PIX has the (optional, but allegedly free) 3DES/AES license installed
- if it doesn't, you're stuck with DES for encryption, and you might as
well not bother. The DES expert in my office (he's implemented it in
firmware) tells me it takes about ten minutes to crack a single-DES
encryption key, and you don't even need much data to do it.
If you haven't got them already, install the ipsec-tools (from
ipsec-tools.sourceforge.net IIRC); you'll need them. If you installed
them more than a couple of weeks ago, get a new copy. There's a very
recent security fix for racoon in there.
Once you've figured out how it works, it becomes more or less
put-in-the-values-and-it-just-goes. Racoon has a million configuration
options, most of which you simply don't need to specify - they've all got
very well-thought-out defaults which will Just Work in most cases.
> Also, NAT... is it possible to use IPSEC (or some variant) with NAT, or is
> that impossible?
That is indeed possible. If your IPSEC system isn't also providing the
NAT services (i.e. it's behind a DSL router or similar), then you'll need
to put a pinhole for UDP port 4500 through to it in addition to the
pinholes for ESP and possibly AH. You won't be able to use AH (the NAT
screws that up), but you can still do ESP. This is similar to the setup
I've got at work, where we sit behind a DSL router that provides NAT.
NAT-traversal is a standard feature of racoon these days, according to the
documentation, and the Cisco can cope with it as well. The NAT-traversal
mechanism has been in the standards process for a few years now.
I'll dig up some more information for you in the morning.
Cheers
Richard
--
Richard Stevenson : Geek
If you can hear your neighbours firing small arms, they are using
subsonic ammunition.
-- Andrew Dalgliesh, in the Monastery
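The two NAT points Richard makes above (AH does not survive NAT, ESP does, and UDP/4500 must be opened for NAT-traversal) can be shown in a few lines. The following is an added illustration, not code from the thread or from racoon: it models the AH and ESP integrity checks with a truncated HMAC-SHA256 over a constructed key and constructed packets (the real algorithms and key lengths come from the negotiated SA), applies a source-NAT rewrite, and then shows how a receiver tells IKE, ESP and keepalive traffic apart on UDP/4500 using the RFC 3948 framing (four-byte zero non-ESP marker before IKE, non-zero SPI for encapsulated ESP, single 0xFF byte for keepalives).

```python
"""Why NAT breaks AH but not ESP, and how UDP/4500 NAT-T traffic is classified.
Added example; simplified model, not racoon's or the kernel's code."""
import hashlib
import hmac
import socket
import struct

DEMO_KEY = b"constructed-demo-key"  # constructed; a real SA key comes from IKE
ICV_LEN = 12                        # truncated HMAC, as IPsec integrity algorithms do


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; routers recompute it)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + 64, 0x1234, 0x4000, ttl, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )


def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    """AH authenticates the outer IP header: mutable fields (TTL, checksum)
    are zeroed before hashing, but source and destination addresses are covered."""
    h = bytearray(ip_hdr)
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return hmac.new(DEMO_KEY, bytes(h) + payload, hashlib.sha256).digest()[:ICV_LEN]


def esp_icv(spi: int, seq: int, payload: bytes) -> bytes:
    """ESP authenticates only its own header (SPI, sequence) and the payload;
    the outer IP header is never part of the integrity check."""
    data = struct.pack("!II", spi, seq) + payload
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def source_nat(ip_hdr: bytes, new_src: str) -> bytes:
    """What a NAT router does on the way out: rewrite source address, decrement TTL."""
    h = bytearray(ip_hdr)
    h[12:16] = socket.inet_aton(new_src)
    h[8] -= 1
    return bytes(h)


def ah_survives_nat() -> bool:
    """Sender computes the AH ICV, the NAT rewrites the source, receiver verifies."""
    payload = b"constructed inner packet"
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", proto=51)  # 51 = AH
    icv = ah_icv(hdr, payload)
    natted = source_nat(hdr, "198.51.100.7")
    return hmac.compare_digest(icv, ah_icv(natted, payload))   # False: address changed


def esp_survives_nat() -> bool:
    """Same exercise with ESP: the IP header changes, the ICV still matches."""
    payload = b"constructed encrypted payload"
    spi, seq = 0x10000001, 1
    icv = esp_icv(spi, seq, payload)
    hdr = ipv4_header("192.168.1.10", "203.0.113.5", proto=50)  # 50 = ESP
    source_nat(hdr, "198.51.100.7")  # header is rewritten, but ESP never hashed it
    return hmac.compare_digest(icv, esp_icv(spi, seq, payload))  # True


def classify_udp4500(udp_payload: bytes) -> str:
    """RFC 3948 framing on UDP/4500: a single 0xFF byte is a NAT keepalive,
    four zero bytes (the non-ESP marker) precede an IKE message, and anything
    else is UDP-encapsulated ESP, whose first four bytes are a non-zero SPI."""
    if udp_payload == b"\xff":
        return "NAT-keepalive"
    if len(udp_payload) >= 4 and udp_payload[:4] == b"\x00\x00\x00\x00":
        return "IKE"
    if len(udp_payload) >= 8:   # SPI + sequence number at minimum
        return "ESP"
    return "malformed"


if __name__ == "__main__":
    print("AH verifies after NAT: ", ah_survives_nat())
    print("ESP verifies after NAT:", esp_survives_nat())
    for sample in (b"\xff",
                   b"\x00\x00\x00\x00" + b"\x11" * 28,
                   struct.pack("!II", 0x10000001, 1) + b"\x22" * 8):
        print(sample[:4].hex(), "->", classify_udp4500(sample))
```

This is why a NAT router in front of the IPsec gateway needs UDP/500 and UDP/4500 forwarded (plus protocol 50 if a peer does not encapsulate), and why the firewall rule for AH (protocol 51) buys nothing behind NAT: any rewrite of the address fields invalidates an AH integrity check by design, whereas ESP in UDP rides through like any other UDP flow.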
___________________________________________________________________
Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html
GNU the choice of a complete generation.