Differences between version 9 and predecessor to the previous major change of IPSecConfiguration.
Other diffs: Previous Revision, Previous Author, or view the Annotated Edit History
| Newer page: | version 9 | Last edited on Monday, November 17, 2003 10:35:38 pm | by MichaelBordignon | Revert |
| Older page: | version 4 | Last edited on Thursday, April 24, 2003 4:10:17 am | by JeeKay | Revert |
@@ -12,7 +12,18 @@
FreeS/WAN by default supports two types of authentication - Pre Shared Keys (PSK) or RSA Keys. PSK is the easiest and quickest way of setting up both hosts, but then you have all the usual problems of key distribution. If the PSK is compromised, the link is also compromised as it becomes trivial to set up a ManInTheMiddle style attack. Using RSA keys is much more secure, as the public key can be transferred over the wire without fear.
__Note:__ While almost all IPSec implementations known to man support PSK, very few support RSA. The rest (pay attention anyone who needs to communicate with a Windows host) use X.509 certificates for authentication. FreeS/WAN does support this but requires a patch to the code and various other bits that I'm not quite sure how work. Watch this space!
+
+__NextNote:__ If you are wanting to interoperate with Windows 2000/XP, make sure that
+
+* a) The .p12 certificate which you export is added to the __local machine__ and not the __current user__. This is the first mistake I made. Otherwise, you'll get something like
+ auth.log.0:Nov 13 15:26:08 peer pluto[21342]: "remote-win2k-2"[2] 166.179.32.102 #2: encrypted
+ Informational Exchange message is invalid because it is for incomplete ISAKMP SA
+
+* b) If there are any stateful firewalls in between the road warrior and the internal machine, make sure you allow ESP (protocol 50), with something like
+ iptables -A INPUT -p esp -j ACCEPT
+
+__YetAnotherNote:__ Instructions on exporting x509 certs for use on 2k/xp can be found at http://www.natecarlson.com/linux/ipsec-x509.php, with a wealth of information at http://www.jacco2.dds.nl/networking/freeswan-l2tp.html. You'll also want a free utility found at http://vpn.ebootis.de to make the necessary IPSec policy changes to win2k/xp when you want to connect.
For an example PSK setup, head over to [IPSecConfigurationPSK]. %%%
For an example RSA setup, head over to [IPSecConfigurationRSA].
