Racoon ipsec configuration with GSSAPI/kerberos

T. M. Pederson tmp+rnpc at echo.disfinite.org
Mon May 18 11:40:16 EDT 2009

In article <mailman.70.1242326363.9729.kerberos at mit.edu>,
	Anandan <anandhm_psg at yahoo.com> writes:
> Hi,
> I have been trying to configure ipsec between two machines with kerberos. I
> have one Windows 2003 server which has active directory configured... these
> two linux machines are connected to that Windows machine...
> I am not able to get any proper documentation on how to use kerberos with
> racoon..
> Any help would be appreciated..

Racoon works with Kerberos through GSSAPI, and only for Phase 1. I've
been working with some Racoon/Heimdal installations on *BSD and the
occasional Linux box, where the configuration (racoon.conf) has generally
had the phase 1 section as:
# No address lookup by name in this implementation, so this file needs
# a remote inherit section for EACH OTHER ADDRESS a host has.

remote <host_address> {
        exchange_mode main;

        lifetime time 24 hour;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method gssapi_krb;
                # For compatibility, use the GSS-API ID "host/fqdn",
                # where fqdn is the output of the hostname(1)
                # command. You probably want this to match your system's
                # host principal.  ktutil(8)'s "list" command will list
                # the principals in your system's keytab.  If you need
                # to, you can change the GSS-API ID here.
                # Older implementations used "ike/fqdn"
                gss_id "host/fqdn";

                dh_group 1;
        }

        # Used by client hosts (initiators). Should be off for servers.
        generate_policy on;
}


Note that you could instead use the usual "anonymous" instead of an
address if you're going with the same phase 1 between all machines.

Also, depending on implementation, encryption_algorithm may be 3des
or aes (I've been working with both).

The rest of the Racoon configuration (phase 2, etc.) is independent
of Kerberos and is covered by the standard documentation.

Just had a jump from Heimdal 0.x to 1.1 and it looks like racoon
needs to adjust for an API change to work with the new Heimdal. Still
tracking down what's going on with that combo. Otherwise, Racoon
w/Heimdal 0.6 and 0.7 has been working just fine. I have no experience
with Racoon interacting with MIT or MS Kerberos implementations.

T. M. Pederson <tmp+rnpc at disfinite.org>
GPG key fingerprint = FFAF D056 F12B E03F 7084  1288 EF8B E1FE 1693 21EB
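The comment in the config above says the gss_id should match a principal in the host keytab; a mismatch (for example an old "ike/fqdn" ID left in one remote section) makes Phase 1 fail for that peer. The following script, an added example that is not part of the original post, extracts every gss_id from a racoon.conf and checks each against a Heimdal "ktutil list" listing; the config fragment, the keytab listing and its column layout are constructed assumptions.

```shell
# Added example, not from the original post: cross-check each gss_id in a
# racoon.conf against the principals in the host keytab, as printed by
# Heimdal's "ktutil list". Both inputs below are constructed so this runs
# offline; in practice feed it the real racoon.conf and keytab listing.

# Constructed racoon.conf fragment; the second remote still uses the older "ike/fqdn" ID.
RACOON_CONF='remote 192.0.2.10 {
        proposal {
                authentication_method gssapi_krb;
                gss_id "host/gw1.example.org";
        }
}
remote 192.0.2.20 {
        proposal {
                authentication_method gssapi_krb;
                gss_id "ike/gw1.example.org";
        }
}'
# Constructed "ktutil list" output (column layout assumed: Vno Type Principal).
KEYTAB_LIST='FILE:/etc/krb5.keytab:

Vno  Type                     Principal
  3  aes256-cts-hmac-sha1-96  host/gw1.example.org@EXAMPLE.ORG
  3  des3-cbc-sha1            host/gw1.example.org@EXAMPLE.ORG'
# Print every gss_id value in the config, quotes stripped, one per line.
gss_ids() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*gss_id[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Print the distinct principals in a ktutil listing, realm stripped.
keytab_principals() {
    printf '%s\n' "$1" | awk 'NF >= 3 && index($3, "/") { sub(/@.*/, "", $3); print $3 }' | sort -u
}
# Succeed only if every gss_id has a key in the keytab; a missing one means
# Phase 1 for that remote fails at the GSS-API step, so name it on stderr.
check_gss_ids() {
    missing=0
    for id in $(gss_ids "$1"); do
        if ! keytab_principals "$2" | grep -qxF "$id"; then
            echo "gss_id $id: no matching principal in keytab" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

if check_gss_ids "$RACOON_CONF" "$KEYTAB_LIST"; then
    echo "every gss_id has a matching keytab principal"
fi
```

With the constructed inputs the second remote's "ike/gw1.example.org" is reported as missing, which is exactly the case the "Older implementations used ike/fqdn" comment warns about.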
