Racoon ipsec configuration with GSSAPI/kerberos
Anandan
anandhm_psg at yahoo.com
Mon May 25 22:59:23 EDT 2009
T. M. Pederson wrote:
>
> In article <mailman.70.1242326363.9729.kerberos at mit.edu>,
> Anandan <anandhm_psg at yahoo.com> writes:
>>
>> Hi,
>> I have been trying to configure IPsec between two machines with Kerberos. I
>> have one Windows 2003 server which has Active Directory configured. These
>> two Linux machines are connected to that Windows machine.
>> I am not able to get any proper documentation on how to use Kerberos with
>> racoon.
>> Any help would be appreciated.
>
> Racoon works with Kerberos through GSSAPI, and only for Phase 1. I've
> been working with some Racoon/Heimdal installations on *BSD and the
> occasional Linux box, where the configuration (racoon.conf) has generally
> had the phase 1 section as:
> --------
> # No address lookup by name in this implementation, so this file needs
> # a remote inherit section for EACH OTHER ADDRESS a host has.
>
> remote <host_address> {
>     exchange_mode main;
>
>     lifetime time 24 hour;
>
>     proposal {
>         encryption_algorithm 3des;
>         hash_algorithm sha1;
>         authentication_method gssapi_krb;
>         # For compatibility, use the GSS-API ID "host/fqdn",
>         # where fqdn is the output of the hostname(1)
>         # command. You probably want this to match your system's
>         # host principal. ktutil(8)'s "list" command will list
>         # the principals in your system's keytab. If you need
>         # to, you can change the GSS-API ID here.
>         # Older implementations used "ike/fqdn"
>         gss_id "host/fqdn";
>
>         dh_group 1;
>     }
>
>     # Used by client hosts (initiators). Should be off for servers.
>     generate_policy on;
> }
>
> --------
>
> Note that you could instead use the usual "anonymous" instead of an
> address if you're going with the same phase 1 between all machines.
>
> Also, depending on implementation, encryption_algorithm may be 3des
> or aes (I've been working with both).
>
> The rest of the Racoon configuration (phase 2, etc.) is independent
> of Kerberos and is covered by the standard documentation.
>
> Just had a jump from Heimdal 0.x to 1.1 and it looks like racoon
> needs to adjust for an API change to work with the new Heimdal. Still
> tracking down what's going on with that combo. Otherwise, Racoon
> w/Heimdal 0.6 and 0.7 has been working just fine. I have no experience
> with Racoon interacting with MIT or MS Kerberos implementations.
> --
> T. M. Pederson <tmp+rnpc at disfinite.org>
> GPG key fingerprint = FFAF D056 F12B E03F 7084 1288 EF8B E1FE 1693 21EB
> +Accept: text/plain; charset=ISO-8859-*,UTF-*
>
>
Thanks for the information. I think this case will work between two Linux
machines.
Is it possible to configure racoon with Kerberos between a Linux machine and
a Windows machine?
Thanks,
Anandan
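As an added example (not code from this thread or from racoon itself), a small Python check that parses the phase 1 `remote` blocks of a racoon.conf and flags the points raised in the quoted reply: a gss_id that matches no principal in the local keytab, the older ike/fqdn form, and generate_policy left on for a responder. The peer addresses, the FQDN vpn-a.example.org and the keytab contents are constructed for the demonstration.

```python
import re

# Constructed racoon.conf phase 1 sections modelled on the one quoted above:
# the first is sound, the second still carries the older ike/ GSS-API ID.
RACOON_CONF = """remote 192.0.2.10 {
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method gssapi_krb;
        gss_id "host/vpn-a.example.org";
    }
    generate_policy on;
}
remote 192.0.2.11 {
    proposal {
        authentication_method gssapi_krb;
        gss_id "ike/vpn-a.example.org";
    }
    generate_policy off;
}
"""
# Constructed keytab contents as ktutil(8) "list" would show them (hypothetical host).
KEYTAB_PRINCIPALS = ["host/vpn-a.example.org@EXAMPLE.ORG"]

def parse_remotes(conf):
    """Map each remote address to its settings (proposal keys flattened in); assumes
    the usual layout with the top-level closing brace at column 0."""
    conf = re.sub(r"#.*", "", conf)                         # drop comments
    remotes = {}
    for addr, body in re.findall(r"remote\s+(\S+)\s*\{(.*?)\n\}", conf, re.S):
        pairs = re.findall(r"(\w+)\s+([^;{}]+);", body)     # key value; statements
        remotes[addr] = {k: v.strip().strip('"') for k, v in pairs}
    return remotes

def check_phase1(remotes, keytab_principals, role="initiator"):
    """Return {remote: [findings]} for the GSSAPI phase 1 settings discussed above."""
    local_ids = {p.split("@", 1)[0] for p in keytab_principals}   # realm stripped
    findings = {}
    for addr, kv in remotes.items():
        issues = []
        if kv.get("authentication_method") != "gssapi_krb":
            issues.append("authentication_method is not gssapi_krb")
        gss_id = kv.get("gss_id", "")
        if gss_id.startswith("ike/"):
            issues.append("gss_id uses the older ike/fqdn form; use host/fqdn")
        if gss_id not in local_ids:
            issues.append(f"gss_id {gss_id!r} matches no principal in the keytab")
        if role == "responder" and kv.get("generate_policy") == "on":
            issues.append("generate_policy on is for initiators; turn it off on servers")
        findings[addr] = issues
    return findings
```

Run it with `role="responder"` on a server's racoon.conf and with the default on a client's; the first block passes as an initiator but is flagged as a responder, and the second is flagged for its ike/ ID either way.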