Racoon ipsec configuration with GSSAPI/kerberos


Racoon ipsec configuration with GSSAPI/kerberos

by Anandan

Hi,
I have been trying to configure ipsec between two machines with kerberos..I have one Windows 2003 server which has active directory configured... these two linux machines are connected to that Windows machine...
I am not able to get any proper documentation on how to use kerberos with racoon..
Any help would be appreciated..

Thanks & Regards
Anandan


Re: Racoon ipsec configuration with GSSAPI/kerberos

by T. M. Pederson-5

In article <mailman.70.1242326363.9729.kerberos@...>,
        Anandan <anandhm_psg@...> writes:
>
> Hi,
> I have been trying to configure ipsec between two machines with kerberos..I
> have one Windows 2003 server which has active directory configured... these
> two linux machines are connected to that Windows machine...
> I am not able to get any proper documentation on how to use kerberos with
> racoon..
> Any help would be appreciated..

Racoon works with Kerberos through GSSAPI, and only for Phase 1. I've
been working with some Racoon/Heimdal installations on *BSD and the
occasional Linux box, where the configuration (racoon.conf) has generally
had the phase 1 section as:
--------
# No address lookup by name in this implementation, so this file needs
# a remote inherit section for EACH OTHER ADDRESS a host has.

remote <host_address> {
        exchange_mode main;

        lifetime time 24 hour;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method gssapi_krb;
                # For compatibility, use the GSS-API ID "host/fqdn",
                # where fqdn is the output of the hostname(1)
                # command. You probably want this to match your system's
                # host principal.  ktutil(8)'s "list" command will list
                # the principals in your system's keytab.  If you need
                # to, you can change the GSS-API ID here.
                # Older implementations used "ike/fqdn"
                gss_id "host/fqdn";

                dh_group 1;
        }

        # Used by client hosts (initiators). Should be off for servers.
        generate_policy on;
}

--------

Note that you could instead use the usual "anonymous" instead of an
address if you're going with the same phase 1 between all machines.

Also, depending on implementation, encryption_algorithm may be 3des
or aes (I've been working with both).

The rest of the Racoon configuration (phase 2, etc.) is independent
of Kerberos and is covered by the standard documentation.

Just had a jump from Heimdal 0.x to 1.1 and it looks like racoon
needs to adjust for an API change to work with the new Heimdal. Still
tracking down what's going on with that combo. Otherwise, Racoon
w/Heimdal 0.6 and 0.7 has been working just fine. I have no experience
with Racoon interacting with MIT or MS Kerberos implementations.
--
T. M. Pederson <tmp+rnpc@...>
GPG key fingerprint = FFAF D056 F12B E03F 7084  1288 EF8B E1FE 1693 21EB
+Accept: text/plain; charset=ISO-8859-*,UTF-*
________________________________________________
Kerberos mailing list           Kerberos@...
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Racoon ipsec configuration with GSSAPI/kerberos

by Anandan


T. M. Pederson-5 wrote:
[...]

Thanks for the information. I think this case will work between two linux machines.
Is it possible to configure racoon with kerberos between a linux machine and a windows machine??

Thanks,
Anandan

Re: Racoon ipsec configuration with GSSAPI/kerberos

by T. M. Pederson-5

In article <mailman.125.1243323208.9729.kerberos@...>,
        Anandan <anandhm_psg@...> writes:
[...]
> Thanks for the information. I think this case will work between two linux
> machines.
> Is it possible to configure racoon with kerberos between a linux machine and
> a windows machine??

According to the documentation it's certainly possible. I don't
have access to any MS-Windows machines to offer much of any tips.

I will note, however, that while Racoon is capable of two gssapi id
encodings, MS-Windows can only handle one. Racoon is supposed to
default to using the same one that MS-Windows does, but if for some
reason it doesn't, explicitly set it in the general section of your
racoon.conf:
gss_id_enc utf-16le;
--
T. M. Pederson <tmp+rnpc@...>
GPG key fingerprint = FFAF D056 F12B E03F 7084  1288 EF8B E1FE 1693 21EB
+Accept: text/plain; charset=ISO-8859-*,UTF-*
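Added example, not code from this thread or from the racoon project: a small Python checker for the two points raised in the replies above. It confirms that the gss_id of a gssapi_krb proposal matches a principal actually present in the host's keytab (the comment in the posted racoon.conf says to compare against ktutil's "list" output) and that gss_id_enc is utf-16le when the peer is a Windows machine (the follow-up reply). The racoon.conf excerpt, the keytab principal list and the host name vpn1.example.com are constructed for the example; the principal list is assumed to be what you copied out of "ktutil list" (Heimdal) or "klist -k" (MIT). The parser handles only the key/value and brace structure these checks need, not the whole racoon.conf grammar.

```python
import re

# Constructed racoon.conf excerpt, modelled on the phase 1 section posted
# in the thread but with two deliberate mistakes: the ID uses the older
# "ike/" form and the encoding is latin1 while the peer is Windows.
SAMPLE_CONF = """\
gss_id_enc latin1;

remote anonymous {
        exchange_mode main;
        lifetime time 24 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method gssapi_krb;
                gss_id "ike/vpn1.example.com";   # should be host/fqdn
                dh_group 1;
        }
        generate_policy on;
}
"""

# The same excerpt with both mistakes corrected.
FIXED_CONF = (SAMPLE_CONF
              .replace("gss_id_enc latin1;", "gss_id_enc utf-16le;")
              .replace("ike/vpn1.example.com", "host/vpn1.example.com"))

# Constructed keytab contents, as read off "ktutil list" (Heimdal) or
# "klist -k" (MIT): one host principal for this (hypothetical) machine.
SAMPLE_KEYTAB_PRINCIPALS = ["host/vpn1.example.com@EXAMPLE.COM"]

# key value;  (value may contain spaces, e.g. "lifetime time 24 hour;")
STATEMENT = re.compile(r'^\s*(\w+)\s+(.+?)\s*;\s*$')


def parse_racoon(conf_text):
    """Return (depth, key, value) triples from a racoon.conf text.

    '#' comments are dropped, surrounding quotes are stripped from values,
    and depth counts enclosing braces (0 = global, 1 = remote, 2 = proposal).
    """
    statements = []
    depth = 0
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0]
        m = STATEMENT.match(line)
        if m:
            statements.append((depth, m.group(1), m.group(2).strip('"')))
        depth += line.count('{') - line.count('}')
    return statements


def principal_names(keytab_principals):
    """Drop the realm: host/x@REALM -> host/x, which is what gss_id names."""
    return {p.split('@', 1)[0] for p in keytab_principals}


def encode_gss_id(gss_id, enc):
    """Encode a GSS-API ID the way each racoon gss_id_enc setting does."""
    if enc == 'latin1':
        return gss_id.encode('latin-1')
    if enc == 'utf-16le':
        return gss_id.encode('utf-16-le')
    raise ValueError('unknown gss_id_enc: %s' % enc)


def check_phase1(conf_text, keytab_principals, peer_is_windows):
    """Return a list of warnings about the gssapi_krb phase 1 settings."""
    statements = parse_racoon(conf_text)
    names = principal_names(keytab_principals)
    enc = next((v for d, k, v in statements if d == 0 and k == 'gss_id_enc'), None)
    if not any(k == 'authentication_method' and v == 'gssapi_krb'
               for _, k, v in statements):
        return ['no proposal uses authentication_method gssapi_krb']
    warnings = []
    gss_ids = [v for _, k, v in statements if k == 'gss_id']
    if not gss_ids:
        warnings.append("gss_id not set; confirm racoon's default matches a "
                        "principal in the keytab")
    for gid in gss_ids:
        if gid not in names:
            warnings.append('gss_id "%s" has no matching keytab principal (have: %s)'
                            % (gid, ', '.join(sorted(names))))
        if gid.startswith('ike/'):
            warnings.append('gss_id "%s" uses the older ike/ form; peers may '
                            'expect host/fqdn' % gid)
    if peer_is_windows and enc is not None and enc != 'utf-16le':
        warnings.append('peer is Windows but gss_id_enc is %s; set '
                        '"gss_id_enc utf-16le;" in the global section' % enc)
    elif peer_is_windows and enc is None:
        warnings.append('gss_id_enc not set; racoon should default to utf-16le, '
                        'set it explicitly if Windows rejects the ID')
    return warnings


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("corrected", FIXED_CONF)):
        problems = check_phase1(conf, SAMPLE_KEYTAB_PRINCIPALS, peer_is_windows=True)
        print("%s: %s" % (label, problems or "no problems found"))
    # Why the encoding matters: the same ID is a different byte string under
    # each setting, so two peers using different encodings never compare equal.
    for enc in ("latin1", "utf-16le"):
        print(enc, encode_gss_id("host/vpn1.example.com", enc).hex())
```

Run against the real files by reading /etc/racoon/racoon.conf into check_phase1 and pasting the principal column of ktutil list / klist -k into the list; the last loop shows why a latin1/utf-16le mismatch fails silently at the identity comparison rather than producing a useful error.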