Road warriors (multiuser configurations) are roaming user clients with dynamically assigned IP addresses unknown to the home IPSec gateway or VPN concentrator. Hence the configuration has to rely on other means of authentication such as deployment of signatures or certificates. This requires a PKI.
Deployment of preshared secrets does not scale and often compromises entire architectures that rely on only one key. Because of an architectural change in the Cisco IPSec client for group authentication, interoperability with UNIX IPSec implementations has severely suffered (although arguably added benefit to Cisco-to-Cisco connections).
OpenBSD, FreeBSD, and Linux IPSec clients offer excellent granularity to adjust to interoperability requirements. As a rule of thumb, the same IPSec implementation on the client and the gateway saves lots of headaches and debugging effort. For sample road-warrior setups, see http://www.ipsec-howto.org, http://www.linuxsecurity.com/resource_files/cryptography/ipsec-howto/HOWTO.html, and http://www.allard.nu/openbsd/index.html. This last website covers certificate handling in depth.
Example 11-19 provides a certificate-based racoon example for road-warrior access.
Example 11-19. FreeBSD Gateway racoon Configuration for Road-Warrior Access
### Road Warrior to Gateway ####
path include "/usr/local/etc/racoon" ;
# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/cert" ;
# "log" specifies logging level. It is followed by either "notify," "debug,"
# or "debug2."
#log debug;
remote anonymous {
exchange_mode main;
generate_policy on;
passive on;
certificate_type x509 "my_certificate.pem" "my_private_key.pem";
my_identifier cisco;
peers_identifier cisco;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method rsasig;
dh_group modp1024;
}
}
sainfo anonymous {
pfs_group modp1024;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
Subscribe to:
Post Comments (Atom)
0 comments:
Post a Comment