Subject: New VPN software in pkgsrc: ipsec-tools
To: None <netbsd-users@netbsd.org>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: netbsd-users
Date: 11/10/2004 09:08:57
Hi

I imported ipsec-tools into pkgsrc, the Linux port of racoon (the IKE
daemon for exchanging IPsec keys). This racoon has been enhanced to
support various new features:

- NAT-Traversal, to get ESP encapsulated in UDP and therefore have it
go through network address translators. This also requires a kernel
patch that can be found here:
http://ftp.espci.fr/shadow/manu/nat-t.patch 
This patch has not been integrated yet, because it seems that NAT-T
could be MS-patented. This means that you cannot legally use it, except
if you get a license from MS, or if you live in a country where software
patents are not legal (European countries are safe).

- IKE fragmentation: this works around dumb DSL routers that cannot
accommodate fragmented IP packets.

- ISAKMP mode config: enables the VPN gateway to feed the client with
network information (internal address, DNS server...). 

- Hybrid authentication, which enables asymmetrical authentication: the VPN
gateway authenticates to the client using a certificate, the client
authenticates to the VPN gateway using a login and a password. This is
done in a secure (*) manner, i.e. no need for a horrible group
password to secure phase 1. 

- RADIUS support: for authentication, accounting and IP address
allocation

With these enhancements, ipsec-tools' racoon can be used as a VPN
gateway for the Cisco VPN client, which features a GUI client for
Windows, Linux, Solaris and MacOS. The Cisco VPN client is not free, but
if you are already a Cisco customer, you may be able to get it for free.

I use ipsec-tools' racoon as a replacement for the horrible Cisco VPN
3000 access concentrator. That works in real life, with real users,
without any trouble.

Future work:

- Dead Peer Detection: to flush a SA sooner when the peer has gone away.
For now we wait for the SA to expire.

- Hybrid authentication and ISAKMP mode config client capability, to use
racoon as the road warrior client. The code is already there, but I hit
some problems configuring the SPD and the routing table correctly on
NetBSD.

(*) Of course using certificates for both peers is more secure, but for
road-warrior remote access this might not be an option, depending on
your users. Hybrid auth gives you the same level of security as
passwords through SSH.
 
-- 
Emmanuel Dreyfus
There are 10 kinds of people in the world: those who understand
binary and those who do not.
manu@netbsd.org
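Added example, not part of Emmanuel's message and not a file shipped by
ipsec-tools: a racoon.conf that puts the features listed above together in
the role he describes, a gateway for road-warrior clients (such as the
Cisco VPN client) that authenticates itself with a certificate and checks
the users' login/password against RADIUS. Directive names are those of
racoon.conf(5); the address 192.0.2.1, the certificate file names and the
10.99.0.0/24 client pool are placeholders. Dead Peer Detection is left out
because the message lists it as future work, and nat_traversal only takes
effect once the kernel carries the nat-t.patch mentioned above.

```conf
# Added example: racoon.conf for an ipsec-tools gateway serving road
# warriors with hybrid authentication + ISAKMP mode config + RADIUS.
# 192.0.2.1, the file names and the 10.99.0.0/24 pool are placeholders.

path certificate "/etc/racoon/certs";

listen {
    # Plain IKE on UDP/500. With NAT-T, both peers move to UDP/4500
    # once a NAT is detected on the path; the kernel must then accept
    # UDP-encapsulated ESP (the nat-t.patch) or phase 2 traffic is lost.
    isakmp 192.0.2.1 [500];
    isakmp_natt 192.0.2.1 [4500];
}

# Road warriors come from unknown addresses: one anonymous remote block.
remote anonymous {
    exchange_mode aggressive, main;
    passive on;            # gateway only ever responds, never initiates
    nat_traversal on;      # encapsulate ESP in UDP when a NAT is detected
    ike_frag on;           # fragment big IKE payloads (the cert exchange)
                           # ourselves, for DSL routers that drop IP fragments
    generate_policy on;    # create SPD entries for the address handed to
                           # the client instead of requiring static ones
    proposal_check obey;

    # The gateway proves its identity with an X.509 certificate ...
    my_identifier asn1dn;
    certificate_type x509 "gateway.crt" "gateway.key";
    ca_type x509 "ca.crt";

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        # ... and the client proves its identity with a login/password
        # (XAuth) sent inside the phase 1 that the certificate protects.
        # No group pre-shared key is involved anywhere.
        authentication_method hybrid_rsa_server;
        dh_group 2;
    }
}

# ISAKMP mode config: what the client is told after it has authenticated.
mode_cfg {
    auth_source radius;    # XAuth login/password verified by RADIUS
    accounting radius;     # session start/stop records to RADIUS
    # Address allocation from the local pool below; use
    # "conf_source radius;" to let RADIUS assign the address instead.
    conf_source local;
    network4 10.99.0.1;
    netmask4 255.255.255.0;
    pool_size 200;
    dns4 10.99.0.1;
    default_domain "vpn.example";
    banner "/etc/racoon/motd";
    auth_throttle 1;       # one-second delay after a failed XAuth attempt
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm 3des, aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

racoon reaches the RADIUS server through libradius, so the server address
and shared secret go in /etc/radius.conf rather than in racoon.conf. The
security-relevant choices here are hybrid_rsa_server (the certificate, not
a shared group secret, is what the client trusts before it sends a
password), passive on (the gateway never initiates to an unknown peer) and
auth_throttle (rate-limits online password guessing against XAuth).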