Subject: racoon, gss-api auth, and win2k IPSec IKE ...
To: None <tech-net@netbsd.org>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-net
Date: 05/23/2002 17:51:04
I have racoon (the racoon-20020507a package) on 1.5ZC succesfully
establishing conections with a win2k (sp2, high encryption) machine,
using preshared keys. I'd really like to use the gss-api
authentication instead.
Has anyone ever gotten this to work? ... and if so, how? By (a)
making a win2k machine use a Heimdal kdc? Or by (b) using
ksetup/ktpass to add racoon's GSS-API krb5 principal to the PDC,
extracting a keytab, moving the keytab to the Netbsd racoon host, and
pointing the krb5.conf on the Racoon host at the Windows PDC?
I tried the former, but then the windows dialog box for adding IPsec
authentication mechanisms told me I couldn't use "kerberos
authentication" for IPsec, unless the win2k desktop was part
of a wink2 domain. And now (after having done the ksetup) I'm having
difficulty getting that wink2 box to properly interoperate with a
win2k PDC...
Also, if (b) is the way to go, where should I install and run
ksetup/ktpass on the PDC?
Thanks for any assistance,
--Jonathan
(PS: it would be great to put a copy of the relevant I-D into
the racoon docs, as its long expired...)