Comments inline.

From: sandy s []
Sent: Thursday, December 08, 2005 8:00 PM
To:;;; Nathan Herring;;
Subject: Re: [Ipsec-tools-devel] Problem of racoon and GSS API.


Thanks a lot for all the replies. I was not able to use racoon to do a kerberos auth based IPsec connection :(

I wanted to use this setup to see what credentials are getting acquired by client and server when GSS API based Kerberos is used for IPsec.

Could anybody please let me know if :
I am connecting from a system which is acting as a client to another server. Assume that the system which is acting as server has many application servers running such as telnet, ftp, dns, dhcp etc. Then, if I use IPsec using Kerberos, do I need service tickets for all these services? Or do I need only one ticket for the server system? I assume machine based authentication will happen rather than service based authentication. Am I correct?
Correct. The IPsec level sits at a different level than the rest of it -- you may end up performing two different sets of Kerberos authentication in these cases: (1) The client contacts the KDC to acquire a service ticket for ike/machine@REALM (or whatever your principal looks like for IPsec -- ours are machine$@REALM) and this is used for establishing the IPsec connection. (2) The client then performs networking operations, accessing the server's services over that IPsec connection, and this (may) require a second service ticket (depending on what service it is), e.g., http/machine@REALM. I write "may," because on Windows networks, you can access SAMBA (NetBIOS) shares using the same service ticket as for IPsec (machine$@REALM), though cifs/machine@REALM is also supported for the same access.

In this case, I need not bother about the application services running. Right?
Probably not. If you are trying to test out your IPsec connection using telnet and you don't have a telnet service turned on, then nobody would be listening on the port to try and open a connection in the first place. However, you can use ping (icmp) to test it without the application services running. 

Could you please help me ?

- Sandy.
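The thread's practical question is how to see which Kerberos credentials a client actually holds once an IPsec SA is up and an application connection has been made. The script below is an added example, not code from the list or from ipsec-tools: it parses a constructed `klist` dump (MIT-style layout, embedded inline) and sorts each service principal into the TGT, the single IKE-level ticket used for the ISAKMP SA, and the per-service tickets acquired later by applications on top of the tunnel. The naming rules it applies (`ike/<host>@REALM`, or `<machine>$@REALM` on Windows) are the conventions mentioned in the reply above and are treated as assumptions; adjust `classify_principal` to match your own IKE principal.

```shell
#!/bin/sh
# Constructed sample of `klist` output on a client after (1) an IKE negotiation
# with GSS-API/Kerberos and (2) two later application connections to the same
# server. This is not captured from a real system.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
12/08/05 19:00:00    12/09/05 05:00:00    krbtgt/EXAMPLE.COM@EXAMPLE.COM
12/08/05 19:01:12    12/09/05 05:00:00    ike/server.example.com@EXAMPLE.COM
12/08/05 19:05:40    12/09/05 05:00:00    host/server.example.com@EXAMPLE.COM
12/08/05 19:07:02    12/09/05 05:00:00    cifs/server.example.com@EXAMPLE.COM'

# Extract the service principal column from a klist dump, one per line.
# Ticket rows have five whitespace-separated fields and the fifth contains '@';
# header and "Default principal:" lines do not match both conditions.
service_principals() {
    printf '%s\n' "$1" | awk 'NF == 5 && $5 ~ /@/ { print $5 }'
}

# Classify one principal:
#   tgt         - the ticket-granting ticket
#   ike         - the ticket racoon's GSS-API exchange needs for the IPsec SA
#                 (assumed conventions: ike/<fqdn>@REALM, or <machine>$@REALM)
#   application - a per-service ticket (host/, cifs/, http/, ...) that the
#                 application protocol acquires on top of the tunnel
classify_principal() {
    case "$1" in
        krbtgt/*)      echo tgt ;;
        ike/* | *\$@*) echo ike ;;
        *)             echo application ;;
    esac
}

# Number of application-level tickets, i.e. everything beyond the single IKE
# ticket the SA itself requires. Used to confirm that establishing IPsec alone
# does not pull in service tickets for telnet, ftp, cifs and so on.
count_application_tickets() {
    n=0
    for p in $(service_principals "$1"); do
        [ "$(classify_principal "$p")" = application ] && n=$((n + 1))
    done
    echo "$n"
}

# Returns 0 when the cache holds an IKE-level ticket, 1 otherwise.
has_ike_ticket() {
    for p in $(service_principals "$1"); do
        [ "$(classify_principal "$p")" = ike ] && return 0
    done
    return 1
}

# Human-readable report: one line per ticket with its class.
report() {
    for p in $(service_principals "$1"); do
        printf '%-12s %s\n' "$(classify_principal "$p")" "$p"
    done
}

report "$SAMPLE_KLIST"
```

To use it against a live cache, replace the constructed sample with `"$(klist)"`; a cache that shows only the TGT and the `ike/` ticket right after racoon brings up the SA, and gains `host/` or `cifs/` entries only once you actually telnet or mount a share, confirms the two-level picture described in the reply. If an extra service ticket appears before any application traffic, that is worth investigating.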