Thanks a lot for all the replies. I was not able to use racoon
to do a Kerberos-auth-based IPsec connection :(
I wanted to use this setup to see what credentials are getting acquired
by client and server when GSS-API-based Kerberos is used for IPsec.
Could anybody please let me know if:
I am connecting from a system which is acting as a client to
another server. Assume that the system which is acting as server has many
application servers running such as telnet, ftp, dns, dhcp etc. Then, if I
use IPsec using Kerberos, do I need service tickets for all these
services? Or do I need only one ticket for the server system? I assume
machine-based authentication will happen rather than service-based authentication.
Am I correct?
Correct. The IPsec level sits at a different level than the rest of
it -- you may end up performing two different sets of Kerberos
authentication in these cases: (1) The client contacts the KDC to acquire a
service ticket for ike/machine@REALM (or
whatever your principal looks like for IPsec -- ours are machine$@REALM) and this is
used for establishing the IPsec connection. (2) The client then
performs networking operations, accessing the server's services over that
IPsec connection, and this (may) require a second service ticket
(depending on what service it is), e.g., http/machine@REALM. I
write "may," because on Windows networks, you can access SAMBA (NetBIOS) shares
using the same service ticket as for IPsec (machine$@REALM), though cifs/machine@REALM is
also supported for the same access.
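To make the two classes of tickets in the reply above concrete, here is an added example (not code from the thread or from racoon) that sorts the service principals in a Kerberos credential cache into the IKE ticket used to bring up IPsec and the tickets acquired afterwards for services reached over the tunnel. The klist output embedded below is constructed; the principal names follow the forms given in the reply (ike/machine@REALM, http/machine@REALM, cifs/machine@REALM), and the hostnames and realm are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread: classify the service
# tickets in an MIT klist(1) listing. The sample output is constructed.

KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: client$@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/24 10:00:00  01/01/24 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
01/01/24 10:00:05  01/01/24 20:00:00  ike/server.example.com@EXAMPLE.COM
01/01/24 10:01:00  01/01/24 20:00:00  http/server.example.com@EXAMPLE.COM
01/01/24 10:02:00  01/01/24 20:00:00  cifs/server.example.com@EXAMPLE.COM'

# Print one service principal per line; skips the header lines and the
# TGT (krbtgt/...), leaving only tickets for concrete services.
service_principals() {
    awk '$1 ~ /^[0-9]/ && NF >= 5 && $5 !~ /^krbtgt\// { print $5 }'
}

# Ticket(s) used to establish IPsec: ike/<host>@REALM is the principal
# form the reply names for the IKE exchange.
ipsec_tickets() {
    service_principals | grep '^ike/'
}

# Tickets acquired later for application services used over the tunnel
# (http/, cifs/, ...); these are separate from the IKE ticket.
app_tickets() {
    service_principals | grep -v '^ike/'
}

count_lines() { wc -l | tr -d ' '; }

# Counts over the constructed sample; a live check would pipe `klist`
# into ipsec_tickets / app_tickets instead.
sample_ipsec_count() { printf '%s\n' "$KLIST_SAMPLE" | ipsec_tickets | count_lines; }
sample_app_count()   { printf '%s\n' "$KLIST_SAMPLE" | app_tickets   | count_lines; }

if [ "${1:-}" = "--demo" ]; then
    echo "IPsec (IKE) ticket(s):"; printf '%s\n' "$KLIST_SAMPLE" | ipsec_tickets
    echo "Application ticket(s):"; printf '%s\n' "$KLIST_SAMPLE" | app_tickets
fi
```

Running the script with `--demo` prints the single ike/ ticket under the first heading and the http/ and cifs/ tickets under the second, which is exactly the "two sets of Kerberos authentication" the reply describes: one ticket for the IPsec peer, then per-service tickets for whatever is accessed through the tunnel.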
In this case, I need not bother about the application services running. Right?
Probably not. If you are trying to test out your
IPsec connection using telnet and you don't have a telnet service
turned on, then nobody would be listening on the port to try and open a
connection in the first place. However, you can use ping (icmp) to test it
without the application services running.
Please help me?