This is at http://www.sandelman.ottawa.on.ca/ietf/secwlan/KAME-SecWLan.txt

1.	Make sure that you have FreeBSD XXX, NetBSD 1.5.x or better.

2.	Make sure that you have from pkgsrc, racoon-20011215a 

	You may need one patch, 
	    http://orange.kame.net/dev/cvsweb.cgi/kame/kame/kame/racoon/ipsec_doi.c.diff?r1=1.154&r2=1.155
	if you wind up having to use PSK. We believe that it is unnecessary
	if you are using RSA public keys.	

3.	Generate a public key pair (certificate) if you have not already.

	e.g: 
	     openssl req -new -x509 -keyout newreq.pem -out newreq.pem -days VALID-DAYS

	This forces you to set a password, but you can remove it with XXX.

4.	Extract your public key. 

	Racoon only does X.509 right now.
	FreeSWAN only does raw RSA keys in DNS. Some translation is needed.
	Hopefully racoon will support raw RSA keys soon.
	
	Get fswcert-0.6-bsd.tar.gz. This is identical to the fswcert for
	Linux, but the termio.h has been replaced by termios.h.

	edit newreq.pem, split it up to /etc/openssl/certs and /etc/openssl/private

	do:

	echo -n myhost.dom.ain. 3600 IN KEY 16896 4 1 >mykey.dns
	perl -e 'print pack("H*", "'`fswcert --raw --cert mykey.pem`'");' | mmencode >>mykey.dns


5.	Get your public key into DNS. 
	If you are running Dynamic DNS, you can put this into your forward
	zone easily with something like the following, if you substiute your 
	your private file, server and zone info.

	#!/bin/sh

	host=$1

	keyrec=`cat mykey.dns`

*	nsupdate -d -v -k K$host.+157+26817.private <<EOF
*	server 192.139.46.30
*	zone dasblinkenled.org
	update delete $host KEY
	update add $keyrec
	send
	EOF

Or you can just cut&paste the file into a zone that you control. 
If you have no such zone, come to the helpdesk/contact mcr, and we will enrol you into "dasblinkenled.org" (likely using TSIG and nsupdate if we can).

=== INSERT instructions on using dhclient.

6.    Email or see us. You will need to get an IP address from us for the
      inside of your tunnel. Let this address be: F.H.I.J.

7.    Set up racoon. The "nsavax.pem" file is 
      at http://www.sandelman.ottawa.on.ca/SSW/ietf/secwlan 
      (or wherever you found this file). It was created by a hacked openssl
      that can sign FreeSWAN public keys.

path certificate "/etc/openssl/certs";
log notify ;

remote 166.63.177.44
{
	exchange_mode main;
	my_identifier fqdn "marajade.sandelman.ottawa.on.ca";
	certificate_type x509 "/etc/openssl/certs/mykey.pem" "/etc/openssl/private/mykey.pem";
	peers_certfile "/etc/openssl/certs/nsavax.pem";
	verify_cert off;
	send_cert off;
	send_cr off;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm md5;
		authentication_method rsasig;
		dh_group modp1536;
	}
}

	NOTE: we require MainMode, 3des and modp1536!!!
	We do not send certificates. verify_cert is off because the certificate has
	been provided.


8.	Use the following script, or a variation of this to setup the SPD,
	and hack the routing table.  If someone has a cleaner solution, please post.

#!/bin/sh

# Script for setting up KAME based system for IPsec over wireless.
#
# Created by mcr@sandelman.ottawa.on.ca
#
# $Id: KAME-WAVEsec.txt,v 1.1 2002/05/22 22:24:58 mcr Exp $
#

PATH=/usr/sbin:/sbin:$PATH export PATH
set -x

myip=$1
mydefault=166.63.184.1		# sorry, hard coded, could be guessed from netstat -rn
inner=F.H.I.J			# your IP here
innergate=166.63.179.1		# this is actually bogus, but solves certain problems.
ciphergate=166.63.177.44

. /etc/racoon/ipsec-noprivate.sh

ifconfig wi0 inet $inner netmask 255.255.255.0 alias

# following avoids actually deleting your default route
route add -net 0.0.0.0 -netmask 128.0.0.0 -ifa $inner $innergate
route add -net 128.0.0.0 -netmask 128.0.0.0 -ifa $inner $innergate

# next make sure that the path to the gateway is clear:
route add -host $ciphergate -ifa $myip $mydefault

(
	echo "spdadd $inner/32 0.0.0.0/0 any -P out ipsec esp/tunnel/${myip}-${ciphergate}/require;"
	echo "spdadd 0.0.0.0/0 $inner/32 any -P in ipsec  esp/tunnel/${ciphergate}-${myip}/require;"
) | tee /var/run/ipsec-ietf53.boot | setkey -c


9. install 

   ping to someone one the Internet. Try: noc-d.ietf53.cw.net.

DEBUGGING.

TO BE DETAILED FROM ADDITIONAL USER EXPERIENCE


$Id: KAME-WAVEsec.txt,v 1.1 2002/05/22 22:24:58 mcr Exp $