Notes about the use of IPSec at CAL

We're using GSSAPI with krb5 for the IPSec authentication step, i.e. racoon authenticates the IKE exchange with Kerberos rather than with pre-shared keys or certificates.

You can read more about IPSec here.

GSSAPI finickiness

compilation issues

We needed to enable GSSAPI authentication in both the Ubuntu and Debian racoon packages. This also entailed fixing a few bugs in the way racoon uses GSSAPI when it is linked against MIT's krb5 implementation. A fix in krb5 itself actually resolves this for Debian etch, but it might not make it into dapper in time.

configuration issues

We're configuring racoon.conf statically (not using racoon-tool), and it appears to be important that every system explicitly specifies its GSSAPI ID as 'host/fubar.astro.columbia.edu' (where fubar is the name of the machine, i.e. the host principal in that machine's keytab). On Ubuntu's racoon that parameter is gss_id; on Debian's racoon it's gssapi_id. I think the name of this variable changed between ipsec-tools versions.

It's also important that the machines use latin1 as the on-the-wire encoding for that ID (this is the gss_id_enc parameter for racoon in breezy). sarge's racoon isn't able to use utf-16le, which is the new default, which is why the breezy machines need to be set back to latin1; if the two ends encode the ID differently, phase 1 fails even though the Kerberos side is fine.
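As an added example (not the lab's actual racoon.conf, and not from the ipsec-tools project), here is what a static racoon.conf for a breezy workstation looks like with the two settings above in place. The hostname, algorithms and sainfo values are assumptions chosen for illustration; the only settings the notes actually prescribe are gss_id, gss_id_enc and GSSAPI authentication, and on a sarge peer the identifier keyword is gssapi_id instead:

```conf
# Added example racoon.conf for a breezy (ipsec-tools 0.6-era) workstation.
# Everything except gss_id, gss_id_enc and authentication_method is an
# assumption for illustration.

remote anonymous {
    exchange_mode main;

    # GSSAPI identity: this machine's host principal, exactly as it appears
    # in /etc/krb5.keytab. On sarge's racoon the keyword is gssapi_id.
    gss_id "host/fubar.astro.columbia.edu";

    # Put the ID on the wire as latin1; sarge peers cannot handle the
    # utf-16le default, so every breezy machine has to be set back to latin1.
    gss_id_enc latin1;

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method gssapi_krb;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

On the sarge side the remote block is the same apart from the keyword (gssapi_id "host/..."), and since sarge's racoon only speaks latin1 it needs no encoding parameter.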

kstart

For whatever reason, racoon doesn't seem to want to just use the system keytab directly: it wants a credential cache as well. I've gotten around this by forcing racoon to run inside of kstart (k5start), which obtains a ticket from the keytab and gives racoon the appropriate ccache. However, that does weird things to the pidfile, so I hacked racoon to accept another option (-I) to force it to write out a pid file even if it runs in the background.

workstation issues

There are some weird dependency issues going on with the workstations: once either /etc/init.d/racoon stop or /etc/init.d/setkey stop has been called at shutdown, you can't unmount the NFS-mounted filesystems any more, so the shutdown ordering has to unmount NFS before either of those runs.

Similarly, at boot, you need to make sure that the IPSec SAs to jupiter are already established before the NFS filesystems get mounted.

One simple (but not terribly good) solution to this would be an initscript that connects to jupiter directly, and keeps doing so until the SAs come up successfully, before the NFS mounts are attempted.
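What that initscript could look like, as an added example (not the lab's script, and not part of these notes): it pokes jupiter so that a "require" SPD policy makes racoon negotiate, parses `setkey -D` until an outbound ESP SA to jupiter is mature, and only then mounts NFS. Assumptions, all mine: jupiter's address is a TEST-NET placeholder, the SPD requires IPsec for traffic to it, `ping -W` is Linux iputils, and the `setkey -D` layout matches the constructed sample output embedded below (one "src dst" line per SA followed by an indented "esp mode=..." line and a line ending in "state=...").

```shell
#!/bin/sh
# Added example, not code from the CAL notes: helpers for a workstation init
# script that forces the IPSec SAs to the NFS server up before NFS is mounted.
# Assumptions: jupiter's address is a placeholder, the SPD has a "require"
# policy for it (so any packet to it makes racoon start IKE), and `setkey -D`
# prints SAs in the layout of the constructed samples below.

NFS_SERVER=192.0.2.10   # placeholder for jupiter's address (not a real host)

# sa_mature PEER: read `setkey -D` output on stdin and exit 0 if an outbound
# ESP SA whose destination is PEER has reached state=mature. A larval SA
# (negotiation still in progress) does not count, nor does the inbound SA.
sa_mature() {
    awk -v peer="$1" '
        /^[^ \t]/               { src = $1; dst = $2; proto = ""; next }  # new SA entry
        /^[ \t]+(esp|ah) mode=/ { proto = $1 }
        /state=mature/          { if (proto == "esp" && dst == peer) found = 1 }
        END                     { exit found ? 0 : 1 }
    '
}

# wait_for_sa PEER [TRIES]: poke PEER once a second so that racoon negotiates,
# return 0 as soon as the outbound SA is mature, 1 after TRIES attempts.
wait_for_sa() {
    peer=$1
    tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        # Any packet matching the "require" policy triggers IKE; we don't care
        # whether this first ping is answered.
        ping -c 1 -W 1 "$peer" >/dev/null 2>&1
        if setkey -D | sa_mature "$peer"; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Constructed sample `setkey -D` output (not captured from a real machine):
# the inbound SA from jupiter is still larval, the outbound one is mature.
SAMPLE_SA_UP='192.0.2.10 192.0.2.20
        esp mode=transport spi=12345(0x00003039) reqid=0(0x00000000)
        E: 3des-cbc  00000000 00000000 00000000 00000000 00000000 00000000
        A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
        seq=0x00000000 replay=4 flags=0x00000000 state=larval
192.0.2.20 192.0.2.10
        esp mode=transport spi=54321(0x0000d431) reqid=0(0x00000000)
        E: 3des-cbc  00000000 00000000 00000000 00000000 00000000 00000000
        A: hmac-sha1  00000000 00000000 00000000 00000000 00000000
        seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# Same, but phase 2 has not finished yet: every SA is still larval.
SAMPLE_SA_PENDING=$(printf '%s\n' "$SAMPLE_SA_UP" | sed 's/state=mature/state=larval/')

# Init-script entry point. Only runs when invoked as "start", so sourcing the
# file for the offline checks has no side effects.
if [ "${1:-}" = start ]; then
    if wait_for_sa "$NFS_SERVER" 60; then
        mount -a -t nfs
    else
        echo "no IPSec SA to $NFS_SERVER after 60s, not mounting NFS" >&2
        exit 1
    fi
fi
```

Run it as `sh ipsec-nfs start` from the boot sequence after racoon (and its kstart wrapper) have started and before the NFS mounts; checking for state=mature rather than merely for the presence of an entry matters, because racoon installs larval SAs as soon as phase 2 begins and a mount attempted at that point still blocks.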