GSSAPI and racoon

Victor Sudakov vas at mpeks.tomsk.su
Fri Mar 3 15:45:15 UTC 2017


Dear Colleagues,

Is anyone running GSSAPI+IKE (racoon)?

I have a Heimdal realm with a dozen FreeBSD hosts in it. I use GSSAPI
for ssh access, also for CVS and SVN authentication. So I thought it
would be a good idea to use Kerberos for IPSec as well, but the
documentation is scarce, in fact only the very spartan
/usr/local/share/doc/ipsec-tools/README.gssapi and
/usr/local/share/examples/ipsec-tools/racoon.conf.sample-gssapi

The questions are:

1. Where does racoon expect to find the keytab?

2. Does the ISAKMP+GSSAPI negotiation process involve racoon
requesting Kerberos tickets from the KDC (in other words, which is the
Kerberos server and which the Kerberos client)?  Where does the client
store the ticket?

3. Does it mean that any host with a valid keytab can negotiate a SA with any
other host with a valid keytab? Like, if I have host/host1.example,
host/host2.example and host/host3.example all running racoon, they
can all form SAs?

4. How do I use GSSAPI for some hosts and a preshared key for other
hosts? Can I fall back to a preshared key if GSSAPI fails?

5. Is there a good howto? :-)

Thank you very much in advance for any input.



-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
AS43859
