Re: IPSEC documentation
- From: VANHULLEBUS Yvan <vanhu_bsd@xxxxxxxxxx>
- Date: Wed, 28 Dec 2005 17:43:39 +0100
Hi all. Coming a bit late to the discussion, but I guess I can provide
some info...
On Wed, Dec 28, 2005 at 03:31:06PM +0000, Brian Candler wrote:
[....]
> I would like to rewrite this document (or see it rewritten) to include:
>
> - Gateways with IPSEC tunnel mode and static keys
Well, this can be interesting, but it is considered obsolete / not so
secure by most people/vendors/implementors!
> - Gateways with IPSEC tunnel mode and racoon
I can easily write this part if you want. And if someone else does
that part (and some other ones involving racoon), please note that
port security/racoon is now obsolete and has been replaced by port
security/ipsec-tools!
And I would add "roadwarriors with IPSec tunnel mode and racoon".
> - Gateways with IPSEC tunnel mode, racoon and XAUTH/RADIUS (= Cisco road warrier)
> - IPSEC Transport mode with racoon
> - L2TP + IPSEC transport mode (= Windows road warrier)
Did someone try such a setup?
Is there an L2TPD daemon running on FreeBSD which could be used for
that?
Note also that, for now, this won't work easily, as it will require
dynamic SP entries (roadwarriors...), but I think racoon currently
can't deal with dynamic policies when ports are specified (I'll check
that).
> plus descriptions of how to get each of those to interoperate with some
> other common IPSEC implementations.
I can provide lots of information about that!
And the first thing to do would be to explain the
net.key.preferred_oldsa's role, and to tell everybody to set it to 0
(it is set to 1 by default).
[...]
> Also excellent would be "bump in the wire" bridging, where the gateway
> negotiates transport-mode security on behalf of clients without their being
> aware of it, but as far as I know only OpenBSD supports that.
What is the benefit of transport mode for that, instead of just using
an IPSec tunnel between the gates?
Yvan.
--
NETASQ - Secure Internet Connectivity
http://www.netasq.com
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"