Date:      Wed, 13 Feb 2002 00:06:42 +0100
From:      Dan Lukes <dan@obluda.cz>
To:        freebsd-security@freebsd.org
Subject:   Re: Questions (Rants?) About IPSEC
Message-ID:  <3C69A002.5307156C@obluda.cz>
References:  <20020207163347.51C606B29@mail.cise.ufl.edu> <200202072142.g17LgDL69359@khavrinen.lcs.mit.edu>

Garrett Wollman wrote:

> You are wrong.  There are two distinct models: you can have pre-shared
> keys, in which case you have no certificates and a single secret key
> for every pair of communicating entities; or you can use public-key
> certificates.  I have some issues with the way the certificate support
> works, that's not one of them.  Pre-shared keys are not necessarily
> specific to an IP address; you can use any type of identifier
> supported in the IKE protocol.

	Note, IKE knows two modes of establishing communication, "main" and
"aggressive". Non-IP identifiers are available only in "aggressive" mode
(it's because the target needs to use the appropriate key to compute the hash
used in its first response, but the identifiers are sent later by the initiator).
 
----

Rob Frohwein wrote:

> The intention with ipsec is that you don't need all public certs
> from all your peers.
> You only need (all) CA certs.
> If you start a session, the remote party (racoon) sends its cert.
> Your local racoon looks if it has a CA cert which has signed
> your peer's cert.
> It then verifies the peer cert.

	Does racoon use a CRL? I don't want to change the CA and re-issue
all certificates in case of compromise of one key.


I have working configurations FBSD<->FBSD and FBSD<->W2K, both on static
addresses, with pre-shared keys and with x509 certs. I have not yet managed
to get the 'generate_policy' statement and dynamic IP support working, but
I'm still trying.

							Dan


-- 
Dan Lukes      tel: +420 2 21914205, fax: +420 2 21914206
root  of FIONet,  KolejNET,  webmaster  of www.freebsd.cz
AKA: dan@obluda.cz, dan@freebsd.cz, dan@kolej.mff.cuni.cz
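The main-mode versus aggressive-mode point made above, as an added illustration that is not part of the original message and is not racoon's code: it models just enough of IKEv1 phase 1 (RFC 2409) to show when the responder has to commit to a pre-shared key. With PSK authentication, SKEYID = prf(psk, Ni | Nr) and the responder's HASH_R is keyed from SKEYID, so the responder must already hold the right key when it builds its first authenticated message. In main mode the initiator's ID payload only arrives in message 5, encrypted under keys derived from SKEYID, so the responder can select the key by nothing but the packet's source address; in aggressive mode ID_i is in message 1, so any IKE identifier type (here an FQDN) can select the key. The Diffie-Hellman values, cookies, nonces, the key tables and the peer names are all constructed stand-ins.

```python
"""Constructed model of IKEv1 PSK key selection in main vs. aggressive mode.

Not code from the thread or from racoon. Only the key-selection step and
the HASH_R check of RFC 2409 are modelled; Diffie-Hellman is replaced by
fixed constructed byte strings.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed key tables. A main-mode responder can only select by the
# peer's address; an aggressive-mode responder can select by any ID type.
PSK_BY_ADDRESS = {"192.0.2.10": b"branch-office-secret"}
PSK_BY_FQDN = {"branch.example.net": b"branch-office-secret"}

# Stand-ins for g^xi, g^xr, the SA payload and the responder ID (constructed).
GXI, GXR, SA_B = b"g^xi", b"g^xr", b"SAr_b"
ID_R = b"gateway.example.net"


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC with the negotiated hash (SHA-1 in this model)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_r(skeyid: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAr_b | IDir_b)."""
    return prf(skeyid, GXR + GXI + cky_r + cky_i + SA_B + ID_R)


def select_psk(mode: str, src_ip: str, id_i: Optional[bytes]) -> Optional[bytes]:
    """Return the key the responder can pick with what it knows at that point.

    main:       ID_i is only sent in message 5 (encrypted under keys derived
                from SKEYID), so only the source address is available.
    aggressive: ID_i travels in message 1 in the clear, so the responder can
                key on it before computing HASH_R for message 2.
    """
    if mode == "main":
        return PSK_BY_ADDRESS.get(src_ip)
    if mode == "aggressive":
        return PSK_BY_FQDN.get(id_i.decode()) if id_i else None
    raise ValueError(f"unknown exchange mode: {mode}")


def phase1(mode: str, src_ip: str, fqdn: str, initiator_psk: bytes) -> str:
    """Run key selection and the HASH_R check; return a one-line outcome."""
    ni, nr = os.urandom(16), os.urandom(16)
    cky_i, cky_r = os.urandom(8), os.urandom(8)
    # In main mode the responder has no ID_i yet when it must choose a key.
    id_i = fqdn.encode() if mode == "aggressive" else None

    responder_psk = select_psk(mode, src_ip, id_i)
    if responder_psk is None:
        return "no pre-shared key for this peer"

    # Responder's first authenticated message carries HASH_R under its key.
    h_r = hash_r(skeyid_psk(responder_psk, ni, nr), cky_i, cky_r)
    # Initiator recomputes HASH_R with its own key and compares.
    expected = hash_r(skeyid_psk(initiator_psk, ni, nr), cky_i, cky_r)
    if hmac.compare_digest(h_r, expected):
        return "authenticated"
    return "HASH_R mismatch"


if __name__ == "__main__":
    key = b"branch-office-secret"
    # Static address known to the responder: main mode works.
    print("main, static IP:   ", phase1("main", "192.0.2.10", "branch.example.net", key))
    # Same peer on a new address: main mode has nothing to select the key by.
    print("main, roaming IP:  ", phase1("main", "198.51.100.7", "branch.example.net", key))
    # Aggressive mode selects the key by FQDN regardless of address.
    print("aggressive, roaming:", phase1("aggressive", "198.51.100.7", "branch.example.net", key))
```

The roaming case is exactly the dynamic-IP situation: the same peer from a new address is unauthenticatable in main mode with PSKs, because no identifier is available when the key has to be chosen, while aggressive mode keys on the FQDN. The price, which the thread does not raise but which is a known property of IKEv1, is that in aggressive mode HASH_R and HASH_I are sent unencrypted, so a passive observer can mount an offline dictionary attack against a weak pre-shared key; certificates avoid that trade-off.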





