From owner-freebsd-security@FreeBSD.ORG Thu May 8 13:40:14 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C039137B401 for ; Thu, 8 May 2003 13:40:14 -0700 (PDT)
Received: from pimout1-ext.prodigy.net (pimout1-ext.prodigy.net [207.115.63.77]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1730F43F85 for ; Thu, 8 May 2003 13:40:14 -0700 (PDT) (envelope-from metrol@metrol.net)
Received: from metlap (adsl-67-121-60-9.dsl.anhm01.pacbell.net [67.121.60.9]) h48KeCPg055572 for ; Thu, 8 May 2003 16:40:13 -0400
From: Michael Collette
To: FreeBSD Security
Date: Thu, 8 May 2003 13:39:43 -0700
User-Agent: KMail/1.5.1
References: <200305071921.33596.metrol@metrol.net> <20030508122637.GA97715@madman.celabo.org>
In-Reply-To: <20030508122637.GA97715@madman.celabo.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200305081339.43667.metrol@metrol.net>
Subject: Re: VPN through BSD for Win2k, totally baffled
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 08 May 2003 20:40:15 -0000

On Thursday 08 May 2003 05:26 am, Jacques A. Vidrine wrote:
> It's hard to tell from your message where you are getting lost, but I'll
> give it a shot. Assuming you have all your certificates (let's call
> them client.crt/client.key, server.crt/server.key, and ca-local.crt):

Took me a while to figure out how to even ask the question! After heading down a bunch of dead ends and all.

A couple of follow-up questions to this.

If I go the route of handing out certificates to end users, is there a mechanism for revoking their rights to enter? Employees do get other jobs, and almost all of them are using laptops which they travel with. We've had folks get laptops stolen.

Is the cert an all-or-nothing kinda deal? For instance, I need a different level of access than a salesperson. We have a programmer who needs access to different resources than myself or sales. All of these outside folks are on dynamic IPs.

With these additional needs in play, am I still wise to head down the road of IPSec certificates?

Later on,
-- 
"Outside of a dog, a book is man's best friend. Inside of a dog, it's too dark to read."
- Groucho Marx