From: VANHULLEBUS Yvan
To: Brian Candler
Cc: freebsd-net@freebsd.org
Date: Wed, 28 Dec 2005 17:43:39 +0100
Subject: Re: IPSEC documentation
Message-ID: <20051228164339.GB3875@zen.inc>
In-Reply-To: <20051228153106.GA7041@uk.tiscali.com>
References: <20051228143817.GA6898@uk.tiscali.com> <001401c60bc0$a3c87e90$1200a8c0@gsicomp.on.ca> <20051228153106.GA7041@uk.tiscali.com>
List-Id: Networking and TCP/IP with FreeBSD

Hi all.

Coming a bit late in the discussion, but I guess I can provide some info....

On Wed, Dec 28, 2005 at 03:31:06PM +0000, Brian Candler wrote:
[....]
> I would like to rewrite this document (or see it rewritten) to include:
>
> - Gateways with IPSEC tunnel mode and static keys

Well, this can be interesting, but is considered as obsolete / not so secure by most people/vendors/implementors!

> - Gateways with IPSEC tunnel mode and racoon

I can easily write this part if you want.

And if someone else does that part (and some other ones involving racoon), please notice that port security/racoon is now obsolete and has been replaced by port security/ipsec-tools!

And I would add "roadwarriors with IPSec tunnel mode and racoon".

> - Gateways with IPSEC tunnel mode, racoon and XAUTH/RADIUS (= Cisco road warrior)
> - IPSEC Transport mode with racoon
> - L2TP + IPSEC transport mode (= Windows road warrior)

Did someone try such a setup? Is there an L2TPD daemon running on FreeBSD which could be used for that?

Note also that, for now, this won't work easily, as it will require dynamic SP entries (roadwarriors....), but I think racoon currently can't deal with dynamic policies when ports are specified (I'll check that).

> plus descriptions of how to get each of those to interoperate with some
> other common IPSEC implementations.

I can provide lots of information about that!

And the first thing to do would be to explain the net.key.preferred_oldsa's role, and to tell everybody to set it to 0 (it is set to 1 by default).

[...]

> Also excellent would be "bump in the wire" bridging, where the gateway
> negotiates transport-mode security on behalf of clients without their being
> aware of it, but as far as I know only OpenBSD supports that.

What is the benefit of transport mode for that, instead of just using an IPSec tunnel between the gates???

Yvan.

-- 
NETASQ - Secure Internet Connectivity
http://www.netasq.com
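Added example, not part of Yvan's message and not code from the ipsec-tools or FreeBSD projects: a POSIX shell helper for the "gateways with IPSEC tunnel mode and racoon" case discussed above, which also applies the net.key.preferred_oldsa=0 setting the message recommends. The gateway addresses, subnets, pre-shared-key path and racoon.conf location are constructed assumptions; sysctl(8), setkey(8) and the racoon.conf directives used are the standard FreeBSD / ipsec-tools ones. Nothing is changed on the host unless the script is run with the `apply` argument.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Configure one side of a
# gateway-to-gateway ESP tunnel negotiated by racoon (security/ipsec-tools).
# All addresses below are constructed placeholders: replace them with yours.
LOCAL_GW="192.0.2.1";   LOCAL_NET="10.0.1.0/24"
REMOTE_GW="192.0.2.2";  REMOTE_NET="10.0.2.0/24"
RACOON_CONF="/usr/local/etc/racoon/racoon.conf"   # assumed install path
PSK_FILE="/usr/local/etc/racoon/psk.txt"          # assumed PSK file path

# net.key.preferred_oldsa=0 makes the kernel use the newest matching SA,
# so traffic moves to the rekeyed SA instead of staying on the old one.
# Takes the sysctl value as an argument so it can be checked anywhere.
preferred_oldsa_ok() {
    [ "$1" = "0" ]
}

# setkey(8) SPD entries: one policy per direction, ESP in tunnel mode
# between the two gateway addresses, and "require" so that unprotected
# packets between the subnets are dropped rather than passed in clear.
spd_policy() {
    cat <<EOF
flush;
spdflush;
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
EOF
}

# racoon.conf for this peer: main-mode IKE phase 1 with a pre-shared key,
# and a phase 2 (sainfo) section matching the SPD entries above.
racoon_conf() {
    cat <<EOF
path pre_shared_key "$PSK_FILE";

remote $REMOTE_GW {
        exchange_mode main;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address $LOCAL_NET any address $REMOTE_NET any {
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
}

# Set the sysctl now and persist it in /etc/sysctl.conf (needs root).
apply_preferred_oldsa() {
    cur=$(sysctl -n net.key.preferred_oldsa)
    if ! preferred_oldsa_ok "$cur"; then
        sysctl net.key.preferred_oldsa=0
        grep -q '^net.key.preferred_oldsa=' /etc/sysctl.conf 2>/dev/null ||
            echo 'net.key.preferred_oldsa=0' >> /etc/sysctl.conf
    fi
}

case "${1:-}" in
    show)                       # print what would be installed
        spd_policy
        racoon_conf
        ;;
    apply)                      # install on a FreeBSD gateway, as root
        apply_preferred_oldsa
        spd_policy | setkey -c
        racoon_conf > "$RACOON_CONF"
        ;;
esac
```

Run `sh gw-ipsec.sh show` to review the generated SPD and racoon.conf before `apply`; the peer gateway needs the mirror-image configuration (local and remote swapped) and the same pre-shared key in its psk.txt.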