Date: Wed, 28 Dec 2005 17:43:39 +0100 From: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net> To: Brian Candler <B.Candler@pobox.com> Cc: freebsd-net@freebsd.org Subject: Re: IPSEC documentation Message-ID: <20051228164339.GB3875@zen.inc> In-Reply-To: <20051228153106.GA7041@uk.tiscali.com> References: <20051228143817.GA6898@uk.tiscali.com> <001401c60bc0$a3c87e90$1200a8c0@gsicomp.on.ca> <20051228153106.GA7041@uk.tiscali.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi all. Coming a bit late in the discussion, but I guess I can provide some infos.... On Wed, Dec 28, 2005 at 03:31:06PM +0000, Brian Candler wrote: [....] > I would like to rewrite this document (or see it rewritten) to include: > > - Gateways with IPSEC tunnel mode and static keys Well, this can be interesting, but is considered as obsolete / not so secure by most people/vendors/implementors ! > - Gateways with IPSEC tunnel mode and racoon I can easily write this part if you want. And if someone else does that part (and some other ones involving racoon), please notice that port security/racoon is now obsolete and have been replaced by port security/ipsec-tools ! And I would add "roadwarriors with IPSec tunnel mode and racoon". > - Gateways with IPSEC tunnel mode, racoon and XAUTH/RADIUS (= Cisco road warrier) > - IPSEC Transport mode with racoon > - L2TP + IPSEC transport mode (= Windows road warrier) Did someone tried such a setup ? is there a L2TPD daemon running on FreeBSD which could be used for that ? Note also that, for now, this won't work easily, as it will require dynamic SP entries (roadwarriors....), but I think racoon currently can't deal with dynamic policies when ports specified (I'll check that). > plus descriptions of how to get each of those to interoperate with some > other common IPSEC implementations. I can provide lots of informations about that ! And the first thing to do would be to explain the net.key.preferred_oldsa's role, and to tell everybody to set it to 0 (it is set to 1 by default). [...] > Also excellent would be "bump in the wire" bridging, where the gateway > negotiates transport-mode security on behalf of clients without their being > aware of it, but as far as I know only OpenBSD supports that. What is the benefit of transport mode for that, instead of just using an IPSec tunnel between the gates ??? Yvan. -- NETASQ - Secure Internet Connectivity http://www.netasq.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051228164339.GB3875>