On Wed, Mar 03, 2004 at 09:39:06AM +0100, Jarosław Tabor wrote:
> I don't know IPSec so well, so one question: if I will add a new node
> (LAN), do I need to update the configuration of all the others about it?
> This is my biggest concern...
I'm not so sure about this - anybody else? But I think it's possible - with
X.509 certificates, shouldn't you be able to

1) Set up one root CA (certificate authority), which issues certificates and
   a revocation list
2) Sign the individual LANs' certificates with that CA's key
3) Tell all IPSec routers in your LANs to trust certificates with a
   signature by the root CA
4) Now, when one LAN A connects to another B for the first time, A can send
   its own signed certificate. B allows the connection to be set up due to
   the fact that A's certificate carries a signature of the CA.

This means that each of your 100 LANs only needs a copy of the root CA's
certificate in order to connect to any other LAN. You must maintain a CRL
(certificate revocation list) to be able to remove certain LANs from your
big VPN without updating all nodes.

See the PDF which is the first link on <http://www.strongsec.com/freeswan/>,
sections 3.1 and 3.2.

HTH,
  Richard

-- 
Richard Atterer | GnuPG key: 0x888354F7 | http://atterer.net
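The one-CA-plus-CRL arrangement described above, worked through with the openssl command line as an added example (not code from the thread or from FreeS/WAN): the CA is created once, each LAN gateway gets a certificate signed by it, and removing a LAN means reissuing only the CRL, which is what a peer gateway consults before accepting a presented certificate. The LAN names (lanA, lanB), file names and the minimal ca.cnf are constructed for this example.

```shell
# build_vpn_pki DIR LAN... : create the root CA, an initial (empty) CRL and one
# CA-signed certificate per LAN gateway name given (needs the openssl CLI).
build_vpn_pki() (
    set -e; cd "$1"; shift
    mkdir -p ca/newcerts; touch ca/index.txt; echo 01 >ca/serial
    cat >ca.cnf <<'EOF'
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Root CA certificate: the only thing every gateway must carry.
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=VPN Root CA" -keyout ca/ca.key -out ca/ca.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out ca/crl.pem 2>/dev/null  # peers always need a CRL
    for lan in "$@"; do   # one key pair and one CA-signed certificate per LAN
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=$lan" \
            -keyout "$lan.key" -out "$lan.csr" 2>/dev/null
        openssl ca -config ca.cnf -batch -notext -in "$lan.csr" -out "$lan.crt" 2>/dev/null
    done
)
# revoke_lan DIR LAN : drop one LAN from the VPN by reissuing only the CRL.
revoke_lan() (
    cd "$1" && openssl ca -config ca.cnf -revoke "$2.crt" 2>/dev/null &&
        openssl ca -config ca.cnf -gencrl -out ca/crl.pem 2>/dev/null
)
# verify_lan DIR LAN : a peer's check: CA signature plus CRL. Exit 0 = accept.
verify_lan() (
    cd "$1" && cat ca/ca.crt ca/crl.pem >trust.pem &&
        openssl verify -crl_check -CAfile trust.pem "$2.crt" >/dev/null 2>&1
)
```

Only ca/ca.crt and the current ca/crl.pem need to reach the gateways; adding a hundredth LAN means issuing one more certificate, not touching the other ninety-nine.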