Hi all. Coming a bit late in the discussion, but I guess I can provide some infos....
On Wed, Dec 28, 2005 at 03:31:06PM +0000, Brian Candler wrote: [....] > I would like to rewrite this document (or see it rewritten) to include: > > - Gateways with IPSEC tunnel mode and static keys Well, this can be interesting, but is considered as obsolete / not so secure by most people/vendors/implementors ! > - Gateways with IPSEC tunnel mode and racoon I can easily write this part if you want. And if someone else does that part (and some other ones involving racoon), please notice that port security/racoon is now obsolete and have been replaced by port security/ipsec-tools ! And I would add "roadwarriors with IPSec tunnel mode and racoon". > - Gateways with IPSEC tunnel mode, racoon and XAUTH/RADIUS (= Cisco road > warrier) > - IPSEC Transport mode with racoon > - L2TP + IPSEC transport mode (= Windows road warrier) Did someone tried such a setup ? is there a L2TPD daemon running on FreeBSD which could be used for that ? Note also that, for now, this won't work easily, as it will require dynamic SP entries (roadwarriors....), but I think racoon currently can't deal with dynamic policies when ports specified (I'll check that). > plus descriptions of how to get each of those to interoperate with some > other common IPSEC implementations. I can provide lots of informations about that ! And the first thing to do would be to explain the net.key.preferred_oldsa's role, and to tell everybody to set it to 0 (it is set to 1 by default). [...] > Also excellent would be "bump in the wire" bridging, where the gateway > negotiates transport-mode security on behalf of clients without their being > aware of it, but as far as I know only OpenBSD supports that. What is the benefit of transport mode for that, instead of just using an IPSec tunnel between the gates ??? Yvan. -- NETASQ - Secure Internet Connectivity http://www.netasq.com _______________________________________________ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"
