On Thu, Nov 02, 2006 at 03:51:04PM -0800, Bryan Irvine wrote:
> On 11/2/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> >On Wed, Nov 01, 2006 at 05:49:18PM -0800, Bryan Irvine wrote:
> >> I'm going to be upgrading a couple of our firewalls soon and as part of
> >> the upgrade I will be implementing VPN between a couple of our sites.
> >>
> >> Does this page still apply: http://www.securityfocus.com/infocus/1859
> >
> >Yes, although some additions have been made since (notably, AH works
> >too).
> >
> >> Any pitfalls or changes I should watch out for?
> >
> >Filtering IPsec traffic might take some experimentation to get right.
> >
> >> These firewalls are running CARP.
> >
> >Don't forget sasyncd; it has gotten *much* better in 4.0.
>
> Now that's a nice touch :-)
>
>
> Also[1], there may be the need for an occasional connection from users
> just using the windows vpn client. Anybody doing this? I rarely even
> see windows so I'm not sure what to look for there.
>
> Do I need to import a key of some sort, or set authentication somehow?
There is some stuff in the archives about Windows clients; the consensus
seems to be that the built-in Windows stuff sucks, and that better
third-party clients can be had for free (as in beer). I remember hearing
Greenbow somewhere.

In such a case, there's no more need to use keys than with another
OpenBSD box (as in, you probably should use them, but it's not
required).

		Joachim

[1] Footnote not found. Not mine, anyway.