2010/5/22, dontek <don...@gmail.com>:
> Yes, thanks, I've read the man pages. I've even made the proposed connection
> work both ways (less the DHCP working). What I was hoping for was a few who
> have more experience than I do to share their experiences and tell me some of
> the potential benefits and/or drawbacks of doing it one way or the other;
> preferably specific to multiple roaming clients, with the intention of using
> DHCP over IPSec, and with any OpenBSD-4.7-specific nuances.
>

The only OpenBSD-4.7-specific nuance that I know of is the fixed bug in HMAC-SHA-256, which makes it incompatible with older releases. From what I tried, a single point-to-point tunnel works even with Racoon on Gentoo Linux. The painful three-hundred-clicks setup under Windows I didn't find time to test against 4.7 or -current.

It really depends on what you need - most road warriors are okay with transport mode (where obviously DHCP doesn't make any sense). If you're planning to connect the whole network to a single IPsec gateway (I have an IPv6-over-IPv4 tunnel like this), you might want to pay attention to *what traffic you actually want* to encrypt and add something like "flow esp from <local-net> to <local-net> type bypass", so only packets going the right way are secured. But all this comes from common sense and observing what's happening.

OpenBSD does this in a clever way - you have the enc(4) interface where you can observe what's inside your tunnel, and it doesn't mix up with what you want to see on your *real* interface (typically only ESP/isakmp traffic).
-- Martin Pelikan
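Below is an added ipsec.conf(5) fragment illustrating the bypass flow Martin mentions next to the tunnel rule it protects, plus the commands you would use to check it on OpenBSD. It is not Martin's configuration or anything from the thread; the macro values (192.168.1.0/24 for the local network, 203.0.113.1 for the peer gateway, em0 as the real interface) are constructed placeholders, and only the syntax of flow/ike rules, ipsecctl(8) and tcpdump(8) is relied upon.

```conf
# /etc/ipsec.conf fragment (added example, constructed addresses)

local_net = "192.168.1.0/24"   # the network behind this gateway (assumed)
remote_gw = "203.0.113.1"      # the IPsec gateway everything else goes to (assumed)

# Traffic that stays on the local network must NOT be pushed into the
# tunnel.  A bypass flow is more specific than the 0.0.0.0/0 tunnel flow
# below, so the kernel's longest-match lookup picks it first and the
# packets leave in the clear on the real interface.
flow esp from $local_net to $local_net type bypass

# Everything else originating from the local network is negotiated with
# isakmpd(8) and carried in ESP to the remote gateway.
ike esp from $local_net to 0.0.0.0/0 peer $remote_gw

# Checks (run as root on the OpenBSD box):
#   ipsecctl -n -f /etc/ipsec.conf     # parse only, report syntax errors
#   ipsecctl -f /etc/ipsec.conf        # load the rules
#   ipsecctl -sa                       # show installed flows and SAs
#   tcpdump -ni enc0                   # cleartext of what travels INSIDE the tunnel
#   tcpdump -ni em0 esp or udp port 500 # what the wire actually sees: ESP + isakmp
```

If a local-to-local packet shows up in the enc0 capture, the bypass flow is wrong or missing; if cleartext application traffic shows up in the em0 capture toward a remote host, the tunnel flow is not matching. Comparing the two captures is the "observing what's happening" step, and enc(4) is what keeps them separate.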