IPSEC documentation

[VANHULLEBUS Yvan]

Hi all. Coming a bit late in the discussion, but I guess I can provide
some infos....


On Wed, Dec 28, 2005 at 03:31:06PM +0000, Brian Candler wrote:
[....]
> I would like to rewrite this document (or see it rewritten) to include:
> 
> - Gateways with IPSEC tunnel mode and static keys

Well, this can be interesting, but is considered as obsolete / not so
secure by most people/vendors/implementors !

> - Gateways with IPSEC tunnel mode and racoon

I can easily write this part if you want. And if someone else does
that part (and some other ones involving racoon), please notice that
port security/racoon is now obsolete and have been replaced by port
security/ipsec-tools !

And I would add "roadwarriors with IPSec tunnel mode and racoon".


> - Gateways with IPSEC tunnel mode, racoon and XAUTH/RADIUS (= Cisco road warrier)
> - IPSEC Transport mode with racoon


> - L2TP + IPSEC transport mode (= Windows road warrier)

Did someone tried such a setup ?
is there a L2TPD daemon running on FreeBSD which could be used for
that ?

Note also that, for now, this won't work easily, as it will require
dynamic SP entries (roadwarriors....), but I think racoon currently
can't deal with dynamic policies when ports specified (I'll check
that).


> plus descriptions of how to get each of those to interoperate with some
> other common IPSEC implementations.

I can provide lots of informations about that !

And the first thing to do would be to explain the
net.key.preferred_oldsa's role, and to tell everybody to set it to 0
(it is set to 1 by default).


[...]
> Also excellent would be "bump in the wire" bridging, where the gateway
> negotiates transport-mode security on behalf of clients without their being
> aware of it, but as far as I know only OpenBSD supports that.

What is the benefit of transport mode for that, instead of just using
an IPSec tunnel between the gates ???


Yvan.

-- 
NETASQ - Secure Internet Connectivity
http://www.netasq.com