IPsec, VPN and FreeBSD
VANHULLEBUS Yvan
vanhu_bsd at zeninc.net
Wed Jan 25 06:21:44 PST 2006
On Tue, Jan 24, 2006 at 06:19:15PM -0800, gahn wrote:
[....]
> As to the roaming users, it is very unlikely there will be
> a dial-up line, but those users could be on the road and
> using ISPs to connect to the internal lab. Both sites are
> labs.
>
> I will try the roaming clients<--->FreeBSD VPN server
> first.

IPsec with dynamic remote IPs is not that difficult, especially with
racoon's generate_policy option, but you'll need to know what you are
doing: Aggressive mode + PSK is known to be less secure than other
modes, Main mode + PSK can't be done with remote dynamic IPs, and Main
mode + X509 certificates requires some knowledge of X509
certificates...

But it CAN be done. It is probably NOT the easiest way of doing
things, but it is probably the most secure, the most interoperable and
the "easiest" to administer when it's in production...

Yvan.
--
NETASQ - Secure Internet Connectivity
http://www.netasq.com
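
The Main mode + X509 setup with generate_policy that the reply above recommends for roaming clients, as an added racoon.conf example that is not part of the original post. The paths, file names, algorithms and lifetimes are assumptions chosen for illustration.

```conf
# Added example: racoon.conf for a FreeBSD gateway serving roaming clients.
# All paths and file names below are placeholders (assumptions).

# Directory holding the gateway certificate, its private key and the CA
# certificate used to verify peers.
path certificate "/usr/local/etc/racoon/certs";

# "anonymous" matches peers whose IP address is not known in advance,
# which is the roaming-client case discussed in the thread.
remote anonymous {
    # Main mode protects the identities; with certificates it works for
    # dynamic peers, whereas Main mode + PSK needs a known peer address.
    exchange_mode main;

    # Gateway certificate and key, relative to "path certificate".
    certificate_type x509 "gateway.crt" "gateway.key";
    my_identifier asn1dn;       # identify by the certificate subject DN
    peers_identifier asn1dn;
    verify_cert on;             # reject peers whose certificate does not verify

    # Build the SPD entries from the client's phase 2 proposal, so no
    # static policy per client address is required.
    generate_policy on;
    passive on;                 # gateway only answers, never initiates

    proposal {
        encryption_algorithm aes;
        hash_algorithm sha256;
        authentication_method rsasig;   # certificate (RSA signature) auth
        dh_group modp2048;
    }
}

# Phase 2 parameters for any peer accepted above.
sainfo anonymous {
    pfs_group modp2048;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}
```

Because generate_policy installs whatever policy an authenticated client proposes, certificate verification is the only gate in this layout: issue client certificates from a CA dedicated to the VPN and keep verify_cert on.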
More information about the freebsd-security
mailing list