Giorgio Alfarano wrote:
> Hi, consider this simple network physical layout
>
>
>
> main GW
> !
> ______________!__________________
> ! !
> ! !
> PcA PcB PcC .................... PcZ
>
>
> I have a local network (PcA, PcB, PcC, ...) and want to securely connect
> every PcX via ipsec. I mainly want every PcX to connect with mainGW
> (which has all public keys from the PcXs), while every PcX has mainGW's
> public key. This works.
> I would like PcA to be able to talk via ipsec with PcZ, for example, but I
> don't want PcA to know PcZ's public key and vice versa. So I'm wondering
> if I can configure mainGW (which has all public keys of the PcXs) in
> some way to let PcA and PcZ talk via ipsec.
this could readily be achieved using x.509 certificates. in principle,
you would set up a so-called certification authority (CA, don't worry
about the terms if you don't know them yet), create and put onto each
computer in your environment 1) a root certificate and 2) a dedicated
keypair and signed certificate that you create in your CA environment,
and set up your ipsec.conf files in the appropriate manner.
a good starting point for reading is
http://www.strongsec.com/freeswan/index.htm
where you would also find the x509patch to add the required
functionality to the linux kernel and the frees/wan stack. if you are
running a commercial linux distribution, x.509 support might already be
bundled up with frees/wan. such is the case with SuSE linux (at least
with versions 7.x). i would say that you should spare some days to get
through the details, though.
hth
sven (golle at informatik dot uni-bremen dot de)
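The trust model Sven describes (one root certificate on every host, a CA-signed certificate per host, no per-peer public keys) as an added shell example using openssl; this is not code from the thread or from FreeS/WAN, and the host names, DNs and file names are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: a minimal CA issues
# certificates to PcA and PcZ, then each host can validate the other's
# certificate holding nothing but the root certificate (ca.crt).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1) Root CA: the self-signed certificate every host will hold.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/C=XX/O=Example Lab/CN=Example Lab CA" \
  -keyout ca.key -out ca.crt 2>/dev/null

# 2) Per-host keypair and CSR, signed on the CA machine (assumed names).
issue_cert() {
  host=$1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/C=XX/O=Example Lab/CN=$host" \
    -keyout "$host.key" -out "$host.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$host.csr" \
    -CA ca.crt -CAkey ca.key -CAcreateserial -out "$host.crt" 2>/dev/null
}
issue_cert PcA
issue_cert PcZ

# 3) What PcZ does when PcA presents its certificate during IKE: verify the
# CA signature against the root certificate only. Echoes valid/invalid.
verify_peer() {
  if openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

# A certificate for "PcA" signed by some other CA must be rejected,
# since the gateway's root is the only trust anchor each host carries.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/C=XX/O=Rogue/CN=Rogue CA" -keyout rogue.key -out rogue.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/C=XX/O=Rogue/CN=PcA" \
  -keyout fake.key -out fake.csr 2>/dev/null
openssl x509 -req -days 365 -in fake.csr -CA rogue.crt -CAkey rogue.key \
  -CAcreateserial -out fake-PcA.crt 2>/dev/null

verify_peer PcA.crt       # valid
verify_peer fake-PcA.crt  # invalid
```

Each host ends up with ca.crt, its own key and its own certificate, and nothing belonging to any peer; the ipsec.conf settings that make FreeS/WAN use these files are covered at the strongsec link in the reply above.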
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:42 CEST