mlafon_at_arkoon.net wrote:
>
> Pascal C. Kocher <pascal.kocher_at_netbeat.biz> wrote:
> > Thank you very much for this superb patch! We have successfully tested
> > it against SafeNet SoftRemote 8.0. I can give you the appropriate VIDs
> > if you want to.
>
> I'm glad to hear that SafeNet works. Please send me the other VIDs SafeNet
> uses (you'll need to enable debug to see the full VID).
>
> If other people got it to work (or not) with other implementations, please
> tell me.
>
> > Until DHCP-over-IPSEC is available (the team around Andreas Steffen is
> > working on this) is it possible to implement an intermediate solution?
> > This would keep us from updating the freeswan config files for each
> > roadwarrior at home or staying in a hotel (and changing it all the
> > time), and we have about 500 of them ;)
>
> > My suggestion would be to accept the first SA for a private class IP
> > and discard the subsequent ones until the SA is deleted. This would
> > ensure that no one can redirect traffic to his machine. Would this be a
> > way to go as an intermediate solution? I'm aware that IKE Config Mode or
> > DHCP-over-IPSEC would be a better solution.
>
In a major step towards full DHCP-over-IPsec support, Mario Strasser and I
will introduce the generic notation

    conn rw
         right=%any
         rightsubnetwithin=10.0.2.0/25
         auto=add

The new parameter "rightsubnetwithin" defines a bracket within which all
peer subnetworks proposed during Quick Mode must be fully contained. Thus

    rightsubnet=10.0.2.0/28
    rightsubnet=10.0.2.50/32
    rightsubnet=10.0.2.127/32
    rightsubnet=10.0.2.16/30

will be accepted, but

    rightsubnet=10.0.2.128/32
    rightsubnet=10.0.2.0/24
    rightsubnet=10.0.0.0/8

will be rejected.
The peer subnetwork address range can be assigned either statically
by pre-configuration in the client (e.g. SSH Sentinel supports this)
or it can be dynamically requested from the home network's DHCP
server which will assign a dynamic Virtual IP from an address pool
that must be a subset of the range defined by rightsubnetwithin
(SSH Sentinel supports DHCP-over-IPsec, too).
We hope to release version 0.9.12 of the X.509 patch containing
this new feature by the end of May.
> Well, I know this is a problem. I think I'm going to allow all IPs from
> predefined (for example, all private networks) IP subnets. I think that
> I'll publish a new version next week with this functionality and a few
> improvements/bug fixes.
>
> --
> Mathieu Lafon
>
Regards
Andreas
======================================================================
Andreas Steffen                     e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                      phone:  +41 76 340 25 56
Alter Zürichweg 20                  home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
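The containment rule behind "rightsubnetwithin" in Andreas's message, written out as an added example. This is not code from the original post, from FreeS/WAN or from the X.509 patch; it is a stand-alone C check that accepts a proposed peer subnet only when it lies fully inside the configured bracket. The function names, the "a.b.c.d/n" text form used for input, and the choice to treat a proposal with host bits set (such as 10.0.2.50/28) as malformed rather than silently widening it to its network are assumptions of this example. The sample proposals are the ones listed in the message.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not FreeS/WAN code: an IPv4 subnet in host byte order.
 * 'addr' carries only network bits; host bits are always zero. */
struct subnet {
    uint32_t addr;
    int prefix;   /* 0..32 */
};

static uint32_t prefix_mask(int prefix)
{
    /* Avoid the undefined 32-bit shift for a /0 bracket. */
    return prefix == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - prefix));
}

/* Parse "a.b.c.d/n" (or a bare "a.b.c.d", taken as /32) into *out.
 * Returns false on malformed input, on a prefix outside 0..32, and when
 * host bits beyond the prefix are set: a Quick Mode proposal like
 * 10.0.2.50/28 is ambiguous, so it is rejected instead of being widened. */
static bool parse_subnet(const char *text, struct subnet *out)
{
    char buf[32];
    char *slash, *end;
    struct in_addr ina;
    long prefix = 32;
    uint32_t addr;

    if (text == NULL || strlen(text) >= sizeof buf)
        return false;
    strcpy(buf, text);

    slash = strchr(buf, '/');
    if (slash != NULL) {
        *slash = '\0';
        prefix = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || prefix < 0 || prefix > 32)
            return false;
    }
    if (inet_pton(AF_INET, buf, &ina) != 1)
        return false;

    addr = ntohl(ina.s_addr);
    if ((addr & ~prefix_mask((int)prefix)) != 0)
        return false;                      /* host bits set: not canonical */

    out->addr = addr;
    out->prefix = (int)prefix;
    return true;
}

/* The rightsubnetwithin rule: 'proposed' is acceptable only if it is
 * (1) no wider than the bracket and (2) its address, under the bracket's
 * mask, equals the bracket's network. Either test alone is insufficient:
 * 10.0.2.128/32 passes (1) but fails (2); 10.0.2.0/24 passes (2) but fails (1). */
static bool subnet_within(const struct subnet *proposed,
                          const struct subnet *bracket)
{
    if (proposed->prefix < bracket->prefix)
        return false;
    return (proposed->addr & prefix_mask(bracket->prefix)) == bracket->addr;
}

/* Textual wrapper: 1 = accept, 0 = reject, -1 = malformed input
 * (which a Quick Mode handler should reject as well). The same call checks
 * that a DHCP address pool is a subset of the bracket. */
int check_proposal(const char *proposed_text, const char *bracket_text)
{
    struct subnet proposed, bracket;

    if (!parse_subnet(bracket_text, &bracket) ||
        !parse_subnet(proposed_text, &proposed))
        return -1;
    return subnet_within(&proposed, &bracket) ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs: the bracket and the proposals from the message. */
    const char *bracket = "10.0.2.0/25";
    const char *proposals[] = {
        "10.0.2.0/28", "10.0.2.50/32", "10.0.2.127/32", "10.0.2.16/30",
        "10.0.2.128/32", "10.0.2.0/24", "10.0.0.0/8",
    };
    size_t i;

    for (i = 0; i < sizeof proposals / sizeof proposals[0]; i++) {
        int r = check_proposal(proposals[i], bracket);
        printf("rightsubnet=%-14s within %s: %s\n", proposals[i], bracket,
               r == 1 ? "accepted" : r == 0 ? "rejected" : "malformed");
    }
    return 0;
}
```

Compile with `cc -o within within.c` and run it; the four accepted and three rejected proposals from the message print in that order. The point worth keeping when wiring a check like this into a Quick Mode handler is that the prefix-length comparison and the masked-address comparison are both required, and that the proposal must be canonical before either is applied, otherwise a peer could present an address inside the bracket with a mask that reaches outside it.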
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:07 CEST