-----Original Message-----
From: users-admin_at_lists.freeswan.org [mailto:users-admin_at_lists.freeswan.org]On
Behalf Of Pierre
Sent: Wednesday, 5 June 2002 10:36
To: users_at_lists.freeswan.org
Subject: Re: [Users] Need help: FreeSWAN configuration
> Thanks Andreas and Doug for your help, I really appreciate it.
> The only problem with creating a new certificate for each roadwarrior (beyond the
> fact that I have to create them) is an administration problem:
> 1) I will have to declare each connection in my ipsec.conf file, no more
> left=%any :(
That is not necessary. left=%any still accepts any peer with a certificate
issued by a trusted CA.
> 2) I will have to distribute each certificate to the roadwarriors
> (via floppy disk for example)
If you had a single certificate and a single private key for all
roadwarriors, you would have to distribute it by floppy, too!
So with personalized certificates you get more security but, apart
from generating the cert, no more handling overhead.
> 3) I will have to modify the configuration of my VPN Gateway/Firewall each time
> a completely new host has to access my private network.
> Ok for 10 machines, but for 100 or even more....
> It is heavy administration work, but it seems that security has a price!
As mentioned under 1), a single roadwarrior connection definition is
sufficient to handle hundreds of clients!
conn rw
    left=%any
    leftrsasigkey=%cert
    auto=add
If some or all of your roadwarriors are behind NAT boxes with IPsec
passthrough or possess a virtual IP, you can define
conn rw-with-virtual-ip
    left=%any
    leftrsasigkey=%cert
    leftsubnetwithin=10.1.0.0/16
    auto=add
Each client could then have a virtual IP in the range
10.1.0.1 .. 10.1.255.254.
Regards
Andreas
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
===============================================================[ZHW]==
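As an added illustration (not part of Andreas's mail or of FreeS/WAN itself), the following Python models the point made above: a single `left=%any` / `leftrsasigkey=%cert` conn admits every peer whose certificate comes from a trusted CA, and `leftsubnetwithin` bounds the virtual IP a peer may claim. It parses the two conn sections quoted in the mail; the trusted issuer DN is a constructed placeholder, and the matching rule is a deliberate simplification of FreeS/WAN's real connection selection.

```python
import ipaddress

# Constructed sample: the two conn sections from the mail, in ipsec.conf syntax.
IPSEC_CONF = """\
conn rw
    left=%any
    leftrsasigkey=%cert
    auto=add
conn rw-with-virtual-ip
    left=%any
    leftrsasigkey=%cert
    leftsubnetwithin=10.1.0.0/16
    auto=add
"""

# Constructed placeholder: the issuer DN of the CA that signs roadwarrior certs.
TRUSTED_CAS = {"C=CH, O=Example, CN=Roadwarrior CA"}


def parse_conns(text):
    """Parse 'conn NAME' sections with indented key=value lines into a dict."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def select_conn(conns, issuer_dn, proposed_subnet=None):
    """Return the conn that admits this peer, or None (simplified model).

    %any + %cert admits any peer whose certificate was issued by a trusted CA;
    a peer claiming a virtual IP is admitted only by a conn whose
    leftsubnetwithin contains the claimed address.
    """
    if issuer_dn not in TRUSTED_CAS:
        return None  # certificate not from a trusted CA: no conn matches
    for name, c in conns.items():
        if c.get("left") != "%any" or c.get("leftrsasigkey") != "%cert":
            continue
        within = c.get("leftsubnetwithin")
        if proposed_subnet is None and within is None:
            return name  # plain roadwarrior, no virtual IP claimed
        if proposed_subnet is not None and within is not None:
            if ipaddress.ip_network(proposed_subnet).subnet_of(ipaddress.ip_network(within)):
                return name  # claimed virtual IP lies inside leftsubnetwithin
    return None
```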
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:13 CEST