
[Users] Version 0.9.14 of X.509 patch released

From: Andreas Steffen (andreas.steffen_at_strongsec.com)
Date: Mon Jul 22 2002 - 00:42:19 CEST


Version 0.9.14 of the X.509 patch has been released for freeswan-1.98b
and can be downloaded from

   http://www.strongsec.com/freeswan

New features:

- In a connection definition an IP protocol and optionally
   the source and/or destination ports can be specified. Example:

   conn dhcp
        right=%any
        rightprotoport=udp/bootpc
        left=%defaultroute
        leftid=@pluto.strongsec.com
        leftsubnet=0.0.0.0/0 #allows DHCP discovery broadcast
        leftprotoport=udp/bootps
        rekey=no
        keylife=20s
        rekeymargin=10s
        auto=add

   ipsec auto --status shows the following connection definition:

  "dhcp": 0.0.0.0/0===160.85.106.10[@pulpo.strongsec.com]:17/67...%any:17/68

   Important: KLIPS does not enforce these protocol/port restrictions, so
   the whole IP traffic is always tunneled! Currently the protoport
   parameter can only be used as directions for an ipchains or iptables based
   firewall. By means of the new environment variables
   $PLUTO_MY_PROTOCOL, $PLUTO_PEER_PROTOCOL, $PLUTO_MY_PORT, and
   $PLUTO_PEER_PORT, dynamic firewall rules can be set up and released
   in a customized updown script (see next point below).

- The template utils/_updown.x509 can be used to dynamically insert and
   delete firewall rules using iptables. The script also includes a facility
   to log all established or disbanded VPN connections in a concise format.

- The new parameter "strictcrlpolicy" enforces a strict CRL policy.
   With the ipsec.conf setting

   config setup
        strictcrlpolicy=yes

   a received peer certificate will not be accepted if the corresponding
   CRL is either not found in /etc/ipsec.d/crls or if the nextUpdate
   date of the current CRL is reached and no new CRL has been made
   available. Please be aware of the severe consequences of setting
   strictcrlpolicy=yes. All connections will come to a sudden standstill
   if you forget to update the CRL in time. The default setting is
   strictcrlpolicy=no.

- The monitoring commands ipsec auto --listcerts | --listcacerts
   now additionally list the size and the keyid of the RSA public key
   contained in the certificate. The listing also indicates the possession
   of a matching RSA private key.

Kind regards

Andreas

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
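The first two points of the announcement describe the mechanism but not the script. The following is an added example of such a customized updown script, written for this archive page; it is not the utils/_updown.x509 template shipped with the patch, nor code from the announcement. It turns the four protocol/port variables the patch exports ($PLUTO_MY_PROTOCOL, $PLUTO_PEER_PROTOCOL, $PLUTO_MY_PORT, $PLUTO_PEER_PORT) into iptables rules, and produces the kind of one-line connection log the template is said to offer. The other variable names it reads (PLUTO_VERB, PLUTO_CONNECTION, PLUTO_INTERFACE, PLUTO_PEER, PLUTO_MY_CLIENT, PLUTO_PEER_CLIENT) are the standard FreeS/WAN updown variables; the IPTABLES and UPDOWN_DRY_RUN names, and the convention that an unrestricted protocol or port is passed as 0, are assumptions of this example. The point worth seeing in code is the one the announcement flags: since KLIPS tunnels everything regardless of protoport, these firewall rules are the only thing that actually confines the DHCP peer to udp/68 <-> udp/67.

```sh
#!/bin/sh
# Added example updown script for the X.509 patch's protoport feature.
# Not the shipped utils/_updown.x509 template; constructed for illustration.
#
# Variables named in the announcement: PLUTO_MY_PROTOCOL, PLUTO_PEER_PROTOCOL,
# PLUTO_MY_PORT, PLUTO_PEER_PORT. Standard FreeS/WAN updown variables used:
# PLUTO_VERB, PLUTO_CONNECTION, PLUTO_INTERFACE, PLUTO_PEER, PLUTO_MY_CLIENT,
# PLUTO_PEER_CLIENT. Assumption of this example: an unrestricted protocol or
# port arrives as 0 (the connection in the announcement gives 17/67 and 17/68).

IPTABLES=${IPTABLES:-iptables}   # assumed name; override for testing

# port_match: " --sport X --dport Y" fragments, omitting ports given as 0.
# $1 = source port, $2 = destination port
port_match() {
    out=""
    [ "${1:-0}" != 0 ] && out="$out --sport $1"
    [ "${2:-0}" != 0 ] && out="$out --dport $2"
    printf '%s' "$out"
}

# l4_match: " -p PROTO[ports]", or nothing when the protocol is unrestricted.
# $1 = protocol number, $2 = source port, $3 = destination port
l4_match() {
    [ "${1:-0}" = 0 ] && return 0
    printf ' -p %s%s' "$1" "$(port_match "$2" "$3")"
}

# protoport: ":PROTO/PORT" in the notation of `ipsec auto --status`, or
# nothing when unrestricted. $1 = protocol number, $2 = port
protoport() {
    [ "${1:-0}" = 0 ] && return 0
    printf ':%s/%s' "$1" "${2:-0}"
}

# updown_rules: print one iptables command per line for the current
# PLUTO_VERB. Host-to-host SAs terminate locally (INPUT/OUTPUT); client
# subnets are forwarded (FORWARD). Nothing is executed here, so the output
# can be reviewed or tested without root or iptables installed.
updown_rules() {
    case "$PLUTO_VERB" in
        up-host)     op="-I"; pos=" 1"; in_chain=INPUT;   out_chain=OUTPUT ;;
        up-client)   op="-I"; pos=" 1"; in_chain=FORWARD; out_chain=FORWARD ;;
        down-host)   op="-D"; pos="";   in_chain=INPUT;   out_chain=OUTPUT ;;
        down-client) op="-D"; pos="";   in_chain=FORWARD; out_chain=FORWARD ;;
        *) return 1 ;;   # prepare-*, route-*, unroute-*: no firewall change
    esac
    # Inbound: peer's protoport -> ours, arriving decrypted on the IPsec interface.
    printf '%s %s %s%s -i %s -s %s -d %s%s -j ACCEPT\n' \
        "$IPTABLES" "$op" "$in_chain" "$pos" "$PLUTO_INTERFACE" \
        "$PLUTO_PEER_CLIENT" "$PLUTO_MY_CLIENT" \
        "$(l4_match "$PLUTO_PEER_PROTOCOL" "$PLUTO_PEER_PORT" "$PLUTO_MY_PORT")"
    # Outbound: our protoport -> peer's, leaving on the IPsec interface.
    printf '%s %s %s%s -o %s -s %s -d %s%s -j ACCEPT\n' \
        "$IPTABLES" "$op" "$out_chain" "$pos" "$PLUTO_INTERFACE" \
        "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT" \
        "$(l4_match "$PLUTO_MY_PROTOCOL" "$PLUTO_MY_PORT" "$PLUTO_PEER_PORT")"
}

# connection_log_line: one concise line per up/down event, in the style of
# the `ipsec auto --status` listing. $1 = timestamp string to prefix.
connection_log_line() {
    printf '%s %s %s %s%s <-> %s%s peer=%s\n' \
        "$1" "$PLUTO_VERB" "$PLUTO_CONNECTION" \
        "$PLUTO_MY_CLIENT" "$(protoport "$PLUTO_MY_PROTOCOL" "$PLUTO_MY_PORT")" \
        "$PLUTO_PEER_CLIENT" "$(protoport "$PLUTO_PEER_PROTOCOL" "$PLUTO_PEER_PORT")" \
        "$PLUTO_PEER"
}

# When pluto invokes this script, apply the rules and log the event. With
# UPDOWN_DRY_RUN set (assumed name), print the rules instead of running them.
if [ -n "$PLUTO_VERB" ]; then
    if [ -n "$UPDOWN_DRY_RUN" ]; then
        updown_rules
    else
        updown_rules | while IFS= read -r cmd; do $cmd; done
    fi
    connection_log_line "$(date -u +%Y-%m-%dT%H:%M:%SZ)" | logger -t updown
fi
```

With the "dhcp" connection from the announcement, PLUTO_MY_PROTOCOL=17, PLUTO_MY_PORT=67, PLUTO_PEER_PROTOCOL=17 and PLUTO_PEER_PORT=68, the up-client rules accept only UDP 68 -> 67 inbound and UDP 67 -> 68 outbound between the peer's address and 0.0.0.0/0, and the down-client rules delete exactly those two entries. Everything else the peer pushes through the tunnel, which KLIPS will happily decrypt and deliver, is then left to the existing FORWARD policy, which is why that policy should default to DROP for packets arriving on the ipsec interface.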



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:25 CEST