Re: [Users] Aggressive Mode and dynamic IP

From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Tue Nov 05 2002 - 23:24:26 CET


Matthias Gorjup wrote:
> Hello,
>
> I know that this issue has been largely discussed in the Mailing List, but I
> have not found an explicit answer to the problem we have in our company.
>
> Just a short introduction:
> We are building a SOHO device, based on MPC860 HW platform and Linux 2.4.17
> kernel, for a large European telecom company. Its purpose is to use it at
> teleworkers' side as a gateway and make them able to connect to their
> company's private network via VPN. VPN would be implemented with IPSec - and
> freeswan package seems to be the logical choice.
>
> Our question is if the following scenario is possible to implement with IPSec
> and freeswan package:
>
> H1 -------
> H2 ------- SOHO --- ADSL modem ----ISP --- INTERNET ---- GW-----priv.network
> H3 ------- dynamic IP
>
> Our SOHO device would serve as a gateway and firewall, and the teleworker
> would need to be able to access the company's private network through an
> IPSec tunnel. The company would use a CISCO router as a gateway.
>
> This would correspond to a typical scenario of connecting two private networks,
> each having an IPSec enabled gateway with a static IP address.
> The only difference is that our SOHO device would get a dynamic IP address
> from the ISP.
>
> And here are the questions:
> - could our SOHO device initiate the ipsec connection to the company's CISCO
> with a main mode and pre-shared key authentication?

Dynamic IP addresses do not allow the use of pre-shared keys
with IKE Main Mode. Assigning a single secret to all VPN clients would
be possible but is not feasible in a large-scale deployment.

> - if not, should RSA authentication be used instead?

Cisco routers cannot work with raw RSA keys. They expect the peer to
send an X.509 certificate. Therefore you will need the X.509 patch to
make interoperability between Linux FreeS/WAN and a Cisco router
possible.

> - is using the "aggressive mode" patch a solution? Does anyone have experience
> using this patch? There is only a patch for version 1.5 available...
>

Aggressive Mode reveals the identity of the peer since the ID is
transmitted in the open. This introduces a vulnerability making
man-in-the-middle attacks possible. This is the reason why
Aggressive Mode will never be supported by standard FreeS/WAN.

> Regards and thanks in advance
>
> Matthias

Regards

Andreas

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
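To make the two points in Andreas's reply concrete, here is an added Python model (not code from this thread, from FreeS/WAN or from Cisco) of the RFC 2409 pre-shared-key derivation: a Main Mode responder has to pick the PSK by peer address before it can decrypt the identity in message 5, so a peer with an unknown dynamic address can only be served by one group PSK, while Aggressive Mode carries IDii in its very first message in the clear. The toy keystream, the `Gateway` class and the sample identity and addresses are constructed for illustration.

```python
# Toy model of the IKEv1 (RFC 2409) pre-shared-key issue discussed in the thread.
# Constructed values and simplified crypto; not FreeS/WAN or Cisco code.
import hashlib
import hmac
import os

def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 5.4, PSK authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()

def xor_keystream(skeyid: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for SKEYID_e encryption of messages 5/6 (toy SHA-1 counter stream)."""
    stream = b"".join(hashlib.sha1(skeyid + nonce + bytes([i])).digest()
                      for i in range(len(data) // 20 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def initiator_main_mode_msg5(psk: bytes, ni: bytes, nr: bytes, idii: bytes):
    """Main Mode message 5: HDR*, IDii, HASH_I -- the identity is only inside the encryption."""
    skeyid = skeyid_psk(psk, ni, nr)
    return xor_keystream(skeyid, nr, idii), hmac.new(skeyid, idii, hashlib.sha1).digest()

def aggressive_mode_msg1(ni: bytes, idii: bytes) -> dict:
    """Aggressive Mode message 1: HDR, SA, KE, Ni, IDii -- the identity is in the clear."""
    return {"Ni": ni, "IDii": idii}

class Gateway:
    """Responder whose PSK table, like ipsec.secrets, is indexed by peer address."""
    def __init__(self, psk_by_ip: dict):
        self.psk_by_ip = psk_by_ip   # "%any" models a single group PSK for every client

    def main_mode_authenticate(self, src_ip, ni, nr, enc_idii, hash_i):
        # Messages 1-4 carry no identity, so the PSK can only be chosen by source IP.
        psk = self.psk_by_ip.get(src_ip) or self.psk_by_ip.get("%any")
        if psk is None:
            return None                      # unknown dynamic address: no SKEYID possible
        skeyid = skeyid_psk(psk, ni, nr)
        idii = xor_keystream(skeyid, nr, enc_idii)
        expected = hmac.new(skeyid, idii, hashlib.sha1).digest()
        return idii if hmac.compare_digest(expected, hash_i) else None

def demo():
    ni, nr, psk = os.urandom(16), os.urandom(16), b"constructed-psk"
    idii = b"teleworker@soho.example"        # constructed peer identity
    enc, hash_i = initiator_main_mode_msg5(psk, ni, nr, idii)
    gw = Gateway({"198.51.100.1": psk})      # only a static peer address is configured
    return (gw.main_mode_authenticate("198.51.100.1", ni, nr, enc, hash_i),   # identity recovered
            gw.main_mode_authenticate("203.0.113.77", ni, nr, enc, hash_i),   # dynamic address: None
            Gateway({"%any": psk}).main_mode_authenticate("203.0.113.77", ni, nr, enc, hash_i),
            aggressive_mode_msg1(ni, idii)["IDii"])  # readable by anyone on the path
```

The third result shows the only way Main Mode with PSK serves a dynamic address: the same secret for every client, which is what makes it unworkable at scale; the fourth is the identity exposure Aggressive Mode trades for that convenience.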

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.5 : Wed Nov 06 2002 - 05:20:36 CET