Re: [Users] FreeS/WAN and Enterasys Aurorean VPN

From: Sam Sgro (sam_at_freeswan.org)
Date: Tue Nov 26 2002 - 06:43:08 CET


Not that I can find reference to in our interop document, or a response in the
archives.

A lot depends on the IKE authentication mechanisms available. If they employ
pre-shared secrets with their roadwarriors, chances are they are employing
aggressive mode, an inherently insecure method of authentication that
FreeS/WAN doesn't support. The fact that they support DES doesn't
particularly impress me. One hopes they have big flags in their user manual
explaining how DES is insecure.

They may use further authentication mechanisms, however, to reduce their
vulnerability, which, again, FreeS/WAN likely doesn't support. Interoperation
with some of these fairly proprietary VPN solutions can be difficult.
Sometimes, I think this might be on purpose - it ensures they won't lose a
client sale. To be fair, it's not as if FreeS/WAN developers have been working
overtime on providing support for additional authentication mechanisms (say,
XAUTH). User supported contributions are always welcome.

How are you currently authenticating IPSec connections for your Windows
clients? Do you know if other popular Windows VPN clients are supported for
use with their policy server? (say, SSH Sentinel?)

--
Sam Sgro
sam_at_freeswan.org


This archive was generated by hypermail 2.1.5 : Wed Nov 27 2002 - 05:20:51 CET