Creating a "mail gateway"

D. Hugh Redelmeier hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org
Thu Jun 12 21:21:48 UTC 2008


| From: Lennart Sorensen <lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org>

| Setting up openswan is generally very very simple.

I wish that were true.  We tried to make it simple, but it is only
simple to someone as knowledgeable as you :-(

There are too many things to go wrong in unclear ways in the Linux
networking stack.  Openswan multiplies this by a small constant
factor.

I have never tried OpenVPN, so I don't know if or how they avoid these
problems.

|  It also handles all
| traffic types well and efficiently (no VPN should EVER use a tcp
| connection, so IPsec uses udp).

For negotiating, the IKE protocol uses UDP.

For transport, IPSec uses ESP (usually), AH (not too often), or UDP
(fudge for NAT traversal).

| Certainly with a pre shared key, IPsec is trivial.  With RSA keys, it's
| still pretty simple.  When using certificates, IPsec itself is pretty
| simple and nice, but generating certificates seems to be an awfully
| difficult task.

Example of complexity:

PSK authentication does not work that well with "Road Warriors".  A
Road Warrior is a VPN participant that does not have a fixed IP
address (see the use of %any in your example).  The protocol requires the
Responder (the non Road Warrior end) to figure out the PSK before
knowing the identity of the Road Warrior.  So all Road Warriors must
have the same PSK.  If there is more than one, this is very bad
crypto hygiene.

RSA Signature authentication does not suffer this problem.  But RSA
Signature authentication, although part of the standard, is only
implemented by *swan (FreeS/WAN, Openswan, StrongS/WAN).  So that
isn't ideal.
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
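As an added illustration of the Road Warrior PSK problem described above (not part of the original message and not Openswan project documentation): an Openswan-style ipsec.conf / ipsec.secrets fragment showing the weak shared-PSK setup next to the RSA-signature form. Addresses, identities and key strings are constructed placeholders.

```ini
# ---- ipsec.conf (weak): PSK with %any ---------------------------------
# The Responder must choose the PSK before it learns the peer's identity,
# and a Road Warrior has no fixed address, so only one secret can match.
conn rw-psk
    left=192.0.2.1            # gateway / Responder (constructed address)
    leftsubnet=10.1.0.0/16
    right=%any                # Road Warriors: address unknown in advance
    authby=secret
    auto=add

# ---- ipsec.secrets (weak) ---------------------------------------------
# Looked up by peer address; %any matches every Road Warrior, so every
# Road Warrior necessarily holds this same PSK.
192.0.2.1 %any : PSK "placeholder-shared-by-every-road-warrior"

# ---- ipsec.conf (corrected): RSA signature authentication -------------
# Identity is proven by a signature, so each peer can carry its own key.
# One conn per Road Warrior, matched on rightid rather than on address.
conn rw-alice
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftid=@gw.example.com
    leftrsasigkey=0sAQ...     # placeholder: output of `ipsec showhostkey --left`
    right=%any
    rightid=@alice.example.com
    rightrsasigkey=0sAQ...    # placeholder: alice's own public key
    authby=rsasig
    auto=add

# ---- ipsec.secrets (corrected) ----------------------------------------
# Only the gateway's private key lives here (written by `ipsec newhostkey`);
# no secret is shared with any Road Warrior.
: RSA {
    # placeholder: private-key block generated by ipsec newhostkey
}
```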