Creating a "mail gateway"

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Fri Jun 13 12:12:09 UTC 2008


On Thu, Jun 12, 2008 at 05:21:48PM -0400, D. Hugh Redelmeier wrote:
> I wish that were true.  We tried to make it simple, but it is only
> simple to someone as knowledgeable as you :-(

It seemed pretty simple the first time I set it up many years ago.

> There are too many things to go wrong in unclear ways in the Linux
> networking stack.  Openswan multiplies this by a small constant
> factor.

There are also two ipsec stacks you can use.  Netkey in the 2.6 kernel
(which I recommend since it is policy based rather than route based) and
klips (part of openswan), which is route based (which I don't recommend
using).

> I have never tried OpenVPN, so I don't know if or how they avoid these
> problems.
> 
> For negotiating, the IKE protocol uses UDP.
> 
> For transport, IPSec uses ESP (usually), AH (not too often), or UDP
> (fudge for NAT traversal).

Right.  But they aren't TCP so you aren't imposing delivery promises on
all traffic that didn't ask for it.

As far as I have understood, IPsec is a native component of IPv6, so why
not start learning about it now.  It is really not that complicated.

> Example of complexity:
> 
> PSK authentication does not work that well with "Road Warriors".  A
> Road Warrior is a VPN participant that does not have a fixed IP
> address (see the use of %any in your example).  The protocol requires the
> Responder (the non Road Warrior end) to figure out the PSK before
> knowing the identity of the Road Warrior.  So all Road Warriors must
> have the same PSK.  If there is more than one, this is very bad
> crypto hygiene.

I don't actually think openswan will let you use PSK with %any anymore.
At least it didn't work when I wanted to do that a month ago.  I had to
use rsasig (I didn't feel like generating certificates).

> RSA Signature authentication does not suffer this problem.  But RSA
> Signature authentication, although part of the standard, is only
> implemented by *swan (FreeS/WAN, Openswan, StrongS/WAN).  So that
> isn't ideal.

Yeah if you want a different client as a road warrior, you need
certificates, which are a pain, but once you set up the system to
generate certificates it works amazingly well and is very easy for the
road warrior to use.

-- 
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
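The PSK-and-road-warrior problem quoted above, as an added illustration that is not part of the thread: a small Python model of the responder-side key selection using Openswan-style ipsec.secrets selectors, showing why every %any peer ends up with the same PSK while rsasig can pick a key per identity. The addresses, identities and secrets are constructed sample values, and the parser covers only the simple "selectors : PSK" line form.

```python
# Added illustration (not from the thread): model of a responder choosing a
# pre-shared key before it knows the peer's identity. Sample values only.

def parse_secrets(text):
    """Parse lines of the form '<selector...> : PSK "secret"' (comments and
    blank lines skipped); returns a list of (selectors, secret)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        lhs, rhs = line.split(":", 1)
        kind, _, secret = rhs.strip().partition(" ")
        if kind == "PSK":
            entries.append((lhs.split(), secret.strip().strip('"')))
    return entries

def select_psk(local_ip, peer_ip, entries):
    """At PSK-selection time in IKE main mode the responder only has the
    two IP addresses: the peer's ID arrives later, protected with keys
    that already depend on the PSK. An exact peer address wins over the
    %any wildcard; a dynamic (road warrior) address can only hit %any."""
    exact = wildcard = None
    for selectors, secret in entries:
        if local_ip not in selectors:
            continue
        if peer_ip in selectors:
            exact = secret
        elif "%any" in selectors:
            wildcard = secret
    return exact or wildcard

def select_rsa_pubkey(peer_id, pubkeys):
    """With authby=rsasig the responder picks the peer's public key by the
    ID the peer sends, so each road warrior can have its own key."""
    return pubkeys.get(peer_id)

# Constructed sample ipsec.secrets: one fixed branch office, one %any line.
SECRETS = parse_secrets('''
# constructed sample
192.0.2.1 198.51.100.7 : PSK "branch-office-secret"
192.0.2.1 %any         : PSK "road-warrior-secret"
''')

def road_warrior_psks(local_ip, road_warrior_ips, entries=SECRETS):
    """Map each dynamic peer address to the PSK the responder would use."""
    return {ip: select_psk(local_ip, ip, entries) for ip in road_warrior_ips}
```

Two road warriors at different dynamic addresses both resolve to "road-warrior-secret", which is the shared-PSK problem the quoted text describes.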