Re: [[email protected]: Slides for NANOG31 IPsec tutorial]
> I wonder why you made your configuration so complex.

Complexity may be in the eye of the beholder.

> Why tunnel an extra IP address to the laptops?

I am working with the following constraints:

1) The IPsec gateway is a standalone box. It is not the access point and it is not the router.
2) Want to minimize the installation of extra software, esp for windows boxes.

Tunneling seems a natural choice because I don't know how else to get incoming IPsec packets to the IPsec gateway, except for some kind of ugly policy routing, which could cause other problems. Also XP's built-in IPsec client only works as a L2TP tunnel AFAIK.

> Why use L2TP when you can fix this with simple X.509 certificates.
> Why use PSKs when you can trivially use a Certificate Agency and roll out certificates
> over a webserver on the 'hotspot'?

Aren't L2TP and X509 orthogonal?

I felt that PSKs would be simpler for this first attempt. Perhaps we can use X509 certs at future meetings. I cannot comment on how trivial it may or may not be because I have not tried setting up a certificate server myself yet.

> You might want to have a look at the WaveSEC deployment we did at BlackHat in Amsterdam
> last week. It worked fine for linux, windows and macosx (racoon) based systems. It
> provides an easy to use windows interface for adding a X.509 certificate (PKCS12) file
> into the registry for WinXP/2K. It seems a lot less complex than your setup where
> everyone has to manually tunnel a single ip address onto their laptop.

Thanks for the pointer to the slides. I wish we could meet and talk about this face-to-face, rather than exchanging slide sets.

Duane W.