Date: Mon, 22 Jul 2002 00:09:41 +0100 From: "chris scott" <chris.scott@uk.tiscali.com> To: "Lupe Christoph" <lupe@lupe-christoph.de> Cc: "John Howie" <JHowie@msn.com>, <admin@gbinetwork.com>, <freebsd-questions@freebsd.org>, <freebsd-security@freebsd.org> Subject: Re: roaming ipsec policies and racoon Message-ID: <002901c2310b$b2111360$a4102c0a@viper> References: <DAEF28A9E7214B46AE7C7C66861F6308DF88@STKSRV1.securitytoolkit.com> <001001c230e7$3f22f770$a4102c0a@viper> <20020721213706.GE461@lupe-christoph.de>
next in thread | previous in thread | raw e-mail | index | archive | help
Racoon certainly aunt well documented, the man page is all you get. Having said that I have figured out most stuff I need to now. If only winkblows would do user based preshared key lake racoon can. It would all be so easy. Interestingly how do most ppl configure their vpn ipsec policies. I found all the example ones out there would encrypt the inside of the gif,gre, whatever tunnel. This didn't make sense to me as if you added another network to one of the lans you would have to update your polices to cope with the new traffic. I just setup a tunnel, and zebra running ripd on both hosts then encrypted all tunnel traffic between both the hosts, in my case ip protocol 4 ( gif tunnel ). Works fine for me all I have to do now is configure a new interface for the new network and bang it sorts out the rest. ----- Original Message ----- From: "Lupe Christoph" <lupe@lupe-christoph.de> To: "chris scott" <chris.scott@uk.tiscali.com> Cc: "John Howie" <JHowie@msn.com>; <admin@gbinetwork.com>; <freebsd-questions@freebsd.org>; <freebsd-security@freebsd.org> Sent: Sunday, July 21, 2002 10:37 PM Subject: Re: roaming ipsec policies and racoon > On Sunday, 2002-07-21 at 19:48:47 +0100, chris scott wrote: > > thanks for all the advice, looks like a much bigger job than I inteneded 8( > > I found it a little more complicated than IP-based IPSec, but it > gives you more flexibility. The biggest problem was when I screwed > up with the srever DN. It took a while to find how you can get the > Windows XP client to tell you what it dowsn't like. Typically > Micro$oft. "Something went wrong, and as a Windows user we assume > you're too stupid to understand what." Grrrr.... > > Racoon is quite decent, but badly documented. And when I last looked, > it lacked CRL (Certificate Revocation List) support. And I needed > that for my client, so I had to use FreeS/WAN. > > Rechecking CRL support, I found this URL: > http://www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO.html > It doesn't say if CRLs work, but it looks helpful for people > wanting to do certificates. > > Lupe Christoph > -- > | lupe@lupe-christoph.de | http://www.lupe-christoph.de/ | > | I have challenged the entire ISO-9000 quality assurance team to a | > | Bat-Leth contest on the holodeck. They will not concern us again. | > | http://public.logica.com/~stepneys/joke/klingon.htm | > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?002901c2310b$b2111360$a4102c0a>