From: gahn
To: VANHULLEBUS Yvan, freebsd-security@freebsd.org
Date: Wed, 25 Jan 2006 19:23:31 -0800 (PST)
Subject: Re: IPsec, VPN and FreeBSD

Thanks Vanhu: could you give me some tips on this knowhow?

--- VANHULLEBUS Yvan wrote:

> IPsec with dynamic remote IPs is not as difficult, especially with
> racoon's generate_policy option, but you'll need to know what you are
> doing: Aggressive mode + PSK is known to be less secure than other
> modes, Main mode + PSK can't be done with remote dynamic IPs, and Main
> mode + X509 certificates need to have some X509 certificates
> knowledge...
>
> But it CAN be done, it is probably NOT the most easy way of doing
> things, but it is probably the most secure, the most interoperable and
> the most "easy" to administrate when it's in production...
>
> Yvan.
>
> --
> NETASQ - Secure Internet Connectivity
> http://www.netasq.com
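
The three combinations named in the quoted reply, as an added example that is not part of the original thread: a small Python check that classifies a racoon.conf `remote` block by exchange mode and authentication method. The configuration fragment, its file names, the function names and the verdict strings are constructed for illustration.

```python
import re

# Constructed racoon.conf fragment for a gateway serving dynamic-IP peers
# (sample values and file names are assumptions, not from the thread).
TEMPLATE = """
remote anonymous {{                 # matches peers with no fixed address
    exchange_mode {mode};
    generate_policy on;             # build SPD entries from the peer's phase 2 proposal
    certificate_type x509 "gw.crt" "gw.key";
    proposal {{
        encryption_algorithm aes;
        hash_algorithm sha256;
        authentication_method {auth};
        dh_group modp2048;
    }}
}}
"""

def remote_blocks(conf):
    """Yield (peer, body) for every 'remote <peer> { ... }' block, nested braces included."""
    conf = re.sub(r"#.*", "", conf)                 # drop comments first
    for m in re.finditer(r"\bremote\s+(\S+)\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def audit(conf):
    """Classify each remote block by the three combinations named in the quoted reply."""
    out = []
    for peer, body in remote_blocks(conf):
        m = re.search(r"exchange_mode\s+([^;]+);", body)
        modes = {x.strip() for x in m.group(1).split(",")} if m else set()
        auths = set(re.findall(r"authentication_method\s+(\w+)\s*;", body))
        if "pre_shared_key" in auths and "aggressive" in modes:
            verdict = "aggressive+psk: less secure than other modes"
        elif "pre_shared_key" in auths and "main" in modes and peer == "anonymous":
            verdict = "main+psk: cannot work with dynamic remote IPs"
        elif auths == {"rsasig"} and modes == {"main"}:
            verdict = "main+x509: ok"
        else:
            verdict = "review manually"
        out.append((peer, verdict))
    return out

if __name__ == "__main__":
    for mode, auth in [("aggressive", "pre_shared_key"), ("main", "pre_shared_key"), ("main", "rsasig")]:
        print(mode, auth, audit(TEMPLATE.format(mode=mode, auth=auth)))
```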