[cee4 at packet-pushers.com: Slides for NANOG31 IPsec tutorial]

Paul Wouters paul at xtdnet.nl
Mon May 24 08:07:37 UTC 2004



> Subject: Slides for NANOG31 IPsec tutorial
> 
> If you plan to attend Sunday's hands-on tutorial for using the IPsec
> server at NANOG, you may want to have a look at the slides in
> advance.  You can find them at: http://www.packet-pushers.net/NANOG/ipsec/

Unfortunately, I won't be there. But I looked at your slides, since we are doing
a lot of things with IPsec and wireless as well.
 
> The slides contain URLs for sample configuration files and startup
> scripts.   Those files are also available at the above URL.

I wonder why you made your configuration so complex. Why tunnel an extra IP address
to the laptops? Why use L2TP when you can fix this with simple X.509 certificates.
Why use PSKs when you can trivially use a Certificate Agency and roll out certificates
over a webserver on the 'hotspot'? 

You might want to have a look at the WaveSEC deployment we did at BlackHat in Amsterdam
last week. It worked fine for linux, windwos and macosx (racoon) based systems. It
provides an easy to use windows interface for adding a X.509 certificate (PKCS12) file
into the registry for WinXP/2K. It seems a lot less complex then your setup where 
everyone has to manually tunnel a single ip address onto their laptop.

My slides, as well as the server prototype code (which in its turn provides the client 
code for windows when needed), are available at: 

http://www.blackhat.com/html/bh-media-archives/bh-archives-2004.html#EU-2004

Near the end, you will also see a few problems that Windows users can fall into. This
does not list the latest problem that has been found yet, that any packet from source
port 98 is considered 'secure' by windows, and is allowed to hit the machine regardhless
of IPsec policies (but as you said, IPsec is not a firewall)

Paul




More information about the NANOG mailing list