[cee4 at packet-pushers.com: Slides for NANOG31 IPsec tutorial]

Duane Wessels cee4 at packet-pushers.com
Mon May 24 17:49:30 UTC 2004


> I wonder why you made your configuration so complex.

Complexity may be in the eye of the beholder.

> Why tunnel an extra IP address to the laptops?

I am working with the following constraints:

  1) The IPsec gateway is a standalone box.  It is not the access
     point and it is not the router.
  2) Want to minimize the installation of extra software, esp.
     for Windows boxes.

Tunneling seems a natural choice because I don't know how else to
get incoming IPsec packets to the IPsec gateway, except for some
kind of ugly policy routing, which could cause other problems.  Also,
XP's built-in IPsec client only works as an L2TP tunnel AFAIK.

> Why use L2TP when you can fix this with simple X.509 certificates?
> Why use PSKs when you can trivially use a Certificate Agency and roll out certificates
> over a webserver on the 'hotspot'?

Aren't L2TP and X.509 orthogonal?  I felt that PSKs would
be simpler for this first attempt.  Perhaps we can use X.509 certs
at future meetings.  I cannot comment on how trivial it may
or may not be because I have not tried setting up a certificate
server myself yet.

> You might want to have a look at the WaveSEC deployment we did at BlackHat in Amsterdam
> last week. It worked fine for Linux, Windows and Mac OS X (racoon) based systems. It
> provides an easy-to-use Windows interface for adding an X.509 certificate (PKCS12) file
> into the registry for WinXP/2K. It seems a lot less complex than your setup where
> everyone has to manually tunnel a single IP address onto their laptop.

Thanks for the pointer to the slides.  I wish we could meet and talk
about this face-to-face, rather than exchanging slide sets.

Duane W.
