[cee4 at packet-pushers.com: Slides for NANOG31 IPsec tutorial]
Duane Wessels
cee4 at packet-pushers.com
Mon May 24 17:49:30 UTC 2004
> I wonder why you made your configuration so complex.
Complexity may be in the eye of the beholder.
> Why tunnel an extra IP address to the laptops?
I am working with the following constraints:
1) The IPsec gateway is a standalone box. It is not the access
point and it is not the router.
2) I want to minimize the installation of extra software, esp.
for Windows boxes.
Tunneling seems a natural choice because I don't know how else to
get incoming IPsec packets to the IPsec gateway, except for some
kind of ugly policy routing, which could cause other problems. Also
XP's built-in IPsec client only works as an L2TP tunnel AFAIK.
> Why use L2TP when you can fix this with simple X.509 certificates?
> Why use PSKs when you can trivially use a Certificate Agency and roll out certificates
> over a webserver on the 'hotspot'?
Aren't L2TP and X.509 orthogonal? I felt that PSKs would
be simpler for this first attempt. Perhaps we can use X.509 certs
at future meetings. I cannot comment on how trivial it may
or may not be because I have not tried setting up a certificate
server myself yet.
> You might want to have a look at the WaveSEC deployment we did at BlackHat in Amsterdam
> last week. It worked fine for Linux, Windows and Mac OS X (racoon) based systems. It
> provides an easy to use Windows interface for adding an X.509 certificate (PKCS12) file
> into the registry for WinXP/2K. It seems a lot less complex than your setup where
> everyone has to manually tunnel a single IP address onto their laptop.
Thanks for the pointer to the slides. I wish we could meet and talk
about this face-to-face, rather than exchanging slide sets.
Duane W.