[70749] in North American Network Operators' Group


Re: [cee4@packet-pushers.com: Slides for NANOG31 IPsec tutorial]

daemon@ATHENA.MIT.EDU (Duane Wessels)
Mon May 24 13:50:03 2004

Date: Mon, 24 May 2004 11:49:30 -0600 (MDT)
From: Duane Wessels <cee4@packet-pushers.com>
To: Paul Wouters <paul@xtdnet.nl>
Cc: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0405240953050.5391-100000@expansionpack.xtdnet.nl>
Errors-To: owner-nanog-outgoing@merit.edu


> I wonder why you made your configuration so complex.

Complexity may be in the eye of the beholder.

> Why tunnel an extra IP address to the laptops?

I am working with the following constraints:

  1) The IPsec gateway is a standalone box.  It is not the access
     point and it is not the router.
  2) Want to minimize the installation of extra software, esp
     for windows boxes.

Tunneling seems a natural choice because I don't know how else to
get incoming IPsec packets to the IPsec gateway, except for some
kind of ugly policy routing, which could cause other problems.  Also
XP's built-in IPsec client only works as an L2TP tunnel AFAIK.

> Why use L2TP when you can fix this with simple X.509 certificates.
> Why use PSKs when you can trivially use a Certificate Agency and roll out certificates
> over a webserver on the 'hotspot'?

Aren't L2TP and X509 orthogonal?  I felt that PSKs would
be simpler for this first attempt.  Perhaps we can use X509 certs
at future meetings.  I cannot comment on how trivial it may
or may not be because I have not tried setting up a certificate
server myself yet.

> You might want to have a look at the WaveSEC deployment we did at BlackHat in Amsterdam
> last week. It worked fine for linux, windows and macosx (racoon) based systems. It
> provides an easy to use windows interface for adding an X.509 certificate (PKCS12) file
> into the registry for WinXP/2K. It seems a lot less complex than your setup where
> everyone has to manually tunnel a single ip address onto their laptop.

Thanks for the pointer to the slides.  I wish we could meet and talk
about this face-to-face, rather than exchanging slide sets.

Duane W.
