my minutes from the end client tunnel config discussion
-----BEGIN PGP SIGNED MESSAGE-----
[please post your own view]
Pertinent issues that are important to get working road
warrior/gateway tunnels:
1. end client has no permanent IP address. The ID payload
will therefore be FQDN or user@FQDN.
2. due to #1, and the fact that the ID payload is not sent
until the third exchange, a road warrior cannot use
pre-shared-keys for ISAKMP using main mode. The right
pre-shared-key cannot be selected. Section 5.4 of
isakmp-oakley-06.txt mentions this. Aggressive mode can be
used, but obviously, it does not provide identity protection.
3. a way is needed to configure the road warrior's inner
tunnel address. Roy Pereira's isakmp-mode-cfg is an initial attempt.
4. we need some textual information in the notify
messages. MCR will be writing a document.
5. the bootstrap problem was declared out of scope for
IPsecond.
6. we need to define *exactly* what goes into certificates
used on road warrior nodes. Rodney has a document in
preparation that addresses this for both end node and
gateways.
7. we discussed whether or not policy configuration should
be in scope for IPsecond.
] IPsec testing workshop #5, Raleigh, NC. I love airports | SSH IPsec [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |international[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |strong crypto[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQBVAwUBNP4/Ch4XQavxnHg9AQHiRAH9Erme7GDeRnO49eAL/hrvmnpEGYyPORJE
iNBRpCaynmsQsYKlH6/qyBrx/oW7YT2eAtgJltO8VImaljyF0IY8uA==
=YaDy
-----END PGP SIGNATURE-----
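The following is an added example illustrating item 2 of the minutes above; it is not part of the original message and not code from any IPsec implementation. It models, in Python, why a responder in main mode with pre-shared keys has to choose the PSK before it can read the initiator's ID, and why aggressive mode fixes the lookup only by exposing the identity. The key derivation follows the SKEYID construction for pre-shared-key authentication; HMAC-SHA256 stands in for the negotiated prf and a prf-derived XOR keystream for the negotiated cipher, both simplifications. The PSK tables, addresses, identities and payload layout are constructed sample data.

```python
"""Toy model of the road-warrior PSK problem in IKEv1 main mode.

SKEYID = prf(PSK, Ni|Nr), and the key that protects messages 5 and 6
(which carry IDii/IDir) is derived from SKEYID.  So the responder must
already know which PSK applies before it can decrypt the initiator's ID,
and with a dynamic source address it has nothing to select the key by.
Aggressive mode puts IDii in message 1 in the clear, which makes the
lookup possible at the cost of identity protection.
HMAC-SHA256 and the XOR keystream below are stand-ins, not IKE formats.
"""
import hashlib
import hmac
import os

# Constructed sample configuration held by the gateway.
PSK_BY_ID = {b"alice@example.com": b"alice-secret",
             b"bob@example.com": b"bob-secret"}
PSK_BY_IP = {"192.0.2.10": b"site-b-secret"}   # only a static-address peer fits here


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


class Exchange:
    """Public values both peers hold after main-mode messages 1-4:
    cookies, nonces, DH public values, plus the DH shared secret g^xy."""
    def __init__(self):
        self.cky_i, self.cky_r = os.urandom(8), os.urandom(8)
        self.ni, self.nr = os.urandom(16), os.urandom(16)
        self.gxi, self.gxr = os.urandom(32), os.urandom(32)
        self.gxy = os.urandom(32)              # stands in for the DH shared secret
        self.sai = b"constructed-SAi-payload"

    def keys(self, psk):
        """SKEYID and SKEYID_e for pre-shared-key authentication."""
        skeyid = prf(psk, self.ni + self.nr)
        d = prf(skeyid, self.gxy + self.cky_i + self.cky_r + b"\x00")
        a = prf(skeyid, d + self.gxy + self.cky_i + self.cky_r + b"\x01")
        e = prf(skeyid, a + self.gxy + self.cky_i + self.cky_r + b"\x02")
        return skeyid, e

    def hash_i(self, skeyid, idii):
        return prf(skeyid, self.gxi + self.gxr + self.cky_i + self.cky_r
                   + self.sai + idii)


def xor_keystream(key, data):
    # Placeholder for the negotiated cipher: XOR with a prf-derived keystream.
    ks = b"".join(prf(key, b"ks" + i.to_bytes(4, "big"))
                  for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))


def main_mode_msg5(ex, idii, psk):
    """Initiator: message 5 = E_SKEYID_e(IDii | HASH_I)."""
    skeyid, e = ex.keys(psk)
    body = len(idii).to_bytes(2, "big") + idii + ex.hash_i(skeyid, idii)
    return xor_keystream(e, body)


def gateway_main_mode(ex, src_ip, msg5):
    """Responder: the only selector available before decryption is the source IP."""
    psk = PSK_BY_IP.get(src_ip)
    if psk is None:
        return None          # dynamic address: no way to pick a key, cannot decrypt
    skeyid, e = ex.keys(psk)
    body = xor_keystream(e, msg5)
    n = int.from_bytes(body[:2], "big")
    if len(body) != 2 + n + 32:
        return None          # wrong key: decryption yields garbage
    idii, h = body[2:2 + n], body[2 + n:]
    return idii if hmac.compare_digest(h, ex.hash_i(skeyid, idii)) else None


def aggressive_msg1(ex, idii):
    """Initiator: SA, KE, Ni and IDii all go in the clear in message 1."""
    return {"sai": ex.sai, "gxi": ex.gxi, "ni": ex.ni, "idii": idii}


def gateway_aggressive(ex, msg1):
    """Responder: IDii is readable, so the PSK lookup works from any address.
    Returns HASH_R for message 2, or None if the identity is unknown."""
    psk = PSK_BY_ID.get(msg1["idii"])
    if psk is None:
        return None
    skeyid, _ = ex.keys(psk)
    return prf(skeyid, ex.gxr + ex.gxi + ex.cky_r + ex.cky_i + ex.sai
               + b"gateway.example.com")


def eavesdropper(msg1):
    """Anyone on the path learns the road warrior's identity from message 1."""
    return msg1["idii"]


if __name__ == "__main__":
    ex = Exchange()
    print(gateway_main_mode(ex, "198.51.100.7",
                            main_mode_msg5(ex, b"alice@example.com", b"alice-secret")))
    print(eavesdropper(aggressive_msg1(ex, b"alice@example.com")))
```

Running it shows the two halves of the problem: the static-address peer at 192.0.2.10 authenticates in main mode, the road warrior from an unknown address gets None because the gateway never gets far enough to see the ID, and in aggressive mode the gateway finds the key but so does anyone watching message 1.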