Re: Mobile IPv6 - IPsec interaction.
In message <sjm3dezrn4k.fsf@rcn.ihtfp.org>, Derek Atkins writes:
>
>Unfortunately there is no standard certificate exchange format for
>IPSec (yet?). But you are right, if you have a real certificate with
>a real i-d binding, then yes, you don't need to include the key in the
>policy, the identification is sufficient.

Even PKIX is sufficient for *that* (use the SubjAltName), and most
implementations (not FreeSWAN) support that.

>But snide comments aside, you _can_ do this today: you set your policy
>to build a tunnel that authorizes your mobile host (based on some
>identification) to tunnel packets as your home address. Seriously, it
>is that simple. I admit that _how_ you set your policy is IPSec
>implementation specific. However, _what_ you need to set up isn't.

Absolutely. I know OpenBSD supports this, and I believe KAME does as
well. I'd be surprised if major vendors can't do this as well.

-Angelos