Re: [cee4@packet-pushers.com: Slides for NANOG31 IPsec tutorial]
Subject: Slides for NANOG31 IPsec tutorial
If you plan to attend Sunday's hands-on tutorial for using the IPsec server at NANOG, you may want to have a look at the slides in advance. You can find them at: http://www.packet-pushers.net/NANOG/ipsec/
Unfortunately, I won't be there. But I looked at your slides, since we are doing a lot of things with IPsec and wireless as well.
The slides contain URLs for sample configuration files and startup scripts. Those files are also available at the above URL.
I wonder why you made your configuration so complex. Why tunnel an extra IP address to the laptops? Why use L2TP when you can fix this with simple X.509 certificates. Why use PSKs when you can trivially use a Certificate Agency and roll out certificates over a webserver on the 'hotspot'? You might want to have a look at the WaveSEC deployment we did at BlackHat in Amsterdam last week. It worked fine for linux, windwos and macosx (racoon) based systems. It provides an easy to use windows interface for adding a X.509 certificate (PKCS12) file into the registry for WinXP/2K. It seems a lot less complex then your setup where everyone has to manually tunnel a single ip address onto their laptop. My slides, as well as the server prototype code (which in its turn provides the client code for windows when needed), are available at: http://www.blackhat.com/html/bh-media-archives/bh-archives-2004.html#EU-2004 Near the end, you will also see a few problems that Windows users can fall into. This does not list the latest problem that has been found yet, that any packet from source port 98 is considered 'secure' by windows, and is allowed to hit the machine regardhless of IPsec policies (but as you said, IPsec is not a firewall) Paul
I wonder why you made your configuration so complex.
complexity may be in the eye of the beholder.
Why tunnel an extra IP address to the laptops?
I am working with the following constraints: 1) The IPsec gateway is a standalone box. It is not the access point and it is not the router. 2) Want to minimize the installation of extra software, esp for windows boxes. Tunneling seems a natural choice because I don't know how else to get incoming IPsec packets to the IPsec gateway, except for some kind of ugly policy routing, which could cause other problems. Also XP's built-in IPsec client only works as a L2TP tunnel AFAIK.
Why use L2TP when you can fix this with simple X.509 certificates. Why use PSKs when you can trivially use a Certificate Agency and roll out certificates over a webserver on the 'hotspot'?
Aren't L2TP and X509 orthogonal? I felt that PSKs would be simpler for this first attempt. Perhaps we can use X509 certs at future meetings. I cannot comment on how trivial it may or may not be because I have not tried setting up a certificate server myself yet.
You might want to have a look at the WaveSEC deployment we did at BlackHat in Amsterdam last week. It worked fine for linux, windwos and macosx (racoon) based systems. It provides an easy to use windows interface for adding a X.509 certificate (PKCS12) file into the registry for WinXP/2K. It seems a lot less complex then your setup where everyone has to manually tunnel a single ip address onto their laptop.
Thanks for the pointer to the slides. I wish we could meet and talk about this face-to-face, rather than exchanging slide sets. Duane W.
participants (2)
-
Duane Wessels -
Paul Wouters