Re: Support for L2TP/IPsec



OoO On this cloudy night of Friday 23 May 2008, at about 00:20, Dan
Williams <dcbw redhat com> said:

>> L2TP/IPsec becomes a popular choice for setting up VPN. Security is greater
>> than PPTP solutions and clients are included in Windows and Mac OS X.
>> Unfortunately, this is quite difficult to setup on Linux. Having a plugin
>> for network-manager will be great.

> So we need a few things from openswan.  The first is to either accept
> command-line arguments for configuration, or to accept configuration
> from stdin and not from a file.  There's quite a few reasons why we
> shouldn't be writing out a config file, and there's more reasons why we
> shouldn't be pointing openswan at an existing config file.

Well, this would be a bit difficult. There are other IKE daemons that may be
configured this way:
 - isakmpd from OpenBSD accepts being entirely configured using a named
   pipe
 - iked from Shrew Soft VPN client has an IKE daemon that also accepts
   being configured in a similar way

I will test if one of them is able to establish a proper IPsec tunnel
suitable for L2TP/IPsec.

>> - setup L2TP part with xl2tpd (which needs ppp)

> Hmm, we'll need to control xl2tpd then too, but we'll need to be able to
> tell it what options to pass to pppd, not give it a config file.  We
> also need to be able to feed secrets to it over stdin or via a plugin if
> possible.  This is what's done for pppd, since pppd allows plugins to
> handle the authentication.

xl2tpd can either use a plugin for pppd and do the authentication itself
or just let pppd do the authentication. So the actual plugin for pppd
will do the trick. Concerning pppd options, unfortunately, xl2tpd seems
to have no other option than to pass a file to pppd.

> The problem with config files is that we'd be writing them out every
> time we launch the daemon, because the VPN settings come from a variety
> of sources.  They are pulled from the user's session store (GConf on
> Gnome) or from system settings, they don't get stored in the native
> daemons config files.

Can't we write temporary files? xl2tpd accepts any configuration
file.

Thanks for your insight!
-- 
BOFH excuse #63:
not properly grounded, please bury computer
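The thread's sticking point is that xl2tpd only takes a config file and a pppd options file, so a plugin would have to write them out on every connect. Below is an added illustration (not code from this thread or from NetworkManager) of how such temporary files can be written without exposing the user's secret: the files go into a 0700 directory created by mkdtemp, are created with O_EXCL and mode 0600, and carry no password at all, since authentication is left to a pppd plugin as the thread suggests. The settings keys, the "nm-l2tp-" prefix and the chosen pppd options are assumptions.

```python
import os
import stat
import tempfile

def render_xl2tpd_conf(settings, ppp_opts_path):
    """One 'lac' section pointing xl2tpd at the gateway and the pppd options file."""
    return (
        f"[lac {settings['name']}]\n"
        f"lns = {settings['gateway']}\n"
        f"pppoptfile = {ppp_opts_path}\n"
        "require chap = yes\n"
        "refuse pap = yes\n"
        "require authentication = yes\n"
        f"name = {settings['user']}\n"
        "length bit = yes\n"
        "redial = no\n"
    )

def render_ppp_options(settings):
    """pppd options; no secret is written here, a pppd plugin supplies it."""
    return (
        "noauth\n"          # we do not demand that the LNS authenticate to us
        "refuse-pap\n"      # only authenticate ourselves with MS-CHAPv2
        "refuse-chap\n"
        "refuse-mschap\n"
        "refuse-eap\n"
        "noccp\n"
        "usepeerdns\n"
        f"user {settings['user']}\n"
        "mtu 1400\nmru 1400\n"
    )

def write_private(path, text):
    # O_EXCL refuses to reuse an existing file or follow a planted symlink;
    # 0o600 keeps other local users from reading gateway and account details.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)

def perms(path):
    """Permission bits of a path, for checking what was actually created."""
    return stat.S_IMODE(os.stat(path).st_mode)

def write_config_dir(settings):
    """Write both files into a fresh private directory; returns (dir, conf, opts)."""
    d = tempfile.mkdtemp(prefix="nm-l2tp-")  # mkdtemp creates it with mode 0700
    opts = os.path.join(d, "ppp-options")
    conf = os.path.join(d, "xl2tpd.conf")
    write_private(opts, render_ppp_options(settings))
    write_private(conf, render_xl2tpd_conf(settings, opts))
    return d, conf, opts
```

The directory should be removed once xl2tpd has been started, so the details live on disk only for the lifetime of the connection setup.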

