Re: Support for L2TP/IPsec
Dan Williams <dcbw redhat com> writes:

> On Fri, 2008-05-23 at 21:29 +0200, Vincent Bernat wrote:
>> OoO At the start of the evening of Friday 23 May 2008, around 21:23, I
>> said:
>> 
>> > Well, this would be a bit difficult. There are other IKE daemons that may be
>> > configured this way:
>> >  - isakmpd from OpenBSD accepts being entirely configured through a named
>> >    pipe
>> >  - iked from the Shrew Soft VPN client is an IKE daemon that also accepts
>> >    being configured in a similar way
>> 
>> Another thing to know about those IKE daemons is that only one can run
>> on the system. Therefore, contrary to PPTP, we cannot just spawn a new
>> one for each connection. The same IKE daemon can handle many IPsec
>> tunnels.
>
> That gets interesting, and that means that we need to be able to talk to
> the IKE daemon directly using a socket or something so we can have it
> bring the tunnels up or down, and so that we can get status when a
> tunnel dies or whatever.  The last one is pretty critical, so that we
> can notify the user that something has happened and that's why their VPN
> is no longer working.

I have been working on adding enough support to configure an L2TP/IPsec
connection remotely against a running strongswan pluto IKE daemon using
strongswan's whack utility. It doesn't quite work yet, and I'm debating
instead implementing dbus support directly in pluto to support dynamic
configuration.

But this is an important time to say that if we were to have an openswan
vs. strongswan debate, strongswan supports PKCS#11 API smartcards, which
means it can be used with OpenSC-supported smartcards as well as
gnome-keyring and openCryptoki (i.e. TPM chip). On the other hand,
openswan only supports OpenSC-supported smartcards, which is a very
strong limitation going forward. Dan, this is another part of
NetworkManager where in the future it will be important to support
smartcards instead of certificates and keys on disk.

Vincent, in your setup is there a strong reason you are using openswan
instead of strongswan? Please share.

Cheers,
dds

>
>
> _______________________________________________
> NetworkManager-list mailing list
> NetworkManager-list gnome org
> http://mail.gnome.org/mailman/listinfo/networkmanager-list
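The requirement Dan states above (one long-running IKE daemon, many tunnels, and a way to notice when one of them dies so the user can be told) can be sketched as a poll-and-diff monitor. The following is an added example written for this page; it is not code from the thread, from NetworkManager, or from strongSwan. It assumes the daemon is queried with strongSwan's `ipsec status` control command and that the output uses the modern charon layout reproduced in the constructed samples below (the 2008 pluto output the thread refers to is formatted differently, so the two regular expressions would need adjusting for it). A connection counts as "up" only when its IKE SA is ESTABLISHED and at least one child SA is INSTALLED; a lingering IKE SA with no child SA is exactly the "tunnel died but the daemon is still there" case the monitor must report.

```python
"""Added example, not from the thread or from NetworkManager/strongSwan.

Assumptions: status comes from `ipsec status` (strongSwan control script)
in the modern charon layout shown in the constructed samples below.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample: two tunnels, both fully up.
SAMPLE_BOTH_UP = """\
Security Associations (2 up, 0 connecting):
      office[3]: ESTABLISHED 4 minutes ago, 10.0.0.2[client]...203.0.113.1[server]
      office{3}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0a5d1e2_i 6f3b9c11_o
      office{3}:   10.0.0.2/32 === 192.168.10.0/24
        home[1]: ESTABLISHED 2 hours ago, 10.0.0.2[client]...198.51.100.7[gw]
        home{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: 11223344_i 55667788_o
        home{1}:   10.0.0.2/32 === 192.168.1.0/24
"""

# Constructed sample, same daemon a minute later: the peer deleted the
# child SA of 'home'. Its IKE SA is still listed, but that is not a tunnel.
SAMPLE_HOME_DOWN = """\
Security Associations (2 up, 0 connecting):
      office[3]: ESTABLISHED 5 minutes ago, 10.0.0.2[client]...203.0.113.1[server]
      office{3}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0a5d1e2_i 6f3b9c11_o
      office{3}:   10.0.0.2/32 === 192.168.10.0/24
        home[1]: ESTABLISHED 2 hours ago, 10.0.0.2[client]...198.51.100.7[gw]
"""

# "name[id]: STATE ..." is an IKE SA line, "name{id}:  STATE, ..." a child SA line.
IKE_SA = re.compile(r"^\s*([\w.-]+)\[\d+\]:\s+([A-Z]+)")
CHILD_SA = re.compile(r"^\s*([\w.-]+)\{\d+\}:\s+([A-Z]+),")


def parse_status(text: str) -> Dict[str, bool]:
    """Map connection name -> True if the tunnel is usable right now."""
    ike: Dict[str, str] = {}
    child: Dict[str, str] = {}
    for line in text.splitlines():
        m = IKE_SA.match(line)
        if m:
            ike[m.group(1)] = m.group(2)
            continue
        m = CHILD_SA.match(line)
        if m:
            name, state = m.groups()
            # Several child SAs can coexist (e.g. during rekeying); an
            # INSTALLED one must not be masked by a REKEYING/DELETING one.
            if state == "INSTALLED" or child.get(name) != "INSTALLED":
                child[name] = state
    names = set(ike) | set(child)
    return {n: ike.get(n) == "ESTABLISHED" and child.get(n) == "INSTALLED"
            for n in names}


def diff_states(prev: Dict[str, bool], curr: Dict[str, bool]) -> List[Tuple[str, str]]:
    """Return (name, 'up'|'down') for every tunnel whose state changed."""
    events = []
    for name in sorted(set(prev) | set(curr)):
        was, now = prev.get(name, False), curr.get(name, False)
        if now and not was:
            events.append((name, "up"))
        elif was and not now:
            events.append((name, "down"))
    return events


class TunnelMonitor:
    """Keeps the last seen state of all tunnels of the single IKE daemon."""

    def __init__(self) -> None:
        self.state: Dict[str, bool] = {}

    def poll(self, status_text: str) -> List[Tuple[str, str]]:
        curr = parse_status(status_text)
        events = diff_states(self.state, curr)
        self.state = curr
        return events


def read_daemon_status() -> str:
    """Live variant: one daemon, one command, every tunnel in one answer."""
    return subprocess.run(["ipsec", "status"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    mon = TunnelMonitor()
    for text in (SAMPLE_BOTH_UP, SAMPLE_HOME_DOWN):
        for name, event in mon.poll(text):
            print(f"tunnel {name}: {event}")  # this is where NM would notify the user
```

Polling a text status command is the crude version of what the thread is asking for; the point of the diff step is that a NetworkManager plugin only needs the transitions ("home went down"), not the raw daemon state, and that one monitor covers every tunnel the single daemon is running.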