Firewall Wizards mailing list archives

Re: FreeS/WAN and PGPnet


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Wed, 13 Sep 2000 18:34:27 -0400

On Tue, Sep 12, 2000 at 02:39:10PM -0500, Simeon Johnston wrote:
> We have decided to put FreeS/WAN on the firewall instead of PoPToP on
> another machine inside the network.  This uses IPSec instead of PPTP and is
> supposed to be more secure.  I am wondering if anyone knows of any problems
> with this.  I have already compiled the kernel with IPSec and am going to
> test it out tonight.
>
> Any feedback about possible problems and/or possible solutions to the known
> problems would be helpful.

        The place to ask this is up on the Linux FreeSWAN IPSec list,
<linux-ipsec () clinet fi>.  There have been several recent discussions
on that list very recently that are very relevant to your query.

        As things stand right now, FreeSWAN 1.5 can be made to work with
PGPNet (as mentioned in your subject, even though you didn't say anything
in the message itself) with an add-on patch for X.509 support in FreeSWAN.

        The patches will also "almost" patch the latest FreeSWAN snapshots
with a little manual patching.

        There is at least one known problem with the configuration that
appears to be a bug in PGPNet.  If the X.509 certs are too big, the
Pluto (IKE) UDP packets get fragmented.  Linux sends out fragments
in reverse order (actually results in better reassembly performance)
but PGPNet doesn't seem to be able to handle that and the negotiation
fails.  Problem occurs with 1024 bit keys and really long X.509 subjects.
Relevant information is contained in the README file with the X.509 patch.

> thanks
>
> sim
>
> _______________________________________________
> Firewall-wizards mailing list
> Firewall-wizards () nfr net
> http://www.nfr.net/mailman/listinfo/firewall-wizards

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
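
The reply above describes a failure mode worth understanding beyond this one PGPNet bug: an IKE datagram that carries a large X.509 certificate exceeds the path MTU, gets split into IP fragments, and Linux may deliver those fragments last-first. The following is an added example written for this archive page, not code from the thread, FreeS/WAN or PGP; it assumes a 1500-byte Ethernet MTU with a 20-byte IPv4 header, and all function names and sample data are constructed for illustration. It shows (a) a quick estimate of whether a given UDP payload size will fragment at all, and (b) why a receiver must reassemble by fragment offset rather than by arrival order: the naive reassembler breaks on reverse-order delivery exactly as the text describes, while the offset-keyed one does not.

```python
"""Constructed demonstration of IKE/UDP fragmentation and order-independent
reassembly. Not part of the mailing-list thread; names and data are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

IPV4_HEADER = 20   # assumption: IPv4 without options
UDP_HEADER = 8
ETHERNET_MTU = 1500


def fragments_needed(udp_payload_len: int, mtu: int = ETHERNET_MTU) -> int:
    """Estimate how many IPv4 fragments a UDP datagram of this payload size needs.

    Every fragment but the last carries a multiple of 8 bytes, so the usable
    per-fragment size is (mtu - IP header) rounded down to a multiple of 8.
    A result of 1 means the datagram (e.g. an IKE packet with a small cert)
    goes out unfragmented.
    """
    per_frag = ((mtu - IPV4_HEADER) // 8) * 8          # 1480 for a 1500 MTU
    ip_payload = UDP_HEADER + udp_payload_len
    return -(-ip_payload // per_frag)                   # ceiling division


@dataclass
class Fragment:
    offset: int      # byte offset of this piece within the original datagram
    more: bool       # IP "more fragments" flag: True for all but the last
    payload: bytes


def fragment(datagram: bytes, per_frag: int = 1480) -> List[Fragment]:
    """Split a datagram into fragments of at most per_frag bytes (multiple of 8)."""
    frags = []
    for off in range(0, len(datagram), per_frag):
        chunk = datagram[off:off + per_frag]
        frags.append(Fragment(off, off + per_frag < len(datagram), chunk))
    return frags


def reassemble_in_order_only(frags: List[Fragment]) -> Optional[bytes]:
    """Naive receiver: assumes fragments arrive in offset order.

    This is the behaviour the thread attributes to PGPNet: reverse-order
    delivery makes it give up (returns None) even though nothing was lost.
    """
    buf = b""
    for f in frags:
        if f.offset != len(buf):
            return None      # arrival order did not match offsets: fail
        buf += f.payload
    return buf


def reassemble_by_offset(frags: List[Fragment]) -> Optional[bytes]:
    """Correct receiver: place each fragment by offset, accept any arrival order.

    Returns None only if a hole remains or the last fragment never arrived.
    """
    pieces: Dict[int, bytes] = {}
    total: Optional[int] = None
    for f in frags:
        pieces[f.offset] = f.payload
        if not f.more:
            total = f.offset + len(f.payload)   # last fragment fixes total size
    if total is None:
        return None
    buf = bytearray(total)
    covered = 0
    for off in sorted(pieces):
        if off != covered:
            return None      # gap between fragments
        buf[off:off + len(pieces[off])] = pieces[off]
        covered = off + len(pieces[off])
    return bytes(buf) if covered == total else None


if __name__ == "__main__":
    # Constructed stand-in for an IKE datagram carrying a large certificate.
    datagram = bytes(range(256)) * 12          # 3072 bytes
    print("fragments needed:", fragments_needed(len(datagram)))
    frags = fragment(datagram)
    reverse = list(reversed(frags))            # Linux-style last-fragment-first
    print("naive, reverse order :", reassemble_in_order_only(reverse) == datagram)
    print("by offset, reverse   :", reassemble_by_offset(reverse) == datagram)
```

In practice the mitigation on the FreeS/WAN side is to keep the IKE packet under the path MTU, which is why the README the reply points to talks about key size and subject length: `fragments_needed(len(cert_der) + isakmp_overhead)` returning more than 1 is the signal that a peer with the naive behaviour above will fail to negotiate.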

