Ease of setting up IPSEC

John Gilmore gnu at toad.com
Fri Oct 10 17:27:57 EDT 2003


Rich $alz said:
> it might be more useful to create a user-friendly management
> interface to IPsec implementations to join the zero or so already
> out there.  The difficulty in setting up any IPsec tunnel is what's
> been motivating the creation of (often insecure) non-IPsec VPN
> software, so what'd be a lot more helpful than (no offense, but) yet
> another SSL implementation is some means of making IPsec easier to
> use

Has anybody on this list tried setting up FreeS/WAN recently, by
following the Quick Start instructions?  It's pretty simple.

We've been making it simpler in just about every release.  Now you
basically have to download the RPM, install it, it spits out a public
key, and you install that public key in your DNS in-addr records.  Then
the software automatically brings up VPN tunnels on demand, to any
other machine that's done the same thing.

A lot of the hair in other IPSEC implementations comes from having to
set up and transport keys, to sign things with X.509 certs and check
the signatures, to figure out what subnets are protected with which
keys, etc.  We push those jobs into the DNS, so it gets done once, and
then every node on the network can just look up the answer.

	John

PS:  Yes, this approach has issues:  but ease of setup shouldn't be one
of them.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
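
The DNS lookup step described in the message above, as an added Python example that is not part of the original post or FreeS/WAN code: it derives the reverse-DNS name for a peer and picks a gateway and RSA key from that name's TXT records. The `X-IPsec-Server(pref)=gateway key` layout, lowest-preference-wins ordering, and RFC 3110 key encoding are assumptions about FreeS/WAN 2.x records; the TXT strings are constructed and passed in, with no DNS query made.

```python
import base64
import ipaddress
import re

# Assumed layout: "X-IPsec-Server(<preference>)=<gateway> <base64 RSA key>"
TXT_RE = re.compile(r"^X-IPsec-Server\((\d+)\)=(\S+)\s+(\S+)$")

def reverse_name(ip):
    """Name in the reverse (in-addr.arpa / ip6.arpa) tree that holds the peer's key."""
    return ipaddress.ip_address(ip).reverse_pointer

def decode_rsa_key(b64):
    """Decode an RFC 3110 RSA public key blob into (exponent, modulus)."""
    raw = base64.b64decode(b64, validate=True)  # raises ValueError on bad base64
    if not raw:
        raise ValueError("empty RSA key blob")
    elen, off = raw[0], 1
    if elen == 0:  # long form: next two bytes carry the exponent length
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    exp, mod = raw[off:off + elen], raw[off + elen:]
    if elen == 0 or len(exp) != elen or not mod:
        raise ValueError("truncated RSA key blob")
    return int.from_bytes(exp, "big"), int.from_bytes(mod, "big")

def select_gateway(txt_records):
    """Return (gateway, exponent, modulus) from the lowest-preference valid record."""
    best = None
    for txt in txt_records:
        m = TXT_RE.match(txt.strip())
        if not m:
            continue  # unrelated TXT data sharing the same name
        try:
            exp, mod = decode_rsa_key(m.group(3))
        except ValueError:
            continue  # malformed key: skip it rather than trust it
        if best is None or int(m.group(1)) < best[0]:
            best = (int(m.group(1)), m.group(2), exp, mod)
    return best[1:] if best else None

# Constructed sample data: a 16-byte modulus is far too short for a real key.
SAMPLE_KEY = base64.b64encode(bytes([1, 3]) + bytes.fromhex("c5" * 16)).decode()
SAMPLE_TXT = [
    "v=spf1 -all",
    f"X-IPsec-Server(20)=192.0.2.1 {SAMPLE_KEY}",
    f"X-IPsec-Server(10)=192.0.2.11 {SAMPLE_KEY}",
    "X-IPsec-Server(5)=192.0.2.99 AQ==",  # key blob cut off after one byte
]

if __name__ == "__main__":
    print(reverse_name("192.0.2.11"), select_gateway(SAMPLE_TXT))
```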


