
Re: [Design] Re: [Users] multiple ipsec.secrets entries

From: Andreas Steffen <andreas.steffen(at)strongsec.net>
Date: Fri Feb 28 2003 - 06:33:57 EST

Paul Wouters wrote:
> On Fri, 28 Feb 2003, Andreas Steffen wrote:

>>Certificate based connections always find the correct
>>private key in ipsec.secret because a link to the
>>certificate loaded via the leftcert command is maintained in
>>the connection description which allows to match the public
>>key contained in the certificate to the public key in the
>>private key representation.

>
>
> I don't think this is always true. The case that Ken and me

This cannot be true. If roadwarrior connection definitions exist, FreeS/WAN as a responder will first try these before falling back to opportunistic mode. Can you provide a barf?

> 3) opportunistic encryption failed, road warrior doesn't support it

Actually this has nothing to do with the selection of private keys but rather with the simultaneous interaction of opportunistic mode and "normal" roadwarrior connections.

> I might be wrong in the inner workings of Pluto, but the OE connection

Again, please provide a barf.

>

>>- Although not mandatory, the local public key can be defined
>>   in connections based on raw RSA keys by using the leftrsasigkey
>>   parameter. Since X.509-1.1.6 for freeswan-2.00 already supports
>>   both X.509 and OpenPGP certificates, as a third class, a link to
>>   the raw public key could be created in the connection description
>>   which would allow the private key to be found in ipsec.secrets
>>   irrespective of its position in the list.

>
>
> We started experimenting with this, but didn't finish it so far. What
>>This would also introduce
>>   support of multiple RSA private keys in roadwarrior connections based
>>   on raw RSA public keys. I could implement this feature within
>>   the next month but for freeswan-2.00, only.

>
>
> I'll leave those decisions up to the people involved. I'm just a volunteer :)
Do you need help?

Regards

Andreas


Andreas Steffen                   e-mail: andreas.steffen@strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===




Design mailing list
Design@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/design Received on Fri Feb 28 19:15:26 2003
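
Added example, not part of the original message and not FreeS/WAN or Pluto code: a simplified model of the lookup described in the message, where the private key is found by matching its public part against the public key linked to the connection, irrespective of its position in the list. The key material, `SECRETS`, `CONN_PUBKEY` and all function names are constructed for illustration, the toy RSA has no padding, and the position-based baseline is an assumption about how a list-order lookup would behave.

```python
# Added illustration, not FreeS/WAN/Pluto code. Toy RSA (tiny primes, no
# padding) is used only to make the effect of key selection observable.
from dataclasses import dataclass

@dataclass(frozen=True)
class RsaPrivate:
    n: int
    e: int
    d: int

    def public(self):
        return (self.n, self.e)

def make_key(p, q, e=17):
    # Constructed sample key built from two small primes.
    return RsaPrivate(p * q, e, pow(e, -1, (p - 1) * (q - 1)))

def select_by_position(secrets):
    # Assumed baseline: whichever RSA entry happens to come first.
    return secrets[0]

def select_by_public_key(secrets, conn_pubkey):
    # Modelled proposal: follow the connection's link to its public key and
    # return the private key whose public part is identical.
    for key in secrets:
        if key.public() == conn_pubkey:
            return key
    raise LookupError("no private key matches the connection's public key")

def sign(digest, key):
    return pow(digest, key.d, key.n)

def verify(digest, signature, pubkey):
    n, e = pubkey
    return pow(signature, e, n) == digest % n

# Constructed stand-in for an ipsec.secrets file with two RSA private keys.
KEY_A = make_key(61, 53)
KEY_B = make_key(89, 97)
SECRETS = [KEY_A, KEY_B]
# Constructed connection whose configured public key is KEY_B's.
CONN_PUBKEY = KEY_B.public()

def peer_accepts(selected, digest=2):
    # The peer checks the signature with the connection's public key.
    return verify(digest, sign(digest, selected), CONN_PUBKEY)

if __name__ == "__main__":
    print("by position:  ", peer_accepts(select_by_position(SECRETS)))
    print("by public key:", peer_accepts(select_by_public_key(SECRETS, CONN_PUBKEY)))
```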

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:32 EDT

