Re: [Design] IPSec in 2.5 Kernel?

On Thu, 20 Mar 2003, I wrote:
>
> >I get 5 hits (none useful) from:

On 03/20/2003 02:02 PM, Jim Carter wrote:
>

> I got burned on this too. Try calling it "racoon". I couldn't tell on > their web site why they misspelled the name -- acronym?

Good point -- but changing the spelling doesn't change my conclusions.

I get 26 hits from

   http://www.google.com/search?q=racoon+vpn+dhcp+documentation

One of them looked like it might be useful

   http://www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO.html

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

but in fact does not explain how to use KAME to set up a VPN with any semblance of security when the peer is using dynamic addresses (DHCP).

I'm not trying to kindle a flame war. I'm just asking a question. Does anybody know how to use KAME to set up a secure VPN of the ordinary kind detailed in the previous msg?

> "My module takes 4KB per connection" is more useful than > "your module won't scale".

You mean like this?
http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/performance.html

> And also important in such an analysis is the impact on the sysop,
> typically the clueless end user.

Yes!!!!

Also go through the life cycle for the not-quite clueless netadmin who's got N=200 or N=2000 IPsec endpoints. Make sure

1. There are no workloads that grow faster than linear in N.
2. The coefficient of the linear term is small.

I'm talking about manual workloads here. Work done by computers almost doesn't count, because computers are really fast.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

> Or can we
> set it up similar to wireless networking, so (with the right tools,
> presetting the WEP key, etc.)

We should strive to do muuuuuch better than that.

Setting up WEP features is beyond the ability of most people who buy wireless equipment.

I base this assertion on data (so far unpublished AFAIK) acquired by driving around in metropolitan areas scanning for 802.11 signals and observing the level of security.