Re: [Users] Can freeswan initiate connections automatically?

John,

So, are you saying that in the linux-to-cisco direction, I could use OE to accomplish this? I sort of ignored OE because it seemed to me that it would only work between freeswan boxes, maybe then this is not the case at all.

If what you are saying is correct, about being able to work with freeswan at
one end and something else at the other, then I need to look further into this OE capability. If I use preshared keys (for IKE) then I'm not sure why
keying material needs to come from DNS, and why this needs to happen in order for OE to take place, but I need to read more about OE.

Does OE work with transport mode as well as tunnel mode?

Thanks much,

John

                                                                                                      
                    "John S.                                                                          
                    Denker"              To:     "John J. Haluska"            
                                    Haluska/Telcordia)                                           
                                         Subject:     Re: [Users] Can freeswan initiate connections   
                    03/27/03             automatically?                                               
                    09:43 AM                                                                          
                                                                                                      
                                                                                                      

On 03/27/2003 08:31 AM, John J. Haluska wrote: >
> I have Cisco access routers talking to Linux boxes,

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

How many such boxes?

> it's important to what I'm doing that the tunnels be set up at the

Why is this important?

Unless you've got a huuuuge number of Cisco boxes, you will get better performance if you nail up the connections in advance.

> My reading of the docs is that OE only works

OE does not require freeswan at both ends. Assuming you've got freeswan at "this" end, all you need is rfc-compliant IPsec at the far end, plus (!) control of the reverse DNS for the wild-side address of the far end.

The OE initiator obviously needs a database of keying material, and right now the only type of database supported by freeswan is DNS. If (against repeated advice) you insist on using on-demand connections, and you can't get proper control of the reverse DNS, you can run named(8) on each freeswan box and brutally take control (locally) of the relevant reverse DNS entries.