
Re: IPSec configuration (was: Fedora Core 2 wishlists)



On Mon, 2003-12-08 at 10:38, Michael K. Johnson wrote:
> On Mon, Dec 08, 2003 at 05:31:27PM +0000, Keith Sharp wrote:
> > 1) IPSEC kernel support.  I am assuming we will get this as part of the
> > move to 2.6.
> 
> Yes.
> 
> > 2) IPSEC user space daemons and tools.
> 
> Yeah, we already packaged them for RHEL3.

racoon. Uggh.

As a user and an administrator of a variety of production systems' IKE
daemons ranging from racoon, isakmpd, Solaris 8/9 IKE, FreeSWAN, and
SuperFreeSWAN, I can comment that I've found all but SuperFreeSWAN
sorely lacking.

I don't do the John Gilmore opportunistic encryption (OE)
save-the-free-world stuff (although I respect that, and the idea is
cool), I just use SuperFreeSWAN as:

* An IPsec VPN concentrator
* An IPsec client on road-warrior Linux laptops
* An IPsec client for LAN-LAN

The critical features of the IKE daemon are:

* Ability to be configured as VPN concentrator supporting both road 
warriors and remote LANs as well as transport mode (aka host-to-host)
all at the same time.
* X.509 certificate support
* Virtual-IP support for a consistent inner IP address in ESP packets. This
allows no-headache IPsec through non-brain-dead NATing routers/firewalls
without resorting to the following.
* NAT-T (a la ESP-over-UDP) for IPsec through brain-dead NATing
routers/firewalls.

The other nice features are:

* AES support
* Notify/Delete SA (for Cisco interop)

SuperFreeSWAN's IKE daemon (pluto) gets you all the above and can sit on
top of the native 2.6 kernel IPsec.

Dax Kelson
Guru Labs



