 From:  Manuel Kasper <mk at neon1 dot net>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] isakmpd - no joy...
 Date:  Wed, 14 Jan 2004 22:21:23 +0100
On 14.01.2004, at 21:15, Manuel Kasper wrote:

> It all boils down to this: we can make dynamic IPsec work, but all 
> clients with dynamic IP addresses will have to use the same P1/P2 
> settings and - sad but true - the same shared secret.

Forget what I said. With the latest racoon, I have been successful in 
specifying pre-shared keys with e-mail addresses (a.k.a. USER_FQDN) as 
well as domain names (a.k.a. FQDN) as the identifier. I used the 
SafeNet SoftRemoteLT client for my test, which is commonly seen on 
Windows machines for mobile user VPN. So - woohoo! - we can actually 
have different PSKs. Now all mobile clients just need to share the same 
P1 proposal, but who cares, people are probably going to use the same 
encryption algorithms etc. for all clients anyway. The only thing that 
is a bit ugly is that you can enter whatever you want on the client for 
the remote identifier - it will be used in the policy that racoon 
generates, so you'll have to trust your clients. Well, that's pretty 
much a requirement if you use VPN anyway. ;)

I'll implement this in m0n0wall and release a new version as time 
permits. I guess I'm going to add a new IPsec user management page 
where entries consisting of an identifier (e-mail or FQDN) and a PSK 
can be managed. I don't think there's a need to change the existing 
support for static IP address tunnels.

On a side note, I also tried OpenVPN on a net4801 (!). Performance is 
unfortunately terrible: less than 2 Mbps throughput (with Blowfish, 
static key). Userland strikes back...

- Manuel
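The racoon setup the message describes (one anonymous remote block for all mobile clients, with per-client pre-shared keys keyed on USER_FQDN or FQDN identifiers), written out by the editor as an added example. It is not Manuel's configuration and not what m0n0wall generates; the file paths, the gateway identity, the client identifiers, the secrets and the proposal algorithms are all assumptions.

```conf
# /etc/racoon/racoon.conf  (assumed path)
# One "anonymous" remote block covers every mobile client, since their
# source addresses are not known in advance. Aggressive mode is needed
# here: with main mode + PSK the responder would have to select the key
# from the peer's IP address, before the identity payload is ever seen.
path pre_shared_key "/etc/racoon/psk.txt";

remote anonymous {
        exchange_mode aggressive;
        passive on;              # only answer, never initiate
        generate_policy on;      # build the SPD entry from what the client proposes
        proposal_check obey;     # accept the client's lifetime/PFS settings
        my_identifier fqdn "vpn.example.net";   # assumed gateway identity
        lifetime time 8 hour;
        proposal {               # the single P1 proposal all mobile clients must share
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des, blowfish;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

# /etc/racoon/psk.txt  (assumed path; one "identifier  key" pair per line)
# racoon looks the ID payload the client sent up in the first column, so a
# USER_FQDN (e-mail) client and an FQDN client each get their own secret.
# Keep the file mode 0600: racoon refuses to load it when group or others
# can read it.
alice@example.com       assumed-secret-for-alice
laptop.example.com      assumed-secret-for-the-laptop
```

Two things to keep in mind with this layout. First, `generate_policy on` is exactly the behaviour the message calls ugly: the identifiers and networks the client proposes in phase 2 become the SPD entry on the gateway, so the PSK only proves the client is who it claims to be, not that its proposed policy is sensible. Second, aggressive mode sends the identity in the clear and lets a passive observer capture a hash derived from the PSK and try guesses offline, so each entry in psk.txt should be a long random secret rather than a memorable password.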