On 14.01.2004, at 21:15, Manuel Kasper wrote:
> It all boils down to this: we can make dynamic IPsec work, but all
> clients with dynamic IP addresses will have to use the same P1/P2
> settings and - sad but true - the same shared secret.
Forget what I said. With the latest racoon, I have been successful in
specifying pre-shared keys with e-mail addresses (a.k.a. USER_FQDN) as
well as domain names (a.k.a. FQDN) as the identifier. I used the
SafeNet SoftRemoteLT client for my test, which is commonly seen on
Windows machines for mobile user VPN. So - woohoo! - we can actually
have different PSKs. Now all mobile clients just need to share the same
P1 proposal, but who cares, people are probably going to use the same
encryption algorithms etc. for all clients anyway. The only thing that
is a bit ugly is that you can enter whatever you want on the client for
the remote identifier - it will be used in the policy that racoon
generates, so you'll have to trust your clients. Well, that's pretty
much a requirement if you use VPN anyway. ;)
I'll implement this in m0n0wall and release a new version as time
permits. I guess I'm going to add a new IPsec user management page
where entries consisting of an identifier (e-mail or FQDN) and a PSK
can be managed. I don't think there's a need to change the existing
support for static IP address tunnels.
On a side note, I also tried OpenVPN on a net4801 (!). Performance is
unfortunately terrible: less than 2 Mbps throughput (with Blowfish,
static key). Userland strikes back...
- Manuel
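For readers who want to see what the per-identifier PSK setup described in the message looks like in racoon's own syntax, here is a worked configuration. It is added here as an illustration and is not part of the original message, nor the configuration that m0n0wall generates; the gateway address, file paths, identifiers and keys are all assumptions, and the key values are constructed placeholders.

```conf
# --- /usr/local/etc/racoon/psk.txt (assumed path; must be mode 0600, owned by root) ---
# One entry per client: identifier, whitespace, pre-shared key. Everything after
# the first run of whitespace is the key, so do not put comments on entry lines.
# For USER_FQDN the identifier is the e-mail address, for FQDN the host name,
# exactly as the client sends it in its ID payload. Key values are made up.
alice@example.com          k3Jx7qPz2dLm9vRbT0yWc8Hn
laptop.example.com         Qd5Lp2Vn9sKr4Xb1Ma7Yt6Ez
# A static-IP peer keeps using its address as the identifier (assumed address)
203.0.113.5                Zu8Fc1Gw4Nq6Hv3Sj9Tk2Pm5

# --- /usr/local/etc/racoon/racoon.conf (assumed path) ---
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# One "remote anonymous" block serves every client with a dynamic address.
# Aggressive mode is required for this to work: in main mode the peer's ID only
# arrives in the encrypted fifth message, by which time racoon would already
# have needed the PSK (it derives the encryption keys from it), so the only
# key it could look up would be one tied to the peer's address.
remote anonymous {
        exchange_mode aggressive;
        my_identifier address 192.0.2.1;        # assumed public address of the gateway
        passive on;                             # answer only, never initiate
        generate_policy on;                     # build the SPD entry from the ID the
                                                # client proposes in phase 2 (trusts the client)
        proposal_check obey;                    # accept the client's lifetime / PFS choices
        proposal {
                # single P1 proposal shared by all mobile clients
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        encryption_algorithm 3des, aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        pfs_group 2;
}
```

Two things worth keeping in mind with this layout. `generate_policy on` is what makes the "enter whatever you want as the remote identifier" caveat real: the phase 2 ID the client sends becomes the policy racoon installs, so a client that authenticated as alice@example.com can ask for traffic selectors you did not intend. And aggressive mode transmits the PSK-derived authentication hash before any encryption is in place, so the per-client keys should be long, random strings rather than memorable passphrases, and every entry in psk.txt should be unique so that revoking one client does not affect the others.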