
List:       strongswan-users
Subject:    [strongSwan] new to this -s-wan
From:       matti.christensen () pp ! inet ! fi (matti christensen)
Date:       2004-12-09 23:19:10
Message-ID: 41B8CF59.3050708 () pp ! inet ! fi

Sirs !

I've been using super-free-s-wan with your patch, and then open-s-wan 
recently, just because I have not been aware of this project.

I need Linux ipsec because of my work - I'll try to explain in a short way;

- the company I'm working for produces an access control and worktime 
calculation system, sells it and other security-related systems - like 
burglar alarms, fire alarms, video surveillance... - for large companies 
( on a Nordic-countries scale )

- in the access control system there is one component that needs Linux 
ipsec at the moment ( hope there will be more ) as the system is also 
sold as a service ( more and more like that recently ) - meaning that the 
customer company has only the field devices of the access control / 
worktime calculation system, and the server is owned and administered 
by us --- a special tiny PC with a minimalistic Linux on a disk-on-chip 
doing protocol conversion from our proprietary field device network to 
tcp/ip - it goes like this;

[proprietary field device network]----[Linux box doing protocol conversion to tcp/ip]=====ipsec====[server]

- so it's transport-mode ipsec at the present moment, with the server having 
another kind of software ipsec on it - but in the future we need to use 
separate ipsec routers on the server side

- I have cooked up the Linux installation and would like to develop it 
further;

---- have had to use PSK for authentication for now because of several 
reasons - lack of time being the most important

---- we have our own CA system used for many things and I would like to 
use that for all authentication - would it be possible to find a way of 
enrolling certificates to the Linux box using SCEP ? ( CRLs are 
published using LDAP and that appears ok )

---- free-s-wan and open-s-wan assume all users have a RedHat-type 
system, which I use only if someone makes me, using a shotgun or similar - 
hope the situation is not the same with strongswan ?! ( there is no 
documentation of dependencies on those projects, so I had to do a lot of 
tinkering to find out which binaries and stuff they need outside the 
ipsec code, like logger etc. - they write scripts to /etc/rc.d/init.d, 
which my environment does not even have - and so on..... ) ( my platform 
is minimalistic, and also the platform used for 'development' of the 
system - take a look at Core Linux or LFS - I need to do things the hard 
way to understand what I'm doing = RH has understood the phrase 
'keep-IT-simple' all wrong ! )

---- I would like to find a bible explaining every possible keyword of 
ipsec.conf to fully administrate all the different situations of usage one 
may imagine ( they come up one day ! )

---- one of the most difficult issues is NAT; many customers would like 
to set the box on a NATed LAN - but as far as I know there is no way of 
initiating the connection from the box in that situation ( our server or 
future ipsec router is located outside the private LAN of course - it is 
able to receive NAT-T and has a public IP )


these were my thoughts for today - I'm sure there is going to be more - 
thanks for your comments in advance and sorry for my poor English !


-- 

Please answer to mattic@iki.fi  !!

/mc
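As an added example (not part of the post above and not configuration from the strongSwan project), here is how the transport-mode link the poster describes could be written in a strongSwan 2.x-style ipsec.conf, moving from PSK (authby=secret) to certificate authentication against the company CA and enabling IKEv1 NAT traversal so that the box can initiate from a NATed LAN. Every hostname, address, DN, certificate file name and LDAP URI is a placeholder; the ca-section keywords (cacert, crluri, auto) are assumed to be available in the strongSwan release in use and should be checked against its ipsec.conf man page.

```conf
# Added example, not from the original post: strongSwan 2.x-style ipsec.conf
# for the field-device box <-> server link. Names, addresses, DNs and URIs
# are placeholders.

config setup
        interfaces=%defaultroute
        # IKEv1 NAT traversal (RFC 3947/3948): lets a box on a NATed LAN
        # initiate to the public server/gateway using UDP-encapsulated ESP.
        nat_traversal=yes
        # Certificate authentication: fail closed if a peer's CRL cannot be
        # obtained, and re-fetch CRLs from the CA's LDAP server regularly.
        strictcrlpolicy=yes
        crlcheckinterval=600
        cachecrls=yes
        plutodebug=none

# The company CA; the CRL is published via LDAP (placeholder URI).
ca companyca
        cacert=companyCA.pem
        crluri="ldap://ldap.example.invalid/cn=crl,o=example?certificateRevocationList"
        auto=add

conn %default
        keyingtries=%forever
        ikelifetime=8h
        keylife=1h
        # rsasig replaces authby=secret once both sides hold certificates
        # issued by the company CA.
        authby=rsasig

# Transport-mode SA between the protocol-conversion box (left) and the
# server or future IPsec router (right).
conn fieldbox-server
        type=transport
        left=%defaultroute
        leftcert=fieldboxCert.pem
        leftid="C=FI, O=Example Company, CN=fieldbox01"
        right=203.0.113.10
        rightid="C=FI, O=Example Company, CN=ipsec-gw"
        pfs=yes
        # The box always initiates, so nothing on the server side ever has
        # to reach into the customer's private LAN.
        auto=start
```

Two caveats for this layout: strictcrlpolicy=yes means the link will not come up while the LDAP CRL is unreachable, so the CRL fetch path must be as available as the gateway itself; and transport mode through NAT is the harder case for IKEv1 NAT-T, while tunnel mode with NAT-T is the combination the RFCs and implementations of that era handle most reliably, so it is worth confirming in the daemon's status output that the NAT was detected and UDP encapsulation negotiated before relying on it at a customer site.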

