List: strongswan-users
Subject: [strongSwan] new to this -s-wan
From: matti.christensen () pp ! inet ! fi (matti christensen)
Date: 2004-12-09 23:19:10
Message-ID: 41B8CF59.3050708 () pp ! inet ! fi
Sirs !
i've been using super-free-s-wan with your patch, and then open-s-wan
recently, just because i have not been aware of this project.
i need Linux ipsec because of my work - i'll try to explain in a short way:
- the company i'm working for produces an access control and worktime
calculation system, sells it and other security-related systems - like
burglar alarms, fire alarms, video surveillance... - for large companies
( on a Nordic-countries scale )
- in the access control system there is one component that needs Linux
ipsec at the moment ( hope there will be more ) as the system is also
sold as a service ( more and more like that recently ) - meaning that the
Customer company has only the field devices of the access control /
worktime calculation system, and the server is owned and administered
by us --- a special tiny pc with a minimalistic Linux on a disk-on-chip
doing protocol conversion from our proprietary field device network to
tcp/ip - it goes like this:
[proprietary field device network]----------[Linux box doing protocol conversion to tcp/ip]=======ipsec====[server]
- so it's transport mode ipsec at the present moment with the server having
another kind of software ipsec on it - but in the future we need to use
separate ipsec routers on the server side
- i have cooked up the Linux installation and would like to develop it
further:
---- have had to use PSK for authentication for now because of several
reasons - lack of time being the most important
---- we have our own CA system used for many things and i would like to
use that for all authentication - would it be possible to find a way of
enrolling certificates to the Linux box using SCEP ? ( CRLs are
published using LDAP and that appears ok )
---- free-s-wan and open-s-wan assume all users have a RedHat-type
system, which i use if someone makes me, using a shotgun or similar -
hope the situation is not the same with strongswan ?! ( there is no
document of dependencies on those projects, so i had to do a lot of
tinkering to find out which binaries and stuff they need outside the
ipsec code, like logger etc. - they write scripts to /etc/rc.d/init.d
which my environment does not even have - and so on..... ) ( my platform
is minimalistic, and also the platform used for 'development' of the
system - take a look at Core Linux or LFS - i need to do things the hard
way to understand what i'm doing = RH has understood the phrase
'keep-IT-simple' all wrong ! )
---- i would like to find a bible explaining every possible keyword of
ipsec.conf to fully administrate all different situations of usage one
may imagine ( they come up one day ! )
---- one of the most difficult issues is NAT; many customers would like
to set the box on a natted LAN - but as far as i know there is no way of
initiating the connection from the box in that situation ( our server or
future ipsec router is located outside the private LAN of course - it is
able to receive NAT-T and has public IP )
these were my thoughts for today - i'm sure there is going to be more -
thanks for your comments in advance and sorry for my poor English !
--
Please answer to mattic@iki.fi !!
/mc
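As an added illustration (not from the post or from the strongSwan project), this is what the set-up described above could look like in strongSwan 2.x ipsec.conf syntax: the box behind the customer's NAT initiates a transport-mode connection to the server, with the current PSK connection beside a certificate-based one using the company CA. The server address, DNs and file names are assumed.

```conf
# /etc/ipsec.conf on the Linux box (added example; all addresses and DNs are assumed)
config setup
        # the box sits on a NATed LAN and initiates; UDP encapsulation
        # (NAT-T) is negotiated when a NAT is detected on the path
        nat_traversal=yes
        # re-fetch CRLs every 2 h and refuse peers whose CRL is missing or stale
        crlcheckinterval=7200
        strictcrlpolicy=yes

conn %default
        keyingtries=%forever
        # the box only knows its own address via its default route
        left=%defaultroute
        # server / future ipsec router: fixed public address (assumed)
        right=203.0.113.10
        # host-to-host, as in the current installation
        type=transport

# 1) what is used today: pre-shared key (the PSK itself lives in ipsec.secrets)
conn server-psk
        authby=secret
        auto=start

# 2) certificate authentication against the company CA (assumed DNs);
#    switch to auto=start and disable server-psk once the box certificate is enrolled
conn server-cert
        authby=rsasig
        leftcert=boxCert.pem            # /etc/ipsec.d/certs/boxCert.pem
        leftid="C=FI, O=Example Oy, CN=box-0001"
        rightid="C=FI, O=Example Oy, CN=server"
        # accept only peers whose certificate was issued by our own CA
        rightca="C=FI, O=Example Oy, CN=Example CA"
        auto=add
```

The matching /etc/ipsec.secrets carries either a `: PSK "..."` line or `: RSA boxKey.pem` for the private key; the CRL is fetched from the CRL distribution point in the certificates, which can be the LDAP URI the post mentions when strongSwan is built with LDAP support.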