Hello,

I don't know if this will help you, but

"When passive is specified, isakmpd(8) will not immediately start
negotiation of this tunnel, but wait for an incoming request from the
remote peer."

You can write a program that initializes the connection, transmits your
data and finishes it.

I have something similar, but I use zebedee, for which OpenBSD has a
package. I wrote a tool that connects, sends data and disconnects.

This is only an idea.

Cheers,


2011/4/13 Shane Lazarus <shane.laza...@pobox.com>

> Heya
>
> On Thu, Apr 14, 2011 at 3:09 AM, Scott McEachern <sc...@blackstaff.ca> wrote:
>
> > On 04/13/11 09:38, Randal L. Schwartz wrote:
> >
> >> "Scott" == Scott McEachern <sc...@blackstaff.ca> writes:
> >>
> >> Scott> It's called "port knocking". Google is your friend here.
> >>
> >> And if you recommend or use port knocking, you're an amateur at crypto.
> >> If adding 8 sniffable bits to your effective key length makes you
> >> significantly more secure, you've lost the game already.
> >>
> >>
> > I'm not advocating it, but it is what he's asking about.
> >
> > I should have added "This is not a good idea", but I was hoping he'd
> > figure that out by reading about it.
> >
> > Nemir, you might want to go back and find out exactly what problem the
> > bank is trying to solve with their idea.
> >
> >
> Actually from what I read in his email, it isn't Port knocking he is after.
>
> What the Bank likely wants is to not have any n+ client(s) out of however
> many maintaining a permanent VPN through their infrastructure, thereby
> leading to a potential DoS for their other clients.
> ( based on several appliances having hardware / licensing limitations on
> how many concurrently active VPNs are running at once )
>
> Thus what the Bank would like is for the VPN connection to be torn down
> after the relevant data is transmitted.
>
> And no, I don't see a "disconnect" option after a brief read of the IPSEC
> man pages either.
>
> Shane
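One way to put the "passive on the bank side, connect / send / disconnect on the client side" idea above into practice with OpenBSD's isakmpd(8), ipsecctl(8) and ipsec.conf(5). This is an added example, not code from anyone in the thread; the addresses, the `/etc/ipsec.conf` path being writable by this script, and the transfer command are constructed assumptions, and isakmpd is assumed to already be running (for example with `isakmpd -K`).

```shell
#!/bin/sh
# Added example: bring an IPsec tunnel up only for the duration of one
# transfer, then tear it down so the bank gateway is not holding an SA
# for an idle client. All addresses are constructed placeholders.

BANK_GW="192.0.2.1"          # assumed bank VPN gateway
BANK_NET="192.0.2.0/24"      # assumed network behind it
CLIENT_GW="198.51.100.7"     # assumed client public address
CLIENT_NET="198.51.100.7/32" # the client host itself
CONF="/etc/ipsec.conf"       # assumed to be writable by this script

# Bank side: "passive" makes isakmpd wait for the client's request
# instead of negotiating on its own, so no tunnel exists until a
# client actually has data to send.
bank_ipsec_conf() {
    cat <<EOF
ike passive esp from $BANK_NET to $CLIENT_NET peer $CLIENT_GW
EOF
}

# Client side: the default (active) mode negotiates as soon as the
# rule is loaded, which is the "initialize the connection" step.
client_ipsec_conf() {
    cat <<EOF
ike esp from $CLIENT_NET to $BANK_NET peer $BANK_GW
EOF
}

# Poll until isakmpd has installed an SA towards the bank gateway,
# or give up after 30 seconds. ipsecctl -s sa lists the SAD with
# the peer addresses in each line.
wait_for_sa() {
    tries=0
    while [ "$tries" -lt 30 ]; do
        if ipsecctl -s sa | grep -q "$BANK_GW"; then
            return 0
        fi
        tries=$((tries + 1))
        sleep 1
    done
    return 1
}

# Load the client rule, wait for the SA, run the transfer command given
# as arguments (e.g. scp of a file to a host inside the bank network),
# then flush the SAD/SPD so the tunnel does not linger.
run_transfer() {
    client_ipsec_conf > "$CONF"
    ipsecctl -f "$CONF" || return 1
    if ! wait_for_sa; then
        echo "no SA towards $BANK_GW established, giving up" >&2
        ipsecctl -F
        return 1
    fi
    "$@"
    rc=$?
    # -F flushes *everything* in the SAD and SPD. That is fine on a
    # dedicated uplink host but would also drop any other tunnel this
    # machine has, so on a shared box delete only this rule instead.
    ipsecctl -F
    return $rc
}

case "${1:-}" in
    --run)         shift; run_transfer "$@" ;;
    --show-bank)   bank_ipsec_conf ;;
    --show-client) client_ipsec_conf ;;
esac
```

Run as `sh tunnel_once.sh --run scp report.csv upload@192.0.2.10:` (hypothetical file and host) on the client; `--show-bank` prints the rule the bank side would load. The tunnel only exists between the `ipsecctl -f` and the final `ipsecctl -F`, which is the disconnect the quoted reader could not find in the man pages: it is done from the ipsecctl side, not from a keyword in ipsec.conf.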
