Michael Leone wrote:
Lynn Avants said:
the 509 package if you are not using certs, the 509 package probably
will not work with PSKs. --
It won't? Shoot. I do want to move to using certs, both between my Pix and
for any remote clients to my Bering box that I may have in future. But at
the moment, I have PSKs to my Pix. I'd hate to have to redo all my configs
when I do move to certs.

Ah, well. I do still have all the keys and certs and all on my main Linux
box; I suppose it won't be too bad to move them again later. I'll load up
the ipsec instead of the ipsec509, and see where it takes me.
I am unaware of any issue that would prevent you from continuing to use PSKs after switching to the 509 version of FreeS/WAN. As far as I know, PSKs work identically between the "plain" and x.509 patched versions.

What *DOES* change, however, is how RSA signature keys are handled. If you have multiple "road-warrior" clients running RSA encryption and migrate to the x.509 patched version, you will have to migrate your road-warriors to x.509 certs as well. I believe this has to do with the difficulty of identifying dynamic-IP connections at authentication time, prior to an encrypted tunnel being set up.

Connections between two ends with static IPs can authenticate with anything (certs, RSA keys, or PSKs) without issue. Since full connection specifications for these tunnels are available throughout the authentication process, there are no "chicken and egg" problems trying to figure out who you're talking to, and which connection description to use.

--
Charles Steinkuehler
[EMAIL PROTECTED]
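To make the static-IP versus road-warrior distinction concrete, here is an added example (not from the thread, and not a config from either poster) of a FreeS/WAN ipsec.conf on the x.509-patched build carrying both kinds of tunnel, plus the matching ipsec.secrets lines. All addresses, subnets, file names, the PSK and the CA DN are constructed placeholders; the keywords leftcert, rightca and the %cert value are the ones the x.509 patch adds.

```ini
# /etc/ipsec.conf  (FreeS/WAN with the x.509 patch) -- constructed example
config setup
        interfaces=%defaultroute

conn %default
        keyingtries=0

# Static-to-static tunnel (Bering box <-> PIX): both peer addresses are
# fixed, so the PSK can be looked up by address before any identity is
# exchanged. authby=secret behaves the same with or without the x.509 patch.
conn bering-pix
        left=192.0.2.10                 # Bering box (placeholder address)
        leftsubnet=10.1.0.0/24          # placeholder LAN behind Bering
        right=198.51.100.20             # PIX (placeholder address)
        rightsubnet=10.2.0.0/24         # placeholder LAN behind the PIX
        authby=secret                   # pre-shared key, see ipsec.secrets below
        auto=start

# Road-warrior tunnel: right=%any means the peer's address is unknown until
# it connects, so the peer is identified by the DN in the certificate it
# presents rather than by address. This is the case where the patched build
# expects certs instead of per-client raw RSA keys.
conn roadwarrior
        left=192.0.2.10
        leftsubnet=10.1.0.0/24
        leftcert=bering.pem             # Bering's own cert in /etc/ipsec.d/certs
        leftrsasigkey=%cert             # sign with the key matching that cert
        right=%any                      # any address; identity comes from the cert
        rightrsasigkey=%cert            # take the peer's public key from its cert
        rightca="C=US, O=Example, CN=Example CA"   # accept only certs from this CA (placeholder DN)
        authby=rsasig
        auto=add                        # wait for the client to initiate

# /etc/ipsec.secrets -- constructed example
# PSK is keyed by the two static addresses; one RSA private key serves
# the certificate-based connection.
# 192.0.2.10 198.51.100.20 : PSK "placeholder-psk-change-me"
# : RSA bering.key "placeholder-passphrase"
```

The PSK conn keeps working unchanged after the upgrade; only the road-warrior conn needs cert material, which is the migration Charles describes.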

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html