Dan Williams <[EMAIL PROTECTED]> writes:

> On Fri, 2008-05-23 at 21:29 +0200, Vincent Bernat wrote:
>> OoO In the early evening of Friday, 23 May 2008, around 21:23, I
>> said:
>>
>> > Well, this would be a bit difficult. There are other IKE daemons that may be
>> > configured this way:
>> >  - isakmpd from OpenBSD accepts to be entirely configured using a named
>> >    pipe
>> >  - iked from Shrew Soft VPN client has an IKE daemon that also accepts
>> >    to be configured in a similar way
>>
>> Another thing to know about those IKE daemons is that only one can run
>> on the system. Therefore, contrary to PPTP, we cannot just spawn a new
>> one for each connection. The same IKE daemon can handle many IPsec
>> tunnels.
>
> That gets interesting, and that means that we need to be able to talk to
> the IKE daemon directly using a socket or something so we can have it
> bring the tunnels up or down, and so that we can get status when a
> tunnel dies or whatever. The last one is pretty critical, so that we
> can notify the user that something has happened and that's why their VPN
> is no longer working.

I have been working on adding enough support to configure an L2TP/IPsec connection remotely against a running strongswan pluto IKE daemon using strongswan's whack utility. It doesn't work quite yet and I'm debating, instead, to implement dbus support directly in pluto to support dynamic configuration.

But this is an important time to say that if we were to have an openswan vs. strongswan debate, strongswan supports pkcs#11 API smartcards which means it can be used with OpenSC supported smartcards as well as gnome-keyring and openCryptoki (i.e. TPM chip). On the other hand, openswan only supports OpenSC supported smartcards which is a very strong limitation going forward.

Dan, this is another part of networkmanager where in the future it will be important to support smartcards instead of certificates and keys on disk.

Vincent, in your setup is there a strong reason you are using openswan instead of strongswan? Please share.

Cheers,
dds

>
> _______________________________________________
> NetworkManager-list mailing list
> [email protected]
> http://mail.gnome.org/mailman/listinfo/networkmanager-list
