>I'm using FreeBSD with kame IPsec for a VPN installation for video
>conferencing in medicine. First thing I like to say is a big thank
>you for all this excellent work that the KAME people have been doing.
thanks!
>Now I have a little question: what is the isakmpd that exists in
>OpenBSD but not in Free and Net BSD? Is OpenBSD not using Kame?
>Is isakmpd a replacement for racoon?
isakmpd and racoon are independent implementations of the IKE (Internet Key
Exchange) protocol.
racoon is from KAME guys, isakmpd is from OpenBSD guys.
racoon and isakmpd interoperate just fine if you configure them right.
actually, you can run isakmpd just fine on FreeBSD and NetBSD
(with KAME IPsec). on NetBSD, there's pkgsrc/security/isakmpd
which you may want to test.
>Next a suggestion. In practice I will almost always end up combining
>IPFW and IPsec in my security solutions with *BSD/kame. And I find
>it kind of odd that IPFW and IPsec shouldn't work together better
>than they do now. It is not that they interfere, since I did notice
>that IPsec policies for incoming packets seem to be applied after the
>IPFW filtering and for outgoing packets it is probably before and after.
>(I noticed that only the outgoing permit rule for protocol 50 (ESP) is
>used, but never the incoming rule.)
this is the tricky part. IPsec policy and ipfw/ipfilter/divert/
whatever is doing almost the same thing, and conflict in very difficult
ways. I'm trying to improve NetBSD situation, as shown in
http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction.
NetBSD 1.5.1/1.6 should be a lot better than before.
for FreeBSD, there was a discussion on one of FreeBSD mailing lists.
not sure the particular change got committed to the FreeBSD tree or not.
the ultimate solution would be to integrate packet filter and ipsec
policy engine into one; there's an ongoing effort in that direction.
my current recommendation is to avoid using ipfw/ipfilter/divert with
IPsec. use them in separate boxes, or use IPsec filter rules
for packet filter (using "discard" policy).
itojun
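The last recommendation in the reply above, filtering inside the IPsec policy engine with "discard" entries instead of ipfw, can be expressed as a setkey(8) SPD file. The example below is added here and is not from the thread or from the KAME project; the addresses (RFC 5737 documentation ranges and two private /24s), the gateway roles and the file name /etc/ipsec.conf are constructed. It assumes a site-to-site ESP tunnel between gateway A (192.0.2.1, protecting 10.0.1.0/24) and gateway B (198.51.100.1, protecting 10.0.2.0/24), with the SAs negotiated by racoon or isakmpd; only gateway A's SPD is shown.

```conf
# /etc/ipsec.conf on gateway A (constructed example), loaded with:
#   setkey -f /etc/ipsec.conf
# Addresses are RFC 5737 documentation ranges; the tunnel is
# 192.0.2.1 (A, protects 10.0.1.0/24) <-> 198.51.100.1 (B, protects 10.0.2.0/24).

spdflush;

# 1. Site-to-site traffic must travel inside the ESP tunnel.
#    "require" means: if no matching SA exists the packet is dropped,
#    it is never sent or accepted in the clear.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require;

# 2. Filtering done in the SPD, not in ipfw: cleartext packets that claim
#    to come from the remote site's prefix but did not arrive through the
#    tunnel (spoofed or unprotected) are discarded.
spdadd 10.0.2.0/24 0.0.0.0/0 any -P in discard;

# 3. Any other inbound cleartext aimed at the protected network is discarded.
#    This does not touch traffic to the gateway's own outer address
#    (192.0.2.1), so IKE (UDP 500) and ESP to the gateway still arrive.
spdadd 0.0.0.0/0 10.0.1.0/24 any -P in discard;
```

The specific "ipsec ... require" entries are listed before the catch-all discards on the assumption that the SPD is searched first-match in load order; verify that on the release in use with `setkey -DP`, which dumps the installed policies, and confirm that a packet decapsulated from the tunnel matches entry 1 rather than entry 3. Entries 2 and 3 only cover the protected prefix, so remote management of the gateway itself still needs its own policy decision.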
---------------------------------------------------------------------
The IPv6 Users Mailing List
Unsubscribe by sending "unsubscribe users" to [EMAIL PROTECTED]