Hi Joel,

Your project sounds interesting. A couple of comments:

> > > 2) How do I get access to keys I'll need to pass to
> > > my hardware?
> >
> > You will have to create/read them (from DNS/etc). The docs/howtos
> > are your friends.

I think this person was thinking of it from a user's perspective, rather than a hacker's perspective.

You are not the first to try hardware-assisted FreeS/WAN. One project I know about is here; there may be others:

http://sources.colubris.com/en/projects/FreeSWAN/

> I agree about the docs. Thus far they still look more like a refresher
> course than they do "Intro to IPSec". I'll need to modify the code so
> it can dump the keys into my hardware directly.

Thank you for your feedback on the docs. We have a lot of docs, so we may have something that better suits your needs but that you haven't tripped across yet. For more general information try:

doc/intro.html    Our Introduction
doc/ipsec.html    IPsec protocol information

You might also find this useful:

doc/roadmap.html  What's where in Linux FreeS/WAN
doc/web.html      Web Links

Some of these documents may require updating, but they should still be able to give you a general idea about the topics they cover.

> > > 3) The docs for rev 2.01 say you need BIND v9. Is this
> > > anywhere on the network or on the local box? Lots of
> > > embedded systems don't run bind.
> >
> > Most definitely! DJB's 'tinydns' perhaps. Once more, the docs/howtos
> > are a good place to start.
>
> From this I gather it means I need dns on my box.

DNS is only required if you're doing key distribution via DNS. Opportunistic Encryption is the main use of key distribution via DNS, but you can also do custom configurations where the keys are fetched from DNS.

> > > 4) Do you need a config file entry for each host involved
> > > in key exchange?

Yes and no. Using the 1.x-style ipsec.conf entries, you generally need one entry for each peer FreeS/WAN (or other IPsec implementation). There is a shorthand notation ("also=") that can condense repetition in the config files. Please note that although we offer a lot of config file levers, the defaults are fairly sensible, and in many cases each entry can be fairly short.

You may also wish to use Policy Groups to reduce the amount of configuration needed (see doc/policygroups.html). However, this *is* designed for use with OE (and key distribution via DNS).

> The config will have some boxes in the same room. Some in the same
> complex of buildings and some scattered around the country. I suppose
> there will be firewalls and NAT in between.

Where NAT is in between, you will need Super FreeS/WAN with NAT traversal. NAT also throws a monkey wrench into using OE, though I think I've heard that you can run initiator-only OE (ref: doc/quickstart.html, doc/glossary.html#iOE) from behind NAT.

Cheers,

Claudia Schmeing
FreeS/WAN Documentation

FreeS/WAN Users mailing list
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
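The "also=" shorthand and the fetch-keys-from-DNS configuration described in the message above, as an added ipsec.conf example (not from the original message or the FreeS/WAN docs; hostnames, addresses and key strings are constructed placeholders):

```ini
# Constructed example: one "conn" per peer, with the shared local-side
# settings factored out via "also=". Addresses, names and key strings
# are placeholders.

config setup
	interfaces=%defaultroute

# Defaults inherited by every conn section.
conn %default
	authby=rsasig
	keyingtries=0

# Peer in the same room: its public key is pasted in, so no DNS is needed.
conn hq-to-lab
	also=hq-side
	right=192.0.2.20
	rightid=@lab.example.com
	rightrsasigkey=0sAQO...PLACEHOLDER...
	auto=start

# Remote peer whose public key is looked up in DNS (the KEY record for
# rightid) when the tunnel is negotiated. This is the "custom
# configuration" case, and it is what makes a resolver a requirement.
conn hq-to-branch
	also=hq-side
	right=198.51.100.5
	rightid=@branch.example.com
	rightrsasigkey=%dnsondemand
	auto=start

# Shared local-side parameters. FreeS/WAN requires an also= target to
# appear after the sections that reference it. auto= is left at its
# default (ignore), so this section is never loaded as a tunnel itself.
conn hq-side
	left=203.0.113.1
	leftid=@hq.example.com
	leftrsasigkey=0sAQN...PLACEHOLDER...
	leftnexthop=%defaultroute
```

Adding a further peer is then one short section naming `also=hq-side` plus the right-hand parameters, which is the repetition the shorthand is meant to remove.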