> How do you do it right? Use a certificate on both ends, and do real > RFC2409-style authentication. You can still have dynamic IP addresses.
This is by far the best supported authentication technique. Unfortunately, there are lots of problems with certificate interoperability, so that trying to "mix and match" one vendor's CA with another vendor's VPN server and client can be a frustrating experience. And of course, if you're trying to provision the client with a certificate before they've authenticated to the wireless network, then you've got a chicken and egg problem. That's why, despite years of work, most customers I talk to still are using pre-shared keys, and of those, the "group pre-shared key" approach is shockingly common. Yes, it's outside RFC 2409, shunned by knowledgeable people everywhere, not spoken of above a whisper in the IETF -- a veritable red light distrinct in IPsecVille. > The bottom line is that some vendors sell crap. It is not enough to just > buy an "IPsec device" or a product that "supports 802.1X/EAP". Look > under the hood, kick some tires, ask some questions before you buy. And that applies to the other components of the solution, too: certificate servers, directories, authentication servers, etc. It's quite a task to accomplish the requisite tire-kicking (given the number of tires to kick). -- general wireless list, a bawug thing <http://www.bawug.org/> [un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless
