Larry Brown writes:
> I just wanted to chime in on this.  FreeS/WAN is an IPSEC implementation
> that I've used a number of times and they stay up as long as the internet is
> up on both ends.  From what I've read it is very strong encryption and you
> can feel pretty safe that everything is encrypted well.  I have sniffed
> around the firewalls looking for anything useable and haven't ever found
> anything.  It does require a kernel recompile though and it does take some
> effort for the install.  I don't know if these others like cipe are as
> strong or not.  ( I just don't know enough about them )  I do know that
> IPSEC is supposed to be one of the best.  If you want to read about them
> they are at freeswan.org.

I've used FreeSWAN extensively and currently recommend against it to
my users unless they absolutely need IPSEC for some reason.

IPSEC is considerably more complex than most VPN technologies in ways
that are counter-intuitive.  IPSEC tunnels are not just virtual wires,
they also include access controls.  For example, consider:

  net1 --- gateway1 -- {internet} -- gateway2 --- net2 --- net3

A FreeSWAN tunnel between gateway1 and gateway2 can allow net1 and
net2 to talk to each other, but that same tunnel will not allow net1
and net3 to talk to each other.  Communication between net1 and net3
would require an additional tunnel.  In fact, full connectivity for
this case would require 6 tunnels:
    1. net1 <--> net2
    2. net1 <--> gateway2
    3. net1 <--> net3
    4. gateway1 <--> net2
    5. gateway1 <--> gateway2
    6. gateway1 <--> net3

IPSEC has other complexities too.  They are useful when you need them,
but they easily get in the way when you don't.

--
Dick St.Peters, [EMAIL PROTECTED]

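The access-control behaviour described in the reply above (a tunnel's selectors only cover the address pairs they name, so net1 to net3 needs its own tunnel, and full connectivity needs six) can be modelled in a few lines. This is an added example, not code from the original post or from FreeS/WAN; the addresses for net1, gateway1, net2, gateway2 and net3 are constructed, and the function names (`matches`, `full_mesh`, `to_ipsec_conf`) are the example's own. The ipsec.conf rendering uses only the `left`, `leftsubnet`, `right`, `rightsubnet` and `auto` option names from ipsec.conf(5) and leaves keying options out.

```python
"""Model IPsec selectors (the SPD) to show why one tunnel is not a wire.

Added example, not from the post.  Topology and addresses are constructed:
  net1 --- gateway1 -- {internet} -- gateway2 --- net2 --- net3
"""
import ipaddress
from itertools import product

Net = ipaddress.IPv4Network

# Constructed addresses for the post's diagram (assumed, not from the post).
NET1 = Net("10.1.0.0/16")
GW1 = Net("192.0.2.1/32")
NET2 = Net("10.2.0.0/16")
GW2 = Net("198.51.100.1/32")
NET3 = Net("10.3.0.0/16")
NAMES = {NET1: "net1", GW1: "gateway1", NET2: "net2", GW2: "gateway2", NET3: "net3"}


def matches(policies, src, dst):
    """Return the selector pair that protects src->dst, or None.

    Each policy is a (left, right) pair of networks; a tunnel covers traffic
    in both directions between them and nothing else.  Traffic that matches
    no selector is not carried by any tunnel (FreeS/WAN would route it in
    the clear or drop it, depending on the rest of the configuration).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a, b in policies:
        if (s in a and d in b) or (s in b and d in a):
            return (a, b)
    return None


def full_mesh(left_side, right_side):
    """Selector pairs needed so every address behind/at gateway1 can reach
    every address behind/at gateway2: one conn per (left, right) pair."""
    return list(product(left_side, right_side))


def to_ipsec_conf(policies, names, left_gw, right_gw):
    """Render selector pairs as FreeS/WAN-style conn sections.

    When the endpoint is the gateway itself the *subnet line is omitted, as
    the gateway address is then the selector.  Authentication and keying
    options are deliberately left out.
    """
    out = []
    for a, b in policies:
        out.append(f"conn {names[a]}-{names[b]}")
        out.append(f"\tleft={left_gw.network_address}")
        if a != left_gw:
            out.append(f"\tleftsubnet={a}")
        out.append(f"\tright={right_gw.network_address}")
        if b != right_gw:
            out.append(f"\trightsubnet={b}")
        out.append("\tauto=start")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    one_tunnel = [(NET1, NET2)]
    print("net1->net2 with one tunnel:", matches(one_tunnel, "10.1.5.5", "10.2.7.7"))
    print("net1->net3 with one tunnel:", matches(one_tunnel, "10.1.5.5", "10.3.7.7"))
    mesh = full_mesh([NET1, GW1], [NET2, GW2, NET3])
    print(f"tunnels for full connectivity: {len(mesh)}")
    print(to_ipsec_conf(mesh, NAMES, GW1, GW2))
```

Running the block shows the single net1/net2 conn covering 10.1.5.5 to 10.2.7.7 but returning no match for 10.1.5.5 to 10.3.7.7, and the six-entry mesh rendered as six conn sections.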
-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list