<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content=text/html;charset=ISO-8859-15>
<META content="MSHTML 6.00.6000.16608" name=GENERATOR></HEAD>
<BODY text=#000000 bgColor=#ffffff>
<DIV dir=ltr align=left><SPAN class=446140515-28022008><FONT face=Arial
color=#0000ff size=2>RSA keys are just fine for net-to-net, that's all I
use.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=446140515-28022008><FONT face=Arial
color=#0000ff size=2>I have at present 4 (and growing) offices with static
IPs, connected net-to-net in a mesh using RSA keys.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=446140515-28022008><FONT face=Arial
color=#0000ff size=2>RSA keys in net-to-net are the first example in the doc/
dir of the source tarball.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=446140515-28022008><FONT face=Arial
color=#0000ff size=2>Certs also use RSA, but take a little more effort to set up
and maintain.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=446140515-28022008><FONT face=Arial
color=#0000ff size=2>The only advantage I can think of with certs over pure RSA
in a static net-to-net mesh</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=446140515-28022008><FONT face=Arial
color=#0000ff size=2>is that you can revoke certs if they become
insecure/broken/hacked... via the crl file.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=446140515-28022008><FONT face=Arial
color=#0000ff size=2>They also expire after a time, which could be good or bad
depending on your preferences.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=446140515-28022008><FONT face=Arial
color=#0000ff size=2>More maintenance, but slightly more security. Plain RSA is
good enough though.</FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
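<DIV dir=ltr align=left><FONT face=Arial size=2>The "mesh using RSA keys" described above, as an added example that is not part of the original post and not Openswan's own tooling: a small Python generator that writes one ipsec.conf for a full mesh of net-to-net conns, either with raw RSA public keys pinned in the config (the first example in the doc/ directory) or with X.509 certs and CRL checking. The site list, the site names, the RFC 5737 public addresses, the DNs and every "0sAQ..." key string are constructed placeholders; on a real host the key string is whatever <CODE>ipsec showhostkey --left</CODE> prints. The keywords used (conn, left/right, leftsubnet, leftid, leftrsasigkey, leftcert, rightca, authby, auto, crlcheckinterval, interfaces) are assumed to be those of Openswan 2.x.</FONT></DIV>

```python
"""Full-mesh Openswan net-to-net ipsec.conf generator.

Added example written for this thread; it is neither code from the original
post nor part of Openswan.  Assumptions: Openswan 2.x ipsec.conf keywords
(conn, left/right, leftsubnet, leftid, leftrsasigkey, leftcert, rightca,
authby=rsasig, auto=start, crlcheckinterval, interfaces).  The site list,
the names, the public IPs (RFC 5737 documentation addresses), the DNs and the
"0sAQ..." key strings are constructed placeholders, not real hosts or keys.
On a real site the 0s... value is what `ipsec showhostkey --left` prints.
"""
from itertools import combinations

# Constructed sample: six sites with 172.16.0.0/16 .. 172.21.0.0/16 as in the
# question.  Every value here is a placeholder.
SITES = [
    {"name": f"site{i}", "ip": f"192.0.2.{i}",
     "subnet": f"172.{15 + i}.0.0/16",
     "dn": f"C=DE, O=Example, CN=site{i}.example.net",
     # NOT a real key; real ones come from `ipsec showhostkey --left`
     "rsasigkey": f"0sAQ-PLACEHOLDER-PUBKEY-SITE{i}"}
    for i in range(1, 7)
]


def mesh_pairs(sites):
    """Every unordered pair of sites: a full mesh of n sites needs n(n-1)/2 conns."""
    return list(combinations(sites, 2))


def render_conn(a, b, auth):
    """One conn stanza between sites a and b.

    The same stanza is installed on both ends: Openswan works out which side it
    is from its own address, so a single ipsec.conf serves every site.
    auth="rsakey": raw RSA public keys pinned in ipsec.conf; each host's
                   private key lives only in its own ipsec.secrets.
    auth="cert":   X.509; each host presents leftcert, the peer must present a
                   certificate with the given DN chaining to the same CA
                   (rightca=%same), and revocation works by dropping the CA's
                   CRL into /etc/ipsec.d/crls/.
    """
    lines = [
        f"conn {a['name']}-{b['name']}",
        f"\tleft={a['ip']}",
        f"\tleftsubnet={a['subnet']}",
        f"\tright={b['ip']}",
        f"\trightsubnet={b['subnet']}",
        "\tauthby=rsasig",
    ]
    if auth == "rsakey":
        lines += [
            f"\tleftid=@{a['name']}",
            f"\tleftrsasigkey={a['rsasigkey']}",
            f"\trightid=@{b['name']}",
            f"\trightrsasigkey={b['rsasigkey']}",
        ]
    elif auth == "cert":
        lines += [
            f"\tleftid=\"{a['dn']}\"",
            f"\tleftcert={a['name']}.pem",  # looked up in /etc/ipsec.d/certs/
            "\tleftrsasigkey=%cert",
            f"\trightid=\"{b['dn']}\"",
            "\trightrsasigkey=%cert",
            "\trightca=%same",
        ]
    else:
        raise ValueError(f"unknown auth mode {auth!r}")
    lines.append("\tauto=start")
    return "\n".join(lines)


def generate_mesh(sites, auth="rsakey"):
    """Whole ipsec.conf: a config setup section followed by one conn per pair."""
    setup = ["config setup", "\tinterfaces=%defaultroute"]
    if auth == "cert":
        # re-read /etc/ipsec.d/crls/ every 10 minutes so a revoked peer is dropped
        setup.append("\tcrlcheckinterval=600")
    stanzas = [render_conn(a, b, auth) for a, b in mesh_pairs(sites)]
    return "\n\n".join(["\n".join(setup)] + stanzas) + "\n"


if __name__ == "__main__":
    import sys
    print(generate_mesh(SITES, sys.argv[1] if len(sys.argv) > 1 else "rsakey"))
```

<DIV dir=ltr align=left><FONT face=Arial size=2>Six sites give 15 conns, and every new site adds one conn per existing site, which is the maintenance cost of a mesh in either mode. In raw-key mode each host keeps only its own private key (for example from <CODE>ipsec newhostkey --output /etc/ipsec.secrets</CODE>) and the generated file carries the public half of every peer, so adding a site means redistributing one file. In cert mode the private key is referenced from ipsec.secrets (<CODE>: RSA site1.key</CODE>) and revoking a compromised site is a CRL update rather than a config edit on every other site.</FONT></DIV>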
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <B>On Behalf Of </B>Mueller,
Bernd<BR><B>Sent:</B> February 28, 2008 9:30 AM<BR><B>To:</B>
Users@openswan.org<BR><B>Subject:</B> [Openswan Users] VPN
Question<BR></FONT><BR></DIV>
<FONT face="Helvetica, Arial, sans-serif">Hello,<BR><BR>I've got a
question concerning our VPN.<BR><BR>Right now we have got 6 stations which have
to tunnel their networks with each other.<BR><BR>So I've got the following
networks:<BR>172.16.0.0/16 - 172.21.0.0/16<BR><BR>Everybody should be able to
connect more or less to everywhere.<BR><BR>At the moment we use preshared RSA
keys in ipsec.secrets and the fingerprint of the keys as ID.<BR><BR>What would
be the best possible solution to update this?<BR>X.509
certs?<BR><BR>Everything I am reading is about roadwarriors, but all I want is
net-to-net.<BR>Perhaps later I will add some laptops which will connect via
OpenVPN.<BR><BR>Bernd Mueller<BR></FONT></BLOCKQUOTE></BODY></HTML>