[Openswan Users] DSL modems in bridge mode and UDP fragmentation
Michael Richardson
mcr at sandelman.ottawa.on.ca
Sat Jan 3 23:49:53 CET 2004
>>>>> "Tim" == Tim Bouwer <TBouwer at pfn.com> writes:
Tim> Thanks for your response.
>>> No, it isn't inevitable.
>>> It is only going to occur if you transmit the certificates. There is very
>>> little reason to do that.
>>> Unless you have 1000 road warriors, I don't see a reason to do
>>> that. It just causes problems, like the one that you have.
Tim> We use x509 across the board for authentication of the Freeswan
Tim> gateways and for our roadwarriors and also as the basis for the
Tim> encryption in preference to preshared keys - it would be difficult
I never said use pre-shared keys.
I said, don't transmit the certificates. There is simply no point in doing
that, except for road-warriors where you have a policy of accepting any
certificate from a particular CA, *AND* you have no way to retrieve them
from, say, an LDAP server.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [