[Openswan Users] tunnel using XAUTH client mode to Cisco 3000 series

Michael Richardson mcr at sandelman.ottawa.on.ca
Sat Jul 10 12:37:21 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "David" == David Edmondson <dme at dme.org> writes:
    >> If you use RSA authentication, this whole nonsense goes away.
    >> Since RSA authentication is FAR BETTER than username/password,
    >> and it also scales better, I'd recommend it. If you need a
    >> physical token as well, you can combine RSA+XAUTH, but this is
    >> less commonly done.

    David> It seems that it would be necessary to have RSA keys per-user
    David> rather than a common set, or the same problem would result.
    David> Is this correct?

  Yes, that's correct.
  That's the way things are supposed to work.

    >> If you are happy with a client-only, single-session system, use
    >> 'vpnc'. The reports are that it works, is simple enough and needs
    >> no kernel components.

    David> vpnc works well enough, but the need to re-authenticate every
    David> eight hours is deeply frustrating, especially if one has an
    David> active task that cannot complete in that time.

  That's nothing to do with vpnc. That's to do with the fact that your
gateway wants to re-negotiate every 8 hours.

- --
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
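An added illustration of the per-user RSA key setup described above, written as an Openswan ipsec.conf on the gateway side (example config, not from the thread or the Openswan project; hostnames, key values and the 8-hour lifetime are placeholders and assumptions):

```ini
# Added example, not from the original thread. Key values are placeholders.
config setup
        interfaces=%defaultroute

# Common parameters shared by every road-warrior conn.
conn %default
        authby=rsasig
        # Assumption: 8h ISAKMP lifetime, matching the gateway behaviour
        # described in the thread; lower it if clients must not stay up
        # that long, raise it (up to the gateway's maximum) to rekey less often.
        ikelifetime=8h
        keylife=1h
        left=%defaultroute
        leftid=@gw.example.org
        leftrsasigkey=0sGATEWAY_PUBLIC_KEY_PLACEHOLDER
        right=%any
        auto=add

# One conn per user: each peer has its own identity and its own public key,
# so revoking one person means deleting one conn instead of re-keying everyone.
conn alice
        rightid=@alice.example.org
        rightrsasigkey=0sALICE_PUBLIC_KEY_PLACEHOLDER

conn bob
        rightid=@bob.example.org
        rightrsasigkey=0sBOB_PUBLIC_KEY_PLACEHOLDER
```

With a single shared conn and one common rightrsasigkey, every user would present the same key, which is the per-user problem David asks about.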