[Openswan Users] Many networks

John A. Sullivan III jsullivan at opensourcedevel.com
Wed Feb 9 11:05:41 CET 2005


On Wed, 2005-02-09 at 13:53 -0300, Thiago Lima wrote:
> 
> 	I'm using openswan ipsec-ipsec in some linux servers that are
> firewalls/gateways to small local networks.
> 
> 	I connect from my local network to those networks every time I need
> to manage another internal machine in those network. Then I use vnc or
> remotedesktop to connect to each machine.
> 
> 	In my setup right now I have one certificate for each
> connection/firewall and all my users here ( I have 4 technicians ) use the
> same certificate. I believe that is wrong and I want to change this behavior.
> I want every technician to have his own certificate and I would like to
> revoke them if needed.. 
> 
> 	I could just put every certificate in openswan configuration but
> that seems difficult to maintain.
> 
> 	Looking in the openswan site I've seen something about OCSP. Maybe
> that's what I'm looking for. 
> 
> 	Can anyone help me ? Is that really what I need? Is there any other
> way to centralize all certificates in one server and all others ask if the
> certificate is valid? 
> 
> 	I'm using kerberos to authenticate those users in ssh. I'm looking
> for something like that for the ipsec connection.
<snip>
If I understand you correctly, this would be similar to what we call our
GNOC setup where the various support personnel in our GNOCs use X.509
certs both to establish encrypted tunnels to the gateways that service
our multiple clients but also to identify the support person and control
the extent of their access.  We have some training slides on how we did
this.  I believe it is the end of the freeswan training slide show in
the training section of the ISCS web site (http://iscs.sourceforge.net).

If I recall correctly, the way we did this in the ISCS network security
management project was to allow any end user with a valid cert to
connect to the gateway.  We then used the exposed fields such as PEER_ID
to intercept the DER_ASN.1_DN and create dynamic iptables rules to
determine where tunneled traffic from that address could go.  I hope
this at least gives you some ideas.  Good luck - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
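One way to turn the exposed peer identity into per-technician forwarding rules, as an added example that is not ISCS's or Openswan's own script: a small POSIX sh updown helper. It assumes pluto exports PLUTO_VERB, PLUTO_PEER_ID (the printable DN) and PLUTO_PEER_CLIENT to the updown script and that the iptables policy-match module is available; the CN-to-host policy table is a constructed sample.

```shell
#!/bin/sh
# Hypothetical Openswan "leftupdown" helper (added example, not ISCS's script).
# Pluto exports PLUTO_VERB, PLUTO_PEER_ID, PLUTO_PEER_CLIENT, ... into the
# environment of the updown script on each tunnel up/down event.

# Map a technician's certificate DN to the hosts they may reach.
# Constructed sample policy: match on the CN inside the DN string.
allowed_hosts_for_dn() {
    case "$1" in
        *CN=tech1*) echo "10.1.0.10/32 10.1.0.11/32" ;;
        *CN=tech2*) echo "10.1.0.0/24" ;;
        *)          echo "" ;;   # unknown CN: no destinations at all
    esac
}

# Build the iptables commands for one peer and print them (one per line)
# instead of running them, so the logic can be inspected and tested.
# $1 = pluto verb (up-client/down-client), $2 = peer DN, $3 = peer client subnet
build_rules() {
    verb=$1; dn=$2; src=$3
    case "$verb" in
        up-client)   op="-I" ;;
        down-client) op="-D" ;;
        *)           return 0 ;;   # other verbs (up-host etc.) need no rules here
    esac
    hosts=$(allowed_hosts_for_dn "$dn")
    if [ -z "$hosts" ]; then
        echo "# no policy for $dn, tunnel traffic stays dropped by the FORWARD default"
        return 0
    fi
    for h in $hosts; do
        # Only traffic that arrived through an IPsec SA from this peer's client
        # address is allowed on to its permitted hosts.
        echo "iptables $op FORWARD -m policy --dir in --pol ipsec -s $src -d $h -j ACCEPT"
    done
}

# When invoked by pluto (PLUTO_VERB set), apply the generated rules.
if [ -n "$PLUTO_VERB" ]; then
    build_rules "$PLUTO_VERB" "$PLUTO_PEER_ID" "$PLUTO_PEER_CLIENT" | while read -r cmd; do
        case "$cmd" in
            '#'*) logger -t updown "$cmd" ;;   # policy miss: log, add nothing
            *)    eval "$cmd" ;;
        esac
    done
fi
```

The FORWARD chain must default to DROP for the policy miss case to mean anything; the script only ever adds ACCEPT rules.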
