[Openswan Users] RHEL guides
Paul Wouters
paul at xelerance.com
Mon Jun 6 18:19:59 CEST 2005
On Mon, 6 Jun 2005, Gavin Henry wrote:
> Would anyone of you kind souls recommend the use of:
>
> http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-ipsec-host2host.html
>
> and
>
> http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-ipsec-net2net.html
The first example uses PSK-based IPsec connections, which we always recommend, regardless of the
software being used.
I find the following advice a bit ironic:
"To test the IPsec connection, run the tcpdump utility to
view the network packets being transferred between the hosts
(or networks) and verify that they are encrypted via IPsec."
With NETKEY, you can't reliably look at the data with tcpdump, since netkey hooks into
the networking stack past the point where tcpdump can look.
There are other reasons to choose openswan over racoon: many more options, much better
regression testing of code, more active development, etc. An important case for scaling
is that to add an IPsec connection to racoon, you have to restart all of racoon, so all your
current IKE sessions are lost and need to be restarted (and they will hit you all at the
same time as a result of that).
Paul
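As an added example (not code from this thread, and not part of Openswan or the Red Hat guide): one way to confirm that test traffic really went through the ESP SAs without relying on tcpdump on the IPsec host is to snapshot the per-SA byte and packet counters that `ip -s xfrm state` reports, send a known amount of traffic (say `ping -c 4 peer`), snapshot again, and check that the counters of the SAs between the two peers grew in both directions. The counter layout parsed here is the one current iproute2 prints (an assumption; the 2005 tool may have differed), and the addresses, SPIs and counter values are constructed test data.

```python
import re

# Regexes for the `ip -s xfrm state` layout assumed here: an unindented
# "src A dst B" line, an indented "proto esp spi 0x... " line, and under
# "lifetime current:" a line "<bytes>(bytes), <packets>(packets)".
SA_HEAD = re.compile(r"^src (\S+) dst (\S+)\s+proto (\w+) spi (0x[0-9a-fA-F]+)", re.M)
SA_CUR = re.compile(r"lifetime current:\s+(\d+)\(bytes\), (\d+)\(packets\)")


def parse_xfrm_state(text):
    """Map (src, dst, proto, spi) -> (bytes, packets) from `ip -s xfrm state` output."""
    sas = {}
    # Every SA record begins at an unindented "src " line; split there.
    for block in re.split(r"^(?=src )", text, flags=re.M):
        head, cur = SA_HEAD.search(block), SA_CUR.search(block)
        if head and cur:
            sas[head.groups()] = (int(cur.group(1)), int(cur.group(2)))
    return sas


def sa_deltas(before, after):
    """Per-SA (bytes, packets) growth between two snapshots; SAs new in `after` count from zero."""
    return {key: (b - before.get(key, (0, 0))[0], p - before.get(key, (0, 0))[1])
            for key, (b, p) in after.items()}


def esp_packets_between(deltas, src, dst):
    """Packets that traversed ESP SAs from src to dst between the snapshots (rekeys summed)."""
    return sum(p for (s, d, proto, _), (_, p) in deltas.items()
               if proto == "esp" and s == src and d == dst)


def verify_tunnel(before_text, after_text, local, peer, expected):
    """(ok, out_packets, in_packets): ok iff >= `expected` packets crossed ESP each way.

    The kernel only bumps these counters for packets it actually pushed through
    the SA, so a delta of zero after a successful ping means the traffic took a
    cleartext path instead of the tunnel.
    """
    d = sa_deltas(parse_xfrm_state(before_text), parse_xfrm_state(after_text))
    out_n = esp_packets_between(d, local, peer)
    in_n = esp_packets_between(d, peer, local)
    return out_n >= expected and in_n >= expected, out_n, in_n


def sa_record(src, dst, spi, nbytes, npackets):
    """Render one SA in the assumed `ip -s xfrm state` layout (constructed test data)."""
    return (
        f"src {src} dst {dst}\n"
        f"\tproto esp spi {spi} reqid 16385 mode tunnel\n"
        "\treplay-window 32 flag af-unspec\n"
        "\tauth-trunc hmac(sha256) 0x00 128\n"
        "\tenc cbc(aes) 0x00\n"
        "\tlifetime config:\n"
        "\t  limit: soft (INF)(bytes), hard (INF)(bytes)\n"
        "\t  limit: soft (INF)(packets), hard (INF)(packets)\n"
        "\tlifetime current:\n"
        f"\t  {nbytes}(bytes), {npackets}(packets)\n"
        "\t  add 2005-06-06 18:00:00 use -\n"
        "\tstats:\n"
        "\t  replay-window 0 replay 0 failed 0\n"
    )


# Constructed snapshots: one tunnel between 192.0.2.1 and 192.0.2.2 that carries
# four pings between the snapshots, plus an idle SA to a different peer.
BEFORE = (sa_record("192.0.2.1", "192.0.2.2", "0x0a1b2c3d", 0, 0)
          + sa_record("192.0.2.2", "192.0.2.1", "0x4d3c2b1a", 0, 0)
          + sa_record("192.0.2.1", "198.51.100.7", "0x77777777", 1200, 10))
AFTER = (sa_record("192.0.2.1", "192.0.2.2", "0x0a1b2c3d", 336, 4)
         + sa_record("192.0.2.2", "192.0.2.1", "0x4d3c2b1a", 336, 4)
         + sa_record("192.0.2.1", "198.51.100.7", "0x77777777", 1200, 10))

if __name__ == "__main__":
    # Real use: capture `ip -s xfrm state` before and after `ping -c 4 192.0.2.2`.
    ok, out_n, in_n = verify_tunnel(BEFORE, AFTER, "192.0.2.1", "192.0.2.2", expected=4)
    print(f"ESP out={out_n} in={in_n} -> {'encrypted path confirmed' if ok else 'NOT via IPsec'}")
```

Run the two `ip -s xfrm state` captures on the same host that sent the ping; the check passes only if both the outbound and the inbound SA between the peers grew by at least the number of packets sent, which is the property the guide's tcpdump step was meant to establish.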