[Openswan Users] re: Openswan Road warriors and Netscreen vpn
Nico Baggus
mlfreeswan at noci.xs4all.nl
Wed Jun 22 00:51:21 CEST 2005
On Tuesday 21 June 2005 19:37, Ric Stuebs wrote:
> We have a number of mobile users with linux laptops that would like to
> connect to our Netscreen 500 with OpenSwan. These particular users need to
> use PSK.
Are you sure you want to have mobile users using a PSK?
If one laptop gets compromised/stolen you need to change ALL PSKs ASAP.
That is because with a roaming profile you will use ONE profile for all remote
users. I'm not exactly sure if Netscreen has a revocation list; in that case a
certificate is much safer, you just disable the certificate for the laptop
in question.
If you need a tool for managing certificates, maybe tinyCA might be of help.
Kind regards,
Nico Baggus
My ipsec.conf goes along:

conn to_netscreen
        keyingtries=3
        auto=start
        authby=secret
        pfs=yes
        keylife=3600
        left=<My Ip Address>
        leftsourceip=<Use my inside address for access to the gateway itself>
        leftsubnet=<MyLocalNetwork>
        right=<NetscreenIP>
        rightsubnet=10.0.0.0/8
        leftnexthop=<Mydefaultgw>
and the Key.... is in ipsec.secrets ....
On the Netscreen you need 0.0.0.0 as the remote address (as the remote address
is unknown), and therefore you can only use one key for all connections.
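As an added illustration, not part of Nico's message and not taken from the Openswan or Netscreen documentation, here is the laptop-side conn above rewritten for certificate authentication, the setup that lets the gateway refuse one revoked laptop certificate instead of rotating a PSK shared by every road warrior. All file paths, DNs and addresses are assumed placeholders; `left=%defaultroute` is used instead of a fixed address because a roaming laptop's IP changes.

```ini
# Added example: Openswan ipsec.conf on a road-warrior laptop, using X.509
# certificates rather than a shared PSK. Paths, DNs and addresses are assumed
# placeholders, not values from the thread.

config setup
        # Fetch CRLs every 10 minutes and refuse peers whose certificate
        # status cannot be checked, so a revoked laptop cannot keep connecting.
        crlcheckinterval=600
        strictcrlpolicy=yes

conn to_netscreen
        keyingtries=3
        auto=start
        # RSA signatures with certificates instead of authby=secret
        authby=rsasig
        pfs=yes
        keylife=3600
        # Roaming laptop: take the local address and nexthop from the routing table
        left=%defaultroute
        leftsubnet=<MyLocalNetwork>
        # This laptop's own certificate (assumed path) and its DN (assumed)
        leftcert=/etc/ipsec.d/certs/laptop-01.pem
        leftrsasigkey=%cert
        leftid="C=NL, O=Example, CN=laptop-01"
        right=<NetscreenIP>
        rightsubnet=10.0.0.0/8
        # Gateway authenticates with the certificate it sends; its DN is assumed
        rightrsasigkey=%cert
        rightid="C=NL, O=Example, CN=vpn-gateway"
        # Gateway certificate must chain to the same CA as the laptop's
        rightca=%same
```

The matching private key is referenced from ipsec.secrets rather than ipsec.conf (a line of the form `: RSA /etc/ipsec.d/private/laptop-01.key "<passphrase>"`, path assumed), and the CA certificate goes in /etc/ipsec.d/cacerts/. Revocation of a stolen laptop is then a CRL update on the CA side plus disabling that certificate on the gateway; the other laptops keep their own certificates untouched, which is the property a shared PSK cannot give.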