[Openswan Users] re: Openswan Road warriors and Netscreen vpn
mlfreeswan at noci.xs4all.nl
Wed Jun 22 00:51:21 CEST 2005
On Tuesday 21 June 2005 19:37, Ric Stuebs wrote:
> We have a number of mobile users with linux laptops that would like to
> connect to our Netscreen 500 with OpenSwan. These particular users need to
> use PSK.
Are you sure you want to have mobile users using a PSK?
If one laptop gets compromised/stolen you need to change ALL PSKs ASAP.
That is because with a roaming profile you will use ONE profile for all remote
users. I'm not exactly sure if Netscreen has a revocation list; in that case a
certificate is much safer, you just disable the certificate for the laptop.
If you need a tool for managing certificates maybe TinyCA might be of help.
My ipsec.conf goes along:
left=<My Ip Address>
leftsourceip=<Use my inside address for access to the gateway itself>
and the Key.... is in ipsec.secrets ....
On the Netscreen you need 0.0.0.0 as the remote address (as the remote address
is unknown), and therefore you can only use one key for all connections.
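An added example (not part of the original post or Openswan's own documentation) contrasting the two road-warrior setups discussed above: the one-PSK-for-everyone conn that right=%any forces, beside a certificate-based conn where a single stolen laptop is handled by revoking its certificate. Addresses, subnets, file names and the CA are assumed.

```ini
# /etc/ipsec.conf (added example; addresses, names and files are assumed)

# Weak setting: one PSK shared by every road warrior, because right=%any
# cannot be tied to a particular laptop. Losing one laptop means rotating
# the key on the gateway and on every remaining laptop.
conn roadwarrior-psk
    left=192.0.2.1              # gateway public address (assumed)
    leftsubnet=10.0.0.0/24      # internal network behind the gateway (assumed)
    leftsourceip=10.0.0.1       # so the gateway itself is reachable through the tunnel
    right=%any                  # remote address unknown
    authby=secret
    auto=add

# Safer setting: each laptop gets its own certificate signed by the company CA.
# A stolen laptop's certificate is revoked with a CRL placed in /etc/ipsec.d/crls
# instead of re-keying everyone.
conn roadwarrior-cert
    left=192.0.2.1
    leftsubnet=10.0.0.0/24
    leftsourceip=10.0.0.1
    leftcert=gateway.pem        # gateway certificate in /etc/ipsec.d/certs (assumed)
    leftrsasigkey=%cert
    right=%any
    rightrsasigkey=%cert
    rightca=%same               # peer certificate must be issued by the same CA as ours
    authby=rsasig
    auto=add

# /etc/ipsec.secrets
# PSK for the shared conn: the gateway address paired with %any, hence one key for all.
192.0.2.1 %any : PSK "replace-with-a-long-random-secret"
# Private key for the certificate conn, kept in /etc/ipsec.d/private (assumed name).
: RSA gateway.key "key-passphrase"
```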