On 03/27/2003 08:36 AM, bert hubert wrote:
> Racoon is just an IKE daemon - Linux is not bound to it.
That's true. But until today there had been no
discussion on netdev of any userspace tools except
KAME, as far as google and I can tell. It seems
high time to begin such a discussion.
> You are free to write your own.
I think before I did that I would throw away all
the linux-2.5 built-in IPsec features and use
FreeS/WAN, which has a reasonably complete feature-set.
It's amusing that some people flame FreeS/WAN,
alleging "it's _not_ integrated, and this is a
major problem" ... and alleging that the linux-2.5
stuff solves this problem. Somehow I don't understand
how telling people to write their own key-exchange
daemon is the winning "integrated" solution.
> The OpenBSD one (isakmpd) also works under linux.
Folks who wish to pursue this option are encouraged
to look at
http://www.uwsg.iu.edu/hypermail/linux/kernel/0301.3/0582.html
which announces a port of isakmpd to linux-2.5,
available from
http://bender.thinknerd.de/~thomas/isakmpd-linux-2.5/
BSD IPsec in general and isakmpd in particular have
a better design and vastly better documentation than
KAME.
However, the existence of isakmpd does not answer all
questions about the completeness of the IPsec feature-set.
For example, BSD provides an "enc0" device and documents
using it to implement network security rules. Alas I
see no sign that linux-2.5 provides this feature. If
I am overlooking something, please explain.
I ask again: Is there a document somewhere listing the
set of desirable features and the status thereof? Or
otherwise is there something to reassure would-be users
that a complete feature-set will be provided?
http://www.monmouth.com/~jsd/vpn/ipsec+routing/feature-list.htm
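[Editor's added illustration of the enc0 point raised above; this is not part of the message and not the author's configuration.] On OpenBSD, traffic that has passed ESP/AH processing is presented on the enc0 pseudo-interface, so the packet filter can apply rules to the decrypted, authenticated inner packets by interface name, separately from the raw encrypted traffic arriving on the physical interface. The pf.conf fragment below, written in the style of OpenBSD's vpn(8) examples, shows what that looks like; the interface name and all addresses are placeholders chosen for the example. Linux 2.5 of this period offered no such pseudo-interface, so the equivalent "only trust what came out of the tunnel" rule could not be expressed by interface in the host firewall.

```pf
# Added example, not from the message above. Placeholder names and addresses.
ext_if     = "fxp0"
local_gw   = "192.0.2.1"
remote_gw  = "198.51.100.1"
local_net  = "10.0.1.0/24"
remote_net = "10.0.2.0/24"

# On the outside interface only the peer gateway may send us IKE and ESP.
pass in on $ext_if proto udp from $remote_gw to $local_gw port 500
pass in on $ext_if proto esp from $remote_gw to $local_gw

# Anything seen on enc0 has already been authenticated and decrypted by the
# kernel, so the inner addresses can be trusted and policed here; everything
# else that pops out of a tunnel is dropped and logged.
block in log on enc0
pass in on enc0 proto ipencap from $remote_gw to $local_gw
pass in on enc0 from $remote_net to $local_net
pass out on enc0 from $local_net to $remote_net
```

The security property this buys is that a filtering decision can be tied to "arrived through an SA" rather than to a source address alone, which a spoofed cleartext packet on the physical interface cannot satisfy.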