[vpn] certificates
Sandy Harris
sandy at storm.ca
Thu Mar 28 16:52:39 EST 2002

"meiremania.com" wrote:
>
> Hello all,
>
> I'm implementing a vpn-solution for about 40 users so they could play road
> warrior from home. I'm testing Freeswan at the moment

AT&T Research do this for several 100 users, with a dedicated
company-supplied gateway (which they call a "moat") added to each
home network. They just use raw RSA keys. See the "Moats" paper at:
http://www.quintillion.com/fdis/moat/

> but I'm still in doubt
> on which authentication mechanism to use. Somebody advised x.509
> certificates to me, but I'm still not sure. What does interest me most is to
> reduce the user-management for the sysadmin, so I wonder what are all the
> pros and contras of the different authentication methods.

I'd say just using raw RSA keys is clearly simpler if you have
FreeS/WAN on both ends. X.509 is a patch, not part of the standard
FreeS/WAN distribution, and it's not clear that it buys you a lot.

On the other hand, you might want the X.509 stuff if you have a
corporate PKI using X.509 certs in play, or if you need to
interoperate with some other IPsec that uses certs.

Also, you may not need to patch if you're using some Linux like
SuSE that ships with FreeS/WAN and the X.509 patch included.