[VPN] Re: VPN config question (fwd)
Dana J. Dawson
djdawso at qwest.com
Mon Sep 9 11:19:27 EDT 2002
In my mind, the primary benefit of XML would be having a universal format for specifying *ALL* the parameters available for configuring IPSec VPNs. Different vendors use different default values for some of these parameters, such as D-H Group 1 or Group 2 for example, and it's not always easy to determine what those defaults are, but it is usually necessary. Being able to dump the complete set of parameters (with the possible exception of any pre-shared keys) for one vendor's config in a common format would go a long way to making this problem go away. Since many products already support a mechanism of exporting and importing the device config to and from some sort of external file (frequently a text file), making XML an option doesn't seem to me to reduce security in any way. The configuration would still be a human-driven process, just as it is now. I don't think anyone is advocating an automatic blind installation of someone else's config, but rather a means of accurately importing the complete set of IPSec parameters from one device into another device.
For what it's worth, Cisco already supports the export and import of the complete configuration of their 3000 series VPN concentrators in XML format. The option to do the same thing, but for just the IPsec part and with a standard set of XML variable names (or whatever they're called) would, I think, be a relatively simple feature to add.
That's my impression at least, but perhaps I didn't read enough into the original post.
Dana J. Dawson
djdawso at qwest.com
Senior Staff Engineer, CCIE #1937
Qwest Communications
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620
(612) 664-3364
(612) 664-4779 (FAX)
"Hard is where the money is."
TKoopman at SonicWALL.com wrote:
> Well, time for me to pitch in.
> 1) I'd be a little concerned about security of the policy if I could throw XML files around to configure local and remote VPN and/or firewall devices. But I am by no means an expert in this XML area so I could be jumping at shadows. And you could always require something like a signed certificate or other strong authentication mechanism first.
> 2) Some way to configure one end and then pour it into the other end so it configures automagically. This seems to be what I understand as the underlying request.
> SonicWALL and most of the VPN vendors already have this capability if you use their vendor specific management application. And the management applications are generally easier to use, with point and click features, than writing scripts. But this is vendor specific and not platform generic.
> As for an XML standard methodology across vendors and platforms ... well, we all have enough trouble maintaining "simple" ipsec compatibility, let alone what you are talking about!
> 3) And lastly, on the XML scripting capabilities of the SonicWALL Global Management System. They have been improved with the latest release that started shipping last week. The first release of the XML scripting capabilities was very task specific and limited to a few functions. This has been expanded to include all currently configurable parameters (until we come out with the new new thing in a few months).
> Any questions or comments, feel free to contact me.
> Todd Koopman
> toddk at sonicwall.com
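As an added illustration of the point Dana makes above (a complete parameter dump in a common format, with vendor defaults made explicit and pre-shared keys left out), the following Python script is not code from the original thread, from Cisco, or from SonicWALL. The element names, the per-vendor default tables, the parameter list and the sample policy values are all assumptions constructed for this example; the interesting output is that two configs which look identical to their administrators turn out to disagree on the D-H group once the defaults are written down.

```python
"""Export/import a full IPsec policy as XML, making vendor defaults explicit.

Added example for the VPN list thread; not a real vendor format. Element
names, VENDOR_DEFAULTS, PARAMS and the sample policy are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Hypothetical per-vendor defaults for parameters an admin may leave unset.
VENDOR_DEFAULTS = {
    "vendor_a": {"dh_group": "1", "ike_lifetime": "86400", "pfs": "off"},
    "vendor_b": {"dh_group": "2", "ike_lifetime": "28800", "pfs": "off"},
}

# Parameters that must never leave the box in an exported config.
SECRET_PARAMS = frozenset({"preshared_key"})

# Every parameter a complete policy must carry, in a fixed order (assumed list).
PARAMS = (
    "ike_encryption", "ike_hash", "dh_group", "ike_lifetime",
    "ipsec_encryption", "ipsec_auth", "pfs", "ipsec_lifetime", "preshared_key",
)


def export_policy(configured: dict, vendor: str) -> str:
    """Return XML listing every parameter: values the admin set are marked
    source="configured", values filled from the vendor table are marked
    source="default", and secrets are emitted empty and marked "redacted"."""
    defaults = VENDOR_DEFAULTS[vendor]
    root = ET.Element("ipsec-policy", vendor=vendor)
    for name in PARAMS:
        el = ET.SubElement(root, name)
        if name in SECRET_PARAMS:
            el.set("source", "redacted")
        elif name in configured:
            el.text = str(configured[name])
            el.set("source", "configured")
        elif name in defaults:
            el.text = defaults[name]
            el.set("source", "default")
        else:
            raise ValueError(f"no value or default for {name}")
    return ET.tostring(root, encoding="unicode")


def import_policy(xml_text: str) -> dict:
    """Parse an exported policy back into {param: value}. A redacted
    parameter comes back as None so the importing admin must supply it."""
    root = ET.fromstring(xml_text)
    if root.tag != "ipsec-policy":
        raise ValueError("not an ipsec-policy document")
    policy = {}
    for name in PARAMS:
        el = root.find(name)
        if el is None:
            raise ValueError(f"incomplete policy: missing {name}")
        policy[name] = None if el.get("source") == "redacted" else el.text
    return policy


def mismatches(a: dict, b: dict) -> dict:
    """Parameters that differ between two imported policies (secrets excluded)."""
    return {n: (a[n], b[n]) for n in PARAMS
            if n not in SECRET_PARAMS and a[n] != b[n]}


# Constructed sample: both sides set the same explicit values and both leave
# the D-H group and IKE lifetime to their vendor's default.
COMMON = {"ike_encryption": "3des", "ike_hash": "sha1",
          "ipsec_encryption": "3des", "ipsec_auth": "hmac-sha1",
          "ipsec_lifetime": "3600", "preshared_key": "hunter2"}

if __name__ == "__main__":
    left = import_policy(export_policy(COMMON, "vendor_a"))
    right = import_policy(export_policy(COMMON, "vendor_b"))
    for name, (lv, rv) in mismatches(left, right).items():
        print(f"{name}: vendor_a={lv} vendor_b={rv}")
```

Running it prints the two silently-defaulted parameters (dh_group 1 vs 2, ike_lifetime 86400 vs 28800) that would otherwise surface only as a failed IKE negotiation, and the exported XML never contains the pre-shared key, matching the "human-driven process" Dana describes: the receiving admin still has to enter the secret and review the "default" entries before loading anything.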