Why KAME/racoon sucks (was: OpenSWAN ANNOUNCEMENT)
Pekka Savola
pekkas at netcore.fi
Sun Jan 4 07:36:45 UTC 2004
On Sat, 3 Jan 2004, Dax Kelson wrote:
> As a user and an administrator of a variety of production systems' IKE
> daemons ranging from KAME/racoon, isakmpd, Solaris 8/9 IKE, FreeSWAN,
> and SuperFreeSWAN, I can comment that I've found all but SuperFreeSWAN
> sorely lacking.
There are more dimensions to this debate than just the number of
features.
> c) Virtual-IP support for persistent inner IP address in ESP packets.
> This allows no-headache IPsec through non-brain dead NATing
> routers/firewalls without resorting to the following.
>
> d) NAT-T (ala ESP-over-UDP) for IPsec through brain dead NATing
> routers/firewalls.
Are you aware that these are covered by multiple IPR claims?
> g) XAUTH support (authenticate VPN users/tunnels via PAM)
This is dangerous, and has been rejected in the IETF for
standardization. Why again should this be done then? If you want to
authenticate users/tunnels via PAM, can't this be done by creating a
PAM module interfacing IKE?
Also look at Bugtraq thread:
http://marc.theaimsgroup.com/?l=bugtraq&m=107124772803447&w=2
> h) DHCP over IPSec
That's already supported, I guess. What you're saying is maybe
"DHCP-over-IKE"? I believe that has also been rejected at the IETF,
but not sure.
--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security.  -- George R.R. Martin: A Clash of Kings