Re: IPSec on 2.4.2/IPv4
- To: Happy Linux Campers <linux-il(at-nospam)linux.org.il>
- Subject: Re: IPSec on 2.4.2/IPv4
- From: Miki Shapiro <aris(at-nospam)pharoe.com>
- Date: Sun, 20 May 2001 14:52:50 +0300 (IDT)
- Delivered-To: linux.org.il-linux-il@linux.org.il
- In-Reply-To: <20010520131502.A1393@pollux.galanet.net>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
On Sun, 20 May 2001, Ilya Konstantinov wrote:
> AFAIK, there isn't such thing as "suggesting".
Win2K allows you, if you're the client, to "ask" the server to use IPSec,
yet fall back to not using it if it refuses. Alternatively, if you're a
paranoid sysadmin with suicidal tendencies and a policy manager, it also
allows you to only agree to let a client application open a connection if
it uses IPSec (if it doesn't, the socket won't let it out at all).
On the receiving side (server application), it's not as flexible,
allowing you to either use, or not use IPSec, but not "suggest" to
the client, or "use, yet fall back to not using it if the client doesn't
know what IPsec is".
I assume that the Linux implementation of IPSec is no less powerful than
Microsoft's one.
Having just realized this, the more correct question then would be:
Can I ask my Linux box (with this kernel patch) to only use IPSec for
communication on pre-designated TCP ports? (and have other services such
as DNS and SMTP go on working without using IPSec?)
Thx.
---= Miki Shapiro =------------------
---= Cell: (+972)-56-322433 =--------
---= ICQ: 3EE853 =-------------------
---= Windows Programmer in Rehab =---
-------------------------------------
"If at first you don't succeed...
.. Skydiving is probably not for you."
On Sun, 20 May 2001, Ilya Konstantinov wrote:
> On Sun, May 20, 2001 at 12:59:43PM +0300, Miki Shapiro wrote:
> > Another Q:
> >
> > I want my box to suggest (yet not require) IPSec over my IPv4 connection,
> > especially for incoming sessions.
>
> AFAIK, there isn't such thing as "suggesting". Using IPSec is basically
> establishing a VPN tunnel with you (and possibly with your whole
> subnet, if you wish to expose it). First, the hosts handshake and
> exchange keys on port 500, then they can talk. For now, establishing
> such a connection is a thing one does on purpose -- the kernel doesn't
> automagically check if the other host has IPSec open.
>
> > I have a custom-tailored 2.4.2 as it is, and I didn't find IPSec support
> > in the config menu. I either missed something or...
>
> No, IPSec isn't merged in, but is available from a project called
> FreeS/WAN. http://www.freeswan.org
>
> > Can anyone point it out to me?
> > (I also really hope it's available as a module, I don't want to reset my
> > uptime ... :-))
>
> I'm afraid you'll need to patch the kernel and restart.
>
> --
> Best regards,
> Ilya Konstantinov
>
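The thread describes three client-side behaviours (never negotiate, request IPsec but fall back to cleartext, require IPsec) and a server side that can only be on or off, and then asks whether a per-port policy is possible. The following is an added illustration, not code from the thread, from Windows 2000 or from FreeS/WAN: it is a small model of how a security policy database with port selectors combines with those negotiation modes to decide whether a given connection goes over IPsec, in cleartext, or is refused. The rule list, port numbers and the reading of "server uses IPsec" as "server accepts IPsec only" are constructed assumptions for the example.

```python
"""Toy model of per-port IPsec policy and negotiation outcomes.

Added example: this is NOT the Windows 2000 policy agent, FreeS/WAN or
the Linux kernel; it models the behaviours the thread describes so the
outcome of each client/server combination can be checked.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Client(Enum):
    NONE = "none"        # never try to negotiate IPsec for this traffic
    REQUEST = "request"  # ask for IPsec, fall back to cleartext if refused
    REQUIRE = "require"  # refuse to talk at all unless IPsec is negotiated


class Server(Enum):
    OFF = "off"  # peer does not speak IPsec (no IKE responder on UDP/500)
    ON = "on"    # peer accepts IPsec only (assumption: no fallback on the server side)


@dataclass(frozen=True)
class Rule:
    """One selector in a toy security policy database (SPD)."""
    proto: str           # "tcp" or "udp"
    port: Optional[int]  # destination port; None matches any port
    client: Client       # behaviour applied to traffic matching this selector


def policy_for(rules: List[Rule], proto: str, port: int,
               default: Client = Client.NONE) -> Client:
    """First-match lookup of the client behaviour for a destination proto/port."""
    for rule in rules:
        if rule.proto == proto and (rule.port is None or rule.port == port):
            return rule.client
    return default


def negotiate(client: Client, server: Server) -> str:
    """Outcome of one connection attempt: 'ipsec', 'cleartext' or 'refused'."""
    if client is Client.NONE:
        # Client never starts IKE; a server that insists on IPsec drops it.
        return "refused" if server is Server.ON else "cleartext"
    # Client initiates the IKE handshake (UDP/500 in the thread's description).
    if server is Server.ON:
        return "ipsec"
    # No IPsec peer on the other side: only the REQUEST mode may fall back.
    return "cleartext" if client is Client.REQUEST else "refused"


def decide(rules: List[Rule], proto: str, port: int, server: Server) -> str:
    """Combine the per-port SPD lookup with the negotiation outcome."""
    return negotiate(policy_for(rules, proto, port), server)


# Constructed policy: protect SSH and a database port unconditionally,
# opportunistically protect HTTP, leave everything else (DNS, SMTP, ...) alone.
RULES = [
    Rule("tcp", 22, Client.REQUIRE),
    Rule("tcp", 3306, Client.REQUIRE),
    Rule("tcp", 80, Client.REQUEST),
]


if __name__ == "__main__":
    for proto, port, server in [("tcp", 22, Server.OFF), ("tcp", 22, Server.ON),
                                ("tcp", 80, Server.OFF), ("udp", 53, Server.OFF),
                                ("tcp", 25, Server.ON)]:
        print(f"{proto}/{port} vs server {server.value}: "
              f"{decide(RULES, proto, port, server)}")
```

The point a practitioner should take from the model is the asymmetry the thread describes: a REQUIRE selector is the only one that fails closed when the peer lacks IPsec, while a REQUEST selector silently degrades to cleartext, so the port list that matters for protection is the REQUIRE list, and an unprotected server that insists on IPsec will simply refuse clients that have no matching rule.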