IPSec in Fedora Linux vs Cisco IOS ?
From: Tim Nguyen (tvn104_at_hotmail.com)
Date: 10/24/04
- Next message: Santa: "How can I drop "Source Quench, Redirect, Time stamp and Time stamp reply" ICMP packets"
- Previous message: Menno Duursma: "[long] Re: My way of securing my server... Any ideas?"
- Next in thread: Kimmo Koivisto: "Re: IPSec in Fedora Linux vs Cisco IOS ?"
- Reply: Kimmo Koivisto: "Re: IPSec in Fedora Linux vs Cisco IOS ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 24 Oct 2004 13:11:34 -0400
Hello,
I need to replace Cisco routers with Linux boxes and ran into the following
problem with IPsec.
In Cisco IOS, to specify the packets to be protected under one SA, I can
write an arbitrary number of statements (which specify the packets in terms
of addresses, protocols, ports, etc.) and put all these statements in one
single access list. This access list is pointed to in a crypto map subset,
which corresponds to one single SA. In other words Cisco IOS allows me to
put arbitrarily different packet flows under one single SA, i.e. in one
single IPSec tunnel (assuming the tunnel mode is being used).
In Linux Fedora I tried IPSec with racoon and found out that there are a lot
of restrictions in specifying the packets to be put under one single SA. Both
commands spdadd (in ipsec.conf) and sainfo (in racoon.conf) accept only host
addresses or subnet addresses. On top of that these commands do not accept a
list of statements which specify the packet flows to be protected. As a
result the packets which can be put under one single SA must share the same
host (either source or destination) or the same subnet (either source or
destination). I cannot put, say, traffic from subnet A to B and from subnet
C to D into the same tunnel (again assuming tunnel mode is in use), even
though they all pass through the same network link to which I need to apply
IPsec. I know racoon has the keyword "anonymous" but it's too broad, while
the other option (specifying addresses) is too limited. What I need is the
kind of flexibility available in Cisco IOS.
If you have any suggestion please let me hear about it. If there's any
commercial solution you know about then please let me know. Thank you for
your patience in reading this post.
Regards,
Tim
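To make the difference described in the post concrete, here is an added example (editor's code, not the poster's configuration): it expands a Cisco-style crypto access list into setkey(8) spdadd policies. Because a KAME SPD entry carries exactly one src/dst selector, every permit entry becomes its own SPD entry that merely shares the same tunnel endpoints; the gateway and subnet addresses are constructed documentation-range placeholders.

```python
"""Expand a Cisco-style crypto ACL into setkey(8) spdadd lines.

Constructed example: each permit entry (ACE) of the access list becomes
one SPD entry in each direction, all pointing at the same tunnel
endpoints. N ACEs therefore yield 2N spdadd lines rather than one
policy covering all flows.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One permit entry of a crypto access list (constructed values)."""
    src: str                # prefix, e.g. "10.1.0.0/16"
    dst: str
    proto: str = "any"      # setkey upperspec: any, tcp, udp, icmp, ...
    sport: str = "any"      # "any" or a decimal port number
    dport: str = "any"


def _endpoint(prefix: str, port: str) -> str:
    """Render a setkey address range, appending [port] when one is given."""
    return f"{prefix}[{port}]" if port != "any" else prefix


def spd_lines(acl, local_gw, remote_gw, mode="tunnel"):
    """Return the spdadd statements equivalent to the ACL, out and in."""
    lines = []
    for ace in acl:
        out_sel = (f"{_endpoint(ace.src, ace.sport)} "
                   f"{_endpoint(ace.dst, ace.dport)} {ace.proto}")
        in_sel = (f"{_endpoint(ace.dst, ace.dport)} "
                  f"{_endpoint(ace.src, ace.sport)} {ace.proto}")
        lines.append(f"spdadd {out_sel} -P out ipsec "
                     f"esp/{mode}/{local_gw}-{remote_gw}/require;")
        lines.append(f"spdadd {in_sel} -P in ipsec "
                     f"esp/{mode}/{remote_gw}-{local_gw}/require;")
    return lines


if __name__ == "__main__":
    # Constructed ACL: subnet A -> B for everything, C -> D only HTTP.
    acl = [Ace("10.1.0.0/16", "10.2.0.0/16"),
           Ace("10.3.0.0/24", "10.4.0.0/24", "tcp", "any", "80")]
    for line in spd_lines(acl, "192.0.2.1", "198.51.100.1"):
        print(line)
```

Feed the output to `setkey -c` (or place it in the setkey policy file); with racoon each of these policies triggers its own phase 2 negotiation, so expect one SA pair per ACE, not one tunnel for the whole list.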