[vpnc-devel] Working on certificate authentication ...
Hans-Werner Hilse
hilse at web.de
Thu Aug 10 15:47:51 CEST 2006
Hi,
On Thu, 10 Aug 2006 11:55:42 +0200 "Jonathan Schaeffer"
<joschaeffer at gmail.com> wrote:
> I just subscribed to this ML in order to bring some help (if I'm able to)
> in the dev of vpnc, and I'm especially interested in certificate based
> authentication support.
You did take a look at ipsec-tools (http://ipsec-tools.sf.net/), didn't
you?
> Does someone work on this matter ? Is someone else interested in the
> subject ? Are there some interesting starting point to understand how
> the protocol works ?
There are of course the IPsec RFCs. I would suggest using the
documentation that comes with above mentioned ipsec-tools as a starting
point.
> Maybe it's a bad idea to start on the project with this matter. If so,
> I would be happy to help on other matters as appetizer :)
I think the most important question is: Do we need certificate
authentication in vpnc?
> The previous mail from Dan talks about a Kernel IPSec patch. Has it
> something to do with certificate authentication ?
Most probably not by any means. The kernel can do AH/ESP encryption but
doesn't do key exchange at all, and this would be where certificates
come into play. Using kernel IPsec would degrade vpnc from a user space
IPsec implementation to an IKE daemon like ipsec-tools' racoon daemon. I
don't see much sense doing this, because there _is_ racoon. OTOH, vpnc
provides a user space IPsec implementation, which might be an
interesting thing to keep.
-hwh