Unless there's been some recent development I haven't heard of,
incorporating user authentication (like e.g. SecurID) into IPSec
remains an open research problem. Any solution that's in use today
is a special one-off ad-hoc hack. Such a hack is easy to make.

If I needed to cook one, I'd rig a CGI that did the SecurID auth,
then enabled that user in the FreeS/WAN config, then scheduled a job
to yank that user back out (preventing new logins) after a few
minutes. I believe you can enable/disable users without disrupting
existing security associations by just frobbing the auth data, but I
haven't tried it.

Instead of a CGI, you could do this with an ssh login, or whatever
other protocol you like.

-Bennett
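A sketch of the ad-hoc gate described in the post, as an added example that is not Bennett's own code nor part of FreeS/WAN: a strong-auth hook opens a short window by adding the user's PSK line to ipsec.secrets, a scheduled job removes it again, and `ipsec auto --rereadsecrets` asks pluto to reload the file. The secrets path defaults to a constructed location rather than /etc/ipsec.secrets, the `securid_check` hook is a fail-closed placeholder for whatever external authenticator you use, and every function name is an assumption made for this illustration. The identity validation and the temp-file-plus-rename update are defensive additions; the post's caveat that reloading secrets under live security associations is untested still stands.

```shell
#!/bin/sh
# Added example (not from the original post): a time-limited login gate
# in the spirit of the sketch above. SECRETS_FILE, WINDOW_MIN and all
# function names are assumptions for this illustration.

SECRETS_FILE="${SECRETS_FILE:-/tmp/ipsec.secrets.example}"  # constructed path; real file is /etc/ipsec.secrets
WINDOW_MIN="${WINDOW_MIN:-5}"                               # minutes a newly enabled user may start logins

# Only accept identities that cannot smuggle extra syntax into the secrets file.
valid_id() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Hook for the external strong-auth step (SecurID in the post). Left as a
# fail-closed placeholder: replace it with a call to your real checker.
securid_check() {
    return 1
}

# Ask pluto to reload ipsec.secrets if the FreeS/WAN tools are installed;
# a missing ipsec binary is treated as "nothing to reload" here.
reread_secrets() {
    if command -v ipsec >/dev/null 2>&1; then
        ipsec auto --rereadsecrets
    fi
}

# Exit 0 if the user currently has a line in the secrets file, else 1.
is_enabled() {
    [ -f "$SECRETS_FILE" ] || return 1
    awk -v id="@$1" '$1 == id { found = 1 } END { exit !found }' "$SECRETS_FILE"
}

# Append a PSK line for the user; refuse unsafe ids or secrets containing quotes,
# and do not duplicate an entry that is already present.
grant_access() {
    user=$1; psk=$2
    valid_id "$user" || return 1
    case "$psk" in *\"*) return 1 ;; esac
    touch "$SECRETS_FILE"
    is_enabled "$user" && return 0
    printf '@%s : PSK "%s"\n' "$user" "$psk" >> "$SECRETS_FILE"
    reread_secrets
}

# Remove the user's line atomically: write a temp file, then rename over the original.
revoke_access() {
    user=$1
    valid_id "$user" || return 1
    [ -f "$SECRETS_FILE" ] || return 0
    tmp="$SECRETS_FILE.tmp.$$"
    awk -v id="@$user" '$1 != id' "$SECRETS_FILE" > "$tmp" && mv "$tmp" "$SECRETS_FILE"
    reread_secrets
}

# Schedule the revoke after WINDOW_MIN minutes (or an explicit second argument).
# A background sleep stands in for the cron/at job in the post; at(1) would
# survive this script exiting, a backgrounded subshell will not.
schedule_revoke() {
    ( sleep "$(( ${2:-$WINDOW_MIN} * 60 ))"; revoke_access "$1" ) &
}

# The CGI/ssh entry point: strong auth first, then open a short window.
login_handler() {
    user=$1; token=$2; psk=$3
    securid_check "$user" "$token" || return 1
    grant_access "$user" "$psk" || return 1
    schedule_revoke "$user"
}
```

Because `securid_check` rejects everything until replaced, `login_handler` cannot accidentally enable anyone in a fresh deployment; the revoke job is what enforces the "preventing new logins after a few minutes" property, so it should run from a scheduler that survives the web server or shell session ending.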
