If you are using Win2K clients, Chad has put up a good chapter. It would be
good to understand what exactly it does. I then used Marcus Mueller's IPSec
utility. It uses a freeswan ipsec.conf file and allows you to define the
policies using the IP assigned by your ISP to your interface, acquiring it
from the RAS subsystem dynamically. Chad's method assumes you know the IP,
because M$ also assumes so.

Marcus' utility allows you to choose RAS or LAN for IPSec, or auto (whichever
is UP), making it ideal for users who use it from an office via LAN and
dial-up when outside the office.

Marcus' site http://vpn.ebootis.de

HTH
Mohan


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Mike Leone
Sent: 10 February 2003 09:27
To: 'LEAF ML'
Subject: Re: [leaf-user] Bering w/IPSec troubles - no fswcert command in Debian?


S Mohan ([EMAIL PROTECTED]) had this to say on 02/09/03 at 21:18:
> You do not need fswcert for Freeswan 1.96 upwards. In the ipsec.secrets
> file, you can give the name of the pem file itself. Freeswan will
> "automagically" discover the format of the key and extract it at
> startup.

Good to know. :-) Meanwhile, I did find a copy of the fswcert program in an
old downloads directory.

> Your ipsec gateway's certificate should be stored in the
> /etc/ipsec.d/private directory (in either der or pem format) and be
> referenced in ipsec.secrets by filename with an optional passphrase as
> under:
>
> : RSA <certificate file name> <passphrase>
>
> The : RSA must start at the left margin. The file MUST have no more than
> 700 permissions and be owned by root to be secure.
>
> It works. I've tried this.

I will try that, thanks.

The example /etc/ipsec.secrets file has a format like this:

: RSA   {
        # -- Create your own RSA key with "ipsec rsasigkey"
        }

Should I just include the filename and passphrase starting at the point of
that hash mark?

I'm trying to start small, and just connect to the Pix at work. Ideally, I'd
like a subnet-to-subnet connection (we use pre-shared keys, 3DES-level), so
that the office will be transparently available to me, regardless of what
machine I am using on my home LAN (Win2K, Linux, etc).

Later, I'll see if I can do it via certs.

Then work the other way, and connect from work to home LAN, using certs.

That's the game plan, anyway. :-)
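An added example, not code from the thread or from the FreeS/WAN project: a small Python checker for the ipsec.secrets conventions quoted above (": RSA <file> [passphrase]" starting at the left margin, key files owned by root with permissions no wider than 700). It assumes that a bare file name is looked up under /etc/ipsec.d/private, and the layout built by demo() is constructed for illustration.

```python
import os, re, tempfile

# FreeS/WAN 1.96+ form from the thread: ": RSA <file> [passphrase]" at the left margin
RSA_LINE = re.compile(r'^: RSA\s+(\S+)(?:\s+(\S.*?))?\s*$')

def parse_secrets(text):
    """Return ([(key_file, passphrase)], [problems]) for ipsec.secrets text."""
    entries, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RSA_LINE.match(line)
        if m and m.group(1) != "{":          # "{" opens an inline key block instead
            entries.append((m.group(1), m.group(2)))
        elif not m and line.lstrip().startswith(": RSA"):
            problems.append(f"line {n}: ': RSA' is indented; it must start at the left margin")
    return entries, problems

def check_private(path, owner_uid=0):
    """Rules quoted in the thread: owned by root (uid 0), no more than 0700."""
    if not os.path.exists(path):
        return [f"{path}: missing"]
    st, problems = os.stat(path), []
    if st.st_uid != owner_uid:
        problems.append(f"{path}: owner uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & 0o077:
        problems.append(f"{path}: mode {st.st_mode & 0o777:04o} is readable by others")
    return problems

def audit_secrets(secrets_path, key_dir="/etc/ipsec.d/private", owner_uid=0):
    """Audit ipsec.secrets and every key it names; assumption: bare names live in key_dir."""
    with open(secrets_path) as fh:
        entries, problems = parse_secrets(fh.read())
    # os.path.join returns an absolute name unchanged, so full paths also work
    paths = [secrets_path] + [os.path.join(key_dir, name) for name, _ in entries]
    for path in paths:
        problems += check_private(path, owner_uid)
    return entries, problems

def demo():
    """Constructed layout (not from the thread); owner is the current user, not root."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "private"))
    for name, mode in (("good.pem", 0o600), ("bad.pem", 0o644)):
        path = os.path.join(base, "private", name)
        open(path, "w").close()
        os.chmod(path, mode)
    secrets = os.path.join(base, "ipsec.secrets")
    with open(secrets, "w") as fh:
        fh.write(': RSA good.pem "secret phrase"\n: RSA bad.pem\n  : RSA indented.pem\n')
    os.chmod(secrets, 0o600)
    return audit_secrets(secrets, os.path.join(base, "private"), os.getuid())
```

Run against a real gateway with the defaults (key_dir=/etc/ipsec.d/private, owner_uid=0) as root; demo() uses the current user so it can run unprivileged.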



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html