Hi Alan,
On 05/21/10 08:34 AM, Dan McDonald wrote:
> On Thu, May 20, 2010 at 10:51:48PM -0700, Alan DuBoff wrote:
>> I know the punchin code is in Solaris, but it's not very useful without the
>> server/daemon portion to connect to.
>
> It's actually not.

Punchin, that is, not IPsec/IKE, which is still very useful natively on
Solaris.

>> Can (Open)Solaris talk to any of these with its IPSEC/IKE protocol?

As asked, the answer to this question is an emphatic "yes, of course!".

> Our IKE doesn't contain the XAUTH and CFG extensions that you're probably
> looking for. Also, our IKE was OEMed so it's in usr/closed/.

Maybe the question is implicitly about VPN support, but the question
was not specifically stated that way and this answer is going to really
confuse the archives, so I want to set the record straight.

The (OpenSolaris) IPsec/IKE protocol is completely interoperable with
all of these vendors and has been for years. The standard is
implemented and there are massive interoperable deployments in
production right now using Solaris as part of IPsec/IKE infrastructure,
talking to a heterogeneous array of clients. IPsec/IKE in Solaris is
very functional and the vast majority of customers currently want it for
infrastructure, not VPN.

The additional XAUTH and CFG extensions that Cisco invented for VPN
purposes and many implementations adopted (like racoon in Linux, for
instance) are not implemented in Solaris, so the Cisco or Cisco-like VPN
connections are not possible.

So, what, specifically, are you doing in your infrastructure? If you're
just speaking IPsec/IKE in transport or tunnel mode, we should have no
problems interoperating. The internal punchin stuff you allude to is
just for user level interactive authentication and client network
configuration rewhacking. It's not clear to me from your message that
you need any of that. Please be clear on whether you are talking about
VPNs specifically or just IPsec/IKE because we might be able to help.

Thanks!

Paul
_______________________________________________
security-discuss mailing list