keeping people off the net

Jim Carter jimc at math.ucla.edu
Wed Feb 5 04:29:42 EST 2003


On Sun, 2 Feb 2003, Brett Lymn wrote:
> On Fri, Jan 31, 2003 at 05:34:04PM +1100, Alex Satrapa wrote:
> > In that suggestion, I had avoided using IPSec because of the complexity
> > ...
>
> Errr IPSec is complex?  I had it up and running in about 5 minutes
> flat using preshared keys by following this...

I found FreeS/WAN for Linux (http://www.freeswan.org/) (IPSec, RFC 2401) to
be fairly tractable.  I'm using X.509 authentication of clients, which
needs a patch.  It helped that I already had the certificate authority set
up for another purpose.  But a big fly in the ointment is that FreeS/WAN
can't stand nonunique IP addresses on clients, such as 192.168.0.1, very
commonly assigned by commercial residential gateway products, nor does
ISAKMP work through NAT (as implemented by them).

So FreeS/WAN is fine for transmission on wireless from your laptop to your
home Linux router-server, or from the server to the terminus at work, or
both in series, but a single hop through a purchased NAT box isn't going to
happen.

I've mentioned this problem on the FreeS/WAN mailing list.  If you care --
send those cards and letters.

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc at math.ucla.edu  http://www.math.ucla.edu/~jimc (q.v. for PGP key)


