Contributed by jose on from the standards-compliant dept.
"OpenBSD FAQ #13 is NOT the end-all and be-all of how to program an OpenBSD VPN! The FAQ does a good job of explaining two methods, but doesn't mention a far better third alternative.

The first method, shared secret passphrases, is good for testing a VPN on two nodes. It doesn't securely scale well at all on three or more nodes, because if you break into one site, you have broken into them all.

The second method, X509 digital certificates, relies on a centralized PKI to do its work. This may mean paying companies like Verisign to support an infrastructure that has its own flaws. For more information on this point, read chapter 15 of "Secrets and Lies" by Bruce Schneier.

The third alternative is called KeyNote, which is a decentralized trust management system. The primary documents that define KeyNote are RFC2704 and RFC2796. The web pages of some of the authors of the RFC papers are below:

To implement a KeyNote VPN, read the man pages of these entries: keynote, isakmpd, isakmpd.conf, isakmpd.policy, ipsec, ipsecadm, vpn. Also, read the academic papers linked from the sites above. They contain example code, observations, and notes of possible future use of KeyNote. Has anyone else out there successfully programmed a KeyNote VPN like me?"

I have always wanted to look at setting up Keynote, now I have some good reasons and resources.
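As an added illustration (not from the submitter or from the OpenBSD man pages) of what the decentralized trust model looks like in practice, here are two KeyNote assertions in the style isakmpd.policy(5) accepts: a local POLICY assertion that trusts only the site administrator's key for IPsec decisions, and a credential signed by that administrator key that delegates a narrow, non-null-encryption ESP authorization to one peer key. The key blobs, signature and addresses are placeholders, and the attribute names used are the ones isakmpd exposes to KeyNote (app_domain, esp_present, esp_enc_alg, esp_auth_alg, remote_ike_address, pfs).

```text
KeyNote-Version: 2
Comment: Local policy: the only root of trust is the site admin key.
Comment: Nothing is trusted directly; all peer access is delegated below.
Authorizer: "POLICY"
Licensees: "rsa-hex:<ADMIN-PUBLIC-KEY-PLACEHOLDER>"
Conditions: app_domain == "IPsec policy" -> "true";

KeyNote-Version: 2
Comment: Credential issued by the site admin to one peer key (placeholder).
Comment: Compromise of this peer yields only what these Conditions allow;
Comment: other peers hold separate credentials, and no central CA exists.
Authorizer: "rsa-hex:<ADMIN-PUBLIC-KEY-PLACEHOLDER>"
Licensees: "rsa-hex:<PEER-PUBLIC-KEY-PLACEHOLDER>"
Conditions: app_domain == "IPsec policy" &&
            remote_ike_address == "192.0.2.10" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" &&
            esp_auth_alg != "null" &&
            pfs == "yes" -> "true";
Signature: "sig-rsa-sha1-hex:<SIGNATURE-BY-ADMIN-KEY-PLACEHOLDER>"
```

The POLICY assertion lives in the local isakmpd.policy file, while the signed credential is what the peer presents (or what you store for it) and is checked against that policy; revoking one peer means withholding its credential rather than touching any shared secret or central certificate authority.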