
Re: Quick advice: Racoon and IPsec



On Tuesday 09 August 2005 03:32, Jeff Stevens wrote:
> Anders,
>
> Our situations differ a bit, however I've found Debian's racoon package
> to be quite useful.  I just use it to encrypt all traffic between two
> hosts that use NFS and XDMCP on my LAN.  Who says NFS can't be secure in
> transit?  I also only use PSKs and haven't bothered with certs.
>
> When you install it, debconf will ask if you want to use racoon-tool.
> I've only used racoon with the racoon-tool configuration file, which I
> understand simplifies things.
>
> After installing, there are really only three steps:
>
> 1.  Add your host/PSK entry to /etc/racoon/psk.txt
> 2.  Add a connection to /etc/racoon/racoon-tool.conf
> 3.  Restart /etc/init.d/racoon
>
> It's not perfect.  The most annoying issue in my little setup is that
> NFS doesn't mount immediately on boot.  It seems it takes some time
> (seconds) for the connection to become available and the first few
> packets go nowhere.  I think this is pointed out in the IPSec HOWTO.
>
> -Jeff

Thank you for your answer. I will look into racoon-tool.

Since I control all hosts in the setup I have in mind, it should be no problem 
to use preshared keys. In fact, I dd'ed from /dev/random to create the set, 
when I played with it.
The one thing that bugs me is that the tunnel will bear a VLAN, but reside 
on the Internet (or any other insecure network); therefore the laptop 
somehow has to identify itself as a part of the VLAN first, and a part of the 
insecure network second.
That is a problem in my mind, as there will only be one physical interface 
involved: My laptop will not be a remote endpoint for a network -- just for 
itself. How does one accomplish having the laptop's eth0 on a (potentially 
NAT'ed) Internet IP-address, while having it consider a gateway on the VLAN 
to be its primary route (or default gateway, as I believe it's called)?

Anyway, I'll just let answers settle. Thank you again.
Regards, Anders Breindahl.
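The three-step racoon-tool setup Jeff describes above, staged as a small POSIX shell script; this is an added example, not code from the thread or from the racoon package. It assumes a host-to-host transport-mode SA between two constructed addresses (192.0.2.10 local, 192.0.2.20 peer), and the racoon-tool.conf key names are written from memory of racoon-tool.conf(5), so check them against the man page your package ships.

```shell
#!/bin/sh
# Added example (not from the thread): stage Jeff's three-step racoon-tool setup
# for a host-to-host transport-mode SA. Constructed addresses: 192.0.2.10 = this
# host, 192.0.2.20 = peer.
set -eu
umask 077                        # every file created here starts out 0600
LOCAL=192.0.2.10; REMOTE=192.0.2.20

# PSK from the kernel RNG, hex-encoded (Anders dd'ed /dev/random: same idea).
# racoon uses the key text literally, so 32 random bytes -> 64 ASCII characters.
gen_psk() {                      # gen_psk <bytes>
    od -An -vtx1 -N "$1" /dev/urandom | tr -d ' \n'
}

# Step 1: psk.txt is one "<peer identifier> <key>" per line. An earlier line for
# the same peer is dropped; the file stays 0600 since racoon refuses a psk.txt
# that group or others can read.
add_psk() {                      # add_psk <root> <peer-id> <key>
    f="$1/psk.txt"
    { [ -f "$f" ] && awk -v p="$2" '$1 != p' "$f"; printf '%s\t%s\n' "$2" "$3"; } > "$f.tmp"
    mv "$f.tmp" "$f"; chmod 600 "$f"
}

# Step 2: append a peer and connection stanza. Key names are from memory of
# racoon-tool.conf(5); verify them against the man page shipped with the package.
write_conn() {                   # write_conn <root> <local-ip> <remote-ip>
    cat >> "$1/racoon-tool.conf" <<EOF
peer $3
    exchange_mode: main
    authentication_method: pre_shared_key
    encryption_algorithm: aes
    hash_algorithm: sha1
    dh_group: modp1024

connection host-to-host
    src_ip: $2
    dst_ip: $3
    admin_status: enabled
    encap_mode: transport
    encryption_algorithm: aes
    hash_algorithm: hmac_sha1
    dh_group: modp1024
EOF
}

# Step 3 is left to the operator. Usage: sh stage-racoon.sh /etc/racoon (as root)
if [ $# -ge 1 ]; then
    add_psk "$1" "$REMOTE" "$(gen_psk 32)"; write_conn "$1" "$LOCAL" "$REMOTE"
    echo "now run: /etc/init.d/racoon restart"
fi
```

Point it at a scratch directory first to inspect what it writes, then at /etc/racoon as root; the peer identifier in psk.txt is the remote address racoon sees, so behind NAT it must be the post-translation one.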
