Re: Bug#163904: ITP: isakmpd, an implementation of the ISAKMP protocol
in Oct, Noah L. Meyerhans probably wrote :
|On Thu, Oct 10, 2002 at 10:40:55AM +1000, Jean-Francois Dive wrote: >
|This software provide an implementation of the internet key exchange
|protocol. > The supported ipsec implementation is freeswan KLIPS and
|USAGI IPsec will nbe > added in a near future.
|So this software will perform the duties of the pluto software in the
|freeswan package? What are the advantages of using it?
Here are some things that pop into mind, perhaps someone can help me
throw any misunderstandings I have about pluto's capabilities.
1. Extensive debugging output
a. isakmpd can log decrypted packets to a binary log suitable
for parsing with ethereal. *very* useful when debugging
b. isakmpd has debug messages divided into 9 zones (like
message, crypto, policy, exchange, timer), each with
a separate verbosity knob.
2. *Extremely* RFC compliant, and nearly a complete implementation.
a. IPv4 & IPv6
3. Support for Keynote policies, and many phase one authentication
a. x509 (w/o patches)
b. Public key crypto (can include keynote credentials)
c. Passphrase / shared secret
4. Scalable. One of Ericsson's design requirements was tens of
thousands of associations (I think Hakan Olsson said they
had something like 25,000 running over loopback - this is
in the firstname.lastname@example.org archives)
5. Easily understood and built configuration files
6. Extensive documentation already in place (man pages, openbsd FAQ)
IIRC, near the time isakmpd was first released it worked with linux,
then KLIPS changed.
More qualitatively, having worked with both, I much prefer having to
examine and fix the inevitable problems getting ISAKMP peers to talk
to each other with isakmpd -- I find it much easier to use and