Re: Bug#163904: ITP: isakmpd, an implementation of the ISAKMP protocol



in Oct, Noah L. Meyerhans probably wrote:

|On Thu, Oct 10, 2002 at 10:40:55AM +1000, Jean-Francois Dive wrote:
|> This software provides an implementation of the internet key exchange
|> protocol. The supported ipsec implementation is freeswan KLIPS and
|> USAGI IPsec will be added in the near future.
|
|So this software will perform the duties of the pluto software in the
|freeswan package?  What are the advantages of using it?

  Here are some things that pop into mind, perhaps someone can help me
  throw any misunderstandings I have about pluto's capabilities.

  1. Extensive debugging output
     a. isakmpd can log decrypted packets to a binary log suitable
        for parsing with ethereal. *very* useful when debugging
        inter-operability issues.
     b. isakmpd has debug messages divided into 9 zones (like
        message, crypto, policy, exchange, timer), each with
        a separate verbosity knob.

  2. *Extremely* RFC compliant, and nearly a complete implementation.
     a. IPv4 & IPv6
  3. Support for KeyNote policies, and many phase one authentication
     schemes
     a. x509 (w/o patches)
     b. Public key crypto (can include KeyNote credentials)
     c. Passphrase / shared secret
  4. Scalable. One of Ericsson's design requirements was tens of
     thousands of associations (I think Hakan Olsson said they
     had something like 25,000 running over loopback - this is
     in the tech@openbsd.org archives)
  5. Easily understood and built configuration files
  6. Extensive documentation already in place (man pages, openbsd FAQ)

  IIRC, near the time isakmpd was first released it worked with linux,
  then KLIPS changed.

  More qualitatively, having worked with both, I much prefer having to
  examine and fix the inevitable problems getting ISAKMP peers to talk
  to each other with isakmpd -- I find it much easier to use and
  control.

  matt