
Re: What VPN is recommended?



Rino Mardo wrote:

> hardware-based solutions seem awkward.  you're talking about dongles or
> pccard right?  what about some passphrase like what gnupg does before
> signing a message?

This would indeed be a step in the right direction, but so far as I know
(and I'm sure someone will correct me if I'm wrong) FreeS/WAN does not
support this (though it would be a trivial hack to write a wrapper).
One of the gravest concerns when you're working with PSKs is that
someone will get the private key from one of your Road Warriors.  But
only slightly less worrying is one of your employees enabling file
sharing on their Internet adapter, perhaps for a home network, and then
having a script-kiddie drop something as common as Wingate or something
on the computer.  In that scenario, a pass phrase wouldn't help.  The
connection is already established, and although the intruder doesn't
have your private key, he can still piggy-back through your firewall.

If you do take the software route, you should definitely make an effort
to train your users to be prudent about the security of their machines
(as much so as possible w/ Windows).  It also might be a good idea to
start treating your internal network as though it were externally
accessible.

 - James

-- 
All Lisa's .sigs are belong to me
Somebody set up her the bomb.
