Re: ipsec scalability?
> > For most situations, I imagine administering it will be the real problem.
> > (Ex. "we need to change tunnel 4321 to use 3des")
> Are there any scripts or programs to help in administrating VPNs on OpenBSD?
> A web-based solution would be nice.

I'm currently working on a series of scripts (together with a few guys from
Slovenia OBSD group) to do this using preshared keys. It's meant to be a
part of my B.Sc. diploma thesis on deployment and management of complex VPN
systems using OBSD/isakmpd.
It's still in "hack" phase, but it's functional. No web interface, though.

Basically I have a central list of endpoints (either gateways or individual
hosts), from that a script generates the required isakmpd.conf files and
those go into secure distribution (via scp) to endpoints. At the endpoints
the new isakmpd.conf gets more or less smartly merged with the existing
isakmpd.conf (to preserve local isakmpd specifics) and isakmpd gets a -HUP.

As I said, it's still in an early phase. No pkg yet, some manual
installation required, currently supporting only peer to peer VPN topology,
no support for dynamic ip, may be hazardous to your
health/fattening/immoral. Eventually it will support some sort of ddns
infrastructure, dynamic ips, web based dns subdomain administration and
hopefully some other candy.

Currently connecting together 6 LANs and managing 18 SA pairs. Any
configuration changes take effect in 1 minute max.

Regards, Mitja
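
The generation step described in the message above, sketched as an added example (not the poster's scripts): a central endpoint list is turned into one isakmpd.conf per endpoint for a peer-to-peer mesh, with a separate random preshared key for each pair of endpoints. Assumptions: the endpoint names, addresses and networks are constructed, the function names are hypothetical, and the transform and suite names rely on isakmpd's predefined `3DES-SHA` and `QM-ESP-3DES-SHA-PFS-SUITE` sections.

```python
import itertools, os, secrets

# Constructed inventory: names, addresses and networks are made up for this example.
ENDPOINTS = {
    "gw-a": {"addr": "192.0.2.1", "net": "10.1.0.0", "mask": "255.255.255.0"},
    "gw-b": {"addr": "192.0.2.2", "net": "10.2.0.0", "mask": "255.255.255.0"},
    "gw-c": {"addr": "192.0.2.3", "net": "10.3.0.0", "mask": "255.255.255.0"},
}

def pair_keys(names):
    """One independent random preshared key per unordered pair of endpoints."""
    return {frozenset(p): secrets.token_hex(32)
            for p in itertools.combinations(sorted(names), 2)}

def render(local, endpoints, keys):
    """Return the isakmpd.conf text for endpoint `local` in a full mesh."""
    peers = [n for n in sorted(endpoints) if n != local]
    out = ["[General]", f"Listen-on= {endpoints[local]['addr']}", "", "[Phase 1]"]
    out += [f"{endpoints[p]['addr']}= ISAKMP-peer-{p}" for p in peers]
    conns = ",".join(f"IPsec-{local}-{p}" for p in peers)
    out += ["", "[Phase 2]", f"Connections= {conns}", ""]
    for p in peers:
        out += [f"[ISAKMP-peer-{p}]", "Phase= 1", "Transport= udp",
                f"Address= {endpoints[p]['addr']}",
                "Configuration= Default-main-mode",
                f"Authentication= {keys[frozenset((local, p))]}", "",
                f"[IPsec-{local}-{p}]", "Phase= 2", f"ISAKMP-peer= ISAKMP-peer-{p}",
                "Configuration= Default-quick-mode",
                f"Local-ID= Net-{local}", f"Remote-ID= Net-{p}", ""]
    for n in [local] + peers:
        ep = endpoints[n]
        out += [f"[Net-{n}]", "ID-type= IPV4_ADDR_SUBNET",
                f"Network= {ep['net']}", f"Netmask= {ep['mask']}", ""]
    out += ["[Default-main-mode]", "DOI= IPSEC", "EXCHANGE_TYPE= ID_PROT",
            "Transforms= 3DES-SHA", "",
            "[Default-quick-mode]", "DOI= IPSEC", "EXCHANGE_TYPE= QUICK_MODE",
            "Suites= QM-ESP-3DES-SHA-PFS-SUITE", ""]
    return "\n".join(out)

def write_config(path, text):
    """Write the file as mode 0600: it contains the preshared keys."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fh.fileno(), 0o600)  # also tighten a pre-existing file
        fh.write(text)

if __name__ == "__main__":
    keys = pair_keys(ENDPOINTS)
    for name in ENDPOINTS:
        write_config(f"isakmpd.conf.{name}", render(name, ENDPOINTS, keys))
```

Because each pair has its own key, the file generated for one endpoint never contains the key shared by two other endpoints, so a compromised gateway exposes only its own tunnels.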