Subject: Re: filtering a bridge
To: None <>
From: Wolfgang Rupprecht <>
List: current-users
Date: 02/09/2002 15:08:27
Paul Dokas writes:
> Sure, I can see this being the same bug.  The only thing that leaves a doubt
> for me is that you don't mention a panic.  This bug has always been accompanied
> by a panic for me.

The system simply stopped responding.  I don't know if the kernel
dropped me into DDB or not.  I was running X and wscons.  All I know
that the monitor claimed 'no sync'.  Come to think of it I should
probably just do a: 

	sysctl -w 'ddb.onpanic=0'

> Actually I've *far* from given up with IPSec.  On the contrary, for static
> point to point links, tunnels and very limited mobile use, I've found it
> extremely useful.  The hardest thing about it for me was simply figuring
> out all of it's features and figuring out how to make racoon/isakmpd work
> properly.  Especially when using certificates to authenticate endpoints.

Just wading through all the ipsec FAQs and hints on line took me quite
a while.  I was starting to figure out about the x509 stuff but got
too distracted by examples that opened up more questions than they
answered.  Here is one that sticks in my mind:

    # example policy file
    keynote-version: 2
    comment: This is an example of a policy delegating to a key.
    authorizer: "POLICY"
    licensees: "DN:\C=se\CN=IKELAB CA"
    conditions: app_domain == "IPsec policy" &&
		esp_present == "yes" &&
		esp_enc_alg == "aes" &&
		(remote_id == ""  ||
		 remote_id == ""  ||
		 remote_id == "") -> "true";

Would this example let anyone in that created their own certificate
for a DN of "/C=se/CN=IKELAB CA/" and tricked the remote isakmpd into
loading it?  (Q: how are certificates sent to the remote isakmpd?  Can
one simply append a CA to a normal certificate and have the remote
daemon put both in its database)?

Wolfgang Rupprecht    <>
Coming soon: GPS mapping tools for Open Systems.