From: Harry G. <ha...@hg...> - 2005-11-30 07:51:14
At 12:11 PM +0100 11/29/05, Franck Bourdonnec wrote:
>On Tuesday 29 November 2005 00:29, Charles Trevor wrote:
>> On Mon, 2005-11-28 at 14:54 -0800, Harry Goldschmitt wrote:
>> > I've just started to define VPNs using 1.4.10 and certificates. Some
>> > of the documentation says that one side must be defined as left and
>> > the other as right on the web pages. Looking at
>> > /var/ipcop/vpn/ipsec.conf, it seems like this is not the case. The
>> > requirement for left and right seems to be a holdover from earlier
>> > releases when portions of the config file were exchanged to set up
>> > the VPNs. These days it seems like we could use left as local and
>> > right as remote, or whatever. Am I missing anything?
>> >
>> > Harry
>
>From IPSEC.CONF
>
>To avoid trivial editing of the configuration file to suit it to each system
>involved in a connection, connection specifications are written in terms of
>left and right participants, rather than in terms of local and remote. Which
>participant is considered left or right is arbitrary; IPsec figures out which
>one it is being run on based on internal information. This permits using
>identical connection specifications on both ends. There are cases where there
>is no symmetry; a good convention is to use left for the local side and right
>for the remote side (the first letters are a good mnemonic).
>
>But in IPCop vpnmain.cgi, it is not symmetric... No comment in the source so
>not easy to guess what difference it provides and WHY !!!
>
>Franck

I think I didn't express myself clearly. First I wanted to confirm that left and right don't matter. I also wanted to try to correctly describe what happens when defining an IPCop net-to-net VPN. Some of the descriptions on the net state that the left/right descriptions must be consistent on each side of the connection. In other words, if you pick left for one side of the VPN, the other side MUST be defined as right.

Finally, I wanted to propose that we drop the left/right drop-down on the VPN page or at the very least move it to the advanced settings page. It really doesn't matter these days. The fewer choices folks have to make, the easier it is to create VPNs.

Harry
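
Added example, not part of the original message and not IPCop or FreeS/WAN code: a simplified Python model of the behaviour the quoted ipsec.conf text describes, where one conn section is deployed unchanged on both gateways and each gateway works out which end it is. The connection name, addresses and subnets are constructed, and matching left/right against the machine's own addresses is an assumption about what the "internal information" is.

```python
import ipaddress

# Constructed sample: one conn section, deployed byte-for-byte on both gateways.
# Addresses are documentation ranges (RFC 5737), not values from the thread.
SAMPLE_CONN = """\
conn office-to-branch
    left=192.0.2.1
    leftsubnet=10.1.0.0/24
    right=198.51.100.7
    rightsubnet=10.2.0.0/24
    auto=start
"""

def parse_conn(text):
    """Return the key=value parameters of a single conn section."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and indentation
        if not line or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params

def orient(params, local_addrs):
    """Decide which end is local by matching left/right against our own addresses."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    left_is_us = ipaddress.ip_address(params["left"]) in local
    right_is_us = ipaddress.ip_address(params["right"]) in local
    if left_is_us == right_is_us:
        # Neither end (or both ends) is ours: the section cannot be oriented.
        raise ValueError("cannot tell which end of the connection is local")
    me, peer = ("left", "right") if left_is_us else ("right", "left")
    return {
        "local_side": me,
        "local": params[me],
        "local_subnet": params.get(me + "subnet"),
        "remote": params[peer],
        "remote_subnet": params.get(peer + "subnet"),
    }

if __name__ == "__main__":
    conn = parse_conn(SAMPLE_CONN)
    # Same file, two gateways: only the machine's own addresses differ.
    print(orient(conn, ["192.0.2.1", "10.1.0.1"]))
    print(orient(conn, ["198.51.100.7", "10.2.0.1"]))
```

A section whose left and right both fail to match a local address is rejected rather than guessed at, which is the failure to look for when a copied configuration file does not come up on one end.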