From: <ar...@na...> - 2008-10-22 19:42:59
|
Hi, Timo Teräs <tim...@ik...> writes: > Hi Emmanual, Yvan, Matthew, others, > > I'm facing a problem, that I need to have different remote{} options for > connections based on their identity: all are "road warrior" connections, but > have different identities (from certificate name). I like the idea. Which options do you think could be made available? > Now, I'm trying to figure out if to: > > 1) extend remote block syntax so that it can be selected based on identity > e.g. remote anonymous identity "xxx" {} > this would be tricky, since during identity exchange we could not figure > out the correct remote block in during exchange of initial messages, > but we probably need remote block to figure out which vendor extensions > to send out and which exchange modes to accept. we might need to allow > the exchange to proceed until identity is known and then figure out if > the connections is allowed. we might need to delay vendorid sending > too. yes. It's clear that you will only be able to make a limited number of things per-identity configurable, especially with long Phase 1 exchanges (6 message sig-authenticated Phase 1 versus 4 message Aggressive mode). For instance, AFAICT, 'proposal' block is out of the scope, isn't? > > 2) allow sub blocks inside remote e.g.: > remote anonoymous { > identity "xxx" { > } > } > this might end up generating a bit of extra code. but it would be clear > which config options can be actually set based on the identity. and would > make the configuration parser uglier if we want to keep backwards > compatibility. That seems like a good way to go. > Any other ideas? Preferences on implementation choice? nope. but if you need people to test things on IPv6/NAT-free networks, count on me ;-) Cheers, a+ |