Re: [Ipsec-tools-devel] per-identity remote options

[<ar...@na...>]

Hi,

Timo Teräs <tim...@ik...> writes:

> Hi Emmanual, Yvan, Matthew, others,
>
> I'm facing a problem, that I need to have different remote{} options for
> connections based on their identity: all are "road warrior" connections, but
> have different identities (from certificate name).

I like the idea. Which options do you think could be made available?

> Now, I'm trying to figure out if to:
>
> 1) extend remote block syntax so that it can be selected based on identity
>    e.g. remote anonymous identity "xxx" {}
>    this would be tricky, since during identity exchange we could not figure
>    out the correct remote block in during exchange of initial messages,
>    but we probably need remote block to figure out which vendor extensions
>    to send out and which exchange modes to accept. we might need to allow
>    the exchange to proceed until identity is known and then figure out if
>    the connections is allowed. we might need to delay vendorid sending
>    too.

yes.

It's clear that you will only be able to make a limited number of things
per-identity configurable, especially with long Phase 1 exchanges (6
message sig-authenticated Phase 1 versus 4 message Aggressive mode). For
instance, AFAICT, 'proposal' block is out of the scope, isn't?

>
> 2) allow sub blocks inside remote e.g.:
>    remote anonoymous {
> 	identity "xxx" {
> 	}
>    }
>    this might end up generating a bit of extra code. but it would be clear
>    which config options can be actually set based on the identity. and would
>    make the configuration parser uglier if we want to keep backwards
>    compatibility.

That seems like a good way to go. 

> Any other ideas? Preferences on implementation choice?

nope. but if you need people to test things on IPv6/NAT-free networks,
count on me ;-)

Cheers,

a+