
Re: l2tp as ipsra solution




Sara Bitan wrote:

> Yes, you are right the main problem here is not IKE. You want to achieve transparency. You
> don't want to download all the pre-shared secrets (or passwords) from a certain RADIUS/ACE
> or LDAP server to your IPsec device. Hence you cannot use the legacy authentication
> systems as a source for pre-shared secrets.

It's worse than that.  There are some authentication mechanisms (PAP with /etc/passwd) that do
not store the cleartext password (the pre-shared secret) on the server, but a one-way hash
encryption.  Therefore, there are some legacy secrets that cannot be downloaded to the IPSec
devices.  I think we need to keep in mind that one crucial piece of authentication
architecture is that the Authentication Server and the secret material for these legacy
systems may be on a device different from the IPSec device, *and* that the secret material may
not be in a format that IKE currently requires (cleartext).

Am I right in assuming that we need to treat the Authentication Server as separate and as a
black box in order to achieve "transparency"?

-- 
Daniel Fox
Principal Software Engineer, Ennovate Networks
60 Codman Hill Road, Boxborough, MA 01719, USA
tel (work): 978-206-0405
dfox@xxxxxxxxxxxxxxxxxxxx
http://www.ennovatenetworks.com
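The two architectures contrasted in this message, as an added example that is not part of the thread: a legacy store that keeps only a one-way hash cannot supply an IKE pre-shared secret to the gateway (the PSK-keyed authenticators never match), whereas a black-box authentication server that only answers verify queries still works. PBKDF2 stands in for the crypt(3) hash and HMAC for the IKE PRF; the user record and salt are constructed.

```python
import hashlib
import hmac

# Constructed legacy store, /etc/passwd style: username -> (salt, one-way hash).
# The cleartext password is never stored, which is the whole problem.
def _legacy_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is an assumed stand-in for the crypt(3) one-way hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

_SALT = b"constructed-salt"
LEGACY_STORE = {"alice": (_SALT, _legacy_hash("correct horse", _SALT))}


class LegacyAuthServer:
    """Black-box server: answers verify queries, never exports secret material."""

    def verify(self, user: str, password: str) -> bool:
        record = LEGACY_STORE.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(_legacy_hash(password, salt), stored)


def ike_psk_authenticator(psk: bytes, exchange: bytes) -> bytes:
    """Stand-in for the IKE PSK authenticator: a PRF keyed with the pre-shared
    secret over the exchange data (nonces, identities). Assumed model, not IKE."""
    return hmac.new(psk, exchange, hashlib.sha256).digest()


def psk_auth_from_downloaded_hash(user: str, password: str, exchange: bytes) -> bool:
    """Model 1: the IPsec gateway 'downloads' the secret from the legacy store.
    Only the hash exists, so the gateway keys its PRF with the hash while the
    client keys with the password it knows; the authenticators cannot match."""
    _salt, stored = LEGACY_STORE[user]
    client_side = ike_psk_authenticator(password.encode(), exchange)
    gateway_side = ike_psk_authenticator(stored, exchange)
    return hmac.compare_digest(client_side, gateway_side)


def legacy_auth_via_black_box(server: LegacyAuthServer, user: str, password: str) -> bool:
    """Model 2: the gateway holds no secret; it forwards the credential and lets
    the Authentication Server, which owns the hash, decide."""
    return server.verify(user, password)
```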