I haven't been keeping up with this list as much as I'd like, but I just wanted to give you a heads up that I checked in OpenSCEP. It lets you load X.509 certificates into Cisco devices. I still need to go through a trial run with a new-in-box PIX, but I think the package encapsulates most of the weeks of struggle I've had with OpenSCEP bit-rot and messy installation getting this properly-configured VPN running.

Most people use road warrior VPNs based on short XAuth passwords and "shared group authentication," which according to my rather hazy understanding means that any of the road warriors you have out there has enough information loaded into his client to impersonate your security gateway and act as a man in the middle, so he could intercept the VPN session of another employee staying in the same hotel or at the same conference, get the guy's XAuth password (which is probably the same as his EnTee Domain Password), and then go read the other guy's email. Also, passwords are too short and people choose very poor ones, so the VPN is supposed to be an additional layer of security, not just a second identical password prompt. Really I think everyone should be using certificates, but I think many are not doing so largely because SCEP CAs are expensive and complicated. If that describes you, try my package! If you need to do this and want sample PIX 501 configs or a copy of my terse instructions for loading a certificate into Cisco's "Unity" Windows client using the OpenSSL Mini-CA that my package sets up, let me know privately.

In files/ I also put a patch to the openldap package in the main source. I don't know if the patch has much of a prayer of getting rolled into the main openldap package, but using my patch it is much faster to get a basic slapd running chrooted, with dropped privileges, and on a Unix-domain socket only. The problem with openscep is that it depends on a web server and LDAP, which is garbage you would maybe rather not run as part of a VPN project.
If you are irritated by LDAP in general and have measured the code to be of rather suspicious quality, running it strictly on a Unix-domain socket and chroot is probably a good idea. Unfortunately the overall configuration still leaves the CA Key readable by the Apache user, so someone who exploits the web server as user 'web' has enough access to sign a certificate and thus get into your VPN. :(
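The last point above, that the CA key ends up readable by the Apache user, is the kind of thing worth checking mechanically after an install. The following is an added example, not code from the post or from the OpenSCEP package: a small POSIX shell function that verifies a private key file is owned by the expected account and carries no group or world permission bits at all (so no group membership, including the web server's, can read it). The key path, the `CA_KEY` / `CA_KEY_OWNER` variable names and the owner `root` are assumptions for illustration.

```shell
# Added example (not from the original post): audit a CA private key so that
# it cannot be read by anyone but its owner, e.g. not by the web server's
# user through group or world read bits. Paths and names here are assumed.

# key_is_private FILE OWNER
# Returns 0 when FILE exists, is a regular file owned by OWNER, and has no
# group/other permission bits set; returns 1 otherwise and prints the reason.
key_is_private() {
    f=$1
    want_owner=$2
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    # Parse `ls -ld` rather than stat(1): stat's flags differ between GNU and
    # BSD userland, while the first ten characters and the owner field of
    # `ls -l` output are portable.
    line=$(ls -ld "$f")
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    # Characters 5-10 of the mode string are the group and other bits (rwxrwx);
    # a properly locked-down key shows "------" there (mode 0600 or 0400).
    extra=$(printf '%s\n' "$mode" | cut -c5-10)
    if [ "$owner" != "$want_owner" ]; then
        echo "bad owner on $f: $owner (wanted $want_owner)"
        return 1
    fi
    if [ "$extra" != "------" ]; then
        echo "too permissive: $f is $mode (group/other bits set)"
        return 1
    fi
    return 0
}

# Usage (assumed path and owner): CA_KEY=/path/to/ca.key CA_KEY_OWNER=root sh this.sh
if [ -n "${CA_KEY:-}" ]; then
    key_is_private "$CA_KEY" "${CA_KEY_OWNER:-root}" && echo "ok: $CA_KEY"
fi
```

Because it checks for the absence of every group and other bit rather than for a specific mode, the function also flags keys that were made group-readable on purpose for a web or LDAP daemon, which is exactly the configuration the post complains about; fixing the finding means moving signing behind a separate, non-web account rather than loosening the check.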