This chapter will describe how Openswan can encrypt more than just a few prearranged tunnels. It will discuss:
The concept of Opportunistic Encryption
Storing IPsec information in DNS
The different kinds of Opportunistic Encryption
Subnet protection using Opportunistic Encryption
Policy Groups for tuning Opportunistic Encryption
So far, we have used IPsec to secure communications between places and people we know. We have connected laptops, and branch offices, and secured some server-to-server and subnet-to-subnet connections. All these connections had one thing in common: we knew beforehand who we wanted to talk to, and we had some trusted method of communicating with the other side to set up our crypto arrangements. We exchanged a public key through email, used a phone call to verify the email was not tampered with, or used the PGP web of trust to verify the digital signature on the email. Or we were in control of both machines, and could transfer keys using...