| 1 |
On Sunday 12 May 2013 03:37:48 Nick Khamis wrote: |
| 2 |
> Thanks yet again Michael! Enjoy your weekend. |
| 3 |
> |
| 4 |
> N. |
| 5 |
> |
| 6 |
> On 5/11/13, Michael Mol <mikemol@×××××.com> wrote: |
| 7 |
> > On 05/11/2013 03:13 PM, Nick Khamis wrote: |
| 8 |
> >> Hello Everyone, |
| 9 |
> >> |
| 10 |
> >> Our service provider requires all connections between us be done |
| 11 |
> >> through IPSec IKE. From the little bit of research, I found that this |
| 12 |
> >> is achieved using a system with IPSec kernel modules enabled, along |
| 13 |
> >> with cryptography modules. On the application level, I saw ipsec tool, |
| 14 |
> >> OpenSWAN, and OpenVPN. |
| 15 |
> >> |
| 16 |
> >> What I was wondering is which should be used for traffic intensive |
| 17 |
> >> connections in a deployment environment. Without starting any OpenVPN |
| 18 |
> >> vs OpenSwan debate, we would really like to keep the application level |
| 19 |
> >> to a minimum. Meaning if we could achieve the tunnel using the |
| 20 |
> >> required kernel modules, ipsec-tools and iptables, we see that as |
| 21 |
> >> keeping it simple and effective. |
| 22 |
> >> |
| 23 |
> >> Your insight, suggested how-to pages are greatly appreciated. |
| 24 |
> > |
| 25 |
> > To my knowledge, OpenVPN does not use IPSec. Instead, it encapsulates |
| 26 |
> > either IP/IPv6 (tun mode) or layer 2 (tap mode) over TLS. If your |
| 27 |
> > service provider requires IPSec and IKE, best forget about OpenVPN. |
| 28 |
> > |
| 29 |
> > http://www.ipsec-howto.org/x304.html |
| 30 |
> > |
| 31 |
> > Look under "Automatic keyed connections using racoon" |
| 32 |
|
| 33 |
If your ISP is using IKEv1 Racoon *should* do what you want, but you may need |
| 34 |
to set up the routes manually. The up/down scripts in /etc/racoon/scripts do |
| 35 |
not work in my case and I have to set them up with ifconfig and ip. |
| 36 |
Apparently they work if you use xauth, according to this thread: |
| 37 |
|
| 38 |
http://forums.gentoo.org/viewtopic-p-6977674.html |
| 39 |
|
| 40 |
|
| 41 |
Instead, I opted for using StrongSwan, which is *much* better documented, |
| 42 |
supports additional ciphers, RADIUS, etc. and allocation of IKEv1 pools using |
| 43 |
a database back end. More importantly it also works with IKEv2 and MOBIKE. |
| 44 |
With racoon you will have to try racoon2 if you need IKEv2, which was in |
| 45 |
development back in 2010. |
| 46 |
|
| 47 |
You can read a comparison between the *Swans here, but things have moved on |
| 48 |
since; e.g. StrongSwan supports IKEv1 in Aggressive Mode, OpenSwan supports |
| 49 |
part of IKEv2, etc: |
| 50 |
|
| 51 |
https://lists.strongswan.org/pipermail/users/2010-September/005293.html |
| 52 |
|
| 53 |
Ask if you need particular details in setting up your implementation. |
| 54 |
-- |
| 55 |
Regards, |
| 56 |
Mick |
Archives