On Sunday 12 May 2013 03:37:48 Nick Khamis wrote:
> Thanks yet again Michael! Enjoy your weekend.
>
> N.
>
> On 5/11/13, Michael Mol <mikemol@×××××.com> wrote:
> > On 05/11/2013 03:13 PM, Nick Khamis wrote:
> >> Hello Everyone,
> >>
> >> Our service provider requires all connections between us be done
> >> through IPSec IKE. From the little bit of research, I found that this
> >> is achieved using a system with IPSec kernel modules enabled, along
> >> with cryptography modules. On the application level, I saw ipsec-tools,
> >> OpenSWAN, and OpenVPN.
> >>
> >> What I was wondering is which should be used for traffic-intensive
> >> connections in a deployment environment. Without starting any OpenVPN
> >> vs OpenSwan debate, we would really like to keep the application level
> >> to a minimum. Meaning if we could achieve the tunnel using the
> >> required kernel modules, ipsec-tools and iptables, we see that as
> >> keeping it simple and effective.
> >>
> >> Your insight and suggested how-to pages are greatly appreciated.
> >
> > To my knowledge, OpenVPN does not use IPSec. Instead, it encapsulates
> > either IP/IPv6 (tun mode) or layer 2 (tap mode) over TLS. If your
> > service provider requires IPSec and IKE, best forget about OpenVPN.
> >
> > http://www.ipsec-howto.org/x304.html
> >
> > Look under "Automatic keyed connections using racoon"

If your ISP is using IKEv1, Racoon *should* do what you want, but you may need
to set up the routes manually. The up/down scripts in /etc/racoon/scripts do
not work in my case and I have to set them up with ifconfig and ip.
Apparently they work if you use xauth, according to this thread:

http://forums.gentoo.org/viewtopic-p-6977674.html

Instead, I opted for using StrongSwan, which is *much* better documented,
supports additional ciphers, RADIUS, etc. and allocation of IKEv1 pools using
a database back end. More importantly, it also works with IKEv2 and MOBIKE.
With racoon you will have to try racoon2 if you need IKEv2, which was in
development back in 2010.

You can read a comparison between the *Swans here, but things have moved on
since; e.g. StrongSwan supports IKEv1 in Aggressive Mode, OpenSwan supports
part of IKEv2, etc.:

https://lists.strongswan.org/pipermail/users/2010-September/005293.html

Ask if you need particular details in setting up your implementation.
--
Regards,
Mick