On Tue, Apr 6, 2021, at 10:35 AM, Grant Taylor wrote:
> But I've started to get some more experience using IPsec without IKE
> recently.
>

Can you clarify why you need to use IPsec? If it is to support a commercial
client you may be better off handing them a system based around BSD. More
flexibility will be had from Linux, but pfSense/OPNsense gives you a point and
click web terminal which is easier to train in-house IT on due to the
documentation available. The modes are also usually sufficient -- site to site
tunnel (like the appliances you're used to using), intranet protection, and
routing options for the same.

If you control everything you can use WireGuard or OpenVPN.

To answer some of your later questions in summary:
1. Of the projects libreswan seems to be best maintained, though openswan still
releases regularly. I would start with libreswan. For racoon, see
https://www.netbsd.org/docs/network/ipsec/rasvpn.html.
2. Yes, see
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2. Don't
worry about embedding key material in your scripts (unless you expect someone
has bugged your monitor). The key material has to be on disk in some form
anyway. Typical usage has the tunnel creation commands referencing key
material. Bash disables history in noninteractive shells by default.
3. Drop opportunistic encryption. It's best if you or the user knows whether the
network is secure or not.
4. The authentication header (AH) does not provide "security." Encapsulating
security payload (ESP) provides confidentiality and, if selected,
authentication. Check the docs -- usually you want authentication and
confidentiality; mere confidentiality allows some classes of attacks.
5. Transport mode may be most appropriate; however, you could have tunnels
between all servers for redundancy.
6. Setting up the public key infrastructure will be most of the headache.

> This is working and does enable IPsec /transport/ /mode/ between
> $LeftHost and $RightHost. But it's completely manual at the moment.
>

Doesn't seem manual if you've got a script for it. A lot of people stop here.

If you need consulting time I can offer it, but reading the linked pages should
get you far enough along. I won't mind answering things in public but do
wonder about your interest in IPsec.
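As an added illustration of points 2 and 4 above, and not code from either correspondent: a POSIX shell script that installs a manually keyed ESP transport-mode SA pair with the Linux `ip xfrm` tool, using AES-GCM so that one SA gives both confidentiality and authentication, and reading SPIs and keys from a root-only file rather than from the command line. The host addresses, the key file path and format, and the key values are assumptions.

```shell
# Added example, not from the thread: manual-keyed ESP in transport mode
# between two hosts via the Linux "ip xfrm" interface. An AEAD suite is used
# so the SA gives both confidentiality and authentication (point 4 above);
# key material is read from a root-only file instead of being typed into
# the shell (point 2). Addresses, SPIs, key file and keys are constructed.
set -eu

LEFT=${LEFT:-192.0.2.1}                       # assumed: this host
RIGHT=${RIGHT:-192.0.2.2}                     # assumed: the peer
KEYFILE=${KEYFILE:-/etc/ipsec-manual.keys}    # assumed path, mode 0600

# Emit the "ip xfrm state" line for one direction of the SA.
# rfc4106(gcm(aes)) keymat = AES key + 4-byte salt (20 bytes for AES-128),
# followed by the ICV length in bits; use the full 128-bit ICV.
esp_state_cmd() {  # src dst spi keymat_hex
    echo "ip xfrm state add src $1 dst $2 proto esp spi $3 mode transport" \
         "aead 'rfc4106(gcm(aes))' 0x$4 128"
}

# Emit the "ip xfrm policy" line that forces matching traffic through ESP.
esp_policy_cmd() {  # src dst direction(out|in)
    echo "ip xfrm policy add src $1 dst $2 dir $3" \
         "tmpl src $1 dst $2 proto esp mode transport"
}

# Read the key file and emit the four commands one side needs.
# Key file format, one SA per line: "<out|in> <spi> <keymat_hex>".
# Each direction has its own SPI and key; the peer swaps out/in.
esp_transport_cmds() {  # local_ip peer_ip keyfile
    while read -r direction spi keymat; do
        case $direction in
            out) esp_state_cmd "$1" "$2" "$spi" "$keymat"
                 esp_policy_cmd "$1" "$2" out ;;
            in)  esp_state_cmd "$2" "$1" "$spi" "$keymat"
                 esp_policy_cmd "$2" "$1" in ;;
            *)   echo "bad key file line: $direction" >&2; return 1 ;;
        esac
    done < "$3"
}

# Stand-alone use: print the commands, or apply them with APPLY=1 (as root).
if [ -r "$KEYFILE" ]; then
    if [ "${APPLY:-0}" = 1 ]; then
        esp_transport_cmds "$LEFT" "$RIGHT" "$KEYFILE" | sh -e
    else
        esp_transport_cmds "$LEFT" "$RIGHT" "$KEYFILE"
    fi
fi
```

Both hosts run the same script with their own addresses; the peer's key file lists the same two SAs with `out` and `in` swapped.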