| 1 |
On Tue, Apr 6, 2021, at 10:35 AM, Grant Taylor wrote: |
| 2 |
> But I've started to get some more experience using IPsec without IKE |
| 3 |
> recently. |
| 4 |
> |
| 5 |
|
| 6 |
Can you clarify why you need to use IPsec? If it is to support a commercial |
| 7 |
client you may be better off handing them a system based around BSD. More |
| 8 |
flexibility will be had from Linux, but pfSense/OPNsense gives you a point and |
| 9 |
click web terminal which is easier to train in house IT on due to the |
| 10 |
documentation available. The modes are also usually sufficient -- site to site |
| 11 |
tunnel (like the appliances you're used to using), intranet protection, and |
| 12 |
routing options for the same. |
| 13 |
|
| 14 |
If you control everything you can use wireguard or OpenVPN. |
| 15 |
|
| 16 |
To answer some of your later questions in summary: |
| 17 |
1. Of the projects libreswan seems to best maintained, though openswan still |
| 18 |
releases regularly. I would start with libreswan. For racoon, see |
| 19 |
https://www.netbsd.org/docs/network/ipsec/rasvpn.html. |
| 20 |
2. Yes, see |
| 21 |
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2. Don't |
| 22 |
worry about embedding key material in your scripts (unless you expect someone |
| 23 |
has bugged your monitor). The key material has to be on disk in some form |
| 24 |
anyway. Typical usage has the tunnel creation commands referencing key |
| 25 |
material. Bash disables history in noninteractive shells by default. |
| 26 |
3. Drop opportunistic encryption. It's best if you or the user knows if the |
| 27 |
network is secure or not. |
| 28 |
4. The authentication header (AH) does not provide "security." Encapsulating |
| 29 |
security payload (ESP) provides confidentiality and, if selected, |
| 30 |
authentication. Check the docs -- usually you want authentication and |
| 31 |
confidentiality, merely confidentiality allows some classes of attacks. |
| 32 |
5. Transport mode may be most appropriate, however you could have tunnels |
| 33 |
between all servers for redundancy. |
| 34 |
6. Setting up the public key infrastructure will be most of the headache. |
| 35 |
|
| 36 |
> This is working and does enable IPsec /transport/ /mode/ between |
| 37 |
> $LeftHost and $RightHost. But it's completely manual at the moment. |
| 38 |
> |
| 39 |
|
| 40 |
Doesn't seem manual if you've got a script for it. A lot of people stop here. |
| 41 |
|
| 42 |
If you need consulting time I can offer it, but reading the linked pages should |
| 43 |
get you far enough along. I won't mind answering things in public but do |
| 44 |
wonder about your interest in IPsec. |
Archives