On 6/11/19 11:48 AM, Brian Wood wrote:
> Shalom
> 
> I've been trying to make some progress with IPsec.  I tried
> previously a few years ago, but didn't get very far with it.
> Some of the books I've looked at are from a Cisco
> perspective.  I'm not sure that's what I want.  I want
> something that will help me use IPsec on FreeBSD and
> Linux.

I should be able to help.  I've mostly used racoon/ipsec-tools myself, and those are ports from *bsd.

> I've read about transport and tunnel modes.  Is transport
> mode simpler/easier to implement than tunnel mode?

No, they are different modes for different jobs; neither one is better or easier than the other.
It's like comparing a knife with a fork: you could use only one or the other, but I would question
why you would.

> Ideally, I may want to use tunnel mode, but if transport
> mode is simpler, I'd rather start with that.

Think of transport mode as end-to-end, or point-to-point.  You're creating an ipsec policy to 
encrypt/sign traffic from A to B.  This is assuming A can already get to B.  So it's basically a 
direct connection.

For tunnel modes, you're creating a route for A to get to B.  This doesn't require that A can 
already get to B, and usually assumes one or two other machines are going to be in the middle. 
Here's a simple tunnel example.  Given you want A to talk to B, you would set up an ipsec tunnel on X
to ipsec encrypt/sign packets and route them through to Y which would decrypt them and forward them 
on to B.  In this case A and B have no idea that they are using ipsec.

A -{raw packet}-> X -{ipsec}-> Y -{raw packet}-> B

Where it gets confusing is A and X can be one machine, or two.  And so can Y and B.  Usually X and Y 
are gateway routers, and A/B are in private subnets behind them.

> Do you have any tips or sites for getting started with it?
> Thank you in advance.

Can't help much here.  Most sites I've used weren't helpful until after I had stumbled through 
everything and got a better understanding of how it all works.  A lot of sites seem to provide a 
"HOWTO" approach that blends things together, so it is harder to understand any individual piece.
Best advice is to take it slow, focus on one technology first (ipsec-tools), then move on to more 
advanced stuff (racoon) once you understand it better and have a couple working examples.  I would 
start with something that can run VirtualBox or VMware, and spin up a couple of VMs and try to get
it working between them.

I'm happy to help if you have any questions.

> 
> 
> Brian
> Ebenezer Enterprises - "Those who trust in their riches will fall,
> but the righteous will thrive like a green leaf."  Proverbs 11:28
> https://github.com/Ebenezer-group/onwards
> 
> 
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
>
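As an added example (not from this thread), the transport-mode A-to-B case and the tunnel-mode A -> X -> Y -> B case described above, written in the setkey syntax that ipsec-tools (Linux) and FreeBSD share, with manually keyed SAs so nothing depends on racoon yet. All addresses, SPIs and keys are constructed placeholders: A = 192.0.2.10 and B = 198.51.100.20 for transport mode; gateways X = 203.0.113.1 and Y = 203.0.113.2 fronting 10.1.0.0/24 and 10.2.0.0/24 for tunnel mode.

```conf
# Load with: setkey -f ipsec.conf (as root, on the host each section names).
flush;      # drop all security associations
spdflush;   # drop all security policies

## Transport mode, loaded on host A (B installs the same SAs with the
## policy directions swapped). The IPsec peers are the endpoints themselves:
## the original A->B IP header stays on the wire, only the payload is in ESP.
# One SA per direction; keys are constructed placeholders, never reuse them.
add 192.0.2.10 198.51.100.20 esp 0x1001 -m transport
    -E aes-cbc 0x00112233445566778899aabbccddeeff
    -A hmac-sha256 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f;
add 198.51.100.20 192.0.2.10 esp 0x1002 -m transport
    -E aes-cbc 0xffeeddccbbaa99887766554433221100
    -A hmac-sha256 0x1f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100;
# "require": traffic matching the selector that is not protected is dropped,
# so a missing or broken SA fails closed instead of leaking plaintext.
spdadd 192.0.2.10 198.51.100.20 any -P out ipsec esp/transport//require;
spdadd 198.51.100.20 192.0.2.10 any -P in  ipsec esp/transport//require;

## Tunnel mode, loaded on gateway X (Y gets the mirror image).
## A and B never see ESP: X wraps the whole A->B packet in a new X->Y packet,
## Y unwraps it and forwards the original packet on to B.
add 203.0.113.1 203.0.113.2 esp 0x2001 -m tunnel
    -E aes-cbc 0x0123456789abcdef0123456789abcdef
    -A hmac-sha256 0xa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf;
add 203.0.113.2 203.0.113.1 esp 0x2002 -m tunnel
    -E aes-cbc 0xfedcba9876543210fedcba9876543210
    -A hmac-sha256 0xc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedf;
# The selector describes the inner (subnet) traffic; the tunnel endpoints
# after "esp/tunnel/" are the gateways, not the hosts in the selector.
spdadd 10.1.0.0/24 10.2.0.0/24 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 10.2.0.0/24 10.1.0.0/24 any -P in  ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;
# Linux only: packets that X decapsulates and routes on to the 10.1.0.0/24
# side are also checked against a forward policy, so add one as well.
spdadd 10.2.0.0/24 10.1.0.0/24 any -P fwd ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;
```

Once loaded, `setkey -D` lists the SAs and `setkey -DP` the policies; on the transport hosts a capture between A and B should show only ESP, while on the tunnel gateways the ESP packets are addressed X to Y and carry the untouched A-to-B packet inside.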