On 6/11/19 11:48 AM, Brian Wood wrote:
> Shalom
>
> I've been trying to make some progress with IPsec. I tried
> previously a few years ago, but didn't get very far with it.
> Some of the books I've looked at are from a Cisco
> perspective. I'm not sure that's what I want. I want
> something that will help me use IPsec on FreeBSD and
> Linux.
I should be able to help. I've mostly used racoon/ipsec-tools myself, and those are ports from *bsd.
> I've read about transport and tunnel modes. Is transport
> mode simpler/easier to implement than tunnel mode?
No, they are different modes for different jobs; neither one is better or easier than the other.
It's like comparing a knife with a fork: you could use only one or the other, but I would question
why you would.
> Ideally, I may want to use tunnel mode, but if transport
> mode is simpler, I'd rather start with that.
Think of transport mode as end-to-end, or point-to-point. You're creating an ipsec policy to
encrypt/sign traffic from A to B. This is assuming A can already get to B. So it's basically a
direct connection.
For tunnel modes, you're creating a route for A to get to B. This doesn't require that A can
already get to B, and usually assumes one or two other machines are going to be in the middle.
Here's a simple tunnel example. Given you want A to talk to B, you would set up an ipsec tunnel on X
to ipsec encrypt/sign packets and route them through to Y, which would decrypt them and forward them
on to B. In this case A and B have no idea that they are using ipsec.
A -{raw packet}-> X -{ipsec}-> Y -{raw packet}-> B
Where it gets confusing is A and X can be one machine, or two. And so can Y and B. Usually X and Y
are gateway routers, and A/B are in private subnets behind them.
> Do you have any tips or sites for getting started with it?
> Thank you in advance.
Can't help much here. Most sites I've used weren't helpful until after I had stumbled through
everything and got a better understanding of how it all works. A lot of sites seem to provide a
"HOWTO" approach that blends things together so it was harder to understand any individual piece.
Best advice is to take it slow, focus on one technology first (ipsec-tools), then move on to more
advanced stuff (racoon) once you understand it better and have a couple working examples. I would
start with something that can run VirtualBox or VMware, and spin up a couple of VMs and try to get
it working between them.
I'm happy to help if you have any questions.
>
>
> Brian
> Ebenezer Enterprises - "Those who trust in their riches will fall,
> but the righteous will thrive like a green leaf." Proverbs 11:28
> https://github.com/Ebenezer-group/onwards
>
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
>
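To make the two modes concrete, here is an added ipsec-tools setkey(8) configuration (not part of the thread) that follows the A/X/Y/B picture above: a transport-mode policy as installed on host A, and a tunnel-mode policy as installed on gateway X. All addresses, SPIs and keys are constructed sample values; B and Y carry the mirror-image entries.

```conf
# Load with: setkey -f this_file   (ipsec-tools on Linux; setkey(8) on FreeBSD)
# Keys below are constructed sample values for illustration only:
# aes-cbc takes a 16-byte key (32 hex digits), hmac-sha1 a 20-byte key (40 hex digits).

flush;
spdflush;

#### Scenario 1: transport mode, installed on host A ####
# A (192.0.2.10) can already route to B (198.51.100.20); IPsec only
# encrypts and authenticates the payload between the two endpoints.
add 192.0.2.10 198.51.100.20 esp 0x1001
    -E aes-cbc 0x00112233445566778899aabbccddeeff
    -A hmac-sha1 0x0011223344556677889900aabbccddeeff001122;
add 198.51.100.20 192.0.2.10 esp 0x1002
    -E aes-cbc 0xffeeddccbbaa99887766554433221100
    -A hmac-sha1 0x221100ffeeddccbbaa0099887766554433221100;
# Policy: all traffic A->B must leave via ESP transport; B->A must arrive via it.
spdadd 192.0.2.10 198.51.100.20 any -P out ipsec esp/transport//require;
spdadd 198.51.100.20 192.0.2.10 any -P in  ipsec esp/transport//require;
# Host B installs the same SAs and the same two spdadd lines with in/out swapped.

#### Scenario 2: tunnel mode, installed on gateway X ####
# A (10.1.0.10) sits behind X (203.0.113.1); B (10.2.0.20) sits behind Y (203.0.113.2).
# X wraps the raw A->B packet in ESP addressed to Y; Y unwraps it and forwards to B.
add 203.0.113.1 203.0.113.2 esp 0x2001 -m tunnel
    -E aes-cbc 0x0123456789abcdef0123456789abcdef
    -A hmac-sha1 0x0123456789abcdef0123456789abcdef01234567;
add 203.0.113.2 203.0.113.1 esp 0x2002 -m tunnel
    -E aes-cbc 0xfedcba9876543210fedcba9876543210
    -A hmac-sha1 0xfedcba9876543210fedcba9876543210fedcba98;
# Policy is keyed on the inner (A/B subnet) addresses; the tunnel endpoints are X and Y.
spdadd 10.1.0.0/24 10.2.0.0/24 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 10.2.0.0/24 10.1.0.0/24 any -P in  ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;
# Gateway Y installs the same SAs with the spdadd directions swapped;
# A and B themselves need no IPsec configuration at all.
```

After loading, `setkey -D` lists the installed SAs and `setkey -DP` the policies, which is the quickest way to see whether a packet drop is a missing SA or a policy mismatch.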