I use racoon via pfSense. 


> On Jun 11, 2019, at 1:26 PM, Chris Frederick <cdf123 at cdf123.net> wrote:
> 
> On 6/11/19 11:48 AM, Brian Wood wrote:
>> Shalom
>> I've been trying to make some progress with IPsec.  I tried
>> previously a few years ago, but didn't get very far with it.
>> Some of the books I've looked at are from a Cisco
>> perspective.  I'm not sure that's what I want.  I want
>> something that will help me use IPsec on FreeBSD and
>> Linux.
> 
> I should be able to help.  I've mostly used racoon/ipsec-tools myself, and those are ports from *bsd.
> 
>> I've read about transport and tunnel modes.  Is transport
>> mode simpler/easier to implement than tunnel mode?
> 
> No, they are different modes for different jobs, neither one is better or easier than the other. It's like comparing a knife with a fork, you could use only one or the other, but I would question why you would.
> 
>> Ideally, I may want to use tunnel mode, but if transport
>> mode is simpler, I'd rather start with that.
> 
> Think of transport mode as end-to-end, or point-to-point.  You're creating an ipsec policy to encrypt/sign traffic from A to B.  This is assuming A can already get to B.  So it's basically a direct connection.
> 
> For tunnel modes, you're creating a route for A to get to B.  This doesn't require that A can already get to B, and usually assumes one or two other machines are going to be in the middle. Here's a simple tunnel example.  Given you want A to talk to B, you would set up a ipsec tunnel on X to ipsec encrypt/sign packets and route them through to Y which would decrypt them and forward them on to B.  In this case A and B have no idea that they are using ipsec.
> 
> A -{raw packet}-> X -{ipsec}-> Y -{raw packet}-> B
> 
> Where it gets confusing is A and X can be one machine, or two.  And so can Y and B.  Usually X and Y are gateway routers, and A/B are in private subnets behind them.
> 
>> Do you have any tips or sites for getting started with it?
>> Thank you in advance.
> 
> Can't help much here.  Most sites I've used weren't helpful until after I had stumbled through everything and got a better understanding of how it all works.  A lot of sites seem to provide a "HOWTO" approach that blends things together so it was harder to understand any individual piece. Best advice is to take it slow, focus on one technology first (ipsec-tools), then move on to more advanced stuff (racoon) once you understand it better and have a couple working examples.  I would start with something that can run VirtualBox or VMware, and spin up a couple of vms and try to get it working between them.
> 
> I'm happy to help if you have any questions.
> 
>> Brian
>> Ebenezer Enterprises - "Those who trust in their riches will fall,
>> but the righteous will thrive like a green leaf."  Proverbs 11:28
>> https://github.com/Ebenezer-group/onwards
>> _______________________________________________
>> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
>> tclug-list at mn-linux.org
>> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
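The transport-vs-tunnel distinction above, written out as ipsec-tools SPD policies (an added example for the two-VM lab suggested, not something from this thread); the addresses are hypothetical, and racoon is assumed to negotiate the actual SAs, so only policies are shown.

```conf
# Hypothetical lab addresses: A=192.0.2.10 and B=198.51.100.20 already reach each
# other (transport mode); X=203.0.113.1 and Y=203.0.113.2 are gateways in front of
# 10.1.0.0/24 (A's side) and 10.2.0.0/24 (B's side) for the tunnel case.
# "require" makes the kernel refuse to send/accept the flow unencrypted; the
# first matching packet makes it ask racoon (IKE) to negotiate the ESP SAs.

# --- transport mode, loaded on host A with: setkey -f <this file> ---
flush;
spdflush;
spdadd 192.0.2.10 198.51.100.20 any -P out ipsec esp/transport//require;
spdadd 198.51.100.20 192.0.2.10 any -P in  ipsec esp/transport//require;
# Host B uses the same two lines with "in" and "out" swapped.

# --- tunnel mode, loaded on gateway X ---
flush;
spdflush;
# A -> B traffic leaving X gets wrapped in ESP from X to Y; A never sees IPsec.
spdadd 10.1.0.0/24 10.2.0.0/24 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 10.2.0.0/24 10.1.0.0/24 any -P in  ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;
# Linux only (FreeBSD's setkey has no "fwd" direction): the decapsulated
# packets X forwards on to A must also match a policy or they are dropped.
spdadd 10.2.0.0/24 10.1.0.0/24 any -P fwd ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;

# --- tunnel mode, loaded on gateway Y (mirror image of X) ---
flush;
spdflush;
spdadd 10.2.0.0/24 10.1.0.0/24 any -P out ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;
spdadd 10.1.0.0/24 10.2.0.0/24 any -P in  ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 10.1.0.0/24 10.2.0.0/24 any -P fwd ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
```

After loading, `setkey -DP` lists the installed policies and `setkey -D` shows the SAs racoon has negotiated; if traffic stalls, an empty `setkey -D` output means IKE never completed and racoon's log is the place to look.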