The general idea of IPsec (as I understand it) was to provide end-to-end encryption on the transport layer. This was back in the days when the application layer didn't have encryption of its own (HTTP, Telnet, FTP). As such, there is a way to use IPsec as a transport layer for VPNs by tunneling all traffic that is not IPsec-encrypted through the IPsec connection. This is used by services like L2TP/IPsec or Cisco and is widely used.

Ultimately the primary purpose of IPsec is obsolete, as (almost) all application layer services that are capable of passing authentication tokens also have an encryption layer, either on a dedicated SSL port or implemented natively (STARTTLS). If you want to implement a VPN service then there are better (IMHO) and easier to administer alternatives. I recommend OpenVPN, but SSH can work in a pinch. Using both application layer encryption AND transport layer encryption is (generally speaking) redundant.

On Fri, Jun 13, 2014 at 4:19 PM, Chris Frederick <cdf123 at cdf123.net> wrote:
> On 06/13/14 13:21, Brian Wood wrote:
>>
>> I've been thinking about IPsec recently after not
>> making much progress with it previously. I'm
>> wondering how it would work with my current
>> configuration. Currently I run both nginx and
>> my code generation service on the same machine.
>> I also use ssh to login remotely. If you have IPsec
>> running on a server, do you still use ssh to login to
>> that machine?
>
> I typically don't use ssh over ipsec. ssh has pretty good security features
> already. I mostly use it to secure ldap, and database connections.
>
> It's also good for tunneling through services on an internal network from a
> dmz. The firewall just needs to allow ipsec through, and then the host
> firewall on the internal server can handle the port, and ipsec authenticates
> the two servers. So you can't just bring up a new device and get the same
> access because the device isn't authenticated to the internal server.
>
>> I found this info
>>
>> http://link.springer.com/chapter/10.1007/11542322_29
>>
>> It looks like the authors found some problems with IPsec.
>
> I haven't read that yet, but the first page preview thing seems like it's
> confusing SSH with SSL. May be a typo. The way it's referring to SSH
> doesn't sound right, where SSL would make more sense in its place.
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
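The DMZ-to-internal setup Chris describes, written out as an added example that is not part of the thread: a strongSwan ipsec.conf fragment for a transport-mode, certificate-authenticated SA between a DMZ web host and an internal LDAP server. The addresses, identities and certificate file names are assumptions.

```ini
# Added example, not from the thread: transport-mode IPsec protecting only
# LDAP traffic between a DMZ web host and an internal LDAP server
# (strongSwan ipsec.conf syntax). Addresses, identities and certificate
# file names below are assumptions.

config setup
    # one IKE SA per peer identity; other charon settings stay at defaults
    uniqueids = yes

conn dmz-to-ldap
    keyexchange = ikev2
    # transport mode: the existing IP addresses are kept, only the payload
    # between these two hosts is protected, no tunnel interface is needed
    type = transport
    # both ends authenticate with certificates, so a device that was simply
    # plugged into the DMZ network cannot negotiate an SA at all
    leftauth = pubkey
    rightauth = pubkey
    # this host: the DMZ web server (assumed address and identity)
    left = 192.0.2.10
    leftid = "CN=web.dmz.example"
    leftcert = webCert.pem
    # the internal LDAP server (assumed address and identity)
    right = 10.0.0.5
    rightid = "CN=ldap.internal.example"
    # traffic selectors limit the SA to LDAP (TCP/389) only
    leftprotoport = tcp
    rightprotoport = tcp/389
    # install a trap policy: matching packets trigger negotiation and are
    # dropped, never sent in the clear, if the peer fails to authenticate
    auto = route
    ike = aes256-sha256-ecp256!
    esp = aes256gcm16-ecp256!
```

On the internal server the host firewall then admits port 389 only for packets that arrived under an IPsec policy, e.g. `iptables -A INPUT -p tcp --dport 389 -m policy --dir in --pol ipsec --proto esp -j ACCEPT` followed by a DROP rule for the same port. A cleartext connection from any other DMZ device never reaches LDAP, which is the property Chris is relying on.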