On 6/11/19 11:48 AM, Brian Wood wrote:
> Shalom
>
> I've been trying to make some progress with IPsec. I tried
> previously a few years ago, but didn't get very far with it.
> Some of the books I've looked at are from a Cisco
> perspective. I'm not sure that's what I want. I want
> something that will help me use IPsec on FreeBSD and
> Linux.

I should be able to help. I've mostly used racoon/ipsec-tools myself, and those are ports from *bsd.

> I've read about transport and tunnel modes. Is transport
> mode simpler/easier to implement than tunnel mode?

No, they are different modes for different jobs; neither one is better or easier than the other. It's like comparing a knife with a fork: you could use only one or the other, but I would question why you would.

> Ideally, I may want to use tunnel mode, but if transport
> mode is simpler, I'd rather start with that.

Think of transport mode as end-to-end, or point-to-point. You're creating an ipsec policy to encrypt/sign traffic from A to B. This is assuming A can already get to B. So it's basically a direct connection.

For tunnel mode, you're creating a route for A to get to B. This doesn't require that A can already get to B, and usually assumes one or two other machines are going to be in the middle.

Here's a simple tunnel example. Given you want A to talk to B, you would set up an ipsec tunnel on X to ipsec encrypt/sign packets and route them through to Y, which would decrypt them and forward them on to B. In this case A and B have no idea that they are using ipsec.

A -{raw packet}-> X -{ipsec}-> Y -{raw packet}-> B

Where it gets confusing is A and X can be one machine, or two. And so can Y and B. Usually X and Y are gateway routers, and A/B are in private subnets behind them.

> Do you have any tips or sites for getting started with it?
> Thank you in advance.

Can't help much here. Most sites I've used weren't helpful until after I had stumbled through everything and got a better understanding of how it all works.

A lot of sites seem to provide a "HOWTO" approach that blends things together, so it was harder to understand any individual piece. Best advice is to take it slow, focus on one technology first (ipsec-tools), then move on to more advanced stuff (racoon) once you understand it better and have a couple of working examples.

I would start with something that can run VirtualBox or VMware, and spin up a couple of VMs and try to get it working between them.

I'm happy to help if you have any questions.

>
>
> Brian
> Ebenezer Enterprises - "Those who trust in their riches will fall,
> but the righteous will thrive like a green leaf." Proverbs 11:28
> https://github.com/Ebenezer-group/onwards
>
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
>
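As an added illustration of the transport-versus-tunnel distinction and of the "start with ipsec-tools, manual keys first" advice in the reply above (this is an example config written for this page, not something from the mailing-list post), here is a setkey(8) configuration of the kind ipsec-tools loads with `setkey -f`. The addresses are assumed: A = 192.0.2.10 and B = 192.0.2.20 for the transport-mode pair, and the tunnel pair is gateway X = 198.51.100.1 in front of 10.1.0.0/24 and gateway Y = 198.51.100.2 in front of 10.2.0.0/24 (all from documentation/private ranges). The hex keys are obvious placeholders to be replaced with locally generated random key material, and every SA is statically keyed, which is why the reply suggests moving on to racoon (IKE) once the manual version works.

```conf
# Example setkey.conf for ipsec-tools (added example; addresses and keys are assumed placeholders).
# Load with:  setkey -f /path/to/setkey.conf
# The same file, with the directions mirrored, is loaded on the peer.

flush;      # drop all manual SAs
spdflush;   # drop all security policies

#
# 1. Transport mode: A (192.0.2.10) <-> B (192.0.2.20), both hosts already route to each other.
#    The policy only says "ESP in transport mode is required"; the SAs below carry the keys.
#    This file is written from A's point of view; B uses the same SAs with in/out swapped.
#
spdadd 192.0.2.10 192.0.2.20 any -P out ipsec esp/transport//require;
spdadd 192.0.2.20 192.0.2.10 any -P in  ipsec esp/transport//require;

# One SA per direction, each with its own SPI (>= 0x100; lower values are reserved).
# aes-cbc takes a 128-bit key (32 hex digits); hmac-sha256 takes a 256-bit key (64 hex digits).
# PLACEHOLDER KEYS: replace with output of e.g. "openssl rand -hex 16" / "openssl rand -hex 32".
add 192.0.2.10 192.0.2.20 esp 0x1001 -m transport
    -E aes-cbc     0x00112233445566778899aabbccddeeff
    -A hmac-sha256 0x0000000000000000000000000000000000000000000000000000000000000001;
add 192.0.2.20 192.0.2.10 esp 0x1002 -m transport
    -E aes-cbc     0xffeeddccbbaa99887766554433221100
    -A hmac-sha256 0x0000000000000000000000000000000000000000000000000000000000000002;

#
# 2. Tunnel mode: gateway X (198.51.100.1) encapsulates traffic from 10.1.0.0/24 to 10.2.0.0/24
#    and sends it to gateway Y (198.51.100.2). Hosts A and B inside those subnets see raw packets.
#    This half is X's view; Y's file swaps the subnets, the endpoints and the in/out directions.
#
spdadd 10.1.0.0/24 10.2.0.0/24 any -P out ipsec esp/tunnel/198.51.100.1-198.51.100.2/require;
spdadd 10.2.0.0/24 10.1.0.0/24 any -P in  ipsec esp/tunnel/198.51.100.2-198.51.100.1/require;

# Tunnel-mode SAs are keyed between the gateways, not between A and B.
add 198.51.100.1 198.51.100.2 esp 0x2001 -m tunnel
    -E aes-cbc     0x0123456789abcdef0123456789abcdef
    -A hmac-sha256 0x0000000000000000000000000000000000000000000000000000000000000003;
add 198.51.100.2 198.51.100.1 esp 0x2002 -m tunnel
    -E aes-cbc     0xfedcba9876543210fedcba9876543210
    -A hmac-sha256 0x0000000000000000000000000000000000000000000000000000000000000004;
```

The two halves show the difference the reply describes: in transport mode the policy selectors are the communicating hosts themselves, so A must already reach B; in tunnel mode the selectors are the private subnets while the SA endpoints are the gateways, so A and B never see ESP. After loading, `setkey -D` lists the SAs and `setkey -DP` lists the policies, which is the quickest check that the kernel accepted what you wrote. Keys must match exactly on both ends, and a mismatch shows up as packets that leave one side but are silently dropped on the other. On Linux the same kernel state can also be inspected with `ip xfrm state` and `ip xfrm policy`, and the gateways additionally need IP forwarding enabled for the tunnel case.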