On Sunday 12 May 2013 03:37:48 Nick Khamis wrote:
> Thanks yet again Michael! Enjoy your weekend.
> 
> N.
> 
> On 5/11/13, Michael Mol <mike...@gmail.com> wrote:
> > On 05/11/2013 03:13 PM, Nick Khamis wrote:
> >> Hello Everyone,
> >> 
> >> Our service provider requires all connections between us be done
> >> through IPSec IKE. From the little bit of research, I found that this
> >> is achieved using a system with IPSec kernel modules enabled, along
> >> with cryptography modules. On the application level, I saw ipsec tool,
> >> OpenSWAN, and OpenVPN.
> >> 
> >> What I was wondering is which should be used for traffic intensive
> >> connections in a deployment environment. Without starting any OpenVPN
> >> vs OpenSwan debate, we would really like to keep the application level
> >> to a minimum. Meaning if we could achieve the tunnel using the
> >> required kernel modules, ipsec-tools and iptables, we see that as
> >> keeping it simple and effective.
> >> 
> >> Your insight, suggested how-to pages are greatly appreciated.
> > 
> > To my knowledge, OpenVPN does not use IPSec. Instead, it encapsulates
> > either IP/IPv6 (tun mode) or layer 2 (tap mode) over TLS. If your
> > service provider requires IPSec and IKE, best forget about OpenVPN.
> > 
> > http://www.ipsec-howto.org/x304.html
> > 
> > Look under "Automatic keyed connections using racoon"

If your ISP is using IKEv1, Racoon *should* do what you want, but you may need
to set up the routes manually.  The up/down scripts in /etc/racoon/scripts do
not work in my case and I have to set them up with ifconfig and ip.
Apparently they work if you use xauth, according to this thread:

  http://forums.gentoo.org/viewtopic-p-6977674.html


Instead, I opted for using StrongSwan, which is *much* better documented,
supports additional ciphers, RADIUS, etc., and allocation of IKEv1 pools using
a database back end.  More importantly, it also works with IKEv2 and MOBIKE.
With racoon you will have to try racoon2 if you need IKEv2, which was in
development back in 2010.

You can read a comparison between the *Swans here, but things have moved on
since; e.g. StrongSwan supports IKEv1 in Aggressive Mode, OpenSwan supports
part of IKEv2, etc.:

  https://lists.strongswan.org/pipermail/users/2010-September/005293.html

Ask if you need particular details in setting up your implementation.
-- 
Regards,
Mick
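As an added example (it is not from Mick's message or from the StrongSwan project), here is a minimal StrongSwan 5.x ipsec.conf/ipsec.secrets pair for a site-to-site tunnel to a provider over IKEv2 with MOBIKE and a pre-shared key. The hostnames, IDs, subnets and the PSK are placeholders and have to be replaced with what the provider actually hands out; the proposal strings must match what their gateway offers.

```ini
# /etc/ipsec.conf  (strongSwan 5.x syntax; hostnames, IDs and subnets are placeholders)
config setup
    charondebug="ike 1, knl 1, cfg 0"   # IKE, kernel and config logging at level 1
    uniqueids=yes

conn %default
    keyexchange=ikev2                   # keyexchange=ikev1 only if the provider cannot do IKEv2
    mobike=yes                          # MOBIKE: the tunnel survives local address changes
    ike=aes256-sha256-modp2048          # IKE SA proposal (encryption, integrity/PRF, DH group)
    esp=aes256-sha256-modp2048          # CHILD SA (ESP) proposal; modp2048 here enables PFS
    ikelifetime=24h
    lifetime=1h
    dpdaction=restart                   # dead peer detection: re-establish if the peer goes quiet
    dpddelay=30s
    authby=secret                       # PSK authentication; matched against ipsec.secrets

conn provider
    left=%defaultroute                  # our public address, taken from the default route
    leftid=@gw.example.net              # our IKE identity (placeholder)
    leftsubnet=10.1.0.0/24              # our internal network behind the tunnel (placeholder)
    right=vpn.provider.example          # provider gateway (placeholder)
    rightid=@vpn.provider.example       # identity the provider presents (placeholder)
    rightsubnet=10.2.0.0/24             # provider network reachable through the tunnel (placeholder)
    auto=start                          # bring the tunnel up when the daemon starts

# /etc/ipsec.secrets  (keep it mode 0600; the PSK below is a placeholder, generate a long random one)
# @gw.example.net @vpn.provider.example : PSK "replace-with-a-long-random-secret"
```

Start it with `ipsec start` and check `ipsec statusall`; charon installs the routes for rightsubnet into its own routing table (220 by default) when the CHILD SA comes up, so the manual ifconfig/ip step needed with racoon's scripts does not arise. If the provider is IKEv1-only, set keyexchange=ikev1; add aggressive=yes only if they insist on Aggressive Mode, because with a PSK that mode lets a passive observer mount an offline dictionary attack on the key.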
