On Friday, 6 April 2018 19:20:09 BST Grant Taylor wrote:
> On 04/06/2018 11:58 AM, Mick wrote:
> > I think you mean IKEv2 + IPSec?
> 
> I don't remember IKE<anything> involved the last time I had to manually
> set up an IPSec connection between two Windows systems (or Windows and a
> Netgear router).  I think it was /completely/ manual and PSK.

Domestic-grade routers which offer IKEv1 typically use PSK for 
authentication, not TLS certificates.  The PSK is what IKE uses in userspace 
to establish a secure connection with authentication between peers for the 
purpose of exchanging the IPSec keys to encrypt the tunnel with.  If you check 
the 2nd sentence in the wiki page below, it confirms MSWindows L2TP/IPSec uses 
IKEv1 to exchange the IPSec keys:

https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server#IPsec


> > IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the
> > tunnel itself.  The tunnel is operating at layer 2, so TCP/UDP/ICMP will
> > all be encrypted when sent through the IPSec encrypted tunnel.
> 
> I remember doing a little bit with IKE 10+ years ago back when it was
> OpenSWAN / FreeSWAN.

OpenSWAN was forked into LibreSWAN and FreeSWAN is now called StrongSWAN.  
Anyway, part of the IKEv2 standard is to offer support for mobile and 
multihomed users (MOBIKE).

Although IKE operates in userspace, the IPSec stack is in kernelspace and its 
performance is superior to userspace VPN technologies.  Apparently WireGuard is 
even more efficient than IPSec's xfrm/netkey, but I have not tried it out 
yet.

-- 
Regards,
Mick
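To make the division of labour described above concrete (IKE doing authenticated key exchange in userspace, the kernel holding the resulting IPSec SAs), here is an added example of a strongSwan swanctl.conf for an IKEv2 site-to-site tunnel authenticated with a PSK and with MOBIKE enabled. It is not part of Mick's message nor taken from the strongSwan documentation; the addresses (RFC 5737 documentation ranges), the peer identities siteA/siteB, the subnets and the PSK placeholder are all assumed values to be replaced with your own.

```conf
# Added example (assumed values): IKEv2 + IPsec site-to-site tunnel, PSK auth.
# IKE runs in the charon userspace daemon; the negotiated ESP keys are
# installed into the kernel xfrm framework, which does the actual encryption.
connections {
    site-a-to-b {
        version = 2                  # IKEv2 only; refuse IKEv1 fallback
        mobike = yes                 # MOBIKE: survive address changes / multihoming
        local_addrs = 192.0.2.1      # assumed: this gateway's public address
        remote_addrs = 198.51.100.1  # assumed: peer gateway's public address
        local {
            auth = psk
            id = siteA               # assumed identity, must match the peer's "remote"
        }
        remote {
            auth = psk
            id = siteB
        }
        # Certificate alternative: replace "auth = psk" with "auth = pubkey"
        # and point "certs = " at the gateway certificate in /etc/swanctl/x509/.
        children {
            lan-to-lan {
                local_ts = 10.0.1.0/24       # assumed: subnet behind siteA
                remote_ts = 10.0.2.0/24      # assumed: subnet behind siteB
                esp_proposals = aes256gcm16-x25519   # AEAD ESP, PFS via X25519
                start_action = start         # bring the CHILD_SA up on load
            }
        }
        # IKE SA proposal: AEAD cipher, PRF, and DH group for the key exchange
        proposals = aes256gcm16-prfsha384-x25519
    }
}

secrets {
    # The PSK is the only thing authenticating the peer, so it must be long,
    # random and unique per peer pair. Placeholder value, replace before use.
    ike-siteB {
        id = siteB
        secret = "REPLACE-WITH-A-LONG-RANDOM-PSK"
    }
}
```

After `swanctl --load-all`, the userspace side of the picture is visible with `swanctl --list-sas` (the IKE SA and its CHILD_SA), while the kernel side, the SAs and policies that xfrm actually uses to encrypt traffic, is visible with `ip xfrm state` and `ip xfrm policy`. Seeing both lists agree is the quick check that key exchange completed and the kernel was handed the keys.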
