On Tue, Apr 6, 2021, at 10:35 AM, Grant Taylor wrote:
> But I've started to get some more experience using IPsec without IKE
> recently.
>
Can you clarify why you need to use IPsec? If it is to support a commercial client you may be better off handing them a system based around BSD. More flexibility will be had from Linux, but pfSense/OPNsense gives you a point-and-click web terminal which is easier to train in-house IT on, due to the documentation available. The modes are also usually sufficient: site-to-site tunnel (like the appliances you're used to using), intranet protection, and routing options for the same. If you control everything you can use WireGuard or OpenVPN.

To answer some of your later questions in summary:

1. Of the projects, libreswan seems the best maintained, though openswan still releases regularly. I would start with libreswan. For racoon, see https://www.netbsd.org/docs/network/ipsec/rasvpn.html.

2. Yes, see https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2. Don't worry about embedding key material in your scripts (unless you expect someone has bugged your monitor). The key material has to be on disk in some form anyway. Typical usage has the tunnel creation commands referencing key material. Bash disables history in non-interactive shells by default.

3. Drop opportunistic encryption. It's best if you or the user knows if the network is secure or not.

4. The authentication header (AH) does not provide "security." Encapsulating security payload (ESP) provides confidentiality and, if selected, authentication. Check the docs; usually you want authentication and confidentiality: merely confidentiality allows some classes of attacks.

5. Transport mode may be most appropriate; however, you could have tunnels between all servers for redundancy.

6. Setting up the public key infrastructure will be most of the headache.

> This is working and does enable IPsec /transport/ /mode/ between
> $LeftHost and $RightHost. But it's completely manual at the moment.
>

Doesn't seem manual if you've got a script for it. A lot of people stop here.
If you need consulting time I can offer it, but reading the linked pages should get you far enough along. I won't mind answering things in public but do wonder about your interest in IPsec.
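Added example, not from this thread, libreswan or any other project named in it: a POSIX shell script for the manually keyed, IKE-less transport-mode setup the reply is discussing, done with the Linux ip xfrm(8) tool. It keeps the keys in a root-only file that the setup commands reference (point 2 above) instead of pasting them into the script, and it uses an AEAD transform (AES-128-GCM, RFC 4106) so the ESP SA gives both confidentiality and authentication (point 4), with the encryption-only transform shown beside it as the setting to avoid. The addresses 192.0.2.1/192.0.2.2, the SPIs, the reqid, the key-file format and its default path are all assumptions; override them through the environment. By default it only prints the commands; APPLY=1 runs them, which needs root.

```shell
#!/bin/sh
# Manually keyed ESP in transport mode between two hosts, without IKE, using
# ip xfrm(8). Added example; all addresses, SPIs, paths and names are assumed.
set -eu

LEFT="${LEFT:-192.0.2.1}"          # assumed address of $LeftHost
RIGHT="${RIGHT:-192.0.2.2}"        # assumed address of $RightHost
SPI_LR="${SPI_LR:-0x1001}"         # assumed SPI for the LEFT->RIGHT SA
SPI_RL="${SPI_RL:-0x1002}"         # assumed SPI for the RIGHT->LEFT SA
REQID="${REQID:-1}"                # ties policies to the states below
ROLE="${ROLE:-left}"               # which host this script runs on: left|right
APPLY="${APPLY:-0}"                # 0 = print the commands, 1 = run them (root)
# Assumed key-file location; in production keep it under /etc, mode 0600.
KEYFILE="${KEYFILE:-${TMPDIR:-/tmp}/ipsec-manual.keys}"

# AES-128-GCM (rfc4106) in Linux xfrm takes the 16 key bytes plus a 4 byte
# salt, so one SA key is 20 random bytes = 40 hex digits. One key per SA.
gen_gcm_key() {
    od -A n -N 20 -t x1 /dev/urandom | tr -d ' \n'
}

# Is $1 a well-formed 40-hex-digit key? Catches truncated or hand-edited files.
valid_gcm_key() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Print the four ip xfrm commands one host needs: both SAs (identical on both
# hosts) and the two policies (out: me->peer, in: peer->me).
#   $1 this host  $2 peer  $3 SPI me->peer  $4 its key  $5 SPI peer->me  $6 its key
# Weak setting to avoid in the state lines: enc 'cbc(aes)' 0x$key with no auth,
# i.e. confidentiality only, which leaves packets malleable in transit. The AEAD
# transform below covers confidentiality and authentication in one go.
host_cmds() {
    me=$1; peer=$2
    valid_gcm_key "$4" && valid_gcm_key "$6" || {
        echo "host_cmds: malformed key material" >&2; return 1; }
    printf '%s\n' \
      "ip xfrm state add src $me dst $peer proto esp spi $3 reqid $REQID mode transport aead 'rfc4106(gcm(aes))' 0x$4 128" \
      "ip xfrm state add src $peer dst $me proto esp spi $5 reqid $REQID mode transport aead 'rfc4106(gcm(aes))' 0x$6 128" \
      "ip xfrm policy add src $me dst $peer dir out tmpl src $me dst $peer proto esp reqid $REQID mode transport" \
      "ip xfrm policy add src $peer dst $me dir in tmpl src $peer dst $me proto esp reqid $REQID mode transport"
}

main() {
    if [ ! -r "$KEYFILE" ]; then
        # First run: mint both keys into a file only the owner can read, then
        # copy that file to the peer over a channel you already trust.
        umask 077
        printf 'left_to_right %s\nright_to_left %s\n' \
            "$(gen_gcm_key)" "$(gen_gcm_key)" > "$KEYFILE"
        echo "wrote new keys to $KEYFILE; copy it to the peer out of band" >&2
    fi
    # The commands reference the file's contents; nothing is hard-coded here.
    k_lr=$(awk '$1=="left_to_right"{print $2}' "$KEYFILE")
    k_rl=$(awk '$1=="right_to_left"{print $2}' "$KEYFILE")
    if [ "$ROLE" = left ]; then
        cmds=$(host_cmds "$LEFT" "$RIGHT" "$SPI_LR" "$k_lr" "$SPI_RL" "$k_rl")
    else
        cmds=$(host_cmds "$RIGHT" "$LEFT" "$SPI_RL" "$k_rl" "$SPI_LR" "$k_lr")
    fi
    if [ "$APPLY" = 1 ]; then
        printf '%s\n' "$cmds" | sh -e
    else
        printf '%s\n' "$cmds"
    fi
}

main
```

Run it once on $LeftHost to mint the key file, copy that file to $RightHost, then run with ROLE=right there; APPLY=1 on both installs the SAs and policies, and `ip xfrm state` / `ip xfrm policy` show what was installed. Because there is no IKE, nothing rekeys or replaces the SAs for you: the SPIs and keys stay until you flush them, so rotate by generating a new key file and re-running on both ends.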