On 04/06/2018 11:58 AM, Mick wrote:
I think you mean IKEv2 + IPSec?
I don't remember IKE<anything> involved the last time I had to manually
set up an IPSec connection between two Windows systems (or Windows and a
Netgear router). I think it was /completely/ manual and PSK.
IKEv2 is used to exchange keys and IPSec is used to set up and encrypt the
tunnel itself. The tunnel is operating at layer 2, so TCP/UDP/ICMP will
all be encrypted when sent through the IPSec encrypted tunnel.
I remember doing a little bit with IKE 10+ years ago back when it was
OpenSWAN / FreeSWAN.
This is using L2TP for encapsulating the frames + IKEv1 for secure key
exchange + IPsec for encryption of the L2TP tunnel.
ACK
Well said:
*chuckle*
https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security
It is an obsolete method with poor security. I would not use it under
any circumstances, unless security is of no importance.
Agreed.
As I mentioned before, there is also IKEv2+IPSec, which allows the client
to roam between networks without dropping the connection.
Intriguing. I've never considered IPSec with a road warrior, much less
an established connection with a changing IP address. I would have been
much more likely to look at OpenVPN or Wireguard or OpenSSH.
Finally, there is SSTP encrypting PPP frames within TLS. I don't know
why one would use this instead of OpenVPN, except that it comes as part
of the MSWindows package, while OpenVPN has to be installed separately.
SSTP is a new one on me.
+1
They are also easier to set up initially, because both MSWindows peers
will use the same combo of encryption suites, ciphers, etc. Half of
the pain of getting MSWindows to work with a Linux VPN gateway is often
finding how to configure the cipher, hash and X509v3 extensions of a
TLS certificate in a way that MSWindows will not barf; e.g. IIRC, last
time I looked at a Windows 7 IKEv2/IPSec VPN, the TLS certificates would
only accept AES128 keys and SHA1. Anything more onerous would not be
accepted by the MSoft TLS key manager.
Agreed.
--
Grant. . . .
unix || die