On 04/06/2018 04:51 PM, Mick wrote:
Domestic grade routers which offer IKEv1, typically use PSK for
authentication, not TLS certificates. The PSK is what IKE uses in
userspace to establish a secure connection with authentication between
peers for the purpose of exchanging the IPSec keys to encrypt the
tunnel with.
ACK All of that makes sense. Thank you for clarifying / confirming
what I suspsected was the case.
I don't /remember/ IKE being involved in what I was doing. But there's
a chance that it was happening without me being aware of it.
If you check the 2nd sentence in the wiki page below, it confirms
MSWindows L2TP/IPSec uses IKEv1 to exchange the IPSec keys:
https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server#IPsec
I don't remember L2TP being involved either. But that doesn't mean that
it wasn't.
If memory serves (and it often does not) I was manually configuring
IPSec policies via a GPEdit snapin. It was extremly low level and
obtuse to configure.
OpenSWAN was forked into LibreSWAN and FreeSWAN is now called StrongSWAN.
Anyway, part of the IKEv2 standard is to offer support for mobile and
multihomed users (MOBIKE).
Hum. I've not payed attention to *SWAN as I've not needed to use it. I
also thought that IPSec was a LOT more complicated than other
technologies. Plus, I was dealing with more road warrior type things
than site-to-site. (It's my understanding that IPSec is (or was) not
really friendly for mobile.)
Although IKE operates in userspace, the IPSec stack is in kernelspace
and its performance superior to userspace VPN technologies.
My understanding is that IKE was just used to boot strap and maintain
the in kernl IPSec. Thus IKE could easily run in user space.
Apparently Wireguard is even more efficient than the IPSec's xfrm/netkey,
but I have not tried it out yet.
I've not messed with Wireguard yet. But it's on my list if I ever need
/ want to mess with VPNs.
--
Grant. . . .
unix || die
