Suppose I have a set of hosts and I want to leverage Paul's opportunistic encryption pattern (https://events.static.linuxfound.org/sites/events/files/slides/LinuxSecuritySummit-2016-OE-16x9.pdf), but I would prefer to use IPSec transport mode (type=transport) instead of tunnel mode so that my IP headers are unaltered.


  1.  Will the pattern still work as described in Paul's presentation and the supporting conf files, etc.?
  2.  What would have to change in the config files?
  3.  There is so little documentation on transport mode - is this a bad path?

FWIW, in the Windows world, Microsoft has been preaching IPSec transport mode under the heading "network isolation" for nearly 15 years, and they run transport mode universally on their internal network:

  *   https://technet.microsoft.com/en-us/library/cc163159.aspx (2005)
  *   https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725770(v=ws.10) (2012)
  *   https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/server-isolation-policy-design (2017)

Thanks in advance,
Ken Jackson
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan