On 12/13/2017 09:44 AM, Bill Shirley wrote:
> I don't see that SSH tunneling or running IPSEC in a VM as a security
> gain. It would be very complex with multiple points of failure. If you
> don't trust the traffic from the other endpoint, filter it with Shorewall
> after it's decrypted. After decryption a packet will traverse the
> Shorewall rules where you can DROP or REJECT if desired.
>
> Also, with an IPSEC using manual keying, you don't even need LibreSwan.
> Look at /usr/share/doc/initscripts/sysconfig.txt for IPSEC setup.
>
> Bill
Bill, I do trust my laptop and remote LAN. Point is, if I run the IPSec
left (server) on my router (the VM which provides outside access to the
LAN), if ne'er-do-wells compromise ipsec they will be inside my router.
I don't want this. If they compromise ipsec I want them to end up
inside a benign machine.

I just don't know how to tunnel UDP.

It's not a good idea to use ipsec with PSK anymore. I'll be using
(self-genned) certs only. RSA was compromised in 2014 (granted, NSA),
and Schneier says he doesn't trust EC because the curves NSA submitted to
NIST are related.
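Added example, not from either poster: the Shorewall configuration Bill's suggestion implies, where decrypted IPsec traffic lands in its own zone and is filtered like any other zone. The interface names (eth0 towards the Internet, eth1 towards the LAN), the remote subnet 192.168.2.0/24 and the single permitted service (SSH) are constructed for illustration; the `ipsec` zone type, the `hosts` file entry and the rules syntax follow Shorewall's documented IPsec zone support.

```text
# /etc/shorewall/zones  (constructed example; order matters: the ipsec
# zone must be listed before the plain "net" zone it is carved out of)
#ZONE   TYPE
fw      firewall
loc     ipv4
vpn     ipsec
net     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,routefilter
loc     eth1

# /etc/shorewall/hosts
# Packets arriving on eth0 that were decrypted by an IPsec SA are matched
# here (policy match), so the remote LAN becomes the "vpn" zone.
#ZONE   HOST(S)                 OPTIONS
vpn     eth0:192.168.2.0/24

# /etc/shorewall/policy
# Default-deny between the tunnel and the local LAN; log what is refused.
#SOURCE   DEST   POLICY   LOGLEVEL
vpn       loc    REJECT   info
loc       vpn    REJECT   info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# IKE and NAT-T from the Internet to the router itself, plus ESP (proto 50),
# so the tunnel can be established; everything decrypted is then subject
# to the vpn -> loc rules below rather than being trusted implicitly.
#ACTION   SOURCE   DEST   PROTO   DPORT
ACCEPT    net      $FW    udp     500,4500
ACCEPT    net      $FW    50
# Only SSH is allowed from the remote LAN into the local LAN.
ACCEPT    vpn      loc    tcp     22
```

With this layout, a packet that arrives encrypted on eth0 is decrypted by the kernel and then re-enters netfilter, where the policy match places it in `vpn` rather than `net`; the `vpn loc REJECT info` policy plus the single ACCEPT rule is what limits what a compromised remote endpoint can reach. Confirm the zone assignment with `shorewall show zones` and watch the logged REJECTs to see which traffic the remote side is actually sending.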
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users