Hi,

On Sun, Apr 04, 2021 at 07:54:50PM -0600, Grant Taylor wrote:
>
> Does anyone have any experience with IPsec? Preferably on Gentoo or
> Linux in general?

I have some experience with IPsec, mostly with non-Linux systems, but a
bit with Linux as well (but not Gentoo). But it's been a while since I
last configured IPsec on a Linux system...

> I'd like to discuss some things (probably off list) while wading
> into the IPsec pool. E.g.:
>
> - ip xfrm ...

This affects the kernel part of IPsec, i.e., bulk encryption and/or
integrity protection, only.

> - strongSwan
> - Libreswan

This is used to negotiate the parameters that are to be installed in
the kernel.

> - X.509 certificate based authentication, preferably /mutual/
> - Opportunistic Encryption

Since I have little experience with the above (back when I had to use
IKE version 1, so no *swan on the Linux side, and there were pre-shared
keys, and I never actually used "ip xfrm"), I can primarily help with
conceptual questions.

> - Transport Mode
> - Tunnel Mode

Use of one or the other depends on your requirements.

Thanks,
Erik

-- 
It's impossible to learn very much by simply sitting in a lecture, or
even by simply doing problems that are assigned. -- Richard P. Feynman
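To make the split Erik describes concrete (ip xfrm touching only the kernel's security associations and policies, the IKE daemon negotiating and installing them) and to show where transport and tunnel mode actually differ, here is an added shell example that is not part of the thread. The addresses, SPIs and key are constructed placeholders, and the function names and the IPSEC_DRY_RUN variable are my own.

```shell
#!/bin/sh
# The "kernel part" of IPsec that ip xfrm manipulates is two objects: the
# Security Association (xfrm state: one per direction, holding SPI, algorithm
# and key) and the policy (xfrm policy: selects traffic and points at an SA
# through a template). strongSwan/Libreswan negotiate these values over IKE
# and install them; below is that installation done by hand for the outbound
# direction only (a real setup also needs the inbound SA and "dir in"/"dir
# fwd" policies). All addresses, SPIs and the key are constructed placeholders.
# IPSEC_DRY_RUN=1 (default) prints the commands instead of executing them;
# executing them needs root on a Linux kernel with xfrm support.
: "${IPSEC_DRY_RUN:=1}"
# 20 bytes = AES-128 key + 4-byte salt for rfc4106 GCM. Placeholder, NOT a real key.
PLACEHOLDER_KEY=0x0123456789abcdef0123456789abcdef01234567

run() { if [ "$IPSEC_DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# transport_out HOST_A HOST_B SPI
# Transport mode: SA endpoints and policy selector are the same two hosts;
# only the payload is protected, so the template carries no addresses.
transport_out() {
    run ip xfrm state add src "$1" dst "$2" proto esp spi "$3" reqid 1 \
        mode transport aead 'rfc4106(gcm(aes))' "$PLACEHOLDER_KEY" 128
    run ip xfrm policy add src "$1" dst "$2" dir out \
        tmpl proto esp reqid 1 mode transport
}

# tunnel_out GW_A GW_B INNER_NET_A INNER_NET_B SPI
# Tunnel mode: the SA runs between the gateways (outer addresses); the policy
# selects inner traffic and its template names the outer endpoints, so the
# whole original packet is wrapped in a new IP header.
tunnel_out() {
    run ip xfrm state add src "$1" dst "$2" proto esp spi "$5" reqid 2 \
        mode tunnel aead 'rfc4106(gcm(aes))' "$PLACEHOLDER_KEY" 128
    run ip xfrm policy add src "$3" dst "$4" dir out \
        tmpl src "$1" dst "$2" proto esp reqid 2 mode tunnel
}

# Dry run: print both variants side by side for comparison.
transport_out 198.51.100.1 203.0.113.1 0x1001
tunnel_out 198.51.100.1 203.0.113.1 10.0.1.0/24 10.0.2.0/24 0x2001
```

Running `ip xfrm state` and `ip xfrm policy` on a host where strongSwan or Libreswan is up shows the same two kinds of objects, now filled in by the daemon rather than by hand.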