VPN recommendations?

Grant Taylor gtaylor at tnetconsulting.net
Sat Feb 12 20:24:47 UTC 2022


On 2/11/22 12:35 PM, William Herrin wrote:
> The thing to understand is that IPSec has two modes: transport and 
> tunnel. Transport is between exactly two IP addresses while tunnel 
> expects a broader network to exist on at least one end.

That is (syntactically) correct.  However, it is possible to NAT many 
LAN IPs (say RFC 1918) to one single Internet IP (say from a SOHO ISP) 
and use IPSec /Transport/ Mode to a single remote IP.  The IPSec sees 
exactly two IPs.

> "Tunnel" mode is what everyone actually uses

I may be enough of an outlier that I'm a statistical anomaly.  But I'm 
using IPSec /Transport/ Mode between my home router and my VPSs.  I have 
a tiny full mesh of IPSec /Transport/ Mode connections.

Using the aforementioned many-to-one NAT, my home LAN systems access the 
single globally routed IP of each of my VPSs without any problem.

Aside:  I did have to tweak MTU for LAN traffic going out to the VPS IPs.

So -1 for '"Tunnel" mode is what everyone actually uses', and +1 for 
/Transport/ Mode

> but you can deconstruct it: it's built up from transport mode + 
> a tunnel protocol (gre or ipip I don't remember which) + implicit 
> routing and firewalling which wreaks havoc on dynamic routing.

I question the veracity of that statement.  It may be that's what many 
implementations / administration systems do.  But I really thought that 
IPSec /Tunnel/ Mode was more than just IPSec /Transport/ Mode combined 
with some tunneling protocol.

> Now, it turns out that you can instead configure IPSec in transport 
> mode, configure the tunnel separately and leave out the implicit 
> firewalling.

Agreed.  I feel like this speaks to implementation / management systems 
that are built on top of IPSec.

> It's not relevant to my situation, no. I need the VPN to establish 
> a statically addressed clean layer 3 on top of dynamically addressed 
> and natted endpoints to support the next appliance in the chain where 
> dynamic addressing is not possible. I don't actually care if it adds 
> security; it just needs to establish that statically addressed layer.

It sounds to me like you don't even actually need encryption of a 
typical VPN and might be able to use something like GRE+key or IPSec 
/Tunnel/ Mode with AH without ESP.

> Oh yeah, and it has to be listed under "virtual private network" 
> on the government NIAP list.
> https://www.niap-ccevs.org/product/PCL.cfm?ID624=34

Oh joy.  Layer 8 - politics



-- 
Grant. . . .
unix || die
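The MTU aside above is the practical consequence of ESP overhead: in transport mode only the transport-layer payload is wrapped and the original IP header is reused, while tunnel mode wraps the whole inner packet behind a new outer header, so tunnel mode costs one more IPv4 header per packet and NAT-T costs a further UDP header. The following Python is an added example, not code from this thread or from the poster's routers; header sizes follow RFC 4303 (ESP) and RFC 4106 (AES-GCM), the cipher table and the 1500-byte path MTU are assumptions chosen for illustration, and it computes the largest inner packet that still fits without fragmentation plus the TCP MSS one would clamp to.

```python
"""ESP overhead calculator: how much of the path MTU survives IPsec
transport vs tunnel mode, with or without NAT-T UDP encapsulation.

Added example, not code from the NANOG thread. Header sizes come from
RFC 4303 (ESP) and RFC 4106 (AES-GCM); the cipher table is an assumed
list of a few common suites, not what any poster's routers actually run.
"""

IPV4_HEADER = 20      # assumes no IP options
UDP_HEADER = 8        # NAT-T (RFC 3948) wraps ESP in UDP/4500
ESP_SPI_SEQ = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)

# Assumed table: suite -> (iv_len, block_align, icv_len)
CIPHERS = {
    "aes-gcm-128":             (8, 4, 16),    # RFC 4106: 8-byte IV, 4-byte alignment, 16-byte ICV
    "aes-cbc-128/hmac-sha1":   (16, 16, 12),  # 16-byte IV, 16-byte blocks, HMAC-SHA1-96
    "aes-cbc-128/hmac-sha256": (16, 16, 16),  # 16-byte IV, 16-byte blocks, HMAC-SHA-256-128
}


def esp_encrypted_len(plaintext_len, block_align):
    """Length of the encrypted region: plaintext + padding + trailer,
    padded so the total is a multiple of the cipher alignment."""
    pad = (-(plaintext_len + ESP_TRAILER)) % block_align
    return plaintext_len + pad + ESP_TRAILER


def esp_packet_len(inner_len, mode, cipher="aes-gcm-128", nat_t=False):
    """On-the-wire IPv4 length of an inner IPv4 packet of inner_len bytes
    after ESP encapsulation in the given mode."""
    iv_len, align, icv_len = CIPHERS[cipher]
    if mode == "transport":
        # Original IP header is reused; only the L4 payload is wrapped.
        if inner_len < IPV4_HEADER:
            raise ValueError("inner packet shorter than an IPv4 header")
        plaintext = inner_len - IPV4_HEADER
    elif mode == "tunnel":
        # Whole inner packet, header included, sits behind a new outer header.
        plaintext = inner_len
    else:
        raise ValueError(f"unknown mode {mode!r}")
    outer = IPV4_HEADER + (UDP_HEADER if nat_t else 0)
    return outer + ESP_SPI_SEQ + iv_len + esp_encrypted_len(plaintext, align) + icv_len


def max_inner_mtu(outer_mtu, mode, cipher="aes-gcm-128", nat_t=False):
    """Largest inner packet that fits outer_mtu without fragmentation.
    Encapsulated size never decreases as inner_len grows, so walk down."""
    for inner in range(outer_mtu, IPV4_HEADER - 1, -1):
        if esp_packet_len(inner, mode, cipher, nat_t) <= outer_mtu:
            return inner
    raise ValueError("outer MTU too small for any packet")


def tcp_mss_clamp(inner_mtu):
    """TCP MSS to clamp to so a full segment fits inner_mtu
    (IPv4 header + TCP header, no options)."""
    return inner_mtu - IPV4_HEADER - 20


if __name__ == "__main__":
    # Assumed 1500-byte path MTU between the home router and the VPS.
    for mode in ("transport", "tunnel"):
        for cipher in CIPHERS:
            for nat_t in (False, True):
                m = max_inner_mtu(1500, mode, cipher, nat_t)
                print(f"{mode:9} {cipher:24} nat_t={nat_t!s:5} "
                      f"inner MTU={m}  TCP MSS={tcp_mss_clamp(m)}")
```

With AES-GCM and no NAT-T, transport mode leaves 1466 bytes of inner MTU and tunnel mode 1446, exactly one IPv4 header less; on Linux the usual fix is to lower the MTU on the LAN-facing route toward the VPS addresses, or to clamp TCP MSS to the value the last function returns.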
