[Swan] Opportunistic encryption with IPSec transport mode

Kenneth Jackson kenjackson at live.com
Fri Jan 19 00:48:33 UTC 2018


Suppose I have a set of hosts and I want to leverage Paul’s opportunistic encryption pattern <https://events.static.linuxfound.org/sites/events/files/slides/LinuxSecuritySummit-2016-OE-16x9.pdf>, but I would prefer to use IPSec transport mode (type=transport) instead of tunnel mode so that my IP headers are unaltered.


  1. Will the pattern still work as described in Paul’s presentation and the supporting conf files, etc.?
  2. What would have to change in the config files?
  3. There is so little documentation on transport mode – is this a bad path?

FWIW, in the Windows world, Microsoft has been preaching IPSec transport mode under the heading “network isolation” for nearly 15 years and they run transport mode universally on their internal network:

  *   https://technet.microsoft.com/en-us/library/cc163159.aspx (2005)
  *   https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725770(v=ws.10) (2012)
  *   https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/server-isolation-policy-design (2017)

Thanks in advance,
Ken Jackson