[Swan] Opportunistic encryption with IPSec transport mode

Paul Wouters paul at nohats.ca
Fri Jan 19 02:08:30 UTC 2018


On Fri, 19 Jan 2018, Kenneth Jackson wrote:

> Suppose I have a set of hosts and I want to leverage Paul’s opportunistic encryption pattern, but I would prefer to use IPSec
> transport mode (type=transport) instead of tunnel mode so that my IP headers are unaltered.
>
>  1. Will the pattern still work as described in Paul’s presentation and the supporting conf files, etc.?
>  2. What would have to change in the config files?
>  3. There is so little documentation on transport mode – is this a bad path?

Just add type=transport to the private, private-or-clear and
clear-or-private connections.

> FWIW, in the Windows world, Microsoft has been preaching IPSec transport mode under the heading “network isolation” for nearly 15
> years and they run transport mode universally on their internal network:

It works fine in a LAN, but as soon as NAT happens, you end up really
wanting to be back in tunnel mode. The IKEv2 RFC even only has a way
to suggest (not mandate) transport mode. So every IKEv2 implementation
compliant to the RFC must allow tunnel mode if the other end does not
confirm the request for transport mode.

Paul
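As an added example (not from Paul's message and not libreswan's shipped files), the three opportunistic connections named in the reply with type=transport applied. The rest of each conn body is assumed to mirror libreswan's standard authnull OE definitions; only the type= line is the change the reply describes.

```ini
# Added example: libreswan OE connections switched to transport mode.
# Conn bodies are assumed to mirror libreswan's standard authnull OE
# definitions; adding type=transport is the change the reply describes.

conn clear-or-private
	# prefer clear; encrypt only if the peer initiates
	type=transport
	authby=null
	left=%defaultroute
	leftid=%null
	right=%opportunisticgroup
	rightid=%null
	ikev2=insist
	negotiationshunt=passthrough
	failureshunt=passthrough
	auto=add

conn private-or-clear
	# try to encrypt; fall back to clear if the peer does not respond
	type=transport
	authby=null
	left=%defaultroute
	leftid=%null
	right=%opportunisticgroup
	rightid=%null
	ikev2=insist
	negotiationshunt=passthrough
	failureshunt=passthrough
	auto=ondemand

conn private
	# require encryption; never send clear
	type=transport
	authby=null
	left=%defaultroute
	leftid=%null
	right=%opportunisticgroup
	rightid=%null
	ikev2=insist
	negotiationshunt=hold
	failureshunt=drop
	auto=ondemand

# Caveat from the reply: IKEv2 can only request transport mode, so a
# peer that does not confirm it yields a tunnel-mode SA, and NAT between
# the hosts makes transport mode impractical; prefer tunnel mode there.
```

After loading, check each conn's policy line in `ipsec status` to confirm the negotiated SA is transport rather than tunnel, since a non-confirming peer silently falls back.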

