[Swan] Opportunistic encryption with IPSec transport mode

Colony.three colony.three at protonmail.ch
Fri Jan 19 17:13:19 UTC 2018


Well this was what I meant with my idea of a SuperLAN.  But there was no connection to opportunistic encryption, nor attempt to clear up my questions and misconceptions.  I've made no progress.

The barriers are too high for those of us who are busy with many other things.

-------- Original Message --------
On January 18, 2018 4:48 PM, Kenneth Jackson <kenjackson at live.com> wrote:

> Suppose I have a set of hosts and I want to leverage Paul’s [opportunistic encryption](https://events.static.linuxfound.org/sites/events/files/slides/LinuxSecuritySummit-2016-OE-16x9.pdf) pattern, but I would prefer to use IPSec transport mode (type=transport) instead of tunnel mode so that my IP headers are unaltered.
>
> - Will the pattern still work as described in Paul’s presentation and the supporting conf files, etc.?
>
> - What would have to change in the config files?
>
> - There is so little documentation on transport mode – is this a bad path?
>
> FWIW, in the Windows world, Microsoft has been preaching IPSec transport mode under the heading “network isolation” for nearly 15 years and they run transport mode universally on their internal network:
>
> - https://technet.microsoft.com/en-us/library/cc163159.aspx (2005)
>
> - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725770(v=ws.10) (2012)
>
> - https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/server-isolation-policy-design (2017)
>
> Thanks in advance,
>
> Ken Jackson
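As an added illustration of where the change Ken asks about would go (this is not from the thread, the slides, or the Libreswan project's own sample files): a Libreswan ipsec.conf fragment modelled on the opportunistic "private-or-clear" conn style, with the only intended difference from a tunnel-mode conn being the `type=transport` line. Whether Libreswan actually accepts transport mode together with the `%opportunisticgroup` mechanism is exactly the open question here, so the fragment shows the placement, not a confirmed working setup. The certificate name and the policy file path are assumed values.

```ini
# Added example, not the list's or Libreswan's own file.
# Assumptions: certificate-based IKEv2 auth is already set up as in the
# referenced slides, and /etc/ipsec.d/policies/private-or-clear lists the
# peer prefixes this conn should be instantiated for.
conn private-or-clear
    # Transport mode: ESP wraps only the payload, so the outer IP header is
    # the original one (the property Ken wants). The default is type=tunnel.
    # Transport mode is host-to-host only: no leftsubnet/rightsubnet lines.
    type=transport
    left=%defaultroute
    leftcert=host.example.com        # assumed certificate nickname
    leftid=%fromcert
    leftrsasigkey=%cert
    right=%opportunisticgroup        # instantiated per entry in the policy file
    rightid=%fromcert
    rightca=%same
    authby=rsasig
    ikev2=insist
    # "private-or-clear" semantics: hold packets while negotiating,
    # fall back to cleartext if the peer does not answer.
    negotiationshunt=hold
    failureshunt=passthrough
    keyingtries=1
    auto=ondemand
```

The practical check after loading this is `ipsec status` (or `ipsec trafficstatus` once a peer responds) to confirm that the instantiated conn reports transport rather than tunnel mode; if the parser rejects the combination, that answers the third bullet of the question for the installed version.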