<div>Well, this was what I meant by my idea of a SuperLAN. But there was no connection to opportunistic encryption, nor any attempt to clear up my questions and misconceptions. I've made no progress.</div>
<div><br></div>
<div>The barriers are too high for those of us who are busy with many other things.</div>
<div><br></div>
<div>-------- Original Message --------</div>
<div>On January 18, 2018 4:48 PM, Kenneth Jackson &lt;kenjackson@live.com&gt; wrote:</div>
<div><br></div>
<blockquote class="protonmail_quote" type="cite"><div class="WordSection1">
<p class="MsoNormal">Suppose I have a set of hosts and I want to leverage Paul’s <a href="https://events.static.linuxfound.org/sites/events/files/slides/LinuxSecuritySummit-2016-OE-16x9.pdf">opportunistic encryption</a> pattern, but I would prefer to use IPSec transport mode (type=transport) instead of tunnel mode so that my IP headers are unaltered.</p>
<ol start="1" type="1">
<li class="MsoListParagraph">Will the pattern still work as described in Paul’s presentation and the supporting conf files, etc.?</li>
<li class="MsoListParagraph">What would have to change in the config files?</li>
<li class="MsoListParagraph">There is so little documentation on transport mode – is this a bad path?</li>
</ol>
<p class="MsoNormal">FWIW, in the Windows world, Microsoft has been preaching IPSec transport mode under the heading “network isolation” for nearly 15 years, and they run transport mode universally on their internal network:</p>
<ul type="disc">
<li class="MsoListParagraph"><a href="https://technet.microsoft.com/en-us/library/cc163159.aspx">https://technet.microsoft.com/en-us/library/cc163159.aspx</a> (2005)</li>
<li class="MsoListParagraph"><a href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725770(v=ws.10)">https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725770(v=ws.10)</a> (2012)</li>
<li class="MsoListParagraph"><a href="https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/server-isolation-policy-design">https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/server-isolation-policy-design</a> (2017)</li>
</ul>
<p class="MsoNormal">Thanks in advance,</p>
<p class="MsoNormal">Ken Jackson</p>
</div></blockquote>