From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Traffic Intensive IPSec Tunnel
Date: Sun, 12 May 2013 08:42:18 +0100

On Sunday 12 May 2013 03:37:48 Nick Khamis wrote:
> Thanks yet again Michael! Enjoy your weekend.
>
> N.
>
> On 5/11/13, Michael Mol wrote:
> > On 05/11/2013 03:13 PM, Nick Khamis wrote:
> >> Hello Everyone,
> >>
> >> Our service provider requires all connections between us be done
> >> through IPSec IKE. From the little bit of research, I found that this
> >> is achieved using a system with IPSec kernel modules enabled, along
> >> with cryptography modules. On the application level, I saw ipsec-tools,
> >> OpenSWAN, and OpenVPN.
> >>
> >> What I was wondering is which should be used for traffic intensive
> >> connections in a deployment environment. Without starting any OpenVPN
> >> vs OpenSwan debate, we would really like to keep the application level
> >> to a minimum. Meaning if we could achieve the tunnel using the
> >> required kernel modules, ipsec-tools and iptables, we see that as
> >> keeping it simple and effective.
> >>
> >> Your insight and suggested how-to pages are greatly appreciated.
> >
> > To my knowledge, OpenVPN does not use IPSec. Instead, it encapsulates
> > either IP/IPv6 (tun mode) or layer 2 (tap mode) over TLS. If your
> > service provider requires IPSec and IKE, best forget about OpenVPN.
> >
> > http://www.ipsec-howto.org/x304.html
> >
> > Look under "Automatic keyed connections using racoon"

If your ISP is using IKEv1, Racoon *should* do what you want, but you may need
to set up the routes manually. The up/down scripts in /etc/racoon/scripts do
not work in my case and I have to set them up with ifconfig and ip.

Apparently they work if you use xauth, according to this thread:
http://forums.gentoo.org/viewtopic-p-6977674.html

Instead, I opted for using StrongSwan, which is *much* better documented,
supports additional ciphers, RADIUS, etc. and allocation of IKEv1 pools using
a database back end. More importantly, it also works with IKEv2 and MOBIKE.
With racoon you will have to try racoon2 if you need IKEv2, which was in
development back in 2010.

You can read a comparison between the *Swans here, but things have moved on
since; e.g. StrongSwan supports IKEv1 in Aggressive Mode, OpenSwan supports
part of IKEv2, etc.:
https://lists.strongswan.org/pipermail/users/2010-September/005293.html

Ask if you need particular details in setting up your implementation.
--
Regards,
Mick
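Added example (not part of Mick's message or of the strongSwan project's documentation): a strongSwan ipsec.conf for the site-to-site tunnel Nick describes, with an IKEv2+MOBIKE connection and an IKEv1 main-mode fallback for a provider that only speaks IKEv1; all addresses, subnets and the PSK reference are placeholders.

```conf
# /etc/ipsec.conf (strongSwan 5.x, legacy ipsec.conf syntax) - added example
# All addresses below are documentation ranges used as placeholders.

config setup
        # uniqueids=yes is the default: a re-established SA from the same
        # peer identity replaces the stale one instead of stacking up.
        uniqueids=yes

conn %default
        # Shared settings for both connections to the provider gateway.
        authby=secret                   # PSK; the key lives in ipsec.secrets
        left=%defaultroute              # our public address, from the default route
        leftsubnet=192.0.2.0/24         # placeholder: our internal network
        right=203.0.113.1               # placeholder: provider's IKE gateway
        rightsubnet=198.51.100.0/24     # placeholder: provider's network
        # Trailing "!" makes the proposal strict: only these algorithms
        # are offered or accepted, so a weaker peer proposal is refused.
        ike=aes256-sha256-modp2048!
        esp=aes256gcm16!                # AEAD ESP, no separate integrity algorithm
        dpdaction=restart               # dead peer detection re-keys a lost tunnel
        dpddelay=30s
        # Unlike racoon's up/down scripts, charon installs the kernel
        # route for rightsubnet itself (charon.install_routes defaults
        # to yes in strongswan.conf), so no manual "ip route" step.

# Preferred: IKEv2 with MOBIKE, so the SA survives our address changing.
conn provider-ikev2
        keyexchange=ikev2
        mobike=yes
        auto=start

# Fallback if the provider only speaks IKEv1. Main mode is kept
# (aggressive=no); IKEv1 has no MOBIKE, so mobike is irrelevant here.
# Loaded with auto=add and started by hand: ipsec up provider-ikev1
conn provider-ikev1
        keyexchange=ikev1
        aggressive=no
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256!
        auto=add
```

The matching /etc/ipsec.secrets entry is one line of the form `203.0.113.1 : PSK "placeholder-shared-secret"`, readable by root only; `ipsec statusall` afterwards shows which of the two conns came up and the installed traffic selectors.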