nanog mailing list archives
Re: VPN recommendations?
From: Grant Taylor via NANOG <nanog () nanog org>
Date: Sat, 12 Feb 2022 13:24:47 -0700
On 2/11/22 12:35 PM, William Herrin wrote:
The thing to understand is that IPSec has two modes: transport and tunnel. Transport is between exactly two IP addresses while tunnel expects a broader network to exist on at least one end.
That is (syntactically) correct. However, it is possible to NAT many LAN IPs (say RFC 1918) to one single Internet IP (say from a SOHO ISP) and use IPSec /Transport/ Mode to a single remote IP. The IPSec sees exactly two IPs.
"Tunnel" mode is what everyone actually uses
I may be enough of an outlier that I'm a statistical anomaly. But I'm using IPSec /Transport/ Mode between my home router and my VPSs. I have a tiny full mesh of IPSec /Transport/ Mode connections.
Using the aforementioned many-to-one NAT, my home LAN systems access the single globally routed IP of each of my VPSs without any problem.
Aside: I did have to tweak MTU for LAN traffic going out to the VPS IPs.So -1 for '"Tunnel" mode is what everyone actually uses', and +1 for /Transport/ Mode
but you can deconstruct it: it's built up from transport mode + a tunnel protocol (gre or ipip I don't remember which) + implicit routing and firewalling which wreaks havoc on dynamic routing.
I question the veracity of that statement. It may be that's what many implementations / administration systems do. But I really thought that IPSec /Tunnel/ Mode was more than just IPSec /Transport/ Mode combined with some tunneling protocol.
Now, it turns out that you can instead configure IPSec in transport mode, configure the tunnel separately and leave out the implicit firewalling.
Agreed. I feel like this speaks to implementation / management systems that are built on top of IPSec.
It's not relevant to my situation, no. I need the VPN to establish a statically addressed clean layer 3 on top of dynamically addressed and natted endpoints to support the next appliance in the chain where dynamic addressing is not possible. I don't actually care if it adds security; it just needs to establish that statically addressed layer.
It sounds to me like you don't even actually need encryption of a typical VPN and might be able to use something like GRE+key or IPSec /Tunnel/ Mode with AH without ESP.
Oh yeah, and it has to be listed under "virtual private network" on the government NIAP list.https://www.niap-ccevs.org/product/PCL.cfm?ID624=34
Oh joy. Layer 8 - politics -- Grant. . . . unix || die
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- VPN recommendations? William Herrin (Feb 10)
- RE: VPN recommendations? David Guo via NANOG (Feb 10)
- Re: VPN recommendations? Mike Lyon (Feb 10)
- Re: VPN recommendations? joy (Feb 10)
- Re: VPN recommendations? Dan Sneddon (Feb 11)
- Re: VPN recommendations? Mel Beckman (Feb 11)
- Re: VPN recommendations? William Herrin (Feb 11)
- Re: VPN recommendations? Christian de Larrinaga via NANOG (Feb 12)
- Re: VPN recommendations? Grant Taylor via NANOG (Feb 12)
- Re: VPN recommendations? Nathan Angelacos (Feb 12)
- Re: VPN recommendations? William Herrin (Feb 12)
- Re: OT: IPSec Transport vs Tunnel modes (Was: VPN recommendations?) Grant Taylor via NANOG (Feb 15)
- Re: OT: IPSec Transport vs Tunnel modes (Was: VPN recommendations?) Crist Clark (Feb 16)
- Re: VPN recommendations? Mike Lyon (Feb 10)
- RE: VPN recommendations? David Guo via NANOG (Feb 10)
- Re: VPN recommendations? John Gilmore (Feb 10)
- Re: VPN recommendations? Dave Taht (Feb 10)
- Re: VPN recommendations? Sean Kelly (Feb 10)
- Re: VPN recommendations? William Herrin (Feb 10)
- Re: VPN recommendations? Ander Punnar (Feb 10)