nanog mailing list archives

Re: VPN recommendations?

From: Grant Taylor via NANOG <nanog () nanog org>
Date: Sat, 12 Feb 2022 13:24:47 -0700

On 2/11/22 12:35 PM, William Herrin wrote:

The thing to understand is that IPSec has two modes: transport andtunnel. Transport is between exactly two IP addresses while tunnelexpects a broader network to exist on at least one end.

That is (syntactically) correct. However, it is possible to NAT manyLAN IPs (say RFC 1918) to one single Internet IP (say from a SOHO ISP)and use IPSec /Transport/ Mode to a single remote IP. The IPSec seesexactly two IPs.

"Tunnel" mode is what everyone actually uses

I may be enough of an outlier that I'm a statistical anomaly. But I'musing IPSec /Transport/ Mode between my home router and my VPSs. I havea tiny full mesh of IPSec /Transport/ Mode connections.

Using the aforementioned many-to-one NAT, my home LAN systems access thesingle globally routed IP of each of my VPSs without any problem.


Aside:  I did have to tweak MTU for LAN traffic going out to the VPS IPs.

So -1 for '"Tunnel" mode is what everyone actually uses', and +1 for/Transport/ Mode

but you can deconstruct it: it's built up from transport mode +a tunnel protocol (gre or ipip I don't remember which) + implicitrouting and firewalling which wreaks havoc on dynamic routing.

I question the veracity of that statement. It may be that's what manyimplementations / administration systems do. But I really thought thatIPSec /Tunnel/ Mode was more than just IPSec /Transport/ Mode combinedwith some tunneling protocol.

Now, it turns out that you can instead configure IPSec in transportmode, configure the tunnel separately and leave out the implicitfirewalling.

Agreed. I feel like this speaks to implementation / management systemsthat are built on top of IPSec.

It's not relevant to my situation, no. I need the VPN to establisha statically addressed clean layer 3 on top of dynamically addressedand natted endpoints to support the next appliance in the chain wheredynamic addressing is not possible. I don't actually care if it addssecurity; it just needs to establish that statically addressed layer.

It sounds to me like you don't even actually need encryption of atypical VPN and might be able to use something like GRE+key or IPSec/Tunnel/ Mode with AH without ESP.

Oh yeah, and it has to be listed under "virtual private network"on the government NIAP list.
https://www.niap-ccevs.org/product/PCL.cfm?ID624=34


Oh joy.  Layer 8 - politics



--
Grant. . . .
unix || die

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Current thread:

VPN recommendations? William Herrin (Feb 10)
- RE: VPN recommendations? David Guo via NANOG (Feb 10)
  - Re: VPN recommendations? Mike Lyon (Feb 10)
    - Re: VPN recommendations? joy (Feb 10)
    - Re: VPN recommendations? Dan Sneddon (Feb 11)
    - Re: VPN recommendations? Mel Beckman (Feb 11)
    - Re: VPN recommendations? William Herrin (Feb 11)
    - Re: VPN recommendations? Christian de Larrinaga via NANOG (Feb 12)
    - Re: VPN recommendations? Grant Taylor via NANOG (Feb 12)
    - Re: VPN recommendations? Nathan Angelacos (Feb 12)
    - Re: VPN recommendations? William Herrin (Feb 12)
    - Re: OT: IPSec Transport vs Tunnel modes (Was: VPN recommendations?) Grant Taylor via NANOG (Feb 15)
    - Re: OT: IPSec Transport vs Tunnel modes (Was: VPN recommendations?) Crist Clark (Feb 16)
    - Re: VPN recommendations? John Gilmore (Feb 10)
    - Re: VPN recommendations? Dave Taht (Feb 10)
    - Re: VPN recommendations? Sean Kelly (Feb 10)
  - Re: VPN recommendations? William Herrin (Feb 10)
    - Re: VPN recommendations? William Herrin (Feb 10)
    - Re: VPN recommendations? Ander Punnar (Feb 10)

(Thread continues...)