Re: VPN recommendations?

[Nathan Angelacos <nangel () tetrasec net>]

On Sat, 2022-02-12 at 13:24 -0700, Grant Taylor via NANOG wrote:
> On 2/11/22 12:35 PM, William Herrin wrote:
> > The thing to understand is that IPSec has two modes: transport and 
> > tunnel. Transport is between exactly two IP addresses while tunnel 
> > expects a broader network to exist on at least one end.
>
> That is (syntactically) correct.  However, it is possible to NAT many
> LAN IPs (say RFC 1918) to one single Internet IP (say from a SOHO
> ISP) 
> and use IPSec /Transport/ Mode to a single remote IP.  The IPSec sees
> exactly two IPs.
>
> > "Tunnel" mode is what everyone actually uses
>
> I may be enough of an outlier that I'm a statistical anomaly.  But
> I'm using IPSec /Transport/ Mode between my home router and my VPSs. 
> I have a tiny full mesh of IPSec /Transport/ Mode connections.

+1 on *cough* enterprise networks.

> Using the aforementioned many-to-one NAT, my home LAN systems access
> the single globally routed IP of each of my VPSs without any problem.

+1

> Aside:  I did have to tweak MTU for LAN traffic going out to the VPS
> IPs.

+1

> So -1 for '"Tunnel" mode is what everyone actually uses', and +1 for 
> /Transport/ Mode 

+1