Hi Dima,

I just wanted to drop you a line and thank you again for your reply. It definitely helped me to understand IPSEC better. Unfortunately (or, depending on how you take it, fortunately) there was another change in the framework conditions for my project, which means OpenVPN is back in the running. If that remains the case, I would suspend the IPSEC topic for the time being. I would still like to try it out for my own infrastructure and continue accordingly when the opportunity arises. I hope this will be before the start of autumn.
Many greetings
Matthias

On 10.06.21 at 15:41, Dima Veselov wrote:
> On Thu, Jun 10, 2021 at 02:41:23PM +0200, Matthias Petermann wrote:
>>> First of all you forgot to build (or to mention) ipsec tunnel specification which usually is set in /etc/ipsec.conf. Tunnel specification includes external addresses, internal addresses and protocols. Most firewalls will not answer if the offered tunnel specification is not expected.
>>
>> You are absolutely right - I completely ignored that part. And now I think I understand that it is essential. That is, if I have not misunderstood, Racoon in its role as key manager does nothing other than distribute the keys between the hosts and configure IPSec via setkey so that the traffic is encrypted with these keys?
>
> Yes, that's right, IPSEC is fast symmetric packet encryption done by the kernel, racoon does high security non-symmetric key exchange and encryption (ISAKMP or IKE) to keep IPSEC keys safe. This combination makes ISAKMP/IPSEC fast and safe on all stages.
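To make the division of labour discussed above concrete, here is an added illustration (not part of the original thread, and not Dima's or Matthias's configuration) of what the "tunnel specification" looks like on the kernel side. The first fragment is a setkey(8) policy file of the kind loaded from /etc/ipsec.conf: it tells the kernel which traffic must be protected and between which gateways, but contains no keys. The second fragment is the matching racoon.conf section that negotiates the keys (IKE phase 1 between the gateways, phase 2 for the tunnel) and installs the resulting SAs via the PF_KEY interface. All addresses are constructed from the RFC 5737 documentation ranges; the gateway on this side is 203.0.113.1 with LAN 192.0.2.0/24, the peer is 203.0.113.2 with LAN 198.51.100.0/24, and the peer is assumed to be configured with the mirror image. The algorithms, PSK path and the "require" level are example choices.

```conf
# --- /etc/ipsec.conf (loaded with: setkey -f /etc/ipsec.conf) ---
# Security Policy Database only: selectors and protection level, no keys.
# Flush old policies first so a stale selector does not silently win.
spdflush;

# Outbound: traffic from our LAN to the peer LAN must be ESP-tunneled
# between the two gateway addresses. "require" drops the packet if no
# matching SA exists, rather than sending it in clear.
spdadd 192.0.2.0/24 198.51.100.0/24 any -P out ipsec
        esp/tunnel/203.0.113.1-203.0.113.2/require;

# Inbound mirror image. Selectors and gateway order must match what the
# peer proposes, otherwise phase 2 fails and the peer appears to "not answer".
spdadd 198.51.100.0/24 192.0.2.0/24 any -P in ipsec
        esp/tunnel/203.0.113.2-203.0.113.1/require;


# --- /etc/racoon/racoon.conf (key management, run by racoon(8)) ---
# Phase 1 (ISAKMP SA): authenticates the gateways and sets up the
# asymmetric/DH-protected channel used to agree on IPsec keys.
path pre_shared_key "/etc/racoon/psk.txt";   # one line per peer: "203.0.113.2 <secret>"

remote 203.0.113.2 {
        exchange_mode main;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp2048;
        }
}

# Phase 2 (IPsec SA): the symmetric keys the kernel will actually use.
# The selectors here must agree with the spdadd lines above; pfs_group
# forces a fresh DH exchange so a phase-1 compromise does not expose
# earlier tunnel keys.
sainfo address 192.0.2.0/24 any address 198.51.100.0/24 any {
        pfs_group modp2048;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}
```

With both files in place, `setkey -D` shows the installed SAs (empty until racoon has completed phase 2) and `setkey -DP` shows the policies; a policy entry with no corresponding SA is the usual sign that the two sides disagree on the tunnel specification rather than on the keys.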
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature