I have been using transport-mode IPsec for years, with racoon with PSK or with certificates, to protect traffic for an unusual remote filesystem that lacks adequate native security. I have also been using tunnel mode in a normal VPN situation. All of this has been with the KAME-derived IPsec implementation ("options IPSEC"). I've run this on i386 and sparc64, with no real problems. The documentation seems adequate for those who are familiar with the standards. I have not looked at it from the point of view of someone who doesn't really understand IPsec to start with. Certificate handling in racoon is messy. Part of this is that there's no clear plan (in the wider world) for what kind of certificate one should have to allow which kind of IPsec SA to be instantiated. The other issue is that I am not clear on whether there is adequate support for dynamic-remote-peer VPN (road-warrior type, vs. site-to-site), which often involves provisioning a private/internal address for the remote host to use inside a tunnel.