Re: racoon, IKEv1 and multiple ipsec clients behind NAT

To: tech-net%NetBSD.org@localhost
Subject: Re: racoon, IKEv1 and multiple ipsec clients behind NAT
From: Mouse <mouse%Rodents-Montreal.ORG@localhost>
Date: Thu, 20 Oct 2022 10:40:43 -0400 (EDT)

> In the end I went with l2tp(4) over OpenVPN over tor.
> [passes multicast but not other broadcast]

> Any thoughts / ideas on this would help.

I don't know l2tp.  But I do know that I routinely use something I
built that is essentially Ethernet-over-TCP: on each end, there is a
machine with a bridge(4) between the real Ethernet and a tap(4)
instance, and there's a program on each end that takes packets from
tap, encrypts them, and pushes them over a TCP connection.  The other
end then decrypts and writes them to its tap instance.

This works well enough for my use case, and in my experience passes
broadcasts (for example, ARP works fine over it).  The crypto is
probably mediocre at best[%], but it is good enough for my use cases.

So, it certainly _can_ work.

[%] As a cryptographer I'm strictly a dilettante - I use solid
algorithms, such as Rijndael, but I may be using them incorrectly
and/or my implementations may have sidechannel flaws.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

References:
- racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Mathew, Cherry G.*
- Re: racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Gert Doering
- Re: racoon, IKEv1 and multiple ipsec clients behind NAT
  - From: Mathew, Cherry G.

Prev by Date: Re: can the IPv[4,6]-in-IPCOMP-in-{ESP,AH}-in-IPv[4,6] interop fix be applied to NetBSD 10?
Next by Date: Re: racoon, IKEv1 and multiple ipsec clients behind NAT
Previous by Thread: Re: racoon, IKEv1 and multiple ipsec clients behind NAT
Indexes:

Home | Main Index | Thread Index | Old Index