Questions tagged [ipsec]

IPsec is a protocol suite at the same layer as IP that provides confidentiality, integrity and authentication for each IP packet. It was originally designed for IPv6 and then back-ported to legacy IP (IPv4). Since the Internet Protocol is a network-layer protocol, IPsec is used mostly for Virtual Private Networks (VPNs).

IPsec has many similarities to SSL/TLS: it protects data only in transit, and the secure channel itself uses symmetric cryptographic algorithms. The key exchange is guarded by public-key cryptography, although strictly speaking it is not part of the IPsec specification; it is specified on its own as the Internet Key Exchange (IKE). Like SSL, IKE runs an authenticated Diffie-Hellman exchange (authenticated with certificates or a pre-shared key) to establish the session keys. Unlike SSL, keys for IPsec can also be installed manually, but that does not scale and is error-prone, so it is rarely used.

A striking difference between IPsec and SSL/TLS is that IPsec is handled by the kernel, so it is transparent to applications, at least in principle. SSL, on the other hand, is the responsibility of the application. Another difference is that an IPsec security association (SA, the IPsec term for the secure channel) is simplex, i.e. one-way: full-duplex communication needs two SAs, one per direction, each with its own SPI and keys.

IPsec can be used in several modes. Originally there were just tunnel mode, where the entire original IP packet is encapsulated in a new outer IP packet (the usual choice between gateways), and transport mode, which keeps the original IP header and protects only the payload (host-to-host). In addition, there are two protocols for protecting data:

  • Authentication Header (AH) provides integrity and origin authentication but no confidentiality; its ICV also covers the immutable fields of the IP header, which is why AH does not survive NAT.
  • Encapsulating Security Payload (ESP) provides confidentiality and optionally integrity protection of the payload (never of the outer IP header).

A typical VPN setup is IPsec in tunnel mode with ESP including its integrity protection (authenticated ESP); encryption-only ESP is insecure and should not be used.
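The ESP framing, the two simplex SAs, and the transport and tunnel next-header values described above, as an added example that is not part of the tag wiki or of any IPsec implementation. It uses the Python standard library only, so ESP-NULL (RFC 2410) stands in for the cipher and the example shows framing, integrity and anti-replay rather than confidentiality; a real SA would use AES-GCM. The SPIs, keys, TCP segment and inner IPv4 header are constructed for the demo.

```python
"""Added example (not from the tag wiki or any IPsec implementation): ESP (RFC 4303)
framing, simplex SAs and anti-replay. ESP-NULL (RFC 2410) stands in for the cipher."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ICV_LEN = 16          # HMAC-SHA256-128 (RFC 4868): tag truncated to 128 bits
NEXT_HEADER_TCP = 6   # transport mode: ESP wraps a transport segment
NEXT_HEADER_IPV4 = 4  # tunnel mode: ESP wraps an entire IPv4 packet
REPLAY_WINDOW = 64    # RFC 4303 requires a window of at least 32


@dataclass
class SecurityAssociation:
    """One simplex SA: an SPI protects traffic in one direction only."""
    spi: int
    auth_key: bytes
    seq: int = 0            # outbound: last sequence number sent
    replay_top: int = 0     # inbound: highest sequence number accepted
    replay_bitmap: int = 0  # inbound: bit i set => replay_top - i already seen


def esp_encapsulate(sa, payload, next_header):
    """Build SPI | seq | payload | padding | pad len | next header | ICV."""
    sa.seq += 1
    if sa.seq >= 2 ** 32:
        raise RuntimeError("sequence number exhausted: rekey the SA")
    pad_len = -(len(payload) + 2) % 4          # 4-byte alignment (RFC 4303 2.4)
    padding = bytes(range(1, pad_len + 1))     # default pad pattern 1, 2, 3, ...
    body = (struct.pack("!II", sa.spi, sa.seq) + payload + padding
            + struct.pack("!BB", pad_len, next_header))
    return body + hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


def replay_check(sa, seq):
    """Sliding-window anti-replay (RFC 4303 3.4.3): True if seq is fresh."""
    if seq > sa.replay_top:
        return True                            # right of the window: always new
    distance = sa.replay_top - seq             # seq 0 is never valid: numbering starts at 1
    return seq > 0 and distance < REPLAY_WINDOW and not (sa.replay_bitmap >> distance) & 1


def replay_update(sa, seq):
    """Record seq in the window; call only after the ICV has verified."""
    if seq > sa.replay_top:
        shift = seq - sa.replay_top
        sa.replay_bitmap = ((sa.replay_bitmap << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
        sa.replay_top = seq
    else:
        sa.replay_bitmap |= 1 << (sa.replay_top - seq)


def esp_decapsulate(sad, packet):
    """Find the inbound SA by SPI, check replay, verify ICV, strip framing."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("runt ESP packet")
    spi, seq = struct.unpack("!II", packet[:8])
    if (sa := sad.get(spi)) is None:
        raise ValueError(f"no inbound SA for SPI {spi:#x}")
    if not replay_check(sa, seq):              # cheap check before any crypto
        raise ValueError(f"replayed or stale sequence number {seq}")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # constant-time comparison
        raise ValueError("ICV mismatch")
    replay_update(sa, seq)                     # window moves only for valid packets
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    return next_header, body[8:len(body) - 2 - pad_len]


def rejected(sad, packet):
    try:
        esp_decapsulate(sad, packet)
        return False
    except ValueError:
        return True


def demo():
    """Hosts A and B with two simplex SAs: A->B on SPI 0x1001, B->A on 0x2002."""
    key_ab, key_ba = (hashlib.sha256(s).digest() for s in (b"demo key A->B", b"demo key B->A"))
    a_out, b_in = SecurityAssociation(0x1001, key_ab), SecurityAssociation(0x1001, key_ab)
    b_out, a_in = SecurityAssociation(0x2002, key_ba), SecurityAssociation(0x2002, key_ba)
    sad_a, sad_b = {a_in.spi: a_in}, {b_in.spi: b_in}   # each side's inbound SAD
    r = {}
    segment = b"\x00\x16\xd4\x31" + b"GET / HTTP/1.0\r\n"   # transport mode: constructed TCP segment A->B
    pkt = esp_encapsulate(a_out, segment, NEXT_HEADER_TCP)
    r["transport_ok"] = esp_decapsulate(sad_b, pkt) == (NEXT_HEADER_TCP, segment)
    r["replay_rejected"] = rejected(sad_b, pkt)          # same packet delivered twice
    tampered = bytearray(esp_encapsulate(a_out, segment, NEXT_HEADER_TCP))
    tampered[12] ^= 0x01                                 # flip one payload bit
    r["tamper_rejected"] = rejected(sad_b, bytes(tampered))
    # Tunnel mode the other way: B wraps a whole constructed IPv4 packet for A.
    inner_ip = b"\x45\x00\x00\x14" + bytes(16)
    pkt = esp_encapsulate(b_out, inner_ip, NEXT_HEADER_IPV4)
    r["tunnel_ok"] = esp_decapsulate(sad_a, pkt) == (NEXT_HEADER_IPV4, inner_ip)
    r["wrong_direction_rejected"] = rejected(sad_b, pkt)  # B has no SA for 0x2002
    return r
```

Two details are worth noting: the receiver checks the sequence number against the replay window before the ICV (cheap before expensive) but only advances the window after the ICV verifies, and the SAD lookup is by SPI, so B's inbound SAD rejects the very packet B sent, which is what a simplex SA means in practice.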

The design of IPsec is widely considered overly complex (see Ferguson and Schneier, A Cryptographic Evaluation of IPsec). In fact, IPsec was felt to be so troublesome and hard to manage that alternatives like OpenVPN were developed, which use SSL/TLS as their base technology.

123 questions
19 votes, 3 answers

What is the IPsec bottleneck in Linux?

I am trying to compare the performance of several network security protocols between two hosts connected in Gigabit Ethernet. My goal here is to see if I can saturate my bandwidth, and if not, what is the limiting factor. With SSL, I can reach 981…
Tim
15 votes, 5 answers

Openswan connecting to multiple right subnets not working

I'm trying to use Openswan (version 2.6.37) to connect an IPsec VPN from my local network to a remote site. Everything works fine when I just want to connect to a single subnet on the remote site. However, the remote site also has an extra subnet…
FixMaker
9 votes, 1 answer

Strongswan: several right subnets

I have a Strongswan installation on CentOS7 connecting to a Palo Alto router. I have no access to the config on the remote router. I want to configure two subnets on the other side - one is only a single IP. I have this config in ipsec.conf: conn…
Peter
8 votes, 1 answer

IPsec VPN with strongSwan to FortiGate

I'm trying to connect to a FortiGate and access our continuous integration server via an IPsec VPN tunnel. I have no control over the FortiGate's configuration. On my laptop running Windows 10, I successfully used FortiClient to reach the…
Matthias Braun
8 votes, 1 answer

What do I need to add a virtual IPsec adapter?

I'm trying to set up an IPsec connection manually from the console with iproute2. What I need is a virtual interface (at best, a virtual IP address could also be sufficient) that IPsec-transforms everything ingressing (ESP/TUNNEL MODE) and hands it…
Marste
6 votes, 1 answer

NAT outbound IPSEC packets using pf on FreeBSD 11 and StrongSwan x FortiGATE

I've been working for more than a week trying to get outbound packets nat'ed to fit a Security Association. This is my (example) scenario: LAN: 1.1.1.0/24 FreeBSD interface: xn0 (Amazon EC2 instance) Virtual Address to nat traffic from:…
6 votes, 2 answers

IPSec/L2TP VPN connection fails

I'm currently trying to establish a VPN connection to the network of my office using IPSec/L2TP with Ubuntu 16.04 (and/or Fedora 26) which fails with the following syslog entries (complete log below): 11:46:26 laptop NetworkManager[911]: received…
user2900170
5 votes, 2 answers

IPSec over L2TP: received NO_PROPOSAL_CHOSEN error notify

Environment: # uname -a Linux shrimpwagon 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u1 (2017-02-22) x86_64 GNU/Linux I have already installed: # apt-get install strongswan xl2tpd I'm trying to connect to a Meraki VPN. I spoke to a Meraki tech and…
shrimpwagon
5 votes, 0 answers

Apparmor: does complain mode enable capability dac_override?

I'm trying to adjust an AppArmor profile after I found some guidance that it should be disabled for my use-case (not too happy running an IPSec daemon naked). So I've tried to put it in complain mode and this fixed the issue, but without actually…
sxc731
4 votes, 1 answer

How to fix this eth0 and eth1, where traffic going out via eth0 is failing?

I have two public IPs. One's connected to eth0 and one to eth1, from 2 separate routers as complete DMZ towards the LAN IP. I added this following: ip rule add from 10.0.0.108/32 table 1 # outbound ip rule add to 10.0.0.108/32 table 1 # inbound ip…
user11085
4 votes, 1 answer

ipsec auto --status fails in cronjob

I have a server monitoring script which, among other things, checks the state of an IPSec tunnel using ipsec auto --status It works like a charm when run from the console (as root) but as soon as I run it from a (root) cronjob, the command fails:…
Serge Wautier
4 votes, 0 answers

IPSec end-point sends ICMP "unreachable; frag needed" messages while it's not routing

I have a simple site-to-site IPSec VPN where "server-A" is connected to a "fw-A" over an IPSec tunnel. In front of "server-A" there is a switch which has a 1500 byte MTU interface facing the server. Sometimes clients behind "fw-A" send large packets…
Martin
4 votes, 1 answer

Why use strongswan rather than native vpn support

As far as I understand, FreeBSD comes with the native ability to make VPN connections. Is strongSwan a package that comes on top of the FreeBSD IPsec stack, or is it a replacement?
user207225
4 votes, 1 answer

strongSwan - gives error "no known IPsec stack detected, ignoring!"

I'm trying to connect to my university's VPN using strongSwan on Arch Linux. They have given example ipsec.conf and ipsec.secrets files and I've installed strongSwan from the AUR. As far as I'm aware, I just need to run ipsec up UNI, where "UNI" is…
thosphor
4 votes, 1 answer

ipsec rightsubnet too wide, cannot override routing table | IPSec route some packets 'locally', not via tunnel; ip xfrm change?

I'd like to override part of the (IPSec) routing table (routing to 10.108.0.0/16 locally via eth0, not via IPSec tunnel) my IPSEC config conn vpc type=tunnel authby=secret left=172.16.0.200 leftid=x.x.x.x …
sirkubax