Question

I am planning to host my web-app infrastructure with a public VPS provider. As the VPS host's private network is accessible by all the VPSs hosted with him, and as many of the infrastructure components do not have any sort of access control/auth, I need to isolate my VPSs from those of others and let only my VPSs connect between themselves. I also need this to be done transparently with as little overhead as possible. I don't need privacy and encryption.

I figured out that IPsec with just AH and a shared secret can do this, but I want such a setup to work with any number of hosts/VPSs. I do not want to define a shared secret for every possible pair in the virtual network, and my virtual network should extend to all VPSs/hosts that know the shared secret.

Can this be done with the current IPsec implementation in the Linux kernel?

Any links to tutorials / how-tos on the web would be really helpful!


Solution

Please take a look at ESP in transport mode, since AH is not recommended and may not be supported by modern implementations.

You may use ESP with authentication only and NULL encryption, to be similar to AH.

To establish the IPsec configuration you may take a look at IPsec-tools: http://ipsec-tools.sourceforge.net/ - you will use the "setkey" command to play with the SAD and SPD:

"-E null" (RFC 2410) will give you null encryption. With "-A" please set the desired authentication. You may specify range policies to cover all incoming and outgoing traffic.
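The setup described in this answer, written out as a setkey configuration file (an added example, not part of the original answer). Addresses (10.0.0.1 is this host, 10.0.0.2 a peer, 10.0.0.0/24 the provider's private network) and the HMAC key are constructed placeholders; the "require" level in the SPD is what drops plaintext packets from any other VPS on the shared network, and with manual keying each peer still needs its own pair of "add" lines even if every host uses the same key.

```conf
#!/usr/sbin/setkey -f
# Manual-keyed ESP in transport mode, NULL encryption, HMAC-SHA256 authentication.
# Constructed example; replace addresses, SPIs and the key for a real deployment.
flush;
spdflush;

# Security associations (SAD): one per direction, per peer.
# The 32-byte key is a placeholder; every host in the group uses the same value.
add 10.0.0.1 10.0.0.2 esp 0x1001 -m transport -E null \
    -A hmac-sha256 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f;
add 10.0.0.2 10.0.0.1 esp 0x1002 -m transport -E null \
    -A hmac-sha256 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f;
# Repeat the two "add" lines above for each additional peer (10.0.0.3, ...).

# Security policies (SPD): range policies covering the whole private subnet.
# "require" means a packet without a matching ESP SA is discarded, so
# unauthenticated traffic from other tenants' VPSs never reaches the services.
spdadd 10.0.0.1 10.0.0.0/24 any -P out ipsec esp/transport//require;
spdadd 10.0.0.0/24 10.0.0.1 any -P in  ipsec esp/transport//require;
```

Load it with "setkey -f <file>" on every host (mirroring the local address), then confirm with "setkey -D" and "setkey -DP"; a peer that does not hold the key will see its packets silently dropped rather than rejected with an error.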

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow