paulgorman.org


Fri Oct 26 07:46:56 EDT 2018

Slept from eleven to seven. Woke briefly around five.

High of fifty-two and cloudy today.

Work:

- VPN stuff. Done.

https://tools.ietf.org/html/rfc4301
https://tools.ietf.org/html/rfc2401

> There are two nominal databases in this model: the Security Policy Database and the Security Association Database. The former specifies the policies that determine the disposition of all IP traffic inbound or outbound from a host, security gateway, or BITS or BITW IPsec implementation. The latter database contains parameters that are associated with each (active) security association. This section also defines the concept of a Selector, a set of IP and upper layer protocol field values that is used by the Security Policy Database to map traffic to a policy, i.e., an SA (or SA bundle).
>
> Each interface for which IPsec is enabled requires nominally separate inbound vs. outbound databases (SAD and SPD), because of the directionality of many of the fields that are used as selectors. Typically there is just one such interface, for a host or security gateway (SG). Note that an SG would always have at least 2 interfaces, but the "internal" one to the corporate net, usually would not have IPsec enabled and so only one pair of SADs and one pair of SPDs would be needed. On the other hand, if a host had multiple interfaces or an SG had multiple external interfaces, it might be necessary to have separate SAD and SPD pairs for each interface.

https://wiki.strongswan.org/projects/strongswan/wiki/IntroductiontostrongSwan

> strongSwan is basically a keying daemon […] strongSwan installs the negotiated IPsec SAs and SPs into the kernel by using a platform dependent kernel API. The actual IPsec traffic is not handled by strongSwan but instead by the network and IPsec stack of the operating system kernel.
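To make the SPD/SAD split and the selector idea concrete, here is a small model of the two databases as the RFC text describes them: separate inbound and outbound SPDs matched by selectors, an SAD keyed by SPI, outbound traffic mapped to a policy and then to an SA (or to an "acquire" request for the keying daemon when no SA exists yet), and inbound IPsec traffic checked against the inbound SPD after the SA lookup. This is an added illustration, not code from the page, from strongSwan, or from any RFC; the addresses, ports, SPIs and the `IPsecDB` / `build_gateway` names are constructed for the example.

```python
"""Toy model of the IPsec Security Policy Database (SPD) and Security
Association Database (SAD) from RFC 4301/2401 section 4.4.  Added
illustration; not code from the page, strongSwan or any RFC.  All addresses
(RFC 5737 test networks), ports and SPIs are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "esp", "gre", ...
    dport: Optional[int] = None
    spi: Optional[int] = None   # present only on inbound ESP/AH packets


@dataclass(frozen=True)
class Selector:
    """IP and upper-layer fields the SPD uses to map traffic to a policy."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = ANY
    dport: object = ANY

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in (ANY, pkt.proto)
                and self.dport in (ANY, pkt.dport))


@dataclass(frozen=True)
class SA:
    spi: int
    dst: str        # outer destination address of the SA
    proto: str      # "esp" or "ah"
    direction: str  # "in" or "out": an SA is unidirectional
    peer: str       # IKE peer the SA was negotiated with


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    action: str                 # "DISCARD", "BYPASS" or "PROTECT"
    peer: Optional[str] = None  # for PROTECT: the peer that must carry it


class IPsecDB:
    def __init__(self):
        self.spd = {"in": [], "out": []}  # separate SPDs; first match wins
        self.sad = {}                     # (spi, dst, proto) -> SA

    def add_policy(self, direction: str, entry: SPDEntry) -> None:
        self.spd[direction].append(entry)

    def add_sa(self, sa: SA) -> None:
        self.sad[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup_policy(self, direction: str, pkt: Packet) -> SPDEntry:
        for entry in self.spd[direction]:
            if entry.selector.matches(pkt):
                return entry
        return SPDEntry(Selector(), "DISCARD")  # no matching policy: discard

    def outbound(self, pkt: Packet):
        """Return (action, SA).  'ACQUIRE' models the kernel asking the keying
        daemon (strongSwan, in the page's setup) to negotiate a missing SA."""
        entry = self.lookup_policy("out", pkt)
        if entry.action != "PROTECT":
            return entry.action, None
        for sa in self.sad.values():
            if sa.direction == "out" and sa.peer == entry.peer:
                return "PROTECT", sa
        return "ACQUIRE", None

    def inbound_ipsec(self, outer: Packet, inner: Packet) -> str:
        """ESP/AH packet: find the SA by (SPI, dst, proto), then check the
        decapsulated packet against the inbound SPD, so a peer that sends
        traffic outside the negotiated selectors is dropped."""
        sa = self.sad.get((outer.spi, outer.dst, outer.proto))
        if sa is None:
            return "DISCARD"  # unknown SPI
        entry = self.lookup_policy("in", inner)
        return "ACCEPT" if entry.action == "PROTECT" and entry.peer == sa.peer else "DISCARD"

    def inbound_plain(self, pkt: Packet) -> str:
        """Unprotected inbound packet: only BYPASS lets it through; traffic the
        SPD says must be protected is dropped when it arrives in the clear."""
        return "ACCEPT" if self.lookup_policy("in", pkt).action == "BYPASS" else "DISCARD"


def build_gateway() -> IPsecDB:
    """Sample SG: local net 10.1.0.0/16 behind 198.51.100.1, remote net
    10.2.0.0/16 behind peer 203.0.113.2, plus a second remote net whose SA
    has not been negotiated yet (constructed sample values)."""
    db = IPsecDB()
    local, remote, gw, peer = "10.1.0.0/16", "10.2.0.0/16", "198.51.100.1", "203.0.113.2"
    db.add_policy("out", SPDEntry(Selector(local, remote), "PROTECT", peer))
    db.add_policy("out", SPDEntry(Selector(local, "10.3.0.0/16"), "PROTECT", "203.0.113.9"))
    db.add_policy("in", SPDEntry(Selector(remote, local), "PROTECT", peer))
    for direction in ("in", "out"):
        db.add_policy(direction, SPDEntry(Selector(proto="udp", dport=500), "BYPASS"))  # IKE
        db.add_policy(direction, SPDEntry(Selector(), "BYPASS"))  # everything else
    db.add_sa(SA(0x1001, peer, "esp", "out", peer))
    db.add_sa(SA(0x2002, gw, "esp", "in", peer))
    return db
```

The inbound path is the part worth noticing: the SAD lookup only identifies the SA, and the decapsulated packet still has to hit a PROTECT entry bound to that same peer in the inbound SPD, which is what stops a peer from tunnelling traffic for prefixes it never negotiated. The real kernel equivalents of these tables are what `ip xfrm policy` and `ip xfrm state` show on Linux once strongSwan has installed them.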
https://forum.netgate.com/topic/99411/ipsec-failover-using-gateway-group/5

> The best way to configure failover with IPsec is to set up GRE tunnels within IPsec (which itself is going to be configured in transport mode), so that you have one active tunnel between each IP, always active. With this setup, the routing is not handled anymore by the SAs but by regular routing table entries.
>
> Then you can use OSPF (or some other routing protocol) to handle the routing when something goes down.

Half-hour walk at lunch. Walked down Farmbrook a little ways. Saw a cardinal and a doe.

Home:

Watched a couple episodes of the new Netflix Sabrina series, which looks like good, Buffy-like fun.

Servings: grains 9/6, fruit 3/4, vegetables 4/4, dairy 7/2, meat 4/3, nuts 1/0.5

Breakfast: carrots, orange, tomato, oat meal with peanut butter, banana, skim milk, coffee
Lunch: peanut butter toast, tomato, apple, coffee
Dinner: pizza

144/87
