Differences between version 3 and previous revision of IPSecConfiguration.
Newer page: | version 3 | Last edited on Wednesday, April 23, 2003 1:53:25 pm | by PerryLorier | Revert |
Older page: | version 2 | Last edited on Wednesday, April 23, 2003 11:33:34 am | by JeeKay | Revert |
@@ -2,12 +2,12 @@
There are two major types of IPSec configurations. You will need to decide which one you will be using.
----
!Transport
-Transport mode signifies host-to-host encryption. This is typically used if you have, for example, a server somewhere you would like to communicate securely with. Only the link between the two hosts is encrypted and there is typically no routing enabled on either machine. This is the mode I was using when writing this page.
+Transport mode signifies host-to-host encryption. This is typically used if you have, for example, a server somewhere you would like to communicate securely with. Only the link between the two hosts is encrypted and there is typically no routing enabled on either machine. This is the mode I was using when writing this page. This is also sometimes known as "Bump in the stack" mode
.
!Tunnel
-Tunnel mode generally signifies net-to-net encryption, and is what is known as a classic VPN. Here, you have two disparate networks wanting to communicate with each other over an insecure medium (normally the internet). Essentially, the two gateways to either network want to encrypt all communications between them, and route any traffic from their local network across that link to the other network. This mode is also normally used for "road warrior" type communications where a single mobile computer (the road warrior) needs to connect to and access a corporate network, again over an insecure medium.
+Tunnel mode generally signifies net-to-net encryption, and is what is known as a classic VPN. Here, you have two disparate networks wanting to communicate with each other over an insecure medium (normally the internet). Essentially, the two gateways to either network want to encrypt all communications between them, and route any traffic from their local network across that link to the other network. This mode is also normally used for "road warrior" type communications where a single mobile computer (the road warrior) needs to connect to and access a corporate network, again over an insecure medium. This is also sometimes known as "Bump in the wire"
.
----
Got all that? Excellent! Now, on to the mystical ways of server authentication.
FreeS/WAN by default supports two types of authentication - Pre Shared Keys (PSK) or RSA Keys. PSK is the easiest and quickest way of setting up both hosts, but then you have all the usual problems of key distribution. If the PSK is compromised, the link is also compromised as it becomes trivial to set up a man-in-the-middle style attack. Using RSA keys is much more secure, as the public key can be transferred over the wire without fear.
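Review bot: the two sentences added to the Transport and Tunnel paragraphs mislabel IPsec implementation architectures as encapsulation modes. "Bump in the stack" (BITS) and "bump in the wire" (BITW) describe where an IPsec implementation sits (inserted between the host's native IP stack and its network drivers, or in a separate device placed inline on the link), not how packets are encapsulated; either architecture can run in transport or tunnel mode, so neither term is another name for a mode. Suggest dropping both additions, or rewording them to say that transport and tunnel are encapsulation modes while "bump in the stack" and "bump in the wire" are implementation placements independent of mode. Minor: both added sentences are missing their terminal full stop, since the lone "." that follows each paragraph is left on its own line.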