First page Back Continue Last page Overview Text

Notes:


FreeS/WAN IPSEC stack:
- kernel patch (KLIPS) and utilities (PLUTO etc.)
- probably the cheapiest way to do quickly and with limited budget an IPSEC gateway connecting two networks, tested it and it worked
- with X.509 certificate support works with SSH Sentinel very nicely and has interoperability configurations against several other VPN boxes available in the web
- often these interoperability configurationshowever fall back to pre-shared key authentication which is not scalable
- AES or Blowfish encryption algorithms would be faster
- problems start when certificate or other large scale management, scalability (SMP, multiple VPN terminators), throughput and uncommon routing like 0.0.0.0/0 is needed
- a lot of manual tuning needed

International Crypto API for GNU/Linux:
- a file, patched mount (util-linux-package) is needed, no kernel patch needed nowadays
- tested and works very nicely when used to encrypt /home on laptop, the performance loss is not noticeable (at least to author)
- several different encryption choices possible (Mars, AES, Blowfish, Twofish)
- unfortunately cannot encrypt swap, root or whole disk, which creates a possible security vulnerability
– often /home is enough and its possible to secure the loopback file so that if its transferred to different place on disk or on another disk, it's not possible to decrypt the data anymore