On Fri, Feb 11, 2022 at 10:35 AM Dan Sneddon <sneddon@gmail.com> wrote:
> 1) IPSEC does not lend itself to dynamic routing or dynamic configuration. It is very much a static set-it-and-forget-it technology, but that doesn’t work in a dynamically changing environment.
Hi Dan,

Depending on how you configure it, IPSEC can work fine with dynamic routing. The thing to understand is that IPSec has two modes: transport and tunnel. Transport is between exactly two IP addresses while tunnel expects a broader network to exist on at least one end. "Tunnel" mode is what everyone actually uses, but you can deconstruct it: it's built up from transport mode + a tunnel protocol (GRE or IPIP, I don't remember which) + implicit routing and firewalling, which wreaks havoc on dynamic routing. Now, it turns out that you can instead configure IPSec in transport mode, configure the tunnel separately and leave out the implicit firewalling.
> This may not apply to William Herrin’s (OP) use case of a VPN appliance.
It's not relevant to my situation, no. I need the VPN to establish a statically addressed clean layer 3 on top of dynamically addressed and NATted endpoints to support the next appliance in the chain where dynamic addressing is not possible. I don't actually care if it adds security; it just needs to establish that statically addressed layer. Oh yeah, and it has to be listed under "virtual private network" on the government NIAP list.

https://www.niap-ccevs.org/product/PCL.cfm?ID624=34

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
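The transport-mode-plus-separate-tunnel arrangement described above, written out as an added example (not from the thread) in strongSwan's swanctl.conf format. GRE is used as the tunnel protocol, the peer addresses are constructed from the RFC 5737 documentation ranges, the identities `site-a`/`site-b` and the pre-shared key are placeholders, and the GRE interface itself is assumed to be created outside IPsec.

```ini
# swanctl.conf: IPsec transport mode protecting only GRE (IP protocol 47)
# between two fixed peer addresses. Routing runs over the GRE interface,
# so OSPF/BGP work unchanged: IPsec installs no implicit policy routing
# or firewalling for the inner networks.
# Addresses are constructed (RFC 5737 ranges); the PSK is a placeholder.
connections {
    gre-site-b {
        version = 2
        local_addrs  = 198.51.100.1
        remote_addrs = 203.0.113.2
        proposals = aes256-sha256-x25519
        local {
            auth = psk
            id = site-a
        }
        remote {
            auth = psk
            id = site-b
        }
        children {
            gre {
                mode = transport
                # "dynamic" resolves to the peer addresses above; [gre]
                # limits the SA to GRE and leaves all other traffic alone.
                local_ts  = dynamic[gre]
                remote_ts = dynamic[gre]
                esp_proposals = aes256gcm16-x25519
                # trap policy: the first GRE packet brings the SA up
                start_action = trap
            }
        }
    }
}
secrets {
    ike-site-b {
        id-a = site-a
        id-b = site-b
        secret = "REPLACE-WITH-A-REAL-PSK"
    }
}
```

On each side create the tunnel interface separately (for example `ip tunnel add gre1 mode gre local 198.51.100.1 remote 203.0.113.2`), address it, and point the routing daemon at `gre1`; the peer gets the mirror-image configuration.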