On Jun 11, 2025, at 13:15, Deb Cooley <debcool...@gmail.com> wrote:
> 
> The objective is to automate the process of establishing IPSec Transport or 
> Tunnel Mode.

See the libreswan “opportunistic IPsec” feature. There should be various 
recordings and slide decks available on libreswan.org/wiki and you can see the 
“newoe” test cases on testing.libreswan.org. This all works with the existing 
IPsec and IKEv2 protocols.


>> Stateful DHCPv6
>> 
>> The IPv6 Host performs a DHCPv6 SOLICIT and includes the IPSECTM option into 
>> which the IPSec Flag, IPSec Mode Flag, IPSec Public Key and IPSec Domain are 
>> encoded. 
>> 

The Opportunistic Encryption model can use DNS records, certificates or even 
null authentication. I don’t think hooking security into DHCP would work 
better. This all works within an administrative domain (or, when using DNS, for 
anyone who wants to).

The IPsecME WG tried to get a standard out for more automatic VPN establishment 
between nodes of different orgs, but the WG failed to reach consensus on the 
vendors’ proposals and the vendors were not able to come up with a unified 
approach. One of these was Cisco’s autovpn feature.

The biggest problem, of course, with all of these is NATs. Libreswan / Linux 
supports an “inside ipsec kernel NAT” feature; see the newoe “cat” test cases.

Paul
_______________________________________________
IPsec mailing list -- ipsec@ietf.org
To unsubscribe send an email to ipsec-le...@ietf.org