
Comments (4)

kravietz avatar kravietz commented on August 16, 2024

@NielsKSchjoedt my main reservation against using Tinc is that it's a typical home-baked VPN solution without much cryptographic audit, and it has suffered cryptographic issues in the past. IPSec, on the other hand, is a protocol with over 20 years of thorough auditing and core design by NSA folks. I have not performed any performance measurements on the IPSec setup, but the Linux implementation is highly optimized, works at kernel level, and the packet size overhead is minimal.

from ansible-ipsec.

NielsKSchjoedt avatar NielsKSchjoedt commented on August 16, 2024

Really nice of you to give me an answer. That's very much appreciated! One thing I have a hard time wrapping my head around is how IPsec differs from a VPN solution in connection to local vs public IPs. My current tinc setup creates a local network between the servers with IPs in the range 10.0.0.1-50, and I have conveniently given each host a name in /etc/hosts. This makes it easy for me to know that, as long as I am communicating on those local IPs (and not the public ones of the servers), my traffic is secure. It also makes it easy to set up e.g. my databases to ONLY listen on those local IPs/hostnames and not the public ones. Am I getting it wrong, or is IPsec different on this part? I would have to bind my services to the public IPs of the servers, right? And then "trust" that IPsec is kicking in correctly between the servers? Or can I set up a private network for IPsec as well? Sorry, but I'm a bit of a noob here :-)


kravietz avatar kravietz commented on August 16, 2024

@NielsKSchjoedt IPSec can work in tunnel mode, which is similar to a VPN, and in transport mode, which is much better suited for server-to-server scenarios such as the one we're discussing here. In transport mode the packets are encrypted without any tunneling or address changes - for example, if you have an app server at 8.8.8.8 talking to a database at 8.8.4.4 over TCP, you will see packets being sent from 8.8.8.8 to 8.8.4.4, but they will be ESP (IPSec) packets. What should be encrypted, and where, is a matter of setting a simple SPD rule (e.g. all packets 8.8.8.8->8.8.4.4 must be encrypted). I'm using public IPs in this example intentionally, to show that you get a very simple and clear architecture here - this is what I like most about IPSec.

You can also set up IPSec in tunnel mode, in which it works as a VPN - so you've got the app server and database on private IPs, and these are tunneled in an IPSec tunnel with public addresses, pretty much as your Tinc tunnel works now. But over the years I have found that each additional layer of re-addressing causes more potential issues, and this is the second reason why I like IPSec.

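To make the transport-mode setup above concrete, here is an added strongSwan swanctl.conf fragment (not from the thread or from the ansible-ipsec project) that installs the SPD rule "all packets 8.8.8.8->8.8.4.4 must be encrypted" on the app-server side. The addresses are the ones from the comment; the connection name, the PSK placeholder and the cipher proposals are assumptions chosen for the example.

```conf
# Assumed example: /etc/swanctl/conf.d/app-to-db.conf on the app server (8.8.8.8).
# The database host gets the mirror image with local/remote swapped.
connections {
    app-to-db {
        local_addrs  = 8.8.8.8
        remote_addrs = 8.8.4.4
        version      = 2          # IKEv2
        proposals    = aes256gcm16-prfsha384-x25519

        local  { auth = psk  id = 8.8.8.8 }
        remote { auth = psk  id = 8.8.4.4 }

        children {
            db-traffic {
                # Transport mode: no new addresses, the packets keep
                # src 8.8.8.8 / dst 8.8.4.4 but are carried as ESP.
                mode      = transport
                local_ts  = 8.8.8.8/32
                remote_ts = 8.8.4.4/32
                esp_proposals = aes256gcm16-x25519

                # "trap" installs the kernel policy immediately: traffic that
                # matches it is held until the SA is up and is never sent in
                # cleartext, so there is nothing to "trust" at the application
                # layer - the SPD entry itself enforces encryption.
                start_action = trap
                dpd_action   = trap
            }
        }
    }
}

secrets {
    ike-app-db {
        id-a   = 8.8.8.8
        id-b   = 8.8.4.4
        secret = "REPLACE-WITH-A-LONG-RANDOM-PSK"   # placeholder
    }
}
```

After `swanctl --load-all`, `swanctl --list-pols` should show the 8.8.8.8/32 <-> 8.8.4.4/32 transport policy, and `ip xfrm policy` shows the same rule as installed in the kernel; anything not covered by such a policy still leaves the host unencrypted, so each database or service address pair needs its own entry.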

kravietz avatar kravietz commented on August 16, 2024

@NielsKSchjoedt Yet another reason to avoid tinc :) https://security-tracker.debian.org/tracker/source-package/tinc

