[NTLUG:Discuss] Encrypted network traffic on a local network

Dennis Rice dennis at dearroz.com
Thu Jul 5 14:13:04 CDT 2007


----------------------
On 5 July Leroy Tennison said:
Have been testing ipsec-tools and realized that it is for either
host-to-host encryption or an encrypted tunnel between two networks.
Is there a way to have data transmissions between all hosts on a given
network encrypted?  To do this with IPSec it appears that you would have
to set up host-to-host SAs for every combination of source and
destination host.
----------------------

Leroy,
Although I have not yet gotten to the stage of playing around with the 
problem as you have, there are a few requirements that need to be 
set up.

First, to use IPSec, a VPN is set up between two agents.  The next 
question is, who are the agents?  Naturally, the agents can be the end 
hosts, but this will require a separate encryption key for every link: 
5 hosts means 10 different keys to allow everyone to talk to everyone 
else in an encrypted mode.  This provides total encryption of the 
message, even on the local network.  Difficult to manage, but doable on a 
small network.

The next step is to set up a gateway / router to perform the encryption 
between LANs.  This is important in that transmitting a file from a user 
host to the VPN gateway will still be in clear-text, but the file 
between VPN gateways will be encrypted.  In this situation, the VPN is 
established between the two gateways, hence only one public key set must 
be managed (much easier).  Note that this is the system gateway; all 
user hosts have to be pointed to this system as the default gateway.  If 
a VPN link is not available to the remote location, then the gateway 
will just forward the message unencrypted.  If this gateway is still 
inside of the network and has another gateway to go through, then it 
will forward accordingly (set up a static route from the VPN gateway to 
the Internet router).

If a user host continues to point to the Internet router, there will be 
no way for the data to be encrypted; the user host's default gateway must 
be the VPN gateway.

Unfortunately, I have not yet gotten to the stage of setting up a VPN on 
Linux, but I am looking forward to it.  I would always look forward to 
your assistance in documenting it and putting it into my book.

Dennis
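
The host-to-host approach Dennis describes, as an added example that is not part of the original thread: a small generator for ipsec-tools (setkey) scripts that gives every host a manually keyed ESP transport-mode SA to every other host, which makes the key-management cost concrete (n hosts need n*(n-1)/2 shared keys, and each key and SPI must match on both ends). The addresses, SPI numbering and random keys are constructed samples, not values from the thread.

```python
"""Full-mesh host-to-host IPsec policy generator for ipsec-tools (setkey).

Added example, not code from the mailing-list thread. Every unordered
host pair gets one shared key (n*(n-1)/2 keys) and every host gets an
inbound and outbound 'require' policy for every peer. Addresses, SPIs
and keys are constructed samples for demonstration.
"""
import secrets
from itertools import combinations
from typing import Dict, List, Tuple

Pair = Tuple[str, str]


def key_count(n: int) -> int:
    """Shared keys needed for n hosts in a full mesh (5 hosts -> 10)."""
    return n * (n - 1) // 2


def pair_keys(hosts: List[str]) -> Dict[Pair, str]:
    """One random 128-bit AES key per sorted host pair (constructed sample)."""
    return {pair: "0x" + secrets.token_hex(16)
            for pair in combinations(sorted(hosts), 2)}


def setkey_config(host: str, hosts: List[str], keys: Dict[Pair, str]) -> str:
    """setkey script for one host: manual ESP SAs plus 'require' policies.

    SPIs are derived from the pair's index, so both ends of a pair emit
    identical 'add' lines; that shared state is what has to be kept in
    sync on every host, which is the management burden of a full mesh.
    """
    lines = ["flush;", "spdflush;"]
    for idx, (lo, hi) in enumerate(combinations(sorted(hosts), 2)):
        if host not in (lo, hi):
            continue
        peer = hi if host == lo else lo
        key = keys[(lo, hi)]
        spi = 0x10000 + 2 * idx  # constructed SPI base, one per direction
        lines.append(f"add {lo} {hi} esp {spi:#x} -E aes-cbc {key};")
        lines.append(f"add {hi} {lo} esp {spi + 1:#x} -E aes-cbc {key};")
        # Policies refuse clear-text traffic to and from this peer.
        lines.append(f"spdadd {host} {peer} any -P out ipsec esp/transport//require;")
        lines.append(f"spdadd {peer} {host} any -P in ipsec esp/transport//require;")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    sample_hosts = [f"192.168.1.{n}" for n in (10, 11, 12, 13, 14)]
    sample_keys = pair_keys(sample_hosts)
    print(f"{len(sample_hosts)} hosts need {key_count(len(sample_hosts))} shared keys")
    print(setkey_config(sample_hosts[0], sample_hosts, sample_keys))
```

Each host would load its own script with `setkey -f`; compare the output for two hosts to see that the `add` lines for their shared pair are identical while the `spdadd` directions are mirrored.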


