(This page is used to prepare longer edits and wiki style try-out.)
IPsec is an encryption and authentication standard that can be used to build secure Virtual Private Networks (VPNs). It was standardized in RFC 4301 to add to the TCP/IP protocol suite the confidentiality and authentication of communication that IP itself lacks. IPsec was originally intended as a mandatory component of IPv6-compliant network stacks, but that requirement was later downgraded to a recommendation.
It is natively supported by the Linux kernel, but the configuration of encryption keys is left to the user. IPsec VPNs therefore use the IKE protocols to negotiate key exchanges securely and automatically, authenticating the peers by a variety of means, including certificates, pre-shared keys or both. IKE is typically implemented in userspace daemons on the server side.
The IPsec standard is modular, i.e. it defines both optional and obligatory methods that compliant IPsec implementations must or may support. Which modules are used depends on the use case. A common use case has been to deploy IPsec as a drop-in replacement for PPTP connections, since the PPTP protocol turned out to be inherently insecure.
IPsec can be used in different operation modes:
- Tunnel mode: IPsec creates a tunnel through a public network to securely connect networks at the link layer of the connection, i.e. the same layer as Ethernet or PPP connections. A common variant of tunnel mode is L2TP/IPsec (w:Layer 2 Tunneling Protocol).
- Transport mode: IPsec is applied at the same layer as TCP/IP, adding authentication and confidentiality to the network connection between two hosts.
So the choice of mode is easy: it reduces to whether IPsec should enable communication between more than two hosts. Choosing the features for the IPsec setup is far less easy, as the modular nature of the standard has resulted in a wide array of choices. See w:IPsec#Standards Track for the related RFCs.
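To make concrete what "key configuration is left to the user" means, the following added example (not part of the wiki page) generates the iproute2 `ip xfrm` commands for a manually keyed transport-mode ESP association between two hosts, which is exactly the work an IKE daemon otherwise automates. The addresses 10.0.0.1/10.0.0.2, the SPIs and the reqid are assumed values; AES-128-GCM (`rfc4106(gcm(aes))`) is used because it is the default choice in current Linux kernels.

```shell
#!/bin/sh
# Added example: manual keying of a transport-mode IPsec SA pair with ip xfrm.
# Addresses, SPIs and reqid below are assumed; the peer runs the mirror image.
# Manual keys never rekey and give no replay-window negotiation, which is why
# production setups use IKE (strongSwan, libreswan) instead of this.
set -eu

# rfc4106(gcm(aes)) with a 128-bit key needs 16 key bytes + 4 salt bytes = 20 bytes.
gen_gcm_key() {
    od -An -tx1 -N20 /dev/urandom | tr -d ' \n'
}

# xfrm_cmds LOCAL PEER SPI_OUT SPI_IN KEY_OUT KEY_IN
# Prints the commands for one host: one SA and one policy per direction.
# The ICV length (128) is the GCM authentication tag size in bits.
xfrm_cmds() {
    local_ip=$1 peer_ip=$2 spi_out=$3 spi_in=$4 key_out=$5 key_in=$6
    cat <<EOF
ip xfrm state add src $local_ip dst $peer_ip proto esp spi $spi_out reqid 1 mode transport aead 'rfc4106(gcm(aes))' 0x$key_out 128
ip xfrm state add src $peer_ip dst $local_ip proto esp spi $spi_in reqid 1 mode transport aead 'rfc4106(gcm(aes))' 0x$key_in 128
ip xfrm policy add src $local_ip dst $peer_ip dir out tmpl src $local_ip dst $peer_ip proto esp reqid 1 mode transport
ip xfrm policy add src $peer_ip dst $local_ip dir in tmpl src $peer_ip dst $local_ip proto esp reqid 1 mode transport
EOF
}

# Usage: generate the commands for host 10.0.0.1; on 10.0.0.2 swap the
# addresses, the SPIs and the keys. Apply as root, then verify traffic is
# actually protected with `ip -s xfrm state` (packet counters must rise)
# and tear down with `ip xfrm state flush; ip xfrm policy flush`.
main() {
    key_out=$(gen_gcm_key)
    key_in=$(gen_gcm_key)
    xfrm_cmds 10.0.0.1 10.0.0.2 0x1000 0x1001 "$key_out" "$key_in"
}

[ "${0##*/}" = "xfrm-manual.sh" ] && main
exit 0
```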
Different IPsec implementations are available for Arch Linux. Refer to the respective how-to articles to make a choice:
- strongSwan describes how to set up an IPsec server in tunnel and transport mode for the AUR implementation.
- L2TP/IPsec VPN client setup contains instructions on how to configure (L2TP) and AUR (IPsec) to connect a client to an existing server.
- libreswan has basic instructions for the AUR implementation.