IPSec, is it possible?

Justin Krejci jus at krytosvirus.com
Tue Oct 10 06:37:39 PDT 2006


On Saturday 07 October 2006 15:33, MK wrote:
> Firstly, thank you for your reply.
>
> > In this case, no worry about NAT, and IPsec, since no NAT is involved
> > somewhere in the tunnel, which ends at the gateway. Anyway, even if it
> > was, isakmpd can do NAT-traversal since 3.6
> > [http://www.openbsd.org/36.html].
> >
> > Since you do not give us information about your computer, I won't
> > suggest any particular product, but I'd suggest two technos : IPsec, and
> > SSL VPNs.
>
> I have Windows XP SP2 installed; IPsec should not be a problem.
>
> >> I cannot use the IP address of the intranet OpenBSD interface because
> >> the traffic will be directed to the internet, hence this rule will not
> >> take place and encrypt my traffic. Maybe I could use some proxy on
> >> OpenBSD but I wanted to avoid a similar solution.
> >
> > Don't understand what you mean.
>
> I was considering the following situation. Let's say that the interface on
> the OpenBSD gateway which leads to the LAN has IP address 192.168.0.1 and my
> PC has 192.168.0.2. For my PC the gateway is 192.168.0.1, and if I create an
> IPsec tunnel between 192.168.0.1 and 192.168.0.2 only the traffic between
> these two points will be encrypted, at least I think. In case I want to
> access the internet from my PC the destination won't be address 192.168.0.1
> but the IP of a server placed in the internet.
> In this case the traffic will not be encrypted, am I right or am I still
> missing something? My questions are maybe a little bit stupid but I'm not
> very experienced with IPsec.
>
> > HTH.
>
> Thanks MK

No, what you are looking to do is not possible in the way you are thinking. As 
the others have pointed out, it is possible to encrypt the traffic between 
your client and your OpenBSD gateway, but that does nothing once the traffic 
goes beyond your gateway; it will all be unencrypted. Now, some websites 
support SSL, which will encrypt just your HTTP/Web traffic to/from that site, 
but in general websites do not use this without a considerable need, such as 
when passing credit card information or other very sensitive information. The 
reason is that it creates extra processing and RAM overhead to handle 
encrypting and decrypting all of the traffic to every single client web 
browser. Other traffic such as email traffic like POP3, IMAP, and SMTP can 
support SSL/TLS encryption, but again it is all dependent on the server 
supporting it. If it does support it, you can go ahead and use it.

Now, all that being said, there are other techniques to help hide your net 
activities, such as Tor (http://tor.eff.org/) or things like an anonymous 
proxy that supports SSL on the internet. Lots of protocols/technologies are 
starting to include encryption, like BitTorrent and others, but by and large 
I'd say the majority of regular internet traffic is not encrypted.

This is basically completely unrelated to OpenBSD specifically and more 
broadly covers internet and computer security in general.
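Whether a given mail server actually offers SSL/TLS, as the reply above says it has to, can be checked before any credentials are sent. The script below is an added example, not code from this thread: it parses the capability reply of an SMTP, IMAP or POP3 server for the STARTTLS/STLS advertisement (run here on constructed sample replies), and can also probe a live server with the Python standard library (host names and ports are assumptions).

```python
import imaplib
import poplib
import smtplib

# Keyword each protocol uses to advertise an opportunistic TLS upgrade.
TLS_KEYWORD = {"smtp": "STARTTLS", "imap": "STARTTLS", "pop3": "STLS"}


def tls_upgrade_advertised(proto: str, capability_reply: str) -> bool:
    """Return True if a captured capability reply advertises a TLS upgrade.

    proto is 'smtp' (reply to EHLO), 'imap' (reply to CAPABILITY) or
    'pop3' (reply to CAPA). Matching is on whole tokens, so an SMTP
    '250-STARTTLS' line counts but a word merely containing it does not.
    """
    keyword = TLS_KEYWORD[proto.lower()]
    for line in capability_reply.splitlines():
        # SMTP multi-line replies glue the code to the keyword: "250-STARTTLS".
        tokens = line.strip().replace("-", " ").split()
        if keyword in (t.upper() for t in tokens):
            return True
    return False


def probe_live(proto: str, host: str, port: int, timeout: float = 5.0) -> bool:
    """Connect in the clear and ask the server whether it offers a TLS upgrade.
    Only the capability handshake is performed; no login is attempted."""
    proto = proto.lower()
    if proto == "smtp":
        with smtplib.SMTP(host, port, timeout=timeout) as s:
            s.ehlo()
            return s.has_extn("starttls")
    if proto == "imap":
        conn = imaplib.IMAP4(host, port, timeout=timeout)  # timeout needs Python 3.9+
        try:
            return "STARTTLS" in conn.capabilities
        finally:
            conn.logout()
    if proto == "pop3":
        conn = poplib.POP3(host, port, timeout=timeout)
        try:
            return "STLS" in conn.capa()
        finally:
            conn.quit()
    raise ValueError(f"unknown protocol {proto!r}")


# Constructed sample replies (not captured from any real server).
SAMPLE_SMTP_EHLO = "250-mail.example.net\n250-SIZE 35882577\n250-STARTTLS\n250 HELP\n"
SAMPLE_IMAP_CAPA = "* CAPABILITY IMAP4rev1 AUTH=PLAIN STARTTLS LOGINDISABLED\n"
SAMPLE_POP3_CAPA_NO_TLS = "+OK Capability list follows\nTOP\nUSER\nUIDL\n.\n"

if __name__ == "__main__":
    for proto, reply in (("smtp", SAMPLE_SMTP_EHLO), ("imap", SAMPLE_IMAP_CAPA),
                         ("pop3", SAMPLE_POP3_CAPA_NO_TLS)):
        print(proto, "offers TLS upgrade:", tls_upgrade_advertised(proto, reply))
```

An advertised upgrade only makes encryption possible; the mail client still has to be configured to require TLS, otherwise a connection that is downgraded on the path falls back to the clear without any error.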


More information about the Openbsd-newbies mailing list