[Openswan Users] Double Encryption

Jacco de Leeuw jacco2 at dds.nl
Sat Sep 17 22:29:46 CEST 2005


Alaa Dalghan wrote:

> I have an OpenSWAN (2.3.1) box accepting ipsec tunnels from wireless
> (802.11) clients equipped with Linux and Windows XP.
> Wireless clients are using the openswan gateway to exchange data
> securely between each other, so there are no direct tunnels between
> the clients themselves.

I don't know what you are trying to achieve with this.

> The gateway is doing the routing job fine but there is a security gap 
> when it has to decrypt data sent by a given client and then reencrypt it 
> before sending it to the ultimate destination. It may be better not to 
> expose the data in the clear at the gateway.

You want the communication between clients to be encrypted but you
don't trust the Linux server? Sorry, but in that case Linux and Openswan
are not part of the equation/problem. You should ask the Windows
'ecosystem' for help.

> I know this can be solved by using double encryption (tunnel inside a
> tunnel), but I wonder if there is a better alternative?
> I was thinking of using L2TP/IPSec tunnels instead of pure IPSec 
> tunnels, and then, maybe I can use L2TP encryption to encrypt end-to-end 
> and IPSec encryption to encrypt end-to-gateway. Would this work?

No, any PPP encryption (MPPE) in L2TP/IPsec also terminates at the
Linux server so it is exactly the same as with plain IPsec and PPTP
(poptop).

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
                     Mosquitos suck
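To make the point of the thread concrete, here is an added model (not code from the original post, Openswan or any project) of the two designs Alaa describes: hop-by-hop tunnels terminated at the gateway, and a client-to-client tunnel nested inside the client-to-gateway tunnel. The cipher is a constructed SHA-256 keystream with an HMAC tag, standing in for ESP/MPPE only to show what bytes the relay can observe; the key names, message and function names are assumptions for this illustration.

```python
"""Hop-by-hop vs nested tunnelling through a relaying gateway (illustrative model)."""
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    # Constructed toy keystream: SHA-256 in counter mode. Stands in for a real
    # cipher so the example runs without third-party libraries.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises on a wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def relay_hop_by_hop(msg: bytes, k_a_gw: bytes, k_b_gw: bytes):
    """Client A -> gateway -> client B with one tunnel per hop.

    Returns (what B receives, what the gateway could read in the clear).
    """
    on_wire_a = seal(k_a_gw, msg)             # A -> gateway tunnel
    gateway_sees = unseal(k_a_gw, on_wire_a)  # gateway must decrypt to re-encrypt
    on_wire_b = seal(k_b_gw, gateway_sees)    # gateway -> B tunnel
    received = unseal(k_b_gw, on_wire_b)
    return received, gateway_sees


def relay_nested(msg: bytes, k_ab: bytes, k_a_gw: bytes, k_b_gw: bytes):
    """Same relay, but A first seals end-to-end with a key only A and B hold.

    Returns (what B receives, the innermost bytes the gateway can read).
    """
    inner = seal(k_ab, msg)                   # end-to-end tunnel (inner)
    on_wire_a = seal(k_a_gw, inner)           # A -> gateway tunnel (outer)
    gateway_sees = unseal(k_a_gw, on_wire_a)  # gateway strips the outer layer only
    on_wire_b = seal(k_b_gw, gateway_sees)
    received = unseal(k_ab, unseal(k_b_gw, on_wire_b))
    return received, gateway_sees


def gateway_can_read(msg: bytes, gateway_sees: bytes) -> bool:
    """True when the plaintext was exposed at the relay."""
    return gateway_sees == msg


if __name__ == "__main__":
    # Constructed keys; a real deployment would derive these from IKE / the PPP handshake.
    k_a_gw, k_b_gw, k_ab = os.urandom(32), os.urandom(32), os.urandom(32)
    msg = b"constructed sample payload"
    _, seen = relay_hop_by_hop(msg, k_a_gw, k_b_gw)
    print("hop-by-hop: gateway can read payload:", gateway_can_read(msg, seen))
    _, seen = relay_nested(msg, k_ab, k_a_gw, k_b_gw)
    print("nested:     gateway can read payload:", gateway_can_read(msg, seen))
```

The model mirrors Jacco's answer: with plain IPsec or L2TP/IPsec the gateway holds the key for every hop, so `relay_hop_by_hop` necessarily exposes the payload there. Only `relay_nested`, where the clients share a key the gateway never receives, keeps the relay to ciphertext, and that inner tunnel has to be negotiated between the clients, not by Openswan on the gateway.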

