I wonder if there is a way to use IPsec in a mode that sits in between tunnel and transfer mode.
Maybe I should make clear what I mean: let's assume we have a network A with clientA and gatewayA, and a network B with clientB and gatewayB.
If I use IPsec in tunnel mode between the gateways, a packet from clientA to clientB first goes to gatewayA. There it gets encrypted completely (including the IP header), resulting in a new packet that has gatewayA as sender and gatewayB as recipient. GatewayB receives the packet, decrypts it and sends the original packet to clientB. The clients have no idea that the transmission was encrypted.
In transfer mode, clientA is the one that encrypts the packet content; the packet travels to clientB and gets decrypted there. The clients know about the encryption; the gateways know nothing about the contents.
What I'm looking for is something like the following:
ClientA sends a normal, unencrypted packet. GatewayA sees the packet and recognizes that the recipient is in the network of gatewayB (similar to tunnel mode). It encrypts the content of the packet and sends it to gatewayB (but only the content! The IP header stays the same: it still shows clientA as sender and clientB as recipient, and there is no additional IP header inside the encrypted content). GatewayB sees that the packet comes from gatewayA and decrypts the content, sending it on to clientB.
Even though the clients still don't see that it's an encrypted transmission, the advantage over tunnel mode would be that we save the unnecessary overhead of sending an additional (encrypted) IP header with every packet. The advantage over transfer mode is that the gateways do the encryption and we only need to exchange keys for the gateways.
Is something like this possible with IPsec, and if it is: what is it called (so what do I have to google to get some configuration examples)?
BTW, of course I'm assuming that each device has a globally unique and reachable address (like IPv6).
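As an added illustration of the on-the-wire difference the post describes (this is not part of the original post), the script below builds a constructed IPv6/UDP packet from clientA to clientB and wraps it in ESP the two standard ways: transport mode (what the post calls "transfer mode"), where the original IPv6 header is kept and ESP is inserted behind it, and tunnel mode, where the whole packet, header included, is encrypted behind a new outer header addressed gatewayA to gatewayB. The ESP framing follows the RFC 4303 layout (SPI, sequence number, payload, padding, pad length, next header, ICV), but the cipher and integrity check are a constructed HMAC-SHA256 keystream stand-in rather than a real ESP transform, and the addresses, SPIs and key are made up for the example. The layout the post asks for is byte-for-byte the transport-mode packet, only produced by gatewayA instead of clientA, and the 40-byte gap between the two wire sizes is exactly the inner IPv6 header that tunnel mode carries.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed topology (assumption, not from the post): documentation prefixes only.
CLIENT_A, GATEWAY_A = "2001:db8:a::10", "2001:db8:a::1"
CLIENT_B, GATEWAY_B = "2001:db8:b::10", "2001:db8:b::1"
KEY = b"constructed-demo-key-not-a-real-sa"   # stand-in SA key, not a negotiated one

IPV6_HDR_LEN = 40
NH_UDP, NH_IPV6, NH_ESP = 17, 41, 50   # 41 = IPv6-in-IPv6, the inner header in tunnel mode
ICV_LEN = 12


def ipv6_header(src, dst, payload_len, next_header, hop_limit=64):
    """Fixed 40-byte IPv6 header (version 6, zero traffic class / flow label)."""
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def parse_ipv6(pkt):
    """Return src, dst, next header and payload of a raw IPv6 packet."""
    _, payload_len, next_header, _ = struct.unpack("!IHBB", pkt[:8])
    return {"src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40])),
            "next_header": next_header,
            "payload": pkt[IPV6_HDR_LEN:IPV6_HDR_LEN + payload_len]}


def _keystream(key, spi, seq, length):
    """Constructed stand-in keystream (HMAC-SHA256 in counter mode); NOT an ESP cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def esp_encapsulate(key, spi, seq, plaintext, next_header):
    """RFC 4303 ESP framing: SPI | seq | enc(payload | pad | pad len | NH) | ICV."""
    pad_len = (-(len(plaintext) + 2)) % 4          # pad so pad len + NH end on a 4-byte boundary
    body = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ciphertext = bytes(a ^ b for a, b in zip(body, _keystream(key, spi, seq, len(body))))
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def esp_decapsulate(key, esp):
    """Verify the ICV first, then strip the trailer; return (plaintext, next header)."""
    header, ciphertext, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", header)
    body = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, spi, seq, len(ciphertext))))
    pad_len, next_header = body[-2], body[-1]
    return body[:len(body) - 2 - pad_len], next_header


def transport_mode(key, spi, seq, pkt):
    """Keep the original IPv6 header; ESP protects only the payload (the post's 'transfer mode')."""
    h = parse_ipv6(pkt)
    esp = esp_encapsulate(key, spi, seq, h["payload"], h["next_header"])
    return ipv6_header(h["src"], h["dst"], len(esp), NH_ESP) + esp


def transport_mode_decap(key, pkt):
    h = parse_ipv6(pkt)
    payload, next_header = esp_decapsulate(key, h["payload"])
    return ipv6_header(h["src"], h["dst"], len(payload), next_header) + payload


def tunnel_mode(key, spi, seq, pkt, gw_src, gw_dst):
    """Encrypt the whole packet, header included, behind a new gateway-to-gateway header."""
    esp = esp_encapsulate(key, spi, seq, pkt, NH_IPV6)
    return ipv6_header(gw_src, gw_dst, len(esp), NH_ESP) + esp


def tunnel_mode_decap(key, pkt):
    inner, next_header = esp_decapsulate(key, parse_ipv6(pkt)["payload"])
    if next_header != NH_IPV6:
        raise ValueError("tunnel-mode ESP must carry an inner IPv6 packet")
    return inner


def client_packet(data=b"constructed UDP payload"):
    """Constructed clientA -> clientB IPv6/UDP packet (fake ports, zero checksum)."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(data), 0) + data
    return ipv6_header(CLIENT_A, CLIENT_B, len(udp), NH_UDP) + udp


def compare_modes():
    """Wire sizes, outer addresses and round-trip results of both modes for one packet."""
    pkt = client_packet()
    transport = transport_mode(KEY, 0x1001, 1, pkt)
    tunnel = tunnel_mode(KEY, 0x1002, 1, pkt, GATEWAY_A, GATEWAY_B)
    return {"plain_len": len(pkt), "transport_len": len(transport), "tunnel_len": len(tunnel),
            "extra_for_tunnel": len(tunnel) - len(transport),   # the 40-byte inner IPv6 header
            "transport_outer": (parse_ipv6(transport)["src"], parse_ipv6(transport)["dst"]),
            "tunnel_outer": (parse_ipv6(tunnel)["src"], parse_ipv6(tunnel)["dst"]),
            "transport_roundtrip_ok": transport_mode_decap(KEY, transport) == pkt,
            "tunnel_roundtrip_ok": tunnel_mode_decap(KEY, tunnel) == pkt}


if __name__ == "__main__":
    for name, value in compare_modes().items():
        print(f"{name}: {value}")
```

Running it prints the two wire sizes (96 bytes for transport mode, 136 for tunnel mode on the constructed 71-byte packet) and shows that transport mode leaves clientA/clientB visible on the outer header while tunnel mode exposes only gatewayA/gatewayB; the decapsulation functions reject any modified ciphertext via the ICV check before touching the trailer.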