XXD n00b
Joined: 11 Jul 2003 Posts: 33
Posted: Thu Sep 09, 2004 2:49 pm Post subject: Guide to IPSec? |
I've searched on the forums, gentoo-wiki and also google for a good howto on using ipsec on Gentoo. But I can't seem to find any. Do you guys know of any good guide to using IPSec on machines on a LAN? I would sure like to hear about it.
If there aren't any good guides available, do you have any suggestions or tips on where to start?
Would really appreciate any help.
Thanks.
XXD
Casper Gasper Tux's lil' helper
Joined: 07 Sep 2004 Posts: 75 Location: London
Posted: Thu Sep 09, 2004 6:35 pm Post subject: |
Well, never tried this myself with linux let alone Gentoo, but...
The first thing you need to decide is whether to use the KAME IPSec implementation built into the 2.6 kernels, or the Free/OpenSwan implementation which works with 2.4. You say you'll be using this on a LAN? In which case ESP transport mode is probably what you want. If you haven't already found it, this HOWTO is probably a good place to start:
http://www.ipsec-howto.org/t1.html
hth,
Casper.
XXD n00b
Joined: 11 Jul 2003 Posts: 33
Posted: Thu Sep 09, 2004 10:40 pm Post subject: |
Thanks Casper. I'm reading up on that site. I want to set up IPSec on a LAN with both Gentoo and WinXP machines. And I would also want to receive tunnelled SSH and RDP connections from the internet into the LAN.
It seems the site you mentioned only has details for the 2.6 kernel.
Casper Gasper Tux's lil' helper
Joined: 07 Sep 2004 Posts: 75 Location: London
Posted: Mon Sep 13, 2004 6:02 pm Post subject: IPSec stuff |
Yep, that's because KAME is only in 2.6, AFAIK. If you want to use 2.4 you'll have to use the Free/OpenSwan implementation -- I think you'll have to patch the kernel, although it is included with gentoo server sources.
Ignore AH, as it only provides authentication and not encryption, so it's basically useless for network level stuff. ESP provides both encryption and authentication.
Something you'll need to decide on is whether you can use pre-shared keys (the simplest option) or certificates for authenticating other parties. And, if you want to connect from NAT-ed devices, you'll need an IPSec implementation (and routers) that support NAT-Traversal, or UDP 500 encapsulation as it's also called.
Sorry I can't give you any more help on specifics -- IPSec is truly complex stuff.
Casper.
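A worked example to go with the thread (added here; it is not code from the posters, from Gentoo or from ipsec-tools): a POSIX shell script that generates the three files a host needs for the setup Casper describes, a 2.6 kernel with the KAME stack, ESP in transport mode between two LAN hosts, IKE handled by racoon with a pre-shared key, and NAT-Traversal switched on. The host addresses, file paths, SPD script location and key length are assumptions; nothing here is run as root, the script only prints the files so they can be reviewed before being installed.

```shell
#!/bin/sh
# Added example (not code from the thread or from ipsec-tools): generate the
# three files a KAME/ipsec-tools host on a 2.6 kernel needs for ESP transport
# mode on a LAN with IKE (racoon) and a pre-shared key:
#   - a setkey script that installs the Security Policy Database entries
#   - racoon.conf with a PSK proposal and NAT-Traversal enabled
#   - psk.txt holding the key for the peer
# Assumptions: the addresses, paths and key size are illustrative,
# /dev/urandom is available, and racoon/setkey come from ipsec-tools.

ME=${ME:-192.168.1.10}        # this host (constructed address)
PEER=${PEER:-192.168.1.20}    # the LAN peer (constructed address)

# Random key as lowercase hex; $1 is the number of bytes.
gen_key() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# SPD entries for one host: require ESP in transport mode for every packet
# exchanged with the peer, in both directions. There are no "add" lines:
# with IKE the Security Associations and their keys are negotiated by
# racoon, not keyed by hand. Load the result with: setkey -f <file>
gen_spd_conf() {
    me="$1"; peer="$2"
    cat <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;

spdadd $me $peer any -P out ipsec esp/transport//require;
spdadd $peer $me any -P in ipsec esp/transport//require;
EOF
}

# racoon.conf: main mode IKE, PSK authentication, AES/SHA1 in both phases,
# PFS on, and nat_traversal on so a peer behind NAT can still negotiate.
gen_racoon_conf() {
    psk_file="$1"
    cat <<EOF
path pre_shared_key "$psk_file";

remote anonymous {
    exchange_mode main;
    proposal_check obey;
    nat_traversal on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo anonymous {
    pfs_group modp1024;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
EOF
}

# psk.txt: one "identifier key" line per peer. With main mode the identifier
# is the peer's IP address. Both hosts must hold the same key, and the file
# must be readable by root only (mode 0600).
gen_psk_file() {
    peer="$1"; key="$2"
    printf '%s %s\n' "$peer" "$key"
}

# Print everything this host needs. The peer gets the same files with
# ME and PEER swapped and the identical key in its psk.txt.
PSK=$(gen_key 32)
echo "### setkey SPD script for $ME"
gen_spd_conf "$ME" "$PEER"
echo "### /etc/racoon/racoon.conf"
gen_racoon_conf /etc/racoon/psk.txt
echo "### /etc/racoon/psk.txt (chmod 600)"
gen_psk_file "$PEER" "$PSK"
```

Two things worth knowing before copying this onto real hosts. First, the SPD policy says `require`, so once it is loaded the two hosts cannot talk to each other at all until racoon has brought up the SAs; start racoon before loading the policy on a remote box, or keep a console open. Second, NAT-Traversal does not change IKE's own port (UDP 500); it wraps the ESP packets themselves in UDP on port 4500, so a router in the path has to pass both ports, and the peer (a WinXP box included) must also support NAT-T for the option to do anything.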