IPSec for LAN traffic: Basic considerations?
- by chris_l
This is a follow-up to my Encrypting absolutely everything... question.
Important: This is not about the more usual IPSec setup, where you want to encrypt traffic between two LANs.
My basic goal is to encrypt all traffic within a small company's LAN. One solution could be IPSec. I have just started to learn about IPSec, and before I decide on using it and dive in more deeply, I'd like to get an overview of what this could look like.
Is there good cross-platform support? It must work on Linux, MacOS X and Windows clients, Linux servers, and it shouldn't require expensive network hardware.
Can I enable IPSec for an entire machine (so there can be no other traffic incoming/outgoing), or for a network interface, or is it determined by firewall settings for individual ports/...?
Can I easily ban non-IPSec IP packets? And also "Mallory's evil" IPSec traffic that is signed by some key, but not ours? My ideal conception is to make it impossible to have any such IP traffic on the LAN.
For LAN-internal traffic: I would choose "ESP with authentication (no AH)", AES-256, in "Transport mode". Is this a reasonable decision?
For LAN-Internet traffic: How would it work with the internet gateway? Would I use "Tunnel mode" to create an IPSec tunnel from each machine to the gateway? Or could I also use "Transport mode" to the gateway? The reason I ask is that the gateway would have to be able to decrypt packages coming from the LAN, so it will need the keys to do that. Is that possible if the destination address isn't the gateway's address? Or would I have to use a proxy in this case?
Is there anything else I should consider?
I really just need a quick overview of these things, not very detailed instructions.