<p>Chris's Wiki :: blog/tech/IPSecConstantKeysWhy Comments: https://utcc.utoronto.ca/~cks/space/blog/tech/IPSecConstantKeysWhy?atomcomments</p>
<p>Recent comments in Chris's Wiki :: blog/tech/IPSecConstantKeysWhy.</p>
<p>From 87.79.78.105 on /blog/tech/IPSecConstantKeysWhy</p>
<div class="wikitext"><blockquote><p>I actively want my home machine to appear as a separate IP address on the work network</p>
</blockquote>
<p>Ah – yes, it can’t do that for you.</p>
<p>When I found it, I had an OpenVPN setup that had been fiddly to configure, even quite insecurely, and whose routing was global (when running, it would run <em>all</em> my traffic through the tunnel instead of just the traffic for IPs from that network), which I’d have needed to fix myself. But that network has all public IPs, they’re just unreachable behind a firewall – except for select IPs and ports, one of which is the shell server for students. So for me, sshuttle was just what the doctor ordered.</p>
<p>—<a href="http://plasmasturm.org/">Aristotle Pagaltzis</a></p>
</div>
<p>2013-06-25T03:21:33Z</p>
<p>By Chris Siebenmann on /blog/tech/IPSecConstantKeysWhy</p>
<div class="wikitext"><p>Based on reading the sshuttle description, I don't think it would quite
do what I want. I actively want my home machine to appear as a separate
IP address on the work network and to be reachable there (for whatever
ports I open up and so on). Still, it's an interesting program and I'm
going to have to remember it for potential future use.</p>
<p>(Pragmatically I also have my IPSec tunnel set up and working now, so
switching to anything else would take additional work.)</p>
</div>
<p>2013-06-24T17:03:03Z</p>
<p>From 87.79.78.105 on /blog/tech/IPSecConstantKeysWhy</p>
<div class="wikitext"><p>Have you taken a look at <a href="https://github.com/apenwarr/sshuttle">sshuttle</a>?</p>
<p>—<a href="http://plasmasturm.org/">Aristotle Pagaltzis</a></p>
</div>
<p>2013-06-23T01:42:01Z</p>
<p>By Chris Siebenmann on /blog/tech/IPSecConstantKeysWhy</p>
<div class="wikitext"><p>At least at the time that I set it up (and I think still now), an IPSec
tunnel was the easiest and best way to basically simulate a PPP link.
I wanted my home machine to act as if it was on the network at work
for IP in general. It also seemed like the theoretically right way to
do it (for a machine with a static IP, at least).</p>
<p>(This network presence applies only to selected network destinations
and then one gets into policy based routing and all sorts of other fun
stuff, but I would still have the policy based routing issues with any
technology.)</p>
</div>
<p>2013-06-02T18:39:41Z</p>
<p>From 207.172.69.99 on /blog/tech/IPSecConstantKeysWhy</p>
<div class="wikitext"><p>So... why do you do this, as opposed to either an SSL VPN or SSH with tunnels (even SSH with SOCKS if you need a bunch of ports open?)</p>
<p>I know why I use IPsec -- site to site connections where each side is basically equivalent. The usual policy based routing mechanism is horrendous, and getting IKE set up once per site is usually OK, but debugging it is a nightmare.</p>
<p>-dsr-</p>
</div>
<p>2013-06-02T14:05:28Z</p>