1

How does one encrypt traffic in a wired LAN segment?

Can IPv6 in combination with IPSec be configured for IKE/ISAKMP authentication?

OR

Will I drown in configuring appropriate IKE host-to-host rules for the ISAKMP?

OR

Should I look towards 802.1X-2010 which according to Wikipedia supports "service identification and optional point to point encryption over the local LAN segment"?

Let's say my LAN segment consists mostly of Windows 7 and higher PCs and a few FreeBSD VMs. Switches are moderately modern DLINKs, routers are from Mikrotik.

Citizen
  • 1,102
P. D
  • 11

1 Answer

3

You can go all-IPSec, no need for IPv6 necessarily. Obviously there will be some management required, all hosts need to have the IPSec rules. In a pure Windows/AD environment, it's almost easy; the GPOs for server<->client IPSec are all available to use, and generally clients don't talk to each other. Exceptions can include SIP traffic of course, or any other P2P chat protocol.

If you just implement 802.1x, you're implicitly trusting your now-authorized-and-authenticated endpoints, which could still sniff traffic.

mfinni
  • 36,892
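
A Windows connection security rule of the kind the answer describes, as an added example that is not part of the original answer. It assumes domain-joined Windows hosts (so Kerberos computer authentication is available); the rule name and the addresses are constructed, and the FreeBSD VMs would need their own IPsec configuration with an authentication method both sides support.

```batch
rem Added example; addresses are constructed (RFC 5737 documentation range).
rem Assumes domain-joined Windows hosts, so Kerberos computer authentication works.
rem Run from an elevated prompt, or define the same rule in a GPO.

rem Protect traffic between the client subnet (endpoint1) and one server
rem (endpoint2). The quick mode proposal names ESP with an encryption
rem algorithm explicitly, so the rule does not rely on default proposals.
rem requireinrequestout: inbound must be protected, outbound is requested.
netsh advfirewall consec add rule name="LAN clients to server - IPsec" ^
    endpoint1=192.0.2.0/24 endpoint2=192.0.2.10 ^
    action=requireinrequestout auth1=computerkerb ^
    qmsecmethods=esp:sha1-aes128

rem Confirm the rule is present on this host.
netsh advfirewall consec show rule name="LAN clients to server - IPsec"

rem After generating traffic to the server, confirm that main mode and
rem quick mode security associations were actually negotiated.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

With `requireinrequestout`, outbound connections can still fall back to cleartext when the peer does not negotiate; once the security associations show up on both ends, `action=requireinrequireout` closes that gap.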