For comprehensive LAN encryption, IPSec demonstrates strong cross-platform compatibility:
```
# Linux (strongSwan ipsec.conf example)
conn lan-encryption
    authby=secret
    auto=start
    keyexchange=ikev2
    ike=aes256-sha256-modp2048
    # a DH group in esp= gives PFS on CHILD_SA rekeys, as the table below recommends
    esp=aes256-sha256-modp2048
    left=%any
    leftsubnet=0.0.0.0/0
    right=%any
    rightsubnet=0.0.0.0/0
    type=transport
```
Windows clients natively support IPSec through Group Policy; the same rule can be created from PowerShell:
```powershell
# "ComputerPSK" is the name of a phase-1 authentication set created beforehand with
# New-NetIPsecPhase1AuthSet; the AES-256-GCM proposal belongs in a quick-mode crypto set
# (New-NetIPsecQuickModeCryptoSet), referenced here by the placeholder name "LanGcm256".
New-NetIPsecRule -DisplayName "LAN Encryption" -LocalAddress Any -RemoteAddress Any `
    -InboundSecurity Require -OutboundSecurity Require `
    -KeyModule IKEv2 -Phase1AuthSet ComputerPSK -QuickModeCryptoSet LanGcm256
```
Complete traffic isolation requires layered controls:
- Network interface binding (Linux example):
```bash
# Manual kernel policies (an IKE daemon such as strongSwan installs these itself).
# Flushing removes all existing SAs and policies; IKE (UDP 500/4500) still needs
# higher-priority bypass policies or it can never negotiate the required ESP SAs.
ip xfrm policy flush
ip xfrm state flush
ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 dir out tmpl proto esp mode transport level required
ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 dir in  tmpl proto esp mode transport level required
```
- Firewall rules to drop non-IPSec traffic:
```bash
# Decrypted ESP payloads re-enter netfilter as plain TCP/UDP, so "! -p esp -j DROP"
# would discard them; match on the IPsec policy instead, and let raw ESP, IKE
# (UDP 500/4500) and loopback pass in the clear.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
for dir in in out; do
    chain=$([ "$dir" = in ] && echo INPUT || echo OUTPUT)
    iptables -A "$chain" -p esp -j ACCEPT
    iptables -A "$chain" -p udp -m multiport --ports 500,4500 -j ACCEPT
    iptables -A "$chain" -m policy --dir "$dir" --pol ipsec -j ACCEPT
    iptables -A "$chain" -j DROP
done
```
For internal LAN communication:
| Parameter | Recommended Value |
|---|---|
| Mode | Transport (reduced overhead) |
| Protocol | ESP with GCM authentication |
| Encryption | AES-256-GCM |
| IKE Version | IKEv2 with PFS |
For internet-bound traffic, consider these architectural approaches:
- Transport Mode with Proxy:
```
# Squid configuration: Squid itself cannot verify IPsec, so the requirement is enforced
# by the proxy host's IPsec policy and firewall (e.g. an iptables "-m policy" rule on
# tcp/3128); Squid only restricts which client range may use the proxy.
acl lan_network src 192.168.1.0/24
http_access allow lan_network
```
- Tunnel Mode Gateway:
```
# strongSwan gateway config
conn internet-tunnel
    left=gateway.lan
    leftsubnet=0.0.0.0/0
    right=%any
    rightsubnet=0.0.0.0/0
    auto=route
    type=tunnel
    keyexchange=ikev2
```
- Deploy certificate-based authentication for better scalability than PSK
- Implement monitoring for ESP packet drops:
```bash
# Linux monitoring: per-SA packet/byte counters and error counts, refreshed every second
watch -n 1 "ip -s xfrm state"
```
- Test compatibility with multicast traffic if needed for protocols like mDNS
For comprehensive LAN traffic encryption, IPSec support varies across platforms:
```
# Linux (strongSwan ipsec.conf example)
conn lan-encrypt
    authby=secret
    auto=start
    keyexchange=ikev2
    # '!' keeps the proposal list strict; SHA-1 and modp1024 are legacy, so use
    # SHA-256 with DH group 14 (modp2048) as in the proposals recommended further down
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    left=%defaultroute
    right=%any
    type=transport
    leftprotoport=0
    rightprotoport=0
```
Windows Server 2022 implements similar policies through Group Policy Objects (GPOs) with AES-256 encryption, while macOS uses the native racoon daemon with configuration profiles.
IPSec can be enforced at multiple levels:
- Host-based policies (entire machine encryption)
- Network interface binding
- Firewall integration (Windows Filtering Platform or Linux netfilter)
Example Windows PowerShell command for host-level enforcement:
```powershell
New-NetIPsecRule -DisplayName "Block Non-IPSec" -InboundSecurity Require -OutboundSecurity Require
```
To block non-IPSec traffic:
```bash
# Linux iptables example: raw ESP and IKE (UDP 500/4500) must arrive in the clear,
# decapsulated payloads then match the policy rule, everything else is dropped
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec --strict -j ACCEPT
iptables -A INPUT -j DROP
```
For certificate-based authentication to prevent unauthorized IPSec traffic:
```
# strongSwan configuration (certificate paths are relative to /etc/ipsec.d/certs;
# peer certificates are validated against the CAs in /etc/ipsec.d/cacerts)
conn %default
    leftcert=hostCert.pem
    rightcert=clientCert.pem
    leftid=@vpn.example.com
    rightid=%any
    auto=add
```
For intra-LAN communication, ESP with authentication in transport mode provides optimal performance:
```
# ipsec.conf proposal keys (swanctl.conf uses proposals= and esp_proposals= instead);
# the DH group in esp= gives each CHILD_SA its own key material (PFS)
ike=aes256-sha256-modp2048
esp=aes256-sha256-modp2048
```
This combines confidentiality (AES-256) with integrity protection (SHA-256) without the overhead of AH.
For internet-bound traffic, consider these approaches:
Tunnel Mode to Gateway
```
conn internet-tunnel
    left=192.168.1.1
    leftsubnet=0.0.0.0/0
    right=internet-gw
    rightsubnet=0.0.0.0/0
    type=tunnel
    auto=start
```
Transport Mode with Proxy
Requires explicit proxy configuration on clients:
```
conn internet-transport
    left=%any
    right=proxy-server
    type=transport
    # the client uses an ephemeral source port, so only the proxy port is pinned
    leftprotoport=tcp
    rightprotoport=tcp/3128
```
Plan for these operational considerations:
- Performance impact on latency-sensitive applications
- Multicast/broadcast traffic handling limitations
- ICMP message filtering requirements
- DHCP and other bootstrap protocol considerations
```
# Multicast exception example: passthrough installs a bypass policy so the selected
# traffic is sent in the clear; scope it to the IPv4 multicast range (224.0.0.0/4),
# otherwise the bypass applies to all traffic
conn multicast-exception
    left=%any
    right=%any
    rightsubnet=224.0.0.0/4
    type=passthrough
    auto=route
```
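The conn blocks above can be checked mechanically against the recommended values in the table (modern proposals, a DH group in esp= for PFS, certificates instead of a group PSK). This is an added example, not strongSwan code or part of the original text; the sample configuration and the finding texts are constructed.

```python
import re
# Legacy algorithm tokens that should not appear in an ike= or esp= proposal.
LEGACY = {"md5", "sha1", "prfsha1", "des", "3des", "null", "modp768", "modp1024", "modp1536"}

def parse_ipsec_conf(text):
    """Parse ipsec.conf-style 'conn NAME' blocks into {name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        header = re.match(r"^conn\s+(\S+)$", line)
        if header:
            current = header.group(1)
            conns[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    return conns

def proposal_tokens(value):
    # 'aes256-sha1-modp1024!' -> {'aes256', 'sha1', 'modp1024'}; the strict '!' is dropped
    return {tok for prop in value.rstrip("!").split(",") for tok in prop.split("-") if tok}

def audit_conn(name, p):
    """Findings for one conn, judged against the recommended values in the table above."""
    findings = []
    for key in ("ike", "esp"):
        legacy = LEGACY & proposal_tokens(p.get(key, ""))
        if legacy:
            findings.append(f"{name}: {key}= offers legacy algorithm(s) {sorted(legacy)}")
    esp = proposal_tokens(p.get("esp", ""))
    if esp and not any(t.startswith(("modp", "ecp", "curve")) for t in esp):
        findings.append(f"{name}: esp= has no DH group, so CHILD_SA rekeys lack PFS")
    if p.get("authby") == "secret" and p.get("right") == "%any":
        findings.append(f"{name}: group PSK with right=%any; prefer certificates")
    return findings

# Constructed sample (not a real deployment): a legacy conn beside a hardened one.
SAMPLE_CONF = """\
conn lan-legacy
    authby=secret
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    right=%any
conn lan-hardened
    authby=pubkey
    ike=aes256gcm16-prfsha256-modp2048
    esp=aes256gcm16-modp2048
"""
```

Running `audit_conn` over each parsed block reports four findings for `lan-legacy` and none for `lan-hardened`.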