Date: Wed, 27 Aug 2003 08:45:23 -0700
From: Lars Eggert <larse@ISI.EDU>
To: "Oldach, Helge" <Helge.Oldach@atosorigin.com>
Cc: hilman firmansyah <hilman@nap.net.id>
Subject: Re: Gif IPTunnel networkA-to-networkB not work
Message-ID: <3F4CD213.40306@isi.edu>
In-Reply-To: <D2CFC58E0F8CB443B54BE72201E8916EF41A70@dehhx005.hbg.de.int.atosorigin.com>
References: <D2CFC58E0F8CB443B54BE72201E8916EF41A70@dehhx005.hbg.de.int.atosorigin.com>
Oldach, Helge wrote:
> You must have the networks connected (on the public side), but when
> using IPSec your gif tunnel won't really be used. It is just sort of
> a "placeholder" to get the routing correct.

It is not a good idea to use gifs in parallel with IPsec tunnel mode to do this routing trick. Please see the "options FAST_IPSEC & tunnels" thread on net@ from circa 4/1/2003.

Basically, that approach creates two parallel virtual topologies, one out of IPIP tunnels, and one out of IPsec tunnel mode SAs. People often do this, because they want to route traffic into an IPsec tunnel, and the SA itself doesn't have a route entry, since they aren't devices. When using IPIP tunnels with tunnel mode, they abuse the route created by the gif device for routing, but packets will be hijacked by the tunnel mode SA, so they never actually enter gif processing (IPsec does the IPIP encapsulation internally.)

Using IPIP tunnels with transport mode is valid, since packets will actually flow through the gif device, and get IPsec'ed after they are IPIP encapsulated. (In multihop topologies, they'll then need to be IPIP encapsulated again - the virtual network needs both virtual link and network layers.) It doesn't give you the full expressiveness of IPsec selectors, but it's good enough for many VPN schemes (and routing works!)

See ftp://ftp.rfc-editor.org/internet-drafts/draft-touch-ipsec-vpn-05.txt. It is currently in the IESG timeout before going to Informational.
Lars
-- 
Lars Eggert <larse@isi.edu> USC Information Sciences Institute
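As an added illustration of the two configurations contrasted above (this script is not from the thread or from FreeBSD itself), the following sh script sets up a gif tunnel between two routers and generates the setkey(8) policy for it. The public and inner addresses are constructed documentation values, the variable names are assumptions, and by default it only prints what it would do.

```shell
#!/bin/sh
# Added example: gif tunnel plus IPsec policy on FreeBSD. DRY_RUN=1 (default)
# prints the commands and policy; DRY_RUN=0 executes them (requires root).
set -eu

LOCAL_PUB=${LOCAL_PUB:-192.0.2.1}        # public endpoint of router A (constructed)
REMOTE_PUB=${REMOTE_PUB:-198.51.100.1}   # public endpoint of router B (constructed)
LOCAL_INNER=10.0.1.1                     # gif0 inner addresses (constructed)
REMOTE_INNER=10.0.2.1
LOCAL_NET=10.0.1.0/24                    # network A behind router A
REMOTE_NET=10.0.2.0/24                   # network B, reached via gif0
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# gif0 supplies the virtual link and the route toward network B.
gif_setup() {
    run ifconfig gif0 create
    run ifconfig gif0 tunnel "$LOCAL_PUB" "$REMOTE_PUB"
    run ifconfig gif0 inet "$LOCAL_INNER" "$REMOTE_INNER" netmask 255.255.255.255
    run route add -net "$REMOTE_NET" "$REMOTE_INNER"
}

# Valid combination: transport mode matching only the IP-in-IP (ip4) packets
# that gif emits between the two public endpoints. Traffic enters gif first,
# is IPIP-encapsulated, and ESP is then applied to the encapsulated packet.
spd_transport() {
    cat <<EOF
spdadd $LOCAL_PUB $REMOTE_PUB ip4 -P out ipsec esp/transport//require;
spdadd $REMOTE_PUB $LOCAL_PUB ip4 -P in ipsec esp/transport//require;
EOF
}

# The combination the thread warns against: tunnel mode selecting the inner
# networks directly. Matching packets are encapsulated by IPsec itself and
# never reach gif processing, so gif only exists to hold the route.
spd_tunnel() {
    cat <<EOF
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_PUB-$REMOTE_PUB/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec esp/tunnel/$REMOTE_PUB-$LOCAL_PUB/require;
EOF
}

# Load the transport-mode policy; setkey -c reads policy from stdin.
apply_transport_policy() {
    if [ "$DRY_RUN" = 1 ]; then spd_transport; else spd_transport | setkey -c; fi
}
```

Run `gif_setup` and `apply_transport_policy` with `DRY_RUN=0` on both routers (swapping the LOCAL_* and REMOTE_* values on router B) to apply the valid configuration; `spd_tunnel` is shown only for comparison.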
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3F4CD213.40306>
