From: "Cambria, Mike"
To: "'questions@freebsd.org'"
Subject: When is an IPSec tunnel used when multiple paths exist?
Date: Mon, 21 Aug 2000 14:47:50 -0400
Message-ID: <443F9E4C6D67D4118C9800A0C9DD99D7107F78@rerun.lucentctc.com>

I want to set up an IPSec encrypted tunnel (IPv4) over the Internet for use as a "backup" connection when an existing private path fails for any reason. The tunnel will be between 2 FreeBSD-4.1-Stable machines (10.1.1.1 & 10.1.1.2). The site's "policy" is to always use the private path whenever it is up.

On a test network, I played with setkey to the point that I believe I have a valid configuration for an encrypted tunnel. Looking at the setkey configuration, I'm trying to understand when encryption will take place for packets being forwarded from this machine (where this machine has IP addresses 192.168.1.1, 17.16.1.1 and 10.1.1.1).

Given an SPD entry like:

    spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
        esp/tunnel/10.1.1.1-10.1.1.2/require
        ah/tunnel/10.1.1.1-10.1.1.2/require ;

Will encryption take place in all cases for packets from 192.168.1.x to 192.168.2.x, even if the next hop is not the tunnel (e.g. interface 17.16.1.1 is the next hop from the routing table)? In the situation described above, encryption would take place even though the path uses the private network.

Or, will encryption take place for packets from 192.168.1.x to 192.168.2.x _only_ when packets have a next hop of the other end of the tunnel connection (next hop is 10.1.1.2)? This is the solution I'm looking for.

Any enlightenment appreciated.

Thanks,
MikeC
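Added example (not part of the thread, and not FreeBSD kernel code): a small Python model of the output path the question turns on. In the KAME stack the SPD is matched on the packet's own selectors (source, destination, upper-layer protocol), so the policy quoted above applies to every 192.168.1.x -> 192.168.2.x packet regardless of which route the inner destination has; after tunnel encapsulation it is the 10.1.1.1 -> 10.1.1.2 packet that gets routed. The model contrasts that with the route-driven layout used on FreeBSD for "only when the private path is down" behaviour: a gif(4) tunnel between the two endpoints, a transport-mode policy protecting 10.1.1.1 <-> 10.1.1.2, and a route for 192.168.2.0/24 that points at gif0 only after the private path fails (something outside IPsec, such as a failover script, has to move that route). The interface names priv0/inet0/gif0, the host pair 192.168.1.5/192.168.2.7 and the three route tables are constructed; AH and SA handling are omitted.

```python
"""Simplified model of a KAME-style IPsec host's output path (written for this
thread, not kernel code).  It keeps two properties of the real stack: the SPD is
matched on the packet's own selectors, and whatever the policy produces (an ESP
tunnel-mode packet, or a gif-encapsulated packet) is then routed like any other
packet.  AH, SA lookup and the kernel's initial route lookup (whose result is not
an input to the policy match) are left out.  priv0/inet0/gif0 are constructed names.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


@dataclass(frozen=True)
class Policy:
    """One 'spdadd SRC DST PROTO -P out ipsec esp/MODE/...' entry."""
    src_net: str
    dst_net: str
    proto: str                                # upper-layer selector, or "any"
    mode: str                                 # "tunnel" or "transport"
    outer: Optional[Tuple[str, str]] = None   # tunnel endpoints (tunnel mode only)

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and self.proto in ("any", pkt.proto))


def spd_lookup(spd: List[Policy], pkt: Packet) -> Optional[Policy]:
    """First policy whose selectors cover the packet; None means cleartext."""
    return next((p for p in spd if p.matches(pkt)), None)


def route_lookup(routes: Dict[str, str], dst: str) -> str:
    """Longest-prefix match over {prefix: interface}; a default route must exist."""
    addr = ipaddress.ip_address(dst)
    best = max((ipaddress.ip_network(p) for p in routes if addr in ipaddress.ip_network(p)),
               key=lambda n: n.prefixlen)
    return routes[str(best)]


def ip_output(pkt: Packet, spd: List[Policy], routes: Dict[str, str],
              gifs: Dict[str, Tuple[str, str]], trace: Optional[List[str]] = None) -> List[str]:
    """Return the steps a packet takes on its way out of the host."""
    trace = [] if trace is None else trace
    pol = spd_lookup(spd, pkt)          # decided from selectors, not from the route
    if pol is not None:
        if pol.mode == "tunnel":
            # Tunnel mode: new outer IP header; the inner destination's route is irrelevant.
            pkt = Packet(pol.outer[0], pol.outer[1], "esp")
            trace.append(f"esp-tunnel {pkt.src}->{pkt.dst}")
        else:
            pkt = Packet(pkt.src, pkt.dst, "esp")
            trace.append("esp-transport")
    iface = route_lookup(routes, pkt.dst)
    trace.append(f"route {pkt.dst} via {iface}")
    if iface in gifs:
        # gif(4) wraps the packet IP-in-IP and hands the result back to ip_output,
        # so the outer endpoint-to-endpoint packet gets its own SPD lookup.
        local, remote = gifs[iface]
        trace.append(f"gif {local}->{remote}")
        return ip_output(Packet(local, remote, "ipencap"), spd, routes, gifs, trace)
    return trace


INNER = Packet("192.168.1.5", "192.168.2.7")   # constructed hosts behind the two gateways

# The poster's layout: tunnel-mode policy keyed on the private networks themselves.
SPD_TUNNEL = [Policy("192.168.1.0/24", "192.168.2.0/24", "any", "tunnel", ("10.1.1.1", "10.1.1.2"))]

# Route-driven layout: protect the gif endpoints and let the routing table pick gif0.
SPD_GIF = [Policy("10.1.1.1/32", "10.1.1.2/32", "any", "transport")]
GIFS = {"gif0": ("10.1.1.1", "10.1.1.2")}

ROUTES_UP = {"192.168.2.0/24": "priv0", "0.0.0.0/0": "inet0"}        # private link carries 192.168.2/24
ROUTES_DOWN = {"0.0.0.0/0": "inet0"}                                 # private route withdrawn
ROUTES_DOWN_GIF = {"192.168.2.0/24": "gif0", "0.0.0.0/0": "inet0"}   # failover script pointed it at gif0


def poster_policy(routes: Dict[str, str]) -> List[str]:
    return ip_output(INNER, SPD_TUNNEL, routes, {})


def route_driven(routes: Dict[str, str]) -> List[str]:
    return ip_output(INNER, SPD_GIF, routes, GIFS)


if __name__ == "__main__":
    for name, fn, tables in (("spdadd on 192.168.x nets", poster_policy, (ROUTES_UP, ROUTES_DOWN)),
                             ("gif0 + transport policy", route_driven, (ROUTES_UP, ROUTES_DOWN_GIF))):
        for state, routes in zip(("private up", "private down"), tables):
            print(f"{name:26} {state:13} {' | '.join(fn(routes))}")
```

Running it shows the two behaviours side by side: with the poster's policy the traffic is ESP-encapsulated and sent to 10.1.1.2 whether or not the private route exists, while in the gif layout the packet leaves priv0 in cleartext until the route for 192.168.2.0/24 is moved to gif0, at which point the gif-encapsulated packet matches the endpoint policy and goes out encrypted.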