Date:      Mon, 08 Apr 2002 14:20:12 -0700
From:      Lars Eggert <larse@ISI.EDU>
To:        "Rogier R. Mulhuijzen" <drwilco@drwilco.net>
Cc:        mgt@hytekblue.com, freebsd-net@FreeBSD.ORG
Subject:   Re: IPsec tunnel mode
Message-ID:  <3CB2098C.5080904@isi.edu>
References:  <5.1.0.14.0.20020408202757.01cac470@mail.drwilco.net>


Rogier R. Mulhuijzen wrote:
 >> http://www.x-itec.de/projects/tuts/ipsec-howto.txt
 >
 > Unfortunately this howto, like any other mention of IPsec &
 > tunneling on the net uses the gif interface. Which is IPoverIP, and
 > this does not seem to match with IPsec tunnel devices.

There are no IPsec tunnel devices in KAME. IPsec defines "security
associations" (SAs), which are not represented as devices in the routing
table in KAME. Thus, you can't use routes to direct traffic into these
tunnel mode SAs, you need to set up your security policies with the
correct selectors (think firewall-like matching).

*Many* tutorials on the net do not understand this distinction, and
tell you to set up an IPIP tunnel (using a gif) and an IPsec tunnel
mode SA in parallel. This is a bad hack, since you (ab)use a side effect
of creating an IPIP tunnel device (it can be used for route entries) to
redirect traffic into your (separate) tunnel mode SA. Very roughly, you
set up the IPIP tunnel, then yank out the packets destined for it during
outbound processing and force them over an IPsec tunnel mode SA.

Use EITHER IPsec tunnel mode alone OR IPIP tunnels and IP transport
mode (draft-touch-ipsec-vpn). Mixing both can work in some scenarios 
where the dependencies between side effects are just right, but in 
general, it's a broken approach.

Lars
-- 
Lars Eggert <larse@isi.edu>               Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California
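The two clean designs Lars contrasts (tunnel mode alone, or gif IPIP plus transport mode) expressed as setkey(8) security policies. This is an added example, not configuration from the mail or from KAME; the gateway and subnet addresses are assumed documentation values, and the SAs themselves are left to a key-management daemon such as racoon (the policies say "require").

```shell
#!/bin/sh
# Added example: emit setkey(8) SPD entries for the two sane VPN designs.
# All addresses are assumed/constructed; nothing is applied unless you
# pipe the output into `setkey -c` on the gateway yourself.
GW_LOCAL=192.0.2.1       # our IPsec gateway (assumed)
GW_REMOTE=198.51.100.1   # peer gateway (assumed)
NET_LOCAL=10.0.1.0/24    # network behind us (assumed)
NET_REMOTE=10.0.2.0/24   # network behind the peer (assumed)

# Design A: IPsec tunnel mode alone. There is no tunnel device and no
# route; the SPD selectors (src/dst prefixes) alone decide which packets
# are put into the tunnel-mode SA between the two gateways.
spd_tunnel_mode() {
    cat <<EOF
spdadd $NET_LOCAL $NET_REMOTE any -P out ipsec esp/tunnel/$GW_LOCAL-$GW_REMOTE/require;
spdadd $NET_REMOTE $NET_LOCAL any -P in ipsec esp/tunnel/$GW_REMOTE-$GW_LOCAL/require;
EOF
}

# Design B: gif IPIP tunnel + IPsec transport mode (draft-touch-ipsec-vpn).
# The route steers traffic into gif0, which wraps it in IP-in-IP (proto 4,
# "ip4" in setkey). The SPD then matches those gateway-to-gateway ip4
# packets and protects them in transport mode, so no tunnel-mode SA exists.
gif_setup() {
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $GW_LOCAL $GW_REMOTE
ifconfig gif0 inet 10.0.1.1 10.0.2.1 netmask 0xffffffff
route add -net $NET_REMOTE 10.0.2.1
EOF
}

spd_gif_transport() {
    cat <<EOF
spdadd $GW_LOCAL $GW_REMOTE ip4 -P out ipsec esp/transport//require;
spdadd $GW_REMOTE $GW_LOCAL ip4 -P in ipsec esp/transport//require;
EOF
}

# Print both designs for review; pick ONE of them per gateway, never both.
echo "# Design A: tunnel mode only"; spd_tunnel_mode
echo "# Design B: gif + transport mode"; gif_setup; spd_gif_transport
```

Review the output before loading it: if a policy set contains both an `esp/tunnel/` entry and a gif route for the same prefixes, you have the mixed setup the mail warns against.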
