Date:      Mon, 08 Apr 2002 14:43:50 -0700
From:      Lars Eggert <larse@ISI.EDU>
To:        Julian Elischer <julian@elischer.org>
Cc:        "Rogier R. Mulhuijzen" <drwilco@drwilco.net>, mgt@hytekblue.com, freebsd-net@FreeBSD.ORG
Subject:   Re: IPsec tunnel mode
Message-ID:  <3CB20F16.3000904@isi.edu>
References:  <Pine.BSF.4.21.0204081425380.52929-100000@InterJet.elischer.org>

Julian Elischer wrote:
> Assign the required address to the netgraph interface and then 
> use the IP-over-UDP example in the netgraph examples.

Good idea. IP-over-UDP has advantages when it comes to firewall- and 
NAT-traversal. IP-over-IP has the advantage that it looks like IPsec 
tunnel mode on the wire and to the receiver, so it can interoperate.

> On Mon, 8 Apr 2002, Lars Eggert wrote:
> 
> 
>>Rogier R. Mulhuijzen wrote:
>> >> http://www.x-itec.de/projects/tuts/ipsec-howto.txt
>> >
>> > Unfortunately this howto, like any other mention of IPsec &
>> > tunneling on the net uses the gif interface. Which is IPoverIP, and
>> > this does not seem to match with IPsec tunnel devices.
>>
>>There are no IPsec tunnel devices in KAME. IPsec defines "security
>>associations" (SAs), which are not represented as devices in the routing
>>table in KAME. Thus, you can't use routes to direct traffic into these
>>tunnel mode SAs, you need to set up your security policies with the
>>correct selectors (think firewall-like matching).
>>
>>*Many* tutorials on the net do not understand this distinction, and
>>tell you to set up an IPIP tunnel (using a gif) and an IPsec tunnel
>>mode SA in parallel. This is a bad hack, since you (ab)use a side effect
>>of creating an IPIP tunnel device (it can be used for route entries) to
>>redirect traffic into your (separate) tunnel mode SA. Very roughly, you
>>set up the IPIP tunnel, then yank out the packets destined for it during 
>>outbound processing and force them over an IPsec tunnel mode SA.
>>
>>Use EITHER IPsec tunnel mode alone OR IPIP tunnels and IP transport
>>mode (draft-touch-ipsec-vpn). Mixing both can work in some scenarios 
>>where the dependencies between side effects are just right, but in 
>>general, it's a broken approach.
>>
>>Lars
>>-- 
>>Lars Eggert <larse@isi.edu>               Information Sciences Institute
>>http://www.isi.edu/larse/              University of Southern California
>>
> 



-- 
Lars Eggert <larse@isi.edu>               Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California
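The two clean alternatives named in the quoted reply (tunnel-mode SAs driven by SPD selectors, versus a gif IPIP tunnel protected by transport-mode SAs) spelled out as KAME setkey(8) input. This is an added illustration, not configuration from the thread or from the KAME project; the gateway addresses 192.0.2.1 and 198.51.100.1, the site prefixes 10.0.1.0/24 and 10.0.2.0/24, the SPIs and the key bytes are all constructed placeholders.

```conf
# Added example, not from the original message. Gateway A = 192.0.2.1,
# gateway B = 198.51.100.1, site A = 10.0.1.0/24, site B = 10.0.2.0/24
# (constructed addresses). Keys are fake placeholders; in practice let an
# IKE daemon negotiate the SAs. Load ONE option per gateway, never both:
#   setkey -f thisfile
# after "setkey -F; setkey -FP" to flush stale SAs and policies.

###### Option 1: IPsec tunnel mode alone (no gif, no route into the tunnel) ######
# Manual tunnel-mode SAs, one per direction, as seen from gateway A.
# Nothing here says which traffic is protected; that is decided by the SPD.
add 192.0.2.1 198.51.100.1 esp 0x1001 -m tunnel
    -E rijndael-cbc 0x000102030405060708090a0b0c0d0e0f
    -A hmac-sha1   0x000102030405060708090a0b0c0d0e0f10111213 ;
add 198.51.100.1 192.0.2.1 esp 0x1002 -m tunnel
    -E rijndael-cbc 0x101112131415161718191a1b1c1d1e1f
    -A hmac-sha1   0x202122232425262728292a2b2c2d2e2f30313233 ;

# Security policies: the selectors (src, dst, upper-layer protocol), not a
# route, pull site-to-site traffic into the tunnel-mode SA. "require" drops
# matching traffic that has no matching SA instead of sending it in the clear.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require ;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/require ;

###### Option 2: IPIP (gif) tunnel + IPsec transport mode (draft-touch-ipsec-vpn) ######
# Interface and route setup are shell commands, shown as comments since this
# file is setkey input (gif cloning needs "create"; on releases with gif as a
# compiled-in pseudo-device, skip that line):
#   ifconfig gif0 create
#   ifconfig gif0 tunnel 192.0.2.1 198.51.100.1
#   ifconfig gif0 inet 10.0.1.1 10.0.2.1 netmask 255.255.255.255
#   route add -net 10.0.2.0/24 10.0.2.1
# Here routing legitimately decides what enters the tunnel (the gif), and
# IPsec only protects the resulting outer IPIP packets between the gateways.
add 192.0.2.1 198.51.100.1 esp 0x2001 -m transport
    -E rijndael-cbc 0x000102030405060708090a0b0c0d0e0f
    -A hmac-sha1   0x000102030405060708090a0b0c0d0e0f10111213 ;
add 198.51.100.1 192.0.2.1 esp 0x2002 -m transport
    -E rijndael-cbc 0x101112131415161718191a1b1c1d1e1f
    -A hmac-sha1   0x202122232425262728292a2b2c2d2e2f30313233 ;

# Policy matches the gateway-to-gateway IPIP packets (upper-layer protocol ip4).
spdadd 192.0.2.1 198.51.100.1 ip4 -P out ipsec esp/transport//require ;
spdadd 198.51.100.1 192.0.2.1 ip4 -P in  ipsec esp/transport//require ;
```

Either option leaves a single mechanism in charge of what gets protected. The mixed gif-plus-tunnel-mode setup the quoted message warns about works only because an SPD entry happens to catch the packets the gif route redirected; "setkey -DP" shows which policy actually matched, and "rijndael-cbc" is spelled "aes-cbc" on newer releases.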
