Date: Wed, 19 Apr 2006 19:54:35 +0400
From: "Dmitry Andrianov" <dimas@dataart.com>
To: <doc@FreeBSD.org>
Subject: http://www.freebsd.org/doc/handbook/ipsec.html
Message-ID: <D5972F49810A69449A9EA72A4B360DC2D09FF4@e1.universe.dart.spb>
Hello,

After setting up an IPsec tunnel according to http://www.freebsd.org/doc/handbook/ipsec.html I have a question: why do you suggest using IPsec tunnel mode when the packets are already wrapped in the IP-to-IP protocol (ipencap) and are in fact already "tunneled"? This only adds another unneeded header to the packet; the picture in the article clearly shows this: the src/dest IP for both outer headers are the same.

Another issue with tunnel mode is that it is impossible to watch traffic on gifX interfaces with tcpdump (http://docs.freebsd.org/cgi/getmsg.cgi?fetch=236856+0+archive/2001/freebsd-net/20010506.freebsd-net).

Both of these problems are solved by using the "transport" keyword instead of "tunnel". Since the traffic is already encapsulated in ipencap, we clearly have point-to-point traffic and transport mode works just fine. (Tested)

Regards,
Dmitry Andrianov
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D5972F49810A69449A9EA72A4B360DC2D09FF4>
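The two policy variants the message compares, as an added example that is not part of the original message or of the FreeBSD Handbook. The script below prints the ifconfig(8) commands that build the gif(4) IP-in-IP tunnel and then a setkey(8) SPD configuration that matches only the ipencap traffic between the two outer endpoints, in either the Handbook's tunnel mode (ESP wraps the already-encapsulated packet in a second outer IP header with the same src/dst) or the transport mode proposed above (ESP applied directly to the ipencap packet, no extra header). The addresses and the gif0 name are placeholders taken from the RFC 5737 documentation ranges; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original message or the FreeBSD Handbook.
# Generates the gif(4) tunnel setup and a setkey(8) SPD policy set for
# protecting the IP-in-IP (ipencap, protocol 4) traffic between two
# tunnel endpoints in either "tunnel" or "transport" mode.

# gif_setup OUTER_LOCAL OUTER_REMOTE INNER_LOCAL INNER_REMOTE [GIF_IF]
# Prints the ifconfig commands that create the IP-in-IP tunnel itself.
# The policies below protect the outer (ipencap) packets this produces.
gif_setup() {
    _gif="${5:-gif0}"
    printf 'ifconfig %s create\n' "$_gif"
    printf 'ifconfig %s tunnel %s %s\n' "$_gif" "$1" "$2"
    printf 'ifconfig %s inet %s %s netmask 255.255.255.255\n' "$_gif" "$3" "$4"
}

# ipsec_spd OUTER_LOCAL OUTER_REMOTE MODE
# Prints a setkey -c script. MODE is "tunnel" (Handbook style: ESP adds a
# second outer IP header whose addresses equal the ipencap header's) or
# "transport" (ESP applied directly to the ipencap packet, one header less).
# Only packets whose upper-layer protocol is ipencap are selected, so
# ordinary traffic between the two hosts is left unaffected.
ipsec_spd() {
    _local="$1"; _remote="$2"; _mode="$3"
    case "$_mode" in
        tunnel)
            _out="esp/tunnel/${_local}-${_remote}/require"
            _in="esp/tunnel/${_remote}-${_local}/require"
            ;;
        transport)
            # transport mode carries no src-dst pair in the policy; the
            # field between the slashes is left empty
            _out="esp/transport//require"
            _in="esp/transport//require"
            ;;
        *)
            printf 'ipsec_spd: mode must be tunnel or transport, got "%s"\n' "$_mode" >&2
            return 1
            ;;
    esac
    # Clear the SAD and SPD first so stale entries cannot shadow these.
    printf 'flush;\nspdflush;\n'
    printf 'spdadd %s/32 %s/32 ipencap -P out ipsec %s;\n' "$_local" "$_remote" "$_out"
    printf 'spdadd %s/32 %s/32 ipencap -P in ipsec %s;\n' "$_remote" "$_local" "$_in"
}

# Demo with constructed documentation addresses (RFC 5737); nothing is
# applied to the kernel here, the output is only printed.
gif_setup 192.0.2.1 198.51.100.1 10.0.0.1 10.0.0.2
ipsec_spd 192.0.2.1 198.51.100.1 transport
```

To apply a variant on a real gateway, pipe it into the kernel (`ipsec_spd 192.0.2.1 198.51.100.1 transport | setkey -c`) and run the mirror-image invocation on the peer; the mode in the SPD entry is what the kernel asks the IKE daemon for when it requests the SA, so both peers must agree on tunnel or transport. The "require" level means packets matching the selector are dropped rather than sent in the clear while no SA exists, which is the fail-closed behaviour you want for an encrypted link.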
