From owner-freebsd-doc@FreeBSD.ORG  Wed Apr 19 15:55:53 2006
Return-Path: <owner-freebsd-doc@FreeBSD.ORG>
X-Original-To: doc@FreeBSD.org
Delivered-To: freebsd-doc@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B425716A43A
	for <doc@FreeBSD.org>; Wed, 19 Apr 2006 15:55:53 +0000 (UTC)
	(envelope-from dimas@dataart.com)
Received: from relay1.dataart.com (fobos.marketsite.ru [62.152.84.30])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0CBFA43D68
	for <doc@FreeBSD.org>; Wed, 19 Apr 2006 15:55:48 +0000 (GMT)
	(envelope-from dimas@dataart.com)
Received: from e1.universe.dart.spb ([192.168.10.44])
	by relay1.dataart.com with esmtp (Exim 4.22) id 1FWF1v-00071p-EE
	for doc@FreeBSD.org; Wed, 19 Apr 2006 19:55:47 +0400
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 19 Apr 2006 19:54:35 +0400
Message-ID: <D5972F49810A69449A9EA72A4B360DC2D09FF4@e1.universe.dart.spb>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: http://www.freebsd.org/doc/handbook/ipsec.html
thread-index: AcZjybkWFNx4k+GnS4OUm5nSjEPjNQ==
From: "Dmitry Andrianov" <dimas@dataart.com>
To: <doc@FreeBSD.org>
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: 
Subject: http://www.freebsd.org/doc/handbook/ipsec.html
X-BeenThere: freebsd-doc@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Documentation project <freebsd-doc.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-doc>,
	<mailto:freebsd-doc-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-doc>
List-Post: <mailto:freebsd-doc@freebsd.org>
List-Help: <mailto:freebsd-doc-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-doc>,
	<mailto:freebsd-doc-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Apr 2006 15:55:57 -0000

Hello,

After setting up an ipsec tunnel according to
http://www.freebsd.org/doc/handbook/ipsec.html I have a question:

=20

Why you suggest using IPSEC tunnel mode when packets are already wrapped
in IP-to-IP protocol (ipencap) and in fact already "tunneled". This only
adds another unneeded header to the packet - picture in the article
clearly shows this - src/dest IP for both outer headers are the same.
Another issue with tunnel mode is that is impossible to watch traffic on
gifX interfaces with tcpdump (
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=3D236856+0+archive/2001/free=
b
sd-net/20010506.freebsd-net )

=20

Both of these problems are solved by using "transport" instead of
"tunnel" keyword. Since traffic already encapsulated into ipencap, we
clearly have point-to-point traffic and transport mode works just fine.

=20

(Tested)

=20

Regards,

Dmitry Andrianov

=20