Date:      Wed, 02 Apr 2003 08:20:49 -0800
From:      Lars Eggert <larse@ISI.EDU>
To:        Eric Masson <e-masson@kisoft-services.com>
Cc:        Mailing List FreeBSD Network <freebsd-net@freebsd.org>
Subject:   Re: options FAST_IPSEC & tunnels
Message-ID:  <3E8B0DE1.1030500@isi.edu>
In-Reply-To: <86fzp0riwl.fsf@notbsdems.interne.kisoft-services.com>
References:  <86pto6mbxj.fsf@notbsdems.interne.kisoft-services.com> <05b901c2f881$67e907f0$52557f42@errno.com> <3E8A1122.5040304@isi.edu> <86fzp0riwl.fsf@notbsdems.interne.kisoft-services.com>

Eric,

On 4/2/2003 7:58 AM, Eric Masson wrote:
>>>>>>"Lars" == Lars Eggert <larse@ISI.EDU> writes:
> 
>  Lars> Alternatively (and already working), you can replace IPsec tunnel
>  Lars> mode with IPIP (gif) tunnels and transport mode, and then use the
>  Lars> gif device in your firewall rules.
> 
> If transport mode can be used to connect to a pix, it's a solution to
> consider, but atm, I've found no reference to such a setup on the pix.

What's a pix? But chances are, you will need to control both endpoints
for my suggestion to work.

> I've tried gif tunnels with ipsec tunnel mode and didn't get
> reproducible results, this setup worked once with the following gif
> setup:
[snip]
> Next time, after a reboot (kernel switch) no packets were flowing through
> the gif tunnel.

Yes, combining tunnel mode and IPIP tunnels is not a good idea.
Basically, that approach creates two parallel virtual topologies, one
out of IPIP tunnels, and one out of IPsec tunnel mode SAs. People often
do this, because they want to route traffic into an IPsec tunnel, and
the SA itself doesn't have a route entry, since SAs aren't devices.
When using IPIP tunnels with tunnel mode, they abuse the route created
by the gif device for routing, but packets will be hijacked by the
tunnel mode SA, so they never actually enter gif processing (IPsec does
the IPIP encapsulation internally.)

Using IPIP tunnels with transport mode is valid, since packets will 
actually flow through the gif device, and get IPsec'ed after they are 
IPIP encapsulated. (In multihop topologies, they'll then need to be IPIP 
encapsulated again - the virtual network needs both virtual link and 
network layers.)

Lars
-- 
Lars Eggert <larse@isi.edu>           USC Information Sciences Institute
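The setup Lars recommends (a gif IPIP tunnel whose outer packets are protected by transport-mode ESP), written out as an added example that is not code from the thread. The addresses are constructed placeholders; the gif0 name, the ip4 upper-layer selector and the APPLY dry-run switch are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: an IPIP (gif) tunnel whose
# outer packets are protected by transport-mode ESP. Addresses below are
# constructed placeholders; gif0 and the APPLY switch are assumptions.
OUTER_LOCAL=${OUTER_LOCAL:-192.0.2.1}        # this endpoint's public address
OUTER_REMOTE=${OUTER_REMOTE:-198.51.100.1}   # peer's public address
INNER_LOCAL=${INNER_LOCAL:-10.0.1.1}         # gif0 point-to-point addresses
INNER_REMOTE=${INNER_REMOTE:-10.0.2.1}
LOCAL_NET=${LOCAL_NET:-10.0.1.0/24}          # networks behind each end
REMOTE_NET=${REMOTE_NET:-10.0.2.0/24}

# Create the gif tunnel; the route to REMOTE_NET is what steers traffic
# into gif0, where it is IPIP-encapsulated before IPsec sees it.
gif_commands() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$OUTER_LOCAL" "$OUTER_REMOTE"
    printf 'ifconfig gif0 inet %s %s netmask 255.255.255.255\n' "$INNER_LOCAL" "$INNER_REMOTE"
    printf 'route add %s %s\n' "$REMOTE_NET" "$INNER_REMOTE"
}

# setkey(8) policy: match only IPv4-in-IPv4 (ip4, protocol 4) between the
# outer endpoints and apply ESP in transport mode. Nothing here matches the
# inner 10.x addresses, so the kernel hands inner packets to gif0 first.
spd_transport() {
    cat <<EOF
spdadd $OUTER_LOCAL $OUTER_REMOTE ip4 -P out ipsec esp/transport//require;
spdadd $OUTER_REMOTE $OUTER_LOCAL ip4 -P in ipsec esp/transport//require;
EOF
}

# The combination the thread warns against, kept for contrast: a tunnel-mode
# policy keyed on the inner networks. IPsec matches the inner packet itself
# and does its own IPIP encapsulation, so gif0 never sees it.
spd_tunnel_hijacks_gif() {
    cat <<EOF
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$OUTER_LOCAL-$OUTER_REMOTE/require;
EOF
}

# Returns 0 when a policy text leaves gif0 in the data path (no tunnel-mode
# entry that would capture inner traffic), 1 otherwise.
policy_keeps_gif_in_path() {
    ! printf '%s\n' "$1" | grep -q 'esp/tunnel/'
}

if [ "${APPLY:-no}" = yes ]; then gif_commands | sh; spd_transport | setkey -c
else gif_commands; spd_transport; fi        # dry run unless APPLY=yes
```

The SAs themselves (manual `add` entries or an IKE daemon) are not shown; the SPD entries above only say which packets must be protected. Firewall rules can then refer to gif0, since the inner packets really do pass through it.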
