Date: Fri, 22 Nov 2002 09:53:18 -0500
From: "Cambria, Mike" <mcambria@avaya.com>
To: 'Helge Oldach' <freebsd-stable-21nov02@oldach.net>, archie@dellroad.org, "'larse@isi.edu'" <larse@isi.edu>
Cc: guido@gvr.org, dkelly@hiwaay.net, hausen@punkt.de, archie@dellroad.org, sullrich@CRE8.COM, greg.panula@dolaninformation.com, FreeBSD-stable@FreeBSD.ORG
Subject: RE: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Message-ID: <3A6D367EA1EFD4118C9B00A0C9DD99D7E4EF56@rerun.avayactc.com>

> -----Original Message-----
> From: Helge Oldach [mailto:freebsd-stable-21nov02@oldach.net]

[deleted]

> Seems to me that we need some trickery routing using shadow routes to
> make this work, similar to using gif interfaces with ESP tunnel mode.
> This would add another point of confusion and violate POLA.
> Seems to me that an esp0 interface is really only useful for ESP tunnel
> mode. In that case it should be a point-to-point interface similar to gif.
>
> Perhaps worth mentioning: ESP transport mode over a gif tunnel is
> *not* the same as ESP tunnel mode. Having a FreeBSD box with transport
> mode/gif work against a non-FreeBSD machine in ESP tunnel mode will not
> work.

If you are referring to IPIP tunnels (e.g. gif) then applying IPsec transport mode to the outer IP, then see http://www.isi.edu/larse/papers/draft-touch-ipsec-vpn-04.txt or the IETF ID site on how this works. Most of their work has been on FreeBSD, using IPIP tunnels (i.e. gif), then applying IPsec transport mode. The draft explains how this can interoperate with IPsec tunnel mode at the other end (the point of the draft) and is, in fact, indistinguishable.

Now, if you are referring to using gif and IPsec _tunnel_ mode .... why would one want to even do this?

MikeC
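
The wire-format equivalence discussed in the message above, as an added example that is not part of the original e-mail or of the draft it cites: the same inner packet is encapsulated once as ESP tunnel mode and once as IPIP followed by ESP transport mode on the outer header, then the bytes are compared. It assumes NULL encryption and no ICV so the output is readable; the addresses, SPI, sequence number and helper names are constructed for illustration.

```python
import struct

def checksum(hdr):
    # One's-complement sum over 16-bit words (IPv4 header checksum)
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4(src, dst, proto, payload):
    # Minimal 20-byte IPv4 header: no options, ID 0, TTL 64 (constructed values)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def esp(spi, seq, data, next_header):
    # ESP layout: SPI, sequence, payload, padding, pad length, next header.
    # Assumption: NULL encryption, no ICV. Padding aligns the trailer to 4 bytes.
    pad_len = -(len(data) + 2) % 4
    pad = bytes(range(1, pad_len + 1))
    return struct.pack("!II", spi, seq) + data + pad + bytes([pad_len, next_header])

def tunnel_mode(src, dst, inner, spi, seq):
    # Tunnel mode: the whole inner packet is the ESP payload, next header 4
    return ipv4(src, dst, 50, esp(spi, seq, inner, 4))

def ipip_then_transport(src, dst, inner, spi, seq):
    # Step 1: gif-style IPIP encapsulation, outer protocol 4
    ipip = ipv4(src, dst, 4, inner)
    # Step 2: transport mode keeps the outer addresses and protects what
    # follows the outer header; next header is the old protocol field
    old_proto, body = ipip[9], ipip[20:]
    return ipv4(ipip[12:16], ipip[16:20], 50, esp(spi, seq, body, old_proto))

# Constructed sample: UDP datagram between two private hosts,
# carried between two gateways on documentation addresses
HOST_A, HOST_B = bytes([10, 1, 0, 5]), bytes([10, 2, 0, 7])
GW_A, GW_B = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])
UDP = struct.pack("!HHHH", 4000, 4001, 13, 0) + b"hello"
INNER = ipv4(HOST_A, HOST_B, 17, UDP)

if __name__ == "__main__":
    a = tunnel_mode(GW_A, GW_B, INNER, 0x1000, 1)
    b = ipip_then_transport(GW_A, GW_B, INNER, 0x1000, 1)
    print("identical on the wire:", a == b)
    print("outer protocol:", a[9], "ESP next header:", a[-1])
```

On a real link the two ends may still differ in fields this sketch fixes, such as the outer IP ID and TTL.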