Date: Mon, 21 Aug 2000 14:47:50 -0400
From: "Cambria, Mike" <mcambria@lucent.com>
To: "'questions@freebsd.org'" <questions@freebsd.org>
Subject: When is an IPSec tunnel used when multiple paths exist?
Message-ID: <443F9E4C6D67D4118C9800A0C9DD99D7107F78@rerun.lucentctc.com>
I want to set up an IPSec encrypted tunnel (IPv4) over the Internet for use as a "backup" connection when an existing private path fails for any reason. The tunnel will be between 2 FreeBSD-4.1-Stable machines (10.1.1.1 & 10.1.1.2). The site's "policy" is to always use the private path whenever it is up.

On a test network, I played with setkey to the point that I believe I have a valid configuration for an encrypted tunnel. Looking at the setkey configuration, I'm trying to understand when encryption will take place for packets being forwarded from this machine (where this machine has IP addresses 192.168.1.1, 17.16.1.1 and 10.1.1.1).

Given an SPD entry like:

    spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
        esp/tunnel/10.1.1.1-10.1.1.2/require
        ah/tunnel/10.1.1.1-10.1.1.2/require ;

Will encryption take place in all cases for packets from 192.168.1.x to 192.168.2.x, even if the next hop is not the tunnel (e.g. interface 17.16.1.1 is the next hop from the routing table)? In the situation described above, encryption would take place even though the path uses the private network.

Or, will encryption take place for packets from 192.168.1.x to 192.168.2.x _only_ when packets have a next hop of the other end of the tunnel connection (next hop is 10.1.1.2)? This is the solution I'm looking for.

Any enlightenment appreciated.

Thanks,
MikeC
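The question turns on what inputs the SPD lookup actually uses. In the KAME IPsec stack that FreeBSD 4.x ships, an outbound packet is matched against SPD entries by its selectors (source, destination, protocol, direction); the route chosen for it is not consulted. The following is an added model of that lookup, not kernel or setkey code, which parses the exact spdadd line from the message and shows that the decision is the same whichever next hop the routing table picks. The routing table and packet addresses are constructed for the illustration.

```python
from ipaddress import ip_address, ip_network

# The SPD entry quoted in the message (selectors followed by the policy string).
SPDADD = ("spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec "
          "esp/tunnel/10.1.1.1-10.1.1.2/require ah/tunnel/10.1.1.1-10.1.1.2/require ;")


def parse_spdadd(line):
    """Parse 'spdadd SRC DST PROTO -P DIR POLICY ... ;' into a selector/policy dict."""
    tok = line.strip().rstrip(";").split()
    if tok[0] != "spdadd" or tok[4] != "-P":
        raise ValueError("not an spdadd line: %r" % line)
    return {"src": ip_network(tok[1]), "dst": ip_network(tok[2]), "proto": tok[3],
            "dir": tok[5], "policy": " ".join(tok[6:])}


def spd_lookup(spd, src, dst, proto, direction):
    """Selector-only lookup: the first entry whose src/dst/proto/dir match wins.

    Note what is absent from the signature: no next hop, no outgoing interface.
    """
    for e in spd:
        if (e["dir"] == direction and e["proto"] in ("any", proto)
                and ip_address(src) in e["src"] and ip_address(dst) in e["dst"]):
            return e["policy"]
    return "none"


# Constructed routing table for the host in the message: the private path leaves
# via the 17.16.1.1 interface, the Internet path via the tunnel peer 10.1.1.2.
ROUTES = {"private": "17.16.1.1", "internet": "10.1.1.2"}


def forward(spd, src, dst, proto, path):
    """Model outbound processing: route selection and the SPD decision are independent."""
    next_hop = ROUTES[path]
    policy = spd_lookup(spd, src, dst, proto, "out")
    return next_hop, policy


if __name__ == "__main__":
    spd = [parse_spdadd(SPDADD)]
    for path in ("private", "internet"):
        # Same policy result on both paths: 192.168.1.x -> 192.168.2.x is always encrypted.
        print(path, forward(spd, "192.168.1.5", "192.168.2.7", "tcp", path))
    # A destination outside the selector is never touched, whatever the route.
    print("other", forward(spd, "192.168.1.5", "192.168.3.7", "tcp", "private"))
```

Because the selector alone decides, a policy keyed on the inner 192.168.x.x addresses cannot express "only when the route goes via 10.1.1.2"; the private path would carry ESP/AH traffic too.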