The FreeBSD Diary

Article Feedback - There is room to improve
 no IP tunnels required
Author: Lars Eggert 
Date:   09-04-02 22:18

Lars: Would you like to post your notes below as comments to the article?
At, click on "Post" just to the right of the article title and just below the date.


On 9 Apr 2002 at 10:14, Lars Eggert wrote:

> Hi,
> please note that your IPsec how-to at
> or
> instructs people to set up
> IPIP tunnels in parallel to IPsec tunnel mode SAs.
> This is NOT required. In fact, with this approach you are setting up two
> tunnels between a node pair (one secure, one insecure). It "works"
> because the kernel will hijack packets forwarded over the insecure IP
> tunnel and push them over the secure IPsec SA. This depends on a
> specific interaction of side effects in the kernel and has all kinds of
> interesting failure modes.
> It also confuses people into thinking that IPIP tunnels (gif interfaces)
> and IPsec tunnel mode are related, or even dependent on one another,
> when in reality they are completely separate concepts.
> Please see the KAME newsletters ( for
> correct configuration of IPSec tunnel mode.
> Lars
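
The point made in the message above, as an added example that is not part of the original post or of the KAME newsletters: an IPsec tunnel-mode policy set for one gateway with no gif interface involved. All addresses are constructed (documentation and private ranges), and key management is assumed to be handled separately.

```conf
# /etc/ipsec.conf on gateway A, loaded with: setkey -f /etc/ipsec.conf
#
# Constructed example addresses (assumptions, not from the post):
#   gateway A = 192.0.2.1       LAN behind A = 10.0.1.0/24
#   gateway B = 198.51.100.1    LAN behind B = 10.0.2.0/24
#
# No gif(4) interface is created. The SPD entries alone select the
# traffic and name the tunnel endpoints.

# Clear existing SAs and policies before loading.
flush;
spdflush;

# Outbound: LAN A -> LAN B is encapsulated in ESP tunnel mode, A -> B.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require;

# Inbound: LAN B -> LAN A must arrive through the ESP tunnel, B -> A.
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require;

# The SAs come from an IKE daemon or from manual "add" entries, which
# are omitted here. With level "require", a matching packet is not sent
# in the clear while no SA exists.
```

Gateway B carries the same two policies with the directions and endpoint order swapped. `setkey -DP` lists the loaded policies, which is where to confirm that the protected path depends on the SPD and not on a parallel IPIP tunnel.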
