The FreeBSD Diary

Providing practical examples since 1998

Article Feedback - IPsec
 no IP tunnels required
Author: Lars Eggert 
Date:   09-04-02 22:18

Lars: Would you like to post your notes below as comments to the article?
At http://www.freebsddiary.org/ipsec.php, click on "Post" just to the
right of the article title and just below the date.

cheers

On 9 Apr 2002 at 10:14, Lars Eggert wrote:


> Hi,
>
> please note that your IPsec how-to at
> http://www.freebsddiary.org/ipsec.php or
> http://rr.sans.org/firewall/IPSec_VPN.php instructs people to set up
> IPIP tunnels in parallel to IPsec tunnel mode SAs.
>
> This is NOT required. In fact, with this approach you are setting up two
> tunnels between a node pair (one secure, one insecure). It "works"
> because the kernel will hijack packets forwarded over the insecure IP
> tunnel and push them over the secure IPsec SA. This depends on a
> specific interaction of side effects in the kernel and has all kinds of
> interesting failure modes.
>
> It also confuses people into thinking that IPIP tunnels (gif interfaces)
> and IPsec tunnel mode are related, or even dependent on one another,
> when in reality they are completely separate concepts.
>
> Please see the KAME newsletters (http://www.kame.net/newsletter/) for
> correct configuration of IPSec tunnel mode.
>
> Lars
>
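
A tunnel-mode setup of the kind the message above describes, with no gif interface involved, as an added example that is not taken from the post, the article, or the KAME newsletters. All addresses are constructed, and the SAs are assumed to be negotiated by an IKE daemon such as racoon, so only the security policies are shown.

```conf
# /etc/ipsec.conf on gateway A, loaded with: setkey -f /etc/ipsec.conf
# Constructed addresses (assumptions, not from the post):
#   gateway A: outer 192.0.2.1,    inner net 10.0.1.0/24
#   gateway B: outer 198.51.100.1, inner net 10.0.2.0/24
# No gif(4) interface is created or configured anywhere in this setup.

flush;      # clear existing SAs
spdflush;   # clear existing security policies

# Outbound: traffic from A's inner net to B's inner net must be
# ESP tunnel-mode encapsulated between the two outer addresses.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require;

# Inbound: the mirror policy; note the reversed endpoint order.
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require;
```

Gateway B loads the same two policies with `in` and `out` swapped. Because the level is `require`, matching traffic is dropped when no SA exists, so there is no second, unprotected path between the gateways.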
