Author: Lars Eggert
Date: 09-04-02 22:18
Lars: Would you like to post your notes below as comments to the article?
At http://www.freebsddiary.org/ipsec.php, click on "Post" just right the
right of the article title and just below the date.
On 9 Apr 2002 at 10:14, Lars Eggert wrote:
> please note that your IPsec how-to at
> http://www.freebsddiary.org/ipsec.php or
> http://rr.sans.org/firewall/IPSec_VPN.php instructs people to set up
> IPIP tunnels in parallel to IPsec tunnel mode SAs.
> This is NOT required. In fact, with this approach you are setting up two
> tunnels between a node pair (one secure, one insecure). It "works"
> because the kernel will hijack packets forwarded over the insecure IP
> tunnel and push them over the secure IPsec SA. This depends on a
> specific interaction of side effects in the kernel and has all kinds of
> interesting failure modes.
> It also confuses people into thinking that IPIP tunnels (gif interfaces)
> and IPsec tunnel mode are related, or even dependent on one another,
> when in reality they are completely separate concepts.
> Please see the KAME newsletters (http://www.kame.net/newsletter/) for
> correct configuration of IPSec tunnel mode.