Julian Elischer wrote:
> Assign the required address to the netgraph interface and then
> use the IP-over-UDP example in the netgraph examples.

Good idea. IP-over-UDP has advantages when it comes to firewall- and NAT-traversal. IP-over-IP has the advantage that it looks like IPsec tunnel mode on the wire and to the receiver, so it can interoperate.

> On Mon, 8 Apr 2002, Lars Eggert wrote:
>
>> Rogier R. Mulhuijzen wrote:
>>
>> > http://www.x-itec.de/projects/tuts/ipsec-howto.txt
>> >
>> > Unfortunately this howto, like any other mention of IPsec &
>> > tunneling on the net uses the gif interface. Which is IPoverIP, and
>> > this does not seem to match with IPsec tunnel devices.
>>
>> There are no IPsec tunnel devices in KAME. IPsec defines "security
>> associations" (SAs), which are not represented as devices in the routing
>> table in KAME. Thus, you can't use routes to direct traffic into these
>> tunnel mode SAs, you need to set up your security policies with the
>> correct selectors (think firewall-like matching).
>>
>> *Many* tutorials on the net do not understand this distinction, and
>> tell you to set up an IPIP tunnel (using a gif) and an IPsec tunnel
>> mode SA in parallel. This is a bad hack, since you (ab)use a side effect
>> of creating an IPIP tunnel device (it can be used for route entries) to
>> redirect traffic into your (separate) tunnel mode SA. Very roughly, you
>> set up the IPIP tunnel, then yank out the packets destined for it during
>> outbound processing and force them over an IPsec tunnel mode SA.
>>
>> Use EITHER IPsec tunnel mode alone OR IPIP tunnels and IP transport
>> mode (draft-touch-ipsec-vpn). Mixing both can work in some scenarios
>> where the dependencies between side effects are just right, but in
>> general, it's a broken approach.
>>
>> Lars
>> --
>> Lars Eggert <[EMAIL PROTECTED]>           Information Sciences Institute
>> http://www.isi.edu/larse/              University of Southern California
>

--
Lars Eggert <[EMAIL PROTECTED]>           Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California
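The two non-mixed alternatives from the quoted message, written out as KAME setkey(8) policy (an added example, not part of the thread or of any KAME/FreeBSD documentation): option A selects traffic into a tunnel mode SA purely by SPD selectors, with no gif and no route; option B routes via a gif IPIP tunnel and protects the encapsulated packets with a transport mode SA between the gateways. Gateway addresses 192.0.2.1/198.51.100.1, the inner networks 10.0.1.0/24 and 10.0.2.0/24, and the gif endpoint addresses are constructed; the script only prints the configuration unless APPLY=1 and setkey is present.

```sh
#!/bin/sh
# Constructed addresses: local gateway, remote gateway, inner networks.
LOCAL_GW=192.0.2.1; REMOTE_GW=198.51.100.1
LOCAL_NET=10.0.1.0/24; REMOTE_NET=10.0.2.0/24

# Option A: IPsec tunnel mode alone. No interface and no route entry;
# the SPD selectors (src, dst, upper-layer proto) decide what enters the SA.
tunnel_mode_spd() {
  cat <<EOF
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in  ipsec esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
EOF
}

# Option B: gif IPIP tunnel plus a transport mode SA between the gateway
# addresses (draft-touch-ipsec-vpn). Routes steer traffic into gif0; the
# SPD matches the already-encapsulated packets by upper-layer proto "ip4".
gif_setup() {
  cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $LOCAL_GW $REMOTE_GW
ifconfig gif0 inet 10.0.1.1 10.0.2.1 netmask 255.255.255.255
route add -net $REMOTE_NET 10.0.2.1
EOF
}
transport_mode_spd() {
  cat <<EOF
spdadd $LOCAL_GW $REMOTE_GW ip4 -P out ipsec esp/transport//require;
spdadd $REMOTE_GW $LOCAL_GW ip4 -P in  ipsec esp/transport//require;
EOF
}

# Feed policy to setkey -c only when explicitly asked; otherwise print it.
sink() {
  if [ "${APPLY:-0}" = 1 ] && command -v setkey >/dev/null 2>&1; then setkey -c; else cat; fi
}

# apply_policy A|B: flush the SPD and load exactly one option, never both.
apply_policy() {
  case "$1" in
    A) policy=$(tunnel_mode_spd) ;;
    B) policy=$(transport_mode_spd) ;;
    *) echo "usage: apply_policy A|B" >&2; return 2 ;;
  esac
  printf 'spdflush;\n%s\n' "$policy" | sink
}
```

For option B the gif_setup commands must be run before the transport-mode policy is loaded, since the SPD entries match only the encapsulated packets that gif0 emits.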