On 4/2/2003 7:58 AM, Eric Masson wrote:
"Lars" == Lars Eggert <[EMAIL PROTECTED]> writes:
Lars> Alternatively (and already working), you can replace IPsec tunnel
Lars> mode with IPIP (gif) tunnels and transport mode, and then use the
Lars> gif device in your firewall rules.
If transport mode can be used to connect to a pix, it's a solution to consider, but atm, I've found no reference to such a setup on the pix.
What's a pix? But chances are, you will need to control both endpoints for my suggestion to work.
[snip]
I've tried gif tunnels with IPsec tunnel mode and didn't get reproducible results; this setup worked once with the following gif setup:
Next time, after a reboot (kernel switch), no packets were flowing through the gif tunnel.
Yes, combining tunnel mode and IPIP tunnels is not a good idea. Basically, that approach creates two parallel virtual topologies, one out of IPIP tunnels, and one out of IPsec tunnel mode SAs. People often do this because they want to route traffic into an IPsec tunnel, and SAs themselves don't have route entries, since they aren't devices. When using IPIP tunnels with tunnel mode, they abuse the route created by the gif device for routing, but packets will be hijacked by the tunnel mode SA, so they never actually enter gif processing (IPsec does the IPIP encapsulation internally.)
Using IPIP tunnels with transport mode is valid, since packets will actually flow through the gif device, and get IPsec'ed after they are IPIP encapsulated. (In multihop topologies, they'll then need to be IPIP encapsulated again - the virtual network needs both virtual link and network layers.)
Lars

-- 
Lars Eggert <[EMAIL PROTECTED]>
USC Information Sciences Institute
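The gif-plus-transport-mode layout described in the reply above, as an added example (not configuration posted by either participant): a POSIX sh script that emits the FreeBSD ifconfig(8) commands for the gif device and the setkey(8) SPD entries that protect the IPIP (`ipencap`) packets between the two outer addresses with ESP in transport mode, plus a check that flags the parallel-topology mistake (a tunnel-mode policy whose outer endpoints coincide with the gif tunnel's endpoints). All addresses are constructed placeholders from the documentation ranges; the script only prints configuration, it does not apply it.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates a gif (IPIP) tunnel
# plus IPsec transport-mode policy for FreeBSD and checks a policy text for
# the tunnel-mode + gif mixture that hijacks packets before gif sees them.

LOCAL_OUTER="192.0.2.1"        # constructed: this gateway's public address
REMOTE_OUTER="198.51.100.1"    # constructed: peer gateway's public address
LOCAL_INNER="10.0.0.1"         # constructed: gif tunnel endpoint addresses
REMOTE_INNER="10.0.0.2"
REMOTE_NET="10.1.0.0/16"       # constructed: network behind the peer

# ifconfig commands that build the gif device and route the remote network
# into it. Because the SPD entries below are transport mode, packets really
# do pass through gif0, so gif0 can be named in firewall rules.
gif_config() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$LOCAL_OUTER" "$REMOTE_OUTER"
    printf 'ifconfig gif0 inet %s %s netmask 255.255.255.255\n' \
        "$LOCAL_INNER" "$REMOTE_INNER"
    printf 'route add -net %s %s\n' "$REMOTE_NET" "$REMOTE_INNER"
}

# setkey(8) SPD entries: the IPIP packets (upper-layer protocol "ipencap")
# between the outer addresses get ESP in transport mode, in both directions.
# No inner selector is needed; gif has already done the encapsulation.
transport_policy() {
    printf 'spdadd %s %s ipencap -P out ipsec esp/transport//require;\n' \
        "$LOCAL_OUTER" "$REMOTE_OUTER"
    printf 'spdadd %s %s ipencap -P in ipsec esp/transport//require;\n' \
        "$REMOTE_OUTER" "$LOCAL_OUTER"
}

# Check a policy text for the mistake discussed above: a tunnel-mode SA whose
# outer endpoints are the gif tunnel's endpoints captures the traffic first,
# so the gif route is used but gif0 never processes a packet.
# Prints "conflict" if such an entry is present, otherwise "ok".
check_policy() {
    policy_text="$1"
    if printf '%s\n' "$policy_text" | \
        grep -qF "esp/tunnel/${LOCAL_OUTER}-${REMOTE_OUTER}/"; then
        echo conflict
    else
        echo ok
    fi
}

# When run directly: print the configuration and verify the policy is clean.
gif_config
transport_policy
check_policy "$(transport_policy)"
```

The check is deliberately narrow: it only looks for a tunnel-mode entry between the same two outer addresses that gif uses, which is exactly the case where the tunnel-mode SA and the gif route compete for the same packets. Transport-mode entries, or tunnel-mode entries to other peers, are left alone.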