On Tue, 25 Feb 2020, Michael Richardson wrote:

Yoav Nir <ynir.i...@gmail.com> wrote:
   > The profile specifies that the ACP nodes should use tunnel mode (when
   > GRE is not used), because: IPsec tunnel mode is required because the
   > ACP will route/forward packets received from any other ACP node across
   > the ACP secure channels, and not only its own generated ACP packets.

It's a VTI-type interface.
The TS should be for hostA<->hostB with protocol GRE.

Only if you want to create a routing based VPN. If you do a GRE tunnel,
then you should really stick to transport mode plus GRE traffic
selectors (assuming no NAT - if NAT is involved, transport mode should
be avoided). If you do a non-GRE tunnel, then tunnel mode makes sense if
you still expect traffic from other ACP nodes that need to go through the
tunnel.

It could be in tunnel or transport mode.

If using GRE, there is likely no need for tunnel mode.

   > If I understand the above paragraph correctly, both the source of the
   > packet and the destination can be the IP address of any ACP node,
   > neither of which are required to be the tunnel endpoints.  This implies
   > some sort of generic traffic selector.  The draft should specify this,
   > IMO

The GRE layer and the routing protocol would take care of the ::/0<->::/0
needs, not IPsec.

Building 0/0 to 0/0 IPsec tunnels based on routing is the least secure
option you can use. So I agree here that in the GRE case, one should not
build 0/0 to 0/0 IPsec policy tunnels.

Paul
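The two policy shapes discussed in this thread, as an added illustration that is not part of the original mail or of any IPsec implementation: a narrow "hostA<->hostB, protocol GRE" traffic selector in transport mode versus a "::/0 <-> ::/0, any protocol" selector in tunnel mode. The matcher below is a simplified model of IKEv2 traffic selectors (one prefix per side plus a single protocol, rather than address/port ranges), and the ACP node addresses fd00::a, fd00::b, fd00::c and fd00::d are constructed for the example. It shows why the GRE case needs no 0/0 policy: a packet from a third ACP node still fits the narrow selector once GRE has wrapped it in an A->B outer header, while the 0/0 policy also accepts traffic between addresses that have nothing to do with the ACP at all.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network, ip_address, ip_network
from typing import List, Optional

GRE = 47      # IP protocol number for GRE (RFC 2784)
ICMPV6 = 58   # used as a stand-in for "ordinary ACP payload"


@dataclass(frozen=True)
class TrafficSelector:
    """Simplified IKEv2 traffic selector: src prefix, dst prefix, protocol (None = any)."""
    src: IPv6Network
    dst: IPv6Network
    proto: Optional[int]

    def matches(self, src: IPv6Address, dst: IPv6Address, proto: int) -> bool:
        return (src in self.src and dst in self.dst
                and (self.proto is None or self.proto == proto))


@dataclass(frozen=True)
class Policy:
    name: str
    mode: str                 # "transport" or "tunnel"
    selector: TrafficSelector


@dataclass(frozen=True)
class Packet:
    src: IPv6Address
    dst: IPv6Address
    proto: int
    inner: Optional["Packet"] = None   # set when this packet is a GRE outer header


def gre_encapsulate(inner: Packet, tunnel_src: IPv6Address, tunnel_dst: IPv6Address) -> Packet:
    """What the GRE layer does before IPsec sees the packet: new outer header, proto 47."""
    return Packet(tunnel_src, tunnel_dst, GRE, inner)


def spd_lookup(spd: List[Policy], pkt: Packet) -> Optional[str]:
    """First-match SPD lookup on the outer header; returns the policy name or None."""
    for pol in spd:
        if pol.selector.matches(pkt.src, pkt.dst, pkt.proto):
            return pol.name
    return None


# Constructed ACP node addresses (ULA space, as the ACP uses).
A = ip_address("fd00::a")   # local ACP node, one end of the secure channel
B = ip_address("fd00::b")   # peer ACP node, the other end
C = ip_address("fd00::c")   # some other ACP node whose traffic A forwards
D = ip_address("fd00::d")

# Policy shape 1: transport mode, selector limited to GRE between the two endpoints.
GRE_TRANSPORT = Policy(
    "gre-transport", "transport",
    TrafficSelector(ip_network("fd00::a/128"), ip_network("fd00::b/128"), GRE))

# Policy shape 2: tunnel mode, ::/0 <-> ::/0, any protocol (the "routing based" VPN).
TUNNEL_ANY = Policy(
    "tunnel-0/0", "tunnel",
    TrafficSelector(ip_network("::/0"), ip_network("::/0"), None))


def forwarded_over_gre() -> Optional[str]:
    """ACP packet C->D forwarded by A: after GRE it is A->B proto 47 and fits the narrow TS."""
    acp_pkt = Packet(C, D, ICMPV6)
    return spd_lookup([GRE_TRANSPORT], gre_encapsulate(acp_pkt, A, B))


def forwarded_without_gre(spd: List[Policy]) -> Optional[str]:
    """Same C->D packet with no GRE layer: only a broad tunnel-mode selector can carry it."""
    return spd_lookup(spd, Packet(C, D, ICMPV6))


def unrelated_traffic(spd: List[Policy]) -> Optional[str]:
    """Traffic between non-ACP addresses; a 0/0 policy accepts it, the GRE policy does not."""
    return spd_lookup(spd, Packet(ip_address("2001:db8::1"), ip_address("2001:db8::2"), 6))


if __name__ == "__main__":
    print("GRE-encapsulated forwarded packet ->", forwarded_over_gre())
    print("Forwarded packet, narrow policy ->", forwarded_without_gre([GRE_TRANSPORT]))
    print("Forwarded packet, 0/0 policy ->", forwarded_without_gre([TUNNEL_ANY]))
    print("Unrelated packet, narrow policy ->", unrelated_traffic([GRE_TRANSPORT]))
    print("Unrelated packet, 0/0 policy ->", unrelated_traffic([TUNNEL_ANY]))
```

The asymmetry in the last two cases is the point of the thread: with GRE doing the inner ::/0 <-> ::/0 addressing, IPsec only has to authorize protocol 47 between the two endpoints, and any packet that is not GRE from A to B simply has no matching policy. The 0/0 tunnel-mode policy reaches the same forwarding outcome, but every packet the routing table points at the tunnel, ACP or not, is covered by it.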

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec