On Sat, 2022-02-12 at 13:24 -0700, Grant Taylor via NANOG wrote:
> On 2/11/22 12:35 PM, William Herrin wrote:
> > The thing to understand is that IPSec has two modes: transport and
> > tunnel. Transport is between exactly two IP addresses while tunnel
> > expects a broader network to exist on at least one end.
>
> That is (syntactically) correct. However, it is possible to NAT many
> LAN IPs (say RFC 1918) to one single Internet IP (say from a SOHO ISP)
> and use IPSec /Transport/ Mode to a single remote IP. The IPSec sees
> exactly two IPs.
>
> > "Tunnel" mode is what everyone actually uses
>
> I may be enough of an outlier that I'm a statistical anomaly. But
> I'm using IPSec /Transport/ Mode between my home router and my VPSs.
> I have a tiny full mesh of IPSec /Transport/ Mode connections.

+1 on *cough* enterprise networks.

> Using the aforementioned many-to-one NAT, my home LAN systems access
> the single globally routed IP of each of my VPSs without any problem.

+1

> Aside: I did have to tweak MTU for LAN traffic going out to the VPS
> IPs.

+1

> So -1 for '"Tunnel" mode is what everyone actually uses', and +1 for
> /Transport/ Mode

+1
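The MTU tweak mentioned in the quoted message comes from ESP framing overhead, and the size of that overhead is exactly where transport and tunnel mode differ. The following calculator is an added example, not code from anyone in this thread; the suite sizes are constructed from the standard ESP/AES-GCM/NAT-T layouts, and the 1500-byte link MTU is an assumed typical WAN value.

```python
"""Size an IPsec link: how much ESP framing shrinks the usable MTU.
Constants follow RFC 4303 (ESP), RFC 4106 (AES-GCM) and RFC 3948 (NAT-T)."""
from dataclasses import dataclass

IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8      # NAT-T UDP encapsulation
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad length + next header

@dataclass(frozen=True)
class EspSuite:
    """Per-packet framing costs of one ESP cipher suite."""
    name: str
    iv_len: int   # explicit IV after the ESP header
    align: int    # plaintext + padding + trailer must be a multiple of this
    icv_len: int  # integrity check value appended after the trailer

# Constructed suite entries; the sizes are the standard ones for these algorithms.
AES128_GCM16 = EspSuite("aes128gcm16", iv_len=8, align=4, icv_len=16)
AES128_CBC_SHA256 = EspSuite("aes128-sha256", iv_len=16, align=16, icv_len=16)

def esp_packet_len(plain_ip_len, suite, nat_t=False, tunnel=False):
    """Wire length of the ESP packet carrying one plaintext IPv4 packet.
    Transport mode encrypts only the L4 payload and keeps the original IP header;
    tunnel mode encrypts the whole packet and prepends a new outer IP header."""
    protected = plain_ip_len if tunnel else plain_ip_len - IPV4_HDR
    pad = (-(protected + ESP_TRAILER)) % suite.align
    esp = ESP_HDR + suite.iv_len + protected + pad + ESP_TRAILER + suite.icv_len
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + esp

def lan_mtu(link_mtu, suite, nat_t=False, tunnel=False):
    """Largest plaintext IPv4 packet that still fits link_mtu after ESP."""
    size = link_mtu
    while size > IPV4_HDR and esp_packet_len(size, suite, nat_t, tunnel) > link_mtu:
        size -= 1
    return size

def tcp_mss_clamp(link_mtu, suite, nat_t=False, tunnel=False):
    """TCP MSS to clamp on the LAN side (IPv4, no IP/TCP options)."""
    return lan_mtu(link_mtu, suite, nat_t, tunnel) - IPV4_HDR - TCP_HDR

if __name__ == "__main__":
    for tunnel in (False, True):
        mode = "tunnel" if tunnel else "transport"
        print(mode, "LAN MTU", lan_mtu(1500, AES128_GCM16, tunnel=tunnel),
              "TCP MSS", tcp_mss_clamp(1500, AES128_GCM16, tunnel=tunnel))
```

On a 1500-byte link with AES-GCM, transport mode leaves a 1466-byte LAN MTU (MSS 1426) while tunnel mode leaves 1446 (MSS 1406); NAT-T encapsulation costs a further 8 bytes in either mode.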