http://www.freebsd.org/doc/handbook/ipsec.html

Dmitry Andrianov dimas at dataart.com
Wed Apr 19 15:55:57 UTC 2006


Hello,

After setting up an ipsec tunnel according to
http://www.freebsd.org/doc/handbook/ipsec.html I have a question:


Why do you suggest using IPSEC tunnel mode when packets are already wrapped
in the IP-to-IP protocol (ipencap) and are in fact already "tunneled"? This only
adds another unneeded header to the packet; the picture in the article
clearly shows this: the src/dest IPs for both outer headers are the same.
Another issue with tunnel mode is that it is impossible to watch traffic on
gifX interfaces with tcpdump
(http://docs.freebsd.org/cgi/getmsg.cgi?fetch=236856+0+archive/2001/freebsd-net/20010506.freebsd-net).


Both of these problems are solved by using the "transport" keyword instead of
"tunnel". Since the traffic is already encapsulated in ipencap, we
clearly have point-to-point traffic and transport mode works just fine.


(Tested)


Regards,

Dmitry Andrianov
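The two policies being compared above, side by side, as an added example that is not part of the original post or of the FreeBSD Handbook. It emits the setkey(8) SPD entries for a gif(4) tunnel between two gateways, once in the Handbook's tunnel mode and once in transport mode, and can bring the tunnel up when told to. The gateway addresses 192.0.2.1 / 198.51.100.1 and the gif addresses 10.0.0.1 / 10.0.0.2 are made-up placeholders; the function names spd_tunnel, spd_transport, policy_file and apply are mine.

```shell
#!/bin/sh
# Added example (not from the original post or the Handbook): setkey(8)
# policy for a gif(4) tunnel, in tunnel mode and in transport mode.
# Addresses are assumed placeholders; substitute your own.
set -eu

OUTER_A=192.0.2.1        # assumed: public address of gateway A
OUTER_B=198.51.100.1     # assumed: public address of gateway B
INNER_A=10.0.0.1         # assumed: gif0 address on A
INNER_B=10.0.0.2         # assumed: gif0 address on B

# Handbook-style tunnel-mode policy: ESP wraps the ipencap packet in a
# second outer IP header whose src/dst equal the ipencap header's own.
spd_tunnel() {
    printf 'spdadd %s/32 %s/32 ipencap -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$OUTER_A" "$OUTER_B" "$OUTER_A" "$OUTER_B"
    printf 'spdadd %s/32 %s/32 ipencap -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$OUTER_B" "$OUTER_A" "$OUTER_B" "$OUTER_A"
}

# Transport-mode policy: the selector still matches only ipencap
# (IP protocol 4) between the two gif endpoints, but ESP protects the
# existing packet instead of adding another IP header.  The empty
# src-dst field between the slashes is what setkey expects here.
spd_transport() {
    printf 'spdadd %s %s ipencap -P out ipsec esp/transport//require;\n' \
        "$OUTER_A" "$OUTER_B"
    printf 'spdadd %s %s ipencap -P in ipsec esp/transport//require;\n' \
        "$OUTER_B" "$OUTER_A"
}

# Complete policy file for gateway A (gateway B swaps A and B).
policy_file() {
    echo 'flush;'
    echo 'spdflush;'
    spd_transport
}

# Create the gif tunnel and load the policy.  Needs root on FreeBSD, so
# it only runs when invoked as "sh thisscript apply".
apply() {
    ifconfig gif0 create
    ifconfig gif0 tunnel "$OUTER_A" "$OUTER_B"
    ifconfig gif0 inet "$INNER_A" "$INNER_B" netmask 255.255.255.252
    policy_file | setkey -c
}

if [ "${1:-}" = apply ]; then
    apply
else
    echo '# tunnel mode (Handbook):'; spd_tunnel
    echo '# transport mode:';         spd_transport
fi
```

The policy only selects the SPD side; the SAs still come from racoon (whose phase 2 must then negotiate transport mode) or from manual `add` lines in setkey, which need `-m transport` to match. Since the selector is `ipencap`, only traffic that is routed through gif0 is protected in either variant; packets sent directly between the outer addresses by some other protocol are not covered by these rules.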
