options FAST_IPSEC & tunnels
Lars Eggert
larse at ISI.EDU
Wed Apr 2 08:21:10 PST 2003
Eric,
On 4/2/2003 7:58 AM, Eric Masson wrote:
> >>>>> "Lars" == Lars Eggert <larse at ISI.EDU> writes:
>
> Lars> Alternatively (and already working), you can replace IPsec tunnel
> Lars> mode with IPIP (gif) tunnels and transport mode, and then use the
> Lars> gif device in your firewall rules.
>
> If transport mode can be used to connect to a pix, it's a solution to
> consider, but atm, I've found no reference to such a setup on the pix.
What's a pix? But chances are, you will need to control both endpoints
for my suggestion to work.
> I've tried gif tunnels with ipsec tunnel mode and didn't get
> reproducible results, this setup worked once with the following gif
> setup :
[snip]
> Next time, after a reboot (kernel switch) no packets were flowing thru
> the gif tunnel.
Yes, combining tunnel mode and IPIP tunnels is not a good idea.
Basically, that approach creates two parallel virtual topologies, one
out of IPIP tunnels, and one out of IPsec tunnel mode SAs. People often
do this, because they want to route traffic into an IPsec tunnel, and
the SA itself doesn't have a route entry, since they aren't devices.
When using IPIP tunnels with tunnel mode, they abuse the route created
by the gif device for routing, but packets will be hijacked by the
tunnel mode SA, so they never actually enter gif processing (IPsec does
the IPIP encapsulation internally.)
Using IPIP tunnels with transport mode is valid, since packets will
actually flow through the gif device, and get IPsec'ed after they are
IPIP encapsulated. (In multihop topologies, they'll then need to be IPIP
encapsulated again - the virtual network needs both virtual link and
network layers.)
Lars
--
Lars Eggert <larse at isi.edu> USC Information Sciences Institute
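Added example, not part of the original message or of the FreeBSD sources: a dry-run script that lays out the working combination Lars describes (gif/IPIP link plus IPsec in transport mode on the outer IP-in-IP packets, with firewall rules keyed on gif0) next to the tunnel-mode policy that short-circuits gif. All addresses, the LAN prefixes, the interface name gif0 and the ipfw rule numbers are constructed for illustration; the peer needs the mirror-image configuration, and SAs (manual setkey add lines or IKE) are assumed to exist and are not shown.

```shell
#!/bin/sh
# Added example (not from the post): gif (IPIP) tunnel protected by IPsec
# transport mode. Addresses, interface name and rule numbers are constructed.
#
# Constructed topology (the peer gets the mirror image):
#   local : outer 192.0.2.1,    gif0 inner 10.0.0.1, LAN 10.10.0.0/24
#   remote: outer 198.51.100.1, gif0 inner 10.0.0.2, LAN 10.20.0.0/24

LOCAL_OUTER=192.0.2.1
REMOTE_OUTER=198.51.100.1
LOCAL_INNER=10.0.0.1
REMOTE_INNER=10.0.0.2
LOCAL_LAN=10.10.0.0/24
REMOTE_LAN=10.20.0.0/24

# Virtual link layer: the gif device. Traffic for REMOTE_LAN is routed to the
# peer's inner address, enters gif0 and leaves IPIP-encapsulated (IP protocol
# 4) between the two outer addresses.
gif_commands() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$LOCAL_OUTER" "$REMOTE_OUTER"
    printf 'ifconfig gif0 inet %s %s up\n' "$LOCAL_INNER" "$REMOTE_INNER"
    printf 'route add -net %s %s\n' "$REMOTE_LAN" "$REMOTE_INNER"
}

# Working case: setkey(8) SPD entries in transport mode matching the *outer*
# IPIP packets (upper-layer protocol ip4). The packet has already been through
# gif0 by the time IPsec sees it, so rules on the gif interface apply.
spd_policy() {
    cat <<EOF
spdadd $LOCAL_OUTER/32 $REMOTE_OUTER/32 ip4 -P out ipsec esp/transport//require;
spdadd $REMOTE_OUTER/32 $LOCAL_OUTER/32 ip4 -P in ipsec esp/transport//require;
EOF
}

# Broken case (the two parallel topologies): a tunnel-mode policy on the inner
# prefixes. The SA grabs the packet before it reaches gif0 and does its own
# IPIP encapsulation, so gif0 carries nothing and gif-based rules never match.
spd_policy_wrong() {
    cat <<EOF
spdadd $LOCAL_LAN $REMOTE_LAN any -P out ipsec esp/tunnel/$LOCAL_OUTER-$REMOTE_OUTER/require;
spdadd $REMOTE_LAN $LOCAL_LAN any -P in ipsec esp/tunnel/$REMOTE_OUTER-$LOCAL_OUTER/require;
EOF
}

# With the working setup, firewall rules can be written against gif0.
fw_rules() {
    printf 'ipfw add 1000 allow ip from %s to %s via gif0\n' "$REMOTE_LAN" "$LOCAL_LAN"
    printf 'ipfw add 1010 allow ip from %s to %s via gif0\n' "$LOCAL_LAN" "$REMOTE_LAN"
    printf 'ipfw add 1020 deny ip from any to any via gif0\n'
}

# Dry run by default (prints what would be done); APPLY=1 runs it as root
# on a FreeBSD host with IPsec and gif in the kernel.
if [ "${APPLY:-0}" = 1 ]; then
    gif_commands | sh
    spd_policy | setkey -c
    fw_rules | sh
else
    gif_commands
    printf '\n# setkey -c <<EOF\n'; spd_policy; printf '# EOF\n\n'
    fw_rules
fi
```

Run it without APPLY to see the three pieces; spd_policy_wrong is there only to show what the mailing-list post warns against and is never applied. The policy's selector is the outer pair plus protocol ip4, not the inner prefixes, which is what lets the packet traverse gif0 first and then get protected.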