Rogier R. Mulhuijzen wrote:
>> http://www.x-itec.de/projects/tuts/ipsec-howto.txt
>
> Unfortunately this howto, like any other mention of IPsec &
> tunneling on the net uses the gif interface. Which is IPoverIP, and
> this does not seem to match with IPsec tunnel devices.
There are no IPsec tunnel devices in KAME. IPsec defines "security associations" (SAs), which are not represented as devices in the routing table in KAME. Thus, you can't use routes to direct traffic into these tunnel mode SAs, you need to set up your security policies with the correct selectors (think firewall-like matching).

*Many* tutorials on the net do not understand this distinction, and tell you to set up an IPIP tunnel (using a gif) and an IPsec tunnel mode SA in parallel. This is a bad hack, since you (ab)use a side effect of creating an IPIP tunnel device (it can be used for route entries) to redirect traffic into your (separate) tunnel mode SA. Very roughly, you set up the IPIP tunnel, then yank out the packets destined for it during outbound processing and force them over an IPsec tunnel mode SA.

Use EITHER IPsec tunnel mode alone OR IPIP tunnels and IP transport mode (draft-touch-ipsec-vpn). Mixing both can work in some scenarios where the dependencies between side effects are just right, but in general, it's a broken approach.

Lars

--
Lars Eggert <[EMAIL PROTECTED]>           Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California
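The two approaches Lars contrasts, written out as KAME `setkey` security policy entries. This is an added example, not part of the original mail or of the KAME project's own documentation. All addresses are placeholders: gateway A is 192.0.2.1 in front of 10.0.1.0/24, gateway B is 198.51.100.1 in front of 10.0.2.0/24, and the file is shown as loaded on gateway A (gateway B mirrors the in/out directions). The SAs themselves (SPIs and keys) come from IKE (racoon) or a manual `add` line and are not shown.

```conf
# Added example (not from the original post). Placeholder addresses:
#   gateway A = 192.0.2.1  fronting 10.0.1.0/24
#   gateway B = 198.51.100.1 fronting 10.0.2.0/24
# Load on gateway A with:  setkey -f <this file>
# Pick ONE of the two options below; never both for the same traffic.

# --- Option 1: IPsec tunnel mode alone (no gif, no route entries).
# The SPD selectors (src prefix, dst prefix, upper-layer protocol) decide
# which packets are encapsulated into the tunnel-mode SA between the
# gateways. "require" means: if no matching SA exists, the packet is
# dropped rather than sent in the clear (KAME also signals IKE to set one up).
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require;

# --- Option 2: gif (IPIP) tunnel + transport mode (draft-touch-ipsec-vpn).
# Here the gif interface owns the routing (e.g. a route for 10.0.2.0/24 via
# gif0 on gateway A), and IPsec only protects the already-encapsulated
# packets between the two gateway addresses. The selector is therefore the
# OUTER header: gateway-to-gateway, upper-layer protocol 4 (IP-in-IP).
spdadd 192.0.2.1 198.51.100.1 4 -P out ipsec
    esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 4 -P in ipsec
    esp/transport//require;
```

The difference is visible in the selectors: option 1 matches on the inner (private) prefixes and lets IPsec do the encapsulation, while option 2 matches on the outer gateway addresses and protocol 4 and leaves encapsulation to the gif. The "mixed" setup the mail warns against is a gif route combined with option 1's tunnel-mode policy; because "require" drops packets that no SA covers, a misconfiguration of either option shows up as traffic that never leaves the gateway rather than as traffic leaving unprotected, which is the failure mode you want.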