Mike Sullenberger writes:
> We use other tunnel mechanisms (GRE), because IPsec tunneling mode
> is lacking in functionality. For example, when you use GRE for the
> tunneling you also reduce the IPsec SAs that are needed to "describe"
> the traffic for IPsec to encrypt. If you use IPsec tunnel mode only
> then for each pairing of subnets behind each peer you need a separate
> IPsec SA. For example if there are 5 subnets each behind two peers
> then you need up to 25 SA pairs to describe exactly what needs to be
> encrypted and nothing more. If you tunnel the data traffic first then
> you only need 1 SA pair for all traffic, since IPsec encrypts the
> tunnel itself and not the traffic within the tunnel.

Not true. You can have one IPsec SA which has all subnets at both
ends. There is no need to use multiple IPsec SAs in your example case.
Multiple SAs are only needed if the IPsec version which was obsoleted in
year 2005 is used.

> What you call other fancy features is what I call functional separation.
> IPsec does encryption well, but in reality it does a fairly poor job of
> tunneling. So let's have IPsec do what it does well and have GRE do what
> it does well and that is tunneling.

So you still didn't explain what GRE does better than modern IPsec
tunneling?
-- 
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
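The disagreement above is about how many Child SAs it takes to cover traffic between several subnets. The following is an added example (not code from either poster) that models the two approaches: one SA per subnet pair, each carrying a single address-range selector, versus one SA whose selector lists carry every subnet, the way IKEv2 TSi/TSr payloads allow. The subnets, SPIs and packets are constructed for illustration; the lookup is a simplified SPD match, not a real IPsec implementation.

```python
"""Model of IPsec traffic selection with one SA per subnet pair versus
one SA carrying several traffic selectors.  Added example; all
subnets, SPI values and packets below are constructed, not from the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Five subnets behind each peer, the case discussed in the thread (constructed values).
LOCAL_SUBNETS = ["10.1.%d.0/24" % i for i in range(1, 6)]
REMOTE_SUBNETS = ["10.2.%d.0/24" % i for i in range(1, 6)]

Packet = Tuple[int, IPv4Address, int, IPv4Address, int]  # proto, src, sport, dst, dport


@dataclass(frozen=True)
class TrafficSelector:
    """A selector in the IKEv2 style: protocol plus address range plus port range."""
    proto: int                    # 0 means any protocol
    start_addr: IPv4Address
    end_addr: IPv4Address
    start_port: int = 0
    end_port: int = 65535

    @classmethod
    def from_network(cls, net: str, proto: int = 0) -> "TrafficSelector":
        n = IPv4Network(net)
        return cls(proto, n.network_address, n.broadcast_address)

    def covers(self, proto: int, addr: IPv4Address, port: int) -> bool:
        return ((self.proto == 0 or self.proto == proto)
                and self.start_addr <= addr <= self.end_addr
                and self.start_port <= port <= self.end_port)


@dataclass
class ChildSA:
    spi: int
    ts_local: List[TrafficSelector]
    ts_remote: List[TrafficSelector]

    def selects(self, pkt: Packet) -> bool:
        """A packet matches if any local selector covers its source and any remote selector its destination."""
        proto, src, sport, dst, dport = pkt
        return (any(t.covers(proto, src, sport) for t in self.ts_local)
                and any(t.covers(proto, dst, dport) for t in self.ts_remote))


def build_single_selector_sas(local_nets: List[str], remote_nets: List[str]) -> List[ChildSA]:
    """One SA per (local, remote) subnet pair, each with a single selector on each side."""
    sas, spi = [], 0x1000  # hypothetical SPI base
    for ln in local_nets:
        for rn in remote_nets:
            sas.append(ChildSA(spi, [TrafficSelector.from_network(ln)],
                               [TrafficSelector.from_network(rn)]))
            spi += 1
    return sas


def build_multi_selector_sa(local_nets: List[str], remote_nets: List[str]) -> List[ChildSA]:
    """A single SA whose selector lists carry every subnet on each side."""
    return [ChildSA(0x2000,  # hypothetical SPI
                    [TrafficSelector.from_network(n) for n in local_nets],
                    [TrafficSelector.from_network(n) for n in remote_nets])]


def make_packet(proto: int, src: str, sport: int, dst: str, dport: int) -> Packet:
    return (proto, IPv4Address(src), sport, IPv4Address(dst), dport)


def lookup(sas: List[ChildSA], pkt: Packet) -> Optional[int]:
    """Return the SPI of the first SA whose selectors cover the packet, or None if no SA applies."""
    for sa in sas:
        if sa.selects(pkt):
            return sa.spi
    return None


if __name__ == "__main__":
    per_pair = build_single_selector_sas(LOCAL_SUBNETS, REMOTE_SUBNETS)
    single = build_multi_selector_sa(LOCAL_SUBNETS, REMOTE_SUBNETS)
    pkt = make_packet(6, "10.1.3.7", 40000, "10.2.5.9", 443)
    print(len(per_pair), "SAs with one selector each; matched SPI", hex(lookup(per_pair, pkt)))
    print(len(single), "SA with selector lists; matched SPI", hex(lookup(single, pkt)))
```

Running the block shows 25 SAs in the per-pair model and 1 in the selector-list model, with the same sample packet resolving to exactly one SA in each. A packet outside every configured subnet returns `None` from `lookup`, which is where a real SPD would apply its discard or bypass policy.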