Michael,
I have been running VPN tunnels between my Dachstein machines and
Ciscos for some time. It is no problem. Yes you should use tunnel mode.
Telling you otherwise only proves the person you are dealing with does not
understand what he/she is saying. Here is an explanation I pulled down for
you:
- - - - - - - - - - - - - - -
Also from my reading ("IPSec", ISBN 0-13-011898-2) transport mode is
host to host, whereas tunnel mode goes "through" the hosts (simple
but it's an important difference). That is in transport mode the data
payload is encrypted, AH/ESP is tacked on, etc and the packet is
simply sent to the other system. In tunnel mode the entire packet is
taken, encrypted, AH/ESP is tacked on, and that is loaded as the data
payload and bundled off to another system (think of someone being
clubbed on the head, shoved into a large sack, bundled into a van and
driven off). In some ways tunnel mode is "more secure" because the
attacker can't actually see the IP's/etc it's really for. If you want
a good book on IPSec I'd highly recommend this one, it covers the
protocol and theory really well.
- -Kurt Seifried
- - - - - - - - - - - - - - - - -
Best Regards,
Roger McClurg
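Kurt's description of the two modes, worked through as an added example (not code from the thread or from FreeS/WAN): it builds the byte layout of an ESP packet in transport mode and in tunnel mode, using the md5-hmac authentication transform from Michael's requirements with NULL encryption (RFC 2410) in place of 3DES, which the standard library lacks. The remote gateway address is the one in the thread; the local gateway address and the key are constructed placeholders.

```python
import hmac, hashlib, struct

# Remote gateway from the thread; local gateway is a placeholder
# (RFC 5737 documentation range), since the page does not give it.
REMOTE_GW = "204.235.103.2"
LOCAL_GW = "198.51.100.1"

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; enough for layout)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, 64, proto, 0, src_b, dst_b)

def esp_wrap(spi, seq, inner, next_header, auth_key):
    """ESP (RFC 2406): SPI, sequence, payload, padding, pad length,
    next header, then a 96-bit HMAC-MD5 ICV over everything before it.
    Encryption is NULL here, so the inner bytes stay readable."""
    pad_len = (-(len(inner) + 2)) % 4          # trailer ends on 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = struct.pack("!II", spi, seq) + inner + trailer
    icv = hmac.new(auth_key, body, hashlib.md5).digest()[:12]
    return body + icv

def transport_mode(src_host, dst_host, tcp_segment, key):
    """Transport mode: ESP sits between the original IP header and the TCP
    segment, so the only addresses on the wire are the two IPsec endpoints."""
    esp = esp_wrap(0x1000, 1, tcp_segment, 6, key)            # next header 6 = TCP
    return ipv4_header(src_host, dst_host, 50, len(esp)) + esp  # proto 50 = ESP

def tunnel_mode(inner_src, inner_dst, tcp_segment, key):
    """Tunnel mode: the whole original packet, inner IP header included, is
    the ESP payload and a new gateway-to-gateway header goes in front."""
    inner = ipv4_header(inner_src, inner_dst, 6, len(tcp_segment)) + tcp_segment
    esp = esp_wrap(0x2000, 1, inner, 4, key)                  # next header 4 = IP-in-IP
    return ipv4_header(LOCAL_GW, REMOTE_GW, 50, len(esp)) + esp

def outer_addresses(packet):
    """What someone on the path can read: the outer header's src and dst."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return ".".join(map(str, src)), ".".join(map(str, dst))

def icv_ok(packet, key):
    """Recompute HMAC-MD5-96 over the ESP header, payload and trailer."""
    esp = packet[20:]
    expected = hmac.new(key, esp[:-12], hashlib.md5).digest()[:12]
    return hmac.compare_digest(esp[-12:], expected)
```

In tunnel mode the private inner addresses are inside the ESP payload, not in the outer header; in transport mode there is no inner header at all, which is why a transport-mode peer insists that NAT happen before IPsec.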
--------------------------------------------------------------------------------------------------------------------------------------
Date: Fri, 08 Nov 2002 01:16:01 -0600
From: "Michael D. Schleif" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Organization: mds resource
To: LEAF <[EMAIL PROTECTED]>
Subject: Re: [leaf-user] ipsec connect to this?
Correct me if I am wrong; but, isn't transport mode solely for
host-to-host VPNs?
Everything seems to be OK in auth.log and ipsec look appears OK, when I
use tunnel mode -- however, we cannot ping nor telnet nor ftp to the
other side. tcpdump shows outgoing requests; but, nothing comes back.
Unfortunately, the other side is not cooperative, because he insists
that we must use a cisco like he is, and he's determined to prove that
to us all ;<
When I select type=transport, auth.log process never completes and no
``IPSec SA is established ...'' appears.
What do you think?
"Michael D. Schleif" wrote:
>
> Received following set of requirements for one of our DCD's to connect
> to a remote non-DCD site:
>
> ISAKMP Policy:
> Encryption: 3DES
> Hash: MD5
> Authentication: pre shared keys
> Diffie-Hellman group 1 or 2
>
> Use the following key: ------------
> IPSec GW Address: 204.235.103.2
>
> Destination Network: 204.235.101.128 255.255.255.240
>
> IPSec Policy
> ESP Transform: 3DES
> ESP Authentication Transform: md5-hmac
>
> IPSec mode is transport. Please be sure to apply NAT *BEFORE* IPSec.
> Private Addresses leaked onto the network will be rejected.
>
> We have not setup ipsec to non-DCD before.
>
> Is this doable?
>
> Is above information adequate?
>
> Is there anything unusual to this setup?
--
Best Regards,
mds
mds resource
888.250.3987
Dare to fix things before they break . . .
Our capacity for understanding is inversely proportional to how much we
think we know. The more I know, the more I know I
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html