On 2007/04/08 14:43, Stephen J. Bevan wrote:
> 
>  > On page 46 he talks about using GRE to create a virtual routing
>  > interface AKA tunnel interface. I have configured route-based VPNs
>  > between a Netscreen and FortiGate which interop just fine, which
>  > leads me to believe that they are using the same approach to tunnel
>  > interfaces. 
> 
> They are using the same approach, it just isn't GRE based.  Both
> FortiGate and Netscreen allow you to define an IPsec interface which has
> the routing benefits described in
> http://www.isi.edu/div7/presentation_files/dynamic_routing.pdf 
> but which is also compatible with anything that supports tunnel mode
> IPsec.

interesting; if my understanding of this and the RFC that the referenced
'touch' draft was published as (rfc3884), at one end you can configure one
side in *transport* mode carrying ipip encapsulated packets - gif(4) with
net.inet.ipip.allow=1, afaict - and the other side in tunnel mode as usual.

this could be useful for either running routing protocols over IPsec, or
for redistributing IPsec "routes" into an IGP (the latter being something
I've been wondering about how to handle in some way that's a little more
flexible than "configure all of concentrator X's tunnels within 10.X/16
and all of concentrator Y's tunnels within 10.Y/16...")
