On 2010-01-13, Matt Dainty <[email protected]> wrote:
> * Stuart Henderson <[email protected]> [2010-01-12 17:02:39]:
>> Their examples are using route-based VPNs (http://kb.juniper.net/KB4124,
>> RFC3884), I'm not sure whether this is entirely possible here with our
>> ipsec (policy-based), but you could try setting up tunnels between the
>> gif tunnel endpoints i.e. 1.2.3.4 and 72.21.209.225, and a second between
>> 1.2.3.4 and 72.21.209.193. These would take the place of the tunnels between
>> 192.168.23/24 and 10/24 (traffic between these networks would be routed
>> in the usual way, taking the gif interfaces as point-to-point links).
>
> RFC3884 uses transport mode to secure the already encapsulated traffic
> whereas I have to use tunnel mode.

Take another look; IKE is done as for tunnel mode (i.e. it tells the peer
to use tunnel mode), but then it's set up as for transport mode, with the
gif header inserted. This is the same packet format as used by tunnel mode,
so it's interoperable with tunnel mode on the other side (see the end of
section 4.2.3).

> Any attempts to negotiate a transport mode SA are refused

I think that to support it, isakmpd would need to be able to negotiate a
tunnel mode SA with the peer, but would need to configure the local side as
for transport mode.
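A concrete sketch of the configuration Stuart suggests earlier in the thread (host-to-host IPsec between the gif endpoints, with the networks routed over the gif interfaces as point-to-point links), added here as an example; it is not from the thread or from any of the posters. The tunnel endpoints and networks are the ones quoted above; the 169.254.x.x point-to-point addresses, the interface numbering, the PSK placeholder and the exact hostname.if(5) line forms are assumptions to check against ipsec.conf(5), gif(4) and hostname.if(5) for your release.

```conf
# /etc/hostname.gif0 -- first tunnel, local 1.2.3.4 <-> peer 72.21.209.225
# (assumed hostname.if(5) point-to-point form: inet local netmask destination)
tunnel 1.2.3.4 72.21.209.225
inet 169.254.255.2 255.255.255.255 169.254.255.1
# Route the remote network over the gif link instead of using a
# net-to-net IPsec flow (the "!" escape runs a shell command).
!route add -net 10.0.0.0/24 169.254.255.1

# /etc/hostname.gif1 -- second tunnel, local 1.2.3.4 <-> peer 72.21.209.193
tunnel 1.2.3.4 72.21.209.193
inet 169.254.255.6 255.255.255.255 169.254.255.5

# /etc/ipsec.conf -- one host-to-host flow per tunnel. "ike esp from A to B"
# negotiates tunnel mode (the default), so the gif packets (IP-in-IP from
# 1.2.3.4 to the peer) match the flow and are carried in ESP tunnel mode;
# nothing here depends on the transport-mode variant isakmpd refuses.
ike esp from 1.2.3.4 to 72.21.209.225 psk "PSK-PLACEHOLDER-1"
ike esp from 1.2.3.4 to 72.21.209.193 psk "PSK-PLACEHOLDER-2"
```

After `sh /etc/netstart gif0 gif1` and `ipsecctl -f /etc/ipsec.conf`, `ipsecctl -sa` should show a flow and SAs between 1.2.3.4 and each peer, and `route -n get 10.0.0.1` should resolve via gif0. The trade-off versus the RFC3884 transport-mode design is an extra IP header per packet (gif inside ESP tunnel), which lowers the usable MTU on the gif interfaces; the gain is that the SPD stays a single host-to-host entry per peer while ordinary routing, not IPsec policy, decides which inner traffic goes where.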

