
RE: IPSEC tunnels for LAN-to-LAN interop issue



> 1) IP tunnel device tunnels packets, IPSEC then applies transport-mode
> protection to the IP-in-IP packets as they leave.
>
> 2) IPSEC tunnel is modeled as an interface, and just negotiates tunnel mode
> and exposes the resulting tunnel as an interface. This is akin to marrying
> an SDP policy with an Interface.
>
> 3) IP tunnel device tunnels packets, IPSEC then applies tunnel mode
> protection.

What matters is how this looks to the other end of the tunnel. Your
implementation can achieve that result however it wants.

To the other end of the tunnel, shouldn't it look like / be negotiated as
tunnel-mode IPSEC? Thus, if I understand your options correctly:
Option 1 is ruled out because the packets look right on the wire but it's
negotiating transport-mode instead of tunnel-mode.
Option 2 is OK - the packets look like IP-IPsec-IP-Transport, and it's
negotiated as tunnel-mode.
Option 3 is ruled out because there is an extra IP header.

Rich
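The three options as the far end would see them, as an added example that is not part of the thread: it builds constructed IPv4 and AH (RFC 4302) headers, applies each option's encapsulation, and walks the resulting header chain. AH stands in for ESP only so the next-header field is readable without decryption; the gateway and host addresses are made-up sample values, and the negotiated mode is a label carried alongside the bytes since it comes from the SA negotiation, not from the packet.

```python
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_AH = 4, 6, 51
NAMES = {IPPROTO_TCP: "TCP"}

def ipv4(src, dst, proto, payload):
    # Minimal 20-byte IPv4 header; checksum left zero since nothing is sent.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, bytes(src), bytes(dst))
    return hdr + payload

def ah(next_proto, payload, spi=0x1000, seq=1, icv=b"\x00" * 12):
    # RFC 4302 AH: next header, length in 32-bit words minus 2, reserved, SPI, seq, ICV.
    hdr = struct.pack("!BBHII", next_proto, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv
    return hdr + payload

def ipip(inner, src, dst):
    # What an IP tunnel device does: a plain IP-in-IP (protocol 4) outer header.
    return ipv4(src, dst, IPPROTO_IPIP, inner)

def ah_transport(pkt):
    # Transport mode: AH goes between the existing IP header and its payload.
    src, dst, proto = pkt[12:16], pkt[16:20], pkt[9]
    return ipv4(src, dst, IPPROTO_AH, ah(proto, pkt[20:]))

def ah_tunnel(inner, src, dst):
    # Tunnel mode: new outer IP header, AH, then the whole original packet.
    return ipv4(src, dst, IPPROTO_AH, ah(IPPROTO_IPIP, inner))

def header_chain(pkt):
    """Walk the IPv4/AH headers a receiver sees; names up to the transport protocol."""
    chain, off, kind = [], 0, "IP"
    while True:
        if kind == "IP":
            proto, off = pkt[off + 9], off + (pkt[off] & 0x0F) * 4
        else:  # AH: next-header byte first, length field is words minus 2
            proto, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        chain.append(kind)
        if proto == IPPROTO_IPIP: kind = "IP"
        elif proto == IPPROTO_AH: kind = "AH"
        else: return chain + [NAMES.get(proto, str(proto))]

def option_on_wire(option):
    """Return (header chain, negotiated SA mode) for options 1-3 from the thread."""
    gw_a, gw_b = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])  # constructed gateways
    inner = ipv4(bytes([10, 0, 0, 5]), bytes([10, 1, 0, 7]), IPPROTO_TCP, b"payload")
    if option == 1: return header_chain(ah_transport(ipip(inner, gw_a, gw_b))), "transport"
    if option == 2: return header_chain(ah_tunnel(inner, gw_a, gw_b)), "tunnel"
    if option == 3: return header_chain(ah_tunnel(ipip(inner, gw_a, gw_b), gw_a, gw_b)), "tunnel"
    raise ValueError(option)

def interoperable(option):
    # The far end expects IP-IPsec-IP-Transport negotiated as tunnel mode.
    chain, mode = option_on_wire(option)
    return chain == ["IP", "AH", "IP", "TCP"] and mode == "tunnel"
```

Only option 2 satisfies both checks; option 1 yields the same chain but the wrong mode, and option 3 carries the extra IP header.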

