Re: IPSEC tunnels for LAN-to-LAN interop issue
Lars,
> >> 1) IP tunnel device tunnels packets, IPSEC then applies transport-mode
> >> protection to the IP-in-IP packets as they leave.
>
> stephen> Why transport mode here, vs. tunnel mode. The device looks more
> stephen> like an SG than an end system, does it not?
>
>He wants to run RIP over the tunnels. IPsec tunnel mode (at least all
>implementations I have seen) is handled by packet filters/firewalls, which
>means the tunnel is not represented in the routing table and RIP won't see
>them. Using an IPIP tunnel device (which will show up in the routing table)
>plus IPsec transport mode is a way to circumvent this.
I see the basis for the concern, but the examples you cite are a result of
some implementation instances, not intrinsic in the IPsec architecture. The
question of how routing is implemented in an IPsec gateway is outside the
scope of 2401, but the question of what mode to use in such a gateway, and
what constitutes a gateway vs. an end system, are addressed in 2401.
Steve
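The arrangement Lars describes (an IP-in-IP tunnel device that shows up in the routing table, with IPsec transport mode protecting the resulting proto-4 packets) next to the plain tunnel-mode alternative, written out as a Linux configuration script using iproute2. This is an added example for readers of the thread, not code from either poster or from any implementation mentioned; the interface name gw0, the RFC 5737 gateway addresses and the 10.1/10.2 LAN prefixes are assumptions. Only the SPD is shown; the SAs themselves come from IKE or `ip xfrm state add` and are out of scope here.

```shell
#!/bin/sh
# Added example (not from the thread). Two ways to protect LAN-to-LAN traffic
# between two gateways on Linux, and why only one of them gives RIP a tunnel
# interface to run over.
#
#   sh ipsec_ipip.sh              dry run: print the commands
#   APPLY=1 sh ipsec_ipip.sh      execute them (needs CAP_NET_ADMIN)

# Assumed topology (RFC 5737 documentation addresses, not from the thread).
LOCAL_GW=192.0.2.1
REMOTE_GW=198.51.100.1
LOCAL_LAN=10.1.0.0/16
REMOTE_LAN=10.2.0.0/16
TUN_IF=gw0

# Print a command, or run it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Option A (what Lars describes): an IPIP tunnel device plus transport-mode
# IPsec. The device is a real interface with a route over it, so a routing
# daemon speaking RIP on gw0 sees the tunnel like any other link. IPsec then
# protects the IP-in-IP packets (upper protocol 4) between the gateway
# addresses in transport mode.
setup_ipip_plus_transport() {
    run ip tunnel add "$TUN_IF" mode ipip local "$LOCAL_GW" remote "$REMOTE_GW"
    run ip link set "$TUN_IF" up
    # Static route via the tunnel; RIP over gw0 would add or replace these.
    run ip route add "$REMOTE_LAN" dev "$TUN_IF"
    # Selector: gateway-to-gateway, protocol 4 only. Anything else between the
    # gateways (IKE, management) is not matched by this policy.
    run ip xfrm policy add src "$LOCAL_GW" dst "$REMOTE_GW" proto 4 dir out \
        tmpl src "$LOCAL_GW" dst "$REMOTE_GW" proto esp mode transport
    run ip xfrm policy add src "$REMOTE_GW" dst "$LOCAL_GW" proto 4 dir in \
        tmpl src "$REMOTE_GW" dst "$LOCAL_GW" proto esp mode transport
}

# Option B: plain IPsec tunnel mode. The selector matches LAN-to-LAN traffic
# and the encapsulation is done by the SPD; there is no interface and no
# route for RIP to see, which is the interop problem discussed above. Linux
# needs a separate fwd policy for forwarded (non-locally-delivered) traffic.
setup_tunnel_mode() {
    run ip xfrm policy add src "$LOCAL_LAN" dst "$REMOTE_LAN" dir out \
        tmpl src "$LOCAL_GW" dst "$REMOTE_GW" proto esp mode tunnel
    run ip xfrm policy add src "$REMOTE_LAN" dst "$LOCAL_LAN" dir in \
        tmpl src "$REMOTE_GW" dst "$LOCAL_GW" proto esp mode tunnel
    run ip xfrm policy add src "$REMOTE_LAN" dst "$LOCAL_LAN" dir fwd \
        tmpl src "$REMOTE_GW" dst "$LOCAL_GW" proto esp mode tunnel
}

if [ "${1:-}" = "transport" ]; then
    setup_ipip_plus_transport
elif [ "${1:-}" = "tunnel" ]; then
    setup_tunnel_mode
fi
```

On the wire both options carry outer IP, ESP, inner IP; the difference is entirely in what the gateway's routing table knows about, which is the point Lars makes and which Steve notes is an implementation matter rather than something 2401 dictates.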