RE: IPSEC tunnels for LAN-to-LAN interop issue
-----BEGIN PGP SIGNED MESSAGE-----
stephen> This works as before, except that the SPD is tied to the IPIP
stephen> tunnel device.
stephen> The IPSEC peer is defined in the IPIP tunnel configuration, and all
stephen> policies in the captive SPD relate to that peer.
stephen> As IP packets are delivered to the IP tunnel device, they are passed
stephen> through the captive SPD to determine what (if any) IPSEC protection
stephen> is required.
stephen> If none, the IP tunnel is added, and the packet sent.
stephen> If transport, the IP tunnel is added, transport-mode IKE negotiated
stephen> and applied, packet sent.
stephen> If tunnel mode, the IP tunnel is added, tunnel mode IKE negotiated,
stephen> 'transport mode' applied, packet sent.
We had essentially the same general idea of having "per-tunnel" SPDs, but have
not really thought much about details. Also, I think Suresh Bhogavilli, who
implemented the CAIRN IPsec stack, had plans to integrate his IPIP tunnels
with the SPD. I think your proposal looks very promising.
When I talked with the KAME people, they indicated they'd rather not change
their current filter-based implementation too much. I believe they considered
adding/deleting route entries for SPD tunnel rules. That might be another
possible way of addressing this?
Lars Eggert <email@example.com> Information Sciences Institute
http://www.isi.edu/~larse/ University of Southern California
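The three-way decision Stephen describes (no protection / transport-mode IKE / tunnel-mode IKE with transport-mode ESP applied to the IPIP packet) can be modelled in a few lines. The following is an added example, not code from this thread, from the CAIRN stack or from KAME: the `Policy` and `IPIPTunnel` classes, their selectors, the addresses and the sample packets are all assumptions made for the illustration. It returns the header stack that would go on the wire for each inner packet, which makes visible why applying a transport-mode SA to an IP-in-IP packet yields the same outer IP | ESP | inner IP layering as a tunnel-mode SA.

```python
"""Constructed model of a "captive" SPD bound to an IPIP tunnel device.

Illustration only: the classes, selectors and the inline sample packets are
assumptions for the example, not code from any IPsec stack discussed here.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Policy:
    """One SPD rule: inner-packet selectors and the protection to apply."""
    src: str      # inner source prefix, e.g. "10.1.0.0/16"
    dst: str      # inner destination prefix
    action: str   # "none", "transport" or "tunnel" (the mode IKE negotiates)

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


@dataclass
class IPIPTunnel:
    """IPIP device whose remote endpoint is also the IPsec peer; every policy
    in its private SPD refers to that single peer."""
    local: str
    remote: str
    spd: List[Policy]
    # (peer, mode) pairs for which IKE has "negotiated" an SA in this model
    negotiated: Set[Tuple[str, str]] = field(default_factory=set)

    def lookup(self, src: str, dst: str) -> str:
        """First-match lookup in the captive SPD; no match means drop
        (default deny, so an unlisted flow never leaves in the clear)."""
        for rule in self.spd:
            if rule.matches(src, dst):
                return rule.action
        return "discard"

    def send(self, src: str, dst: str) -> Optional[List[str]]:
        """Return the header stack put on the wire for an inner packet
        src->dst, or None if the SPD has no rule for it."""
        action = self.lookup(src, dst)
        if action == "discard":
            return None
        # The IP tunnel header is always added first.
        stack = [f"IP {self.local}->{self.remote}", f"IP {src}->{dst}"]
        if action == "none":
            return stack
        # IKE negotiates with the tunnel's peer in the mode the policy names...
        self.negotiated.add((self.remote, action))
        # ...but the resulting SA is applied in transport mode to the IPIP
        # packet, so outer IP | ESP | inner IP is what reaches the wire:
        # the same header order a tunnel-mode SA would produce.
        return [stack[0], "ESP (transport)", stack[1]]


def demo() -> IPIPTunnel:
    """Constructed tunnel: one peer, one captive SPD with all three actions."""
    return IPIPTunnel(local="192.0.2.1", remote="198.51.100.1", spd=[
        Policy("10.1.0.0/16", "10.2.0.0/16", "tunnel"),
        Policy("10.1.0.0/16", "10.3.0.0/16", "transport"),
        Policy("10.1.0.0/16", "10.4.0.0/16", "none"),
    ])


if __name__ == "__main__":
    tun = demo()
    for dst in ("10.2.0.5", "10.3.0.5", "10.4.0.5", "10.9.0.5"):
        print(dst, tun.send("10.1.0.7", dst))
    print("IKE SAs negotiated:", sorted(tun.negotiated))
```

Because the peer is fixed by the tunnel device, every SA the model negotiates carries the same remote address and differs only in the mode IKE was asked for; the unmatched 10.9.0.5 flow is dropped rather than sent unprotected.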