
RE: IPSEC tunnels for LAN-to-LAN interop issue

>>>>> "Waters," == Waters, Stephen <Stephen.Waters@cabletron.com> writes:

 Waters,> 2) is a hack because I no longer have an interface. IPSEC
 Waters,> intercepts packets leaving the system, and, due to the fact
 Waters,> that the contents are completely scrambled, has to add a new
 Waters,> header.

 Waters,> -----Original Message----- From: Richard Draves

 >> 1) IP tunnel device tunnels packets, IPSEC then applies
 >> transport-mode protection to the IP-in-IP packets as they leave.
 >> 2) IPSEC tunnel is modeled as an interface, and just negotiates
 >> tunnel mode and exposes the resulting tunnel as an interface. This
 >> is akin to marrying an SDP policy with an Interface.
 >> 3) IP tunnel device tunnels packets, IPSEC then applies tunnel
 >> mode protection.

I'm not sure why you call (2) a hack.  It is a perfectly reasonable
way of doing things.  Why did you say "I no longer have an interface"?
(2) is, approximately, what we do in our product.  One consequence is
that routing protocols (RIP, OSPF, etc.) work normally across tunnels.