RE: IPSEC tunnels for LAN-to-LAN interop issue
Stephen,
>I think I disagree with the statement that "Anything else will violate RFC
>2401". A security gateway is perfectly entitled to protect 'originating
>traffic' with transport-mode, and if the traffic source is a tunnel device
>(IPIP, L2TP, GRE...), then IPSEC can quite fairly protect this with
>transport mode to a remote peer/security gateway:
>
>" Note that for the case where traffic is destined for a
> security gateway, e.g., SNMP commands, the security gateway is acting
> as a host and transport mode is allowed."
>
>It is convenient, I think, to model generic traffic between two security
>gateways as transport-mode, regardless of the protocol.
One can do this if the goal is to eviscerate the access controls provided
by IPsec, and there is a desire to add unnecessary protocol layers (e.g.,
L2TP and GRE) when carrying IP traffic :-).
Steve
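To make the access-control point in the exchange above concrete, here is an added example; it is not from the thread, nor from any IPsec implementation. It models, in the terms of RFC 2401, what the security policy database (SPD) selectors can see in each of the two designs being argued over: GRE encapsulation protected with transport mode, versus tunnel mode applied to the LAN packet itself. The gateway and LAN addresses, the policy tables, and the sample packets are all constructed for the illustration.

```python
"""Constructed model of RFC 2401 SPD selection under two gateway designs.

Not code from the mailing-list post or from any IPsec stack; all addresses,
policies and packets below are made up for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# The selector fields we model: source/destination IP, transport protocol,
# destination port (RFC 2401 also allows name-based and DSCP selectors).
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                      # IANA protocol number: 6 = TCP, 47 = GRE
    dport: Optional[int] = None
    inner: Optional["Packet"] = None  # payload packet when this is a GRE packet

@dataclass(frozen=True)
class SPDEntry:
    src: str                        # CIDR
    dst: str                        # CIDR
    proto: Optional[int]            # None = any protocol
    dport: Optional[int]            # None = any port
    action: str                     # "protect", "bypass" or "discard"

def entry_matches(e: SPDEntry, p: Packet) -> bool:
    return (ip_address(p.src) in ip_network(e.src)
            and ip_address(p.dst) in ip_network(e.dst)
            and e.proto in (None, p.proto)
            and e.dport in (None, p.dport))

def spd_lookup(spd: list, p: Packet) -> str:
    """First-match lookup; no entry matching means discard, as in RFC 2401."""
    for e in spd:
        if entry_matches(e, p):
            return e.action
    return "discard"

# Hypothetical addressing: two gateways, one LAN behind each.
GW_A, GW_B = "192.0.2.1", "198.51.100.1"
LAN_A, LAN_B = "10.1.0.0/16", "10.2.0.0/16"

# Design 1 (GRE + transport mode): the GRE device turns every LAN packet into
# a gateway-to-gateway protocol-47 packet before IPsec sees it, so the only
# selectors the SPD can usefully express are the ones below. Any inner flow,
# from any host on any port, is indistinguishable at this point.
SPD_TRANSPORT = [
    SPDEntry(GW_A + "/32", GW_B + "/32", 47, None, "protect"),
]

# Design 2 (tunnel mode): IPsec classifies the LAN packet itself, so the SPD
# can apply per-host and per-port policy before encapsulating.
SPD_TUNNEL = [
    SPDEntry("10.1.5.0/24", LAN_B, 6, 23, "discard"),   # no telnet from this subnet
    SPDEntry(LAN_A, LAN_B, None, None, "protect"),
]

def gre_encapsulate(p: Packet) -> Packet:
    """What the GRE tunnel device hands to transport-mode IPsec."""
    return Packet(GW_A, GW_B, 47, None, inner=p)

def classify(design: str, lan_packet: Packet) -> str:
    """Return the SPD action the gateway applies to a packet leaving LAN A."""
    if design == "gre+transport":
        return spd_lookup(SPD_TRANSPORT, gre_encapsulate(lan_packet))
    if design == "tunnel":
        return spd_lookup(SPD_TUNNEL, lan_packet)
    raise ValueError(f"unknown design {design!r}")

def demo() -> dict:
    # Constructed sample traffic: an allowed HTTP flow and a telnet flow the
    # policy is meant to block.
    http = Packet("10.1.9.20", "10.2.0.80", 6, 80)
    telnet = Packet("10.1.5.7", "10.2.0.10", 6, 23)
    return {
        design: {"http": classify(design, http), "telnet": classify(design, telnet)}
        for design in ("gre+transport", "tunnel")
    }

if __name__ == "__main__":
    for design, result in demo().items():
        print(f"{design:14s} http={result['http']:8s} telnet={result['telnet']}")
```

The tunnel-mode SPD discards the telnet flow and protects the HTTP flow; the GRE-plus-transport SPD protects both, because by the time IPsec runs the only header it classifies on is the GRE header between the two gateways. That is the evisceration of access controls the reply refers to: the per-flow policy has to be enforced somewhere else, outside the IPsec SPD.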