
Re: IPSEC tunnels for LAN-to-LAN interop issue



> I'm not sure BGP fixes the problem, for me.  I want to be able to learn
> Intranet routes from a remote peer, and populate a routing table with
> next-hop information, where each next hop is associated with a particular
> 'interface';  I want to detect when that 'interface' has failed so I can
> re-route.
>
I read both your old model and the new model. How about a mix of
the two?

Virtual IP interface
	|
IPIP tunnel 'device' - with default policy.
	|
Real interface	- associated SPD.

Packets leaving the tunnel device will be subjected to the default
policy only if there is no match in the SPD associated with the
Real interface. What most people may want is some default
policy, e.g. 3DES/SHA1, for the packets leaving the tunnel. But if
you want per-port selectors etc., why can't policy entries
in the SPD associated with the Real interface handle this?

If transport, transport mode is negotiated and applied and the packet sent.

If tunnel mode, tunnel mode is negotiated, 'transport' mode applied, and the
packet sent.

There is only one tunnel device with which the routing entries
are associated in this case.

Detecting whether the path to the peer has failed can be done
by running a failure detection algorithm over the tunnels.

-mohan
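The layering described above (SPD on the real interface consulted first, the tunnel device's default policy used only when nothing in the SPD matches, one tunnel device per set of routing entries, and a failure detector that lets routes fail over) can be sketched as a small model. The following is an added example, not code from the thread or from any IPsec implementation; the interface names, prefixes, peer addresses, proposals and the three-missed-keepalive threshold are all constructed, and SA negotiation itself is left out.

```python
"""Toy model of the layered policy lookup sketched in the post (added example).

Virtual IP interface -> IPIP tunnel device (default policy) -> real interface (SPD).
The SPD on the real interface is consulted first; the tunnel's default policy is
applied only when no selector matches. A keepalive counter marks a tunnel down so
the routing lookup can pick the next tunnel to the same prefix. All names, prefixes
and proposals below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    proposal: str      # e.g. "ESP 3DES/SHA1", the default the post mentions
    mode: str          # "transport" or "tunnel"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str         # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Selector:
    src: str                        # CIDR
    dst: str                        # CIDR
    proto: Optional[str] = None     # None = any protocol
    dport: Optional[int] = None     # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return self.dport is None or pkt.dport == self.dport


@dataclass
class Tunnel:
    name: str
    peer: str
    default_policy: Policy
    alive: bool = True
    missed: int = 0


class Node:
    def __init__(self, spd: List[Tuple[Selector, Policy]], tunnels: List[Tunnel],
                 routes: Dict[str, List[str]], dpd_threshold: int = 3):
        self.spd = spd                                   # ordered SPD on the real interface
        self.tunnels = {t.name: t for t in tunnels}
        self.routes = {ip_network(p): names for p, names in routes.items()}
        self.dpd_threshold = dpd_threshold               # constructed: 3 missed keepalives

    def route(self, dst: str) -> Optional[Tunnel]:
        """Longest-prefix match, then the first tunnel in preference order that is up."""
        addr = ip_address(dst)
        nets = sorted((n for n in self.routes if addr in n),
                      key=lambda n: n.prefixlen, reverse=True)
        for net in nets:
            for name in self.routes[net]:
                if self.tunnels[name].alive:
                    return self.tunnels[name]
        return None

    def lookup_policy(self, pkt: Packet, tunnel: Tunnel) -> Policy:
        """SPD entries win; the tunnel device's default policy is the fallback."""
        for selector, policy in self.spd:
            if selector.matches(pkt):
                return policy
        return tunnel.default_policy

    def send(self, pkt: Packet) -> Optional[dict]:
        t = self.route(pkt.dst)
        if t is None:
            return None                                  # no live tunnel: unreachable
        pol = self.lookup_policy(pkt, t)
        return {"tunnel": t.name, "peer": t.peer,
                "proposal": pol.proposal, "mode": pol.mode}

    def keepalive(self, tunnel_name: str, answered: bool) -> bool:
        """Failure detection over the tunnel; returns whether it is still considered up."""
        t = self.tunnels[tunnel_name]
        if answered:
            t.missed, t.alive = 0, True
        else:
            t.missed += 1
            if t.missed >= self.dpd_threshold:
                t.alive = False
        return t.alive


def build_demo_node() -> Node:
    """Constructed configuration: two tunnels to the same remote prefix, one SPD entry."""
    default = Policy("ESP 3DES/SHA1", "tunnel")
    spd = [(Selector("10.1.0.0/16", "10.2.0.0/16", proto="tcp", dport=22),
            Policy("ESP AES/SHA1", "transport"))]
    tunnels = [Tunnel("ipip0", "192.0.2.1", default),
               Tunnel("ipip1", "198.51.100.1", default)]
    return Node(spd, tunnels, {"10.2.0.0/16": ["ipip0", "ipip1"]})


if __name__ == "__main__":
    node = build_demo_node()
    print(node.send(Packet("10.1.0.7", "10.2.0.5", "tcp", 22)))   # SPD hit
    print(node.send(Packet("10.1.0.7", "10.2.0.5", "tcp", 80)))   # default policy
    for _ in range(3):
        node.keepalive("ipip0", answered=False)
    print(node.send(Packet("10.1.0.7", "10.2.0.5", "tcp", 80)))   # fails over to ipip1
```

The point the model makes explicit is the lookup order: a per-port selector in the real interface's SPD overrides the tunnel's coarse default, and routing only ever sees the tunnel device, so failover is a matter of marking that device down rather than rewriting policy.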
