Subject: ipsec configuration
To: Wolfgang Rupprecht <wolfgang@wsrcc.com>
From: None <itojun@iijlab.net>
List: current-users
Date: 02/22/2000 14:03:49
>> 	there should be no difference between "isakmp on wireless"
>> 	and "isakmp on ethernet"...
>The difference I see is that the ipsec / setkey examples all talk
>about a system like this:
>       HostA --- GatewayA ---- GatewayB --- HostB
>The host-ip is not equal to the gateway-ip.  In the wireless case the
>system is as such:
>       HostA -- HostB

	The former one is IPsec tunnel mode, the latter is IPsec
	transport mode.  They do not have a particular relationship with
	"wireless" or "ether".  The former is basically for VPN, the latter is
	for host-to-host encryption.  You can use transport mode on top of
	ethernet, ppp, fddi, anything.  It is also true that you can run
	tunnel mode on top of a wireless network (if you would like to run
	VPN over wireless).

	There are transport mode examples in the racoon configuration
	examples, and in the setkey(8) examples as well...  I agree they are not
	clear enough.  This is because (1) there are way too many knobs in
	IPsec to play with (2) KAME guys are not native English speakers.
	Suggestions are always very welcome.  Please help us improve those.

>The IPs in the first line of the spdadd and in the following lines
>are the same.  It's not even clear to me why the code shouldn't apply
>the rule recursively until the maximum rule nesting is achieved.  Am I
>misunderstanding the matching rules?
>
>spdadd 192.168.197.1/32 192.168.197.8/32 any -P out ipsec
>	esp/transport/192.168.197.1-192.168.197.8/use
>	ah/transport/192.168.197.1-192.168.197.8/use;
>
>Let's say this rule is applied to a packet.  The output packet still
>has the source address 192.168.197.1 and it still has the destination
>address 192.168.197.8.  Wouldn't the rule have to be applied again to
>the already 1x ah+esp packet?

	It won't apply rules recursively.  The rule will be applied only once.
	ip{,6}_output is designed carefully for that.

	However, if you would like to, you can apply ESP/AH as many times
	as you want, like:
>spdadd 192.168.197.1/32 192.168.197.8/32 any -P out ipsec
>	esp/transport//use esp/transport//use esp/transport//use
>	esp/transport//use esp/transport//use esp/transport//use;
	this will generate a rather meaningless packet with tons of ESP headers.

	(BTW you can omit gateway address when you use transport mode)

itojun
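As an added illustration (not part of the message above, and not KAME or NetBSD kernel code), the following Python models the behaviour itojun describes: the outbound SPD is consulted exactly once per packet at ip_output, the selected policy's requests are applied in the order listed, and an empty gateway pair in a transport-mode request (esp/transport//use) falls back to the packet's own addresses. It parses the spdadd syntax shown in the thread. The addresses and policies are constructed from the ones quoted above; the "first listed request becomes the innermost header" ordering and the function names are this example's own assumptions, not something the message states.

```python
"""Toy model of setkey(8) spdadd parsing and the one-shot outbound SPD lookup.

Added example, not KAME/NetBSD code.  Policies and addresses are constructed
from the ones quoted in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# protocol/mode/[src-dst]/level ; the address pair may be empty in transport mode
REQ_RE = re.compile(
    r"^(esp|ah|ipcomp)/(transport|tunnel)/(?:([^-/]*)-([^/]*))?/(default|use|require|unique)$"
)


@dataclass
class IpsecRequest:
    protocol: str
    mode: str
    src: Optional[str]   # None when the gateway pair was omitted
    dst: Optional[str]
    level: str


@dataclass
class Policy:
    src: Network
    dst: Network
    upper: str           # "any" or an upper-layer protocol name
    direction: str       # "in" or "out"
    action: str          # "ipsec", "discard" or "none"
    requests: List[IpsecRequest]


def parse_request(token: str) -> IpsecRequest:
    """Parse one 'esp/transport/1.2.3.4-5.6.7.8/use' style request."""
    m = REQ_RE.match(token)
    if not m:
        raise ValueError(f"bad ipsec request: {token}")
    proto, mode, src, dst, level = m.groups()
    if mode == "tunnel" and not (src and dst):
        # tunnel mode needs explicit outer (gateway) addresses
        raise ValueError(f"tunnel mode needs gateway addresses: {token}")
    return IpsecRequest(proto, mode, src or None, dst or None, level)


def parse_spdadd(stmt: str) -> Policy:
    """Parse 'spdadd SRC DST UPPER -P DIR ACTION REQUEST...;' (may span lines)."""
    tokens = stmt.strip().rstrip(";").split()
    if len(tokens) < 7 or tokens[0] != "spdadd" or tokens[4] != "-P":
        raise ValueError(f"not an spdadd statement: {stmt!r}")
    src, dst, upper, direction, action = tokens[1], tokens[2], tokens[3], tokens[5], tokens[6]
    requests = [parse_request(t) for t in tokens[7:]]
    if action == "ipsec" and not requests:
        raise ValueError("ipsec policy without any request")
    return Policy(ipaddress.ip_network(src, strict=False),
                  ipaddress.ip_network(dst, strict=False),
                  upper, direction, action, requests)


def lookup(spd: List[Policy], src: str, dst: str, upper: str, direction: str) -> Optional[Policy]:
    """First-match lookup on packet selectors, as the kernel does against the SPD."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:
        if p.direction != direction or p.upper not in ("any", upper):
            continue
        if s in p.src and d in p.dst:
            return p
    return None


def outbound_headers(spd: List[Policy], src: str, dst: str, upper: str) -> List[str]:
    """Headers inserted for one outbound packet, listed outermost first.

    The SPD is consulted exactly once; the resulting ESP/AH packet goes to the
    interface and is never fed back through the policy check, so a rule does not
    re-apply to its own output even though src/dst are unchanged.
    """
    p = lookup(spd, src, dst, upper, "out")
    if p is None or p.action == "none":
        return []
    if p.action == "discard":
        raise PermissionError("policy discards packet")
    stack: List[str] = []
    for r in p.requests:
        # assumption: requests apply in listed order, first listed = innermost
        hop = f"{r.protocol}/{r.mode} {r.src or src}->{r.dst or dst}"
        stack.insert(0, hop)      # each later request wraps the previous ones
    return stack


if __name__ == "__main__":
    spd = [parse_spdadd("spdadd 192.168.197.1/32 192.168.197.8/32 any -P out ipsec\n"
                        "\tesp/transport/192.168.197.1-192.168.197.8/use\n"
                        "\tah/transport/192.168.197.1-192.168.197.8/use;")]
    print(outbound_headers(spd, "192.168.197.1", "192.168.197.8", "tcp"))
```

Feeding the six-times esp/transport//use policy from the thread through outbound_headers yields six ESP entries for a single packet, which is the "tons of ESP headers" outcome described, while the lookup itself still happens only once.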