Subject: Re: gre encap destination = point-to-point destination
To: Gert Doering <gert@greenie.muc.de>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-net
Date: 11/07/2006 02:45:12
On Tue, Nov 07, 2006 at 08:33:26AM +0100, Gert Doering wrote:
> On Mon, Nov 06, 2006 at 08:42:54PM -0500, Thor Lancelot Simon wrote:
>
> > I doubt it matters much for gre, but if this configuration stops working
> > with gif, it will become _impossible_ to talk to IPsec peers which do not
> > implement transport mode.
> 
> Is this for IPsec tunnel mode, implemented somehow via gif(4)?

IPsec tunnel mode uses the encapsulation code from gif(4).  This makes
sense, since the resulting packets on the wire are identical no matter
whether one uses a transport-mode IPsec SA and a gif interface to
accomplish the inner encapsulation, or a tunnel-mode SA.  In fact, it
might be considerably cleaner to explicitly configure cloning gif
interfaces for each tunnel-mode SA, because this avoids the ugly hack
used to route packets through the gif machinery by IPsec, and also
provides explicit filter points for the traffic before and after the
IPsec encapsulation or decapsulation.

Some IPsec peers don't implement transport mode and will negotiate
only tunnel mode with their own address as both inner and outer.  If it
became impossible to get the gif code to handle such packets even when
called as it is from IPsec (where the policy code directs the packets
into the tunnel, bypassing normal routing lookups) we'd end up unable
to talk to such peers.

Thor
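The on-the-wire equivalence the reply relies on (transport-mode ESP over a gif IP-in-IP packet versus a tunnel-mode SA carrying the same inner datagram) can be checked by constructing both layouts byte for byte. The script below is an added example; it is not part of this mail or of NetBSD's gif(4)/IPsec code. It models ESP with null encryption and no ICV so the structure stays visible, rebuilds the outer header rather than rewriting it in place, and uses constructed addresses, SPI and payload; all of those are assumptions of the example. The `inner_same_as_outer` switch reproduces the case the mail describes, a peer that negotiates tunnel mode with its own address as both inner and outer endpoint.

```python
import struct

# Protocol numbers as assigned by IANA.
IPPROTO_IPIP = 4    # IP-in-IP, what gif(4) emits for IPv4-over-IPv4
IPPROTO_UDP = 17
IPPROTO_ESP = 50


def ip_to_bytes(addr):
    """Dotted-quad string -> 4 network-order bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def checksum(data):
    """RFC 1071 ones'-complement sum, used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum.
    src/dst are 4-byte address values; TTL and ID are fixed for the model."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def gif_encap(inner, outer_src, outer_dst):
    """What gif(4) does: prepend an outer IPv4 header with protocol 4."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner


def esp_null(spi, seq, payload, next_header):
    """ESP (RFC 4303) with NULL encryption and no ICV (simplification):
    SPI | sequence | payload | padding | pad length | next header.
    Padding brings payload + 2 trailer bytes to a 32-bit boundary."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # default monotonic pad bytes
    return struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])


def esp_transport(packet, spi, seq):
    """Transport-mode SA: ESP is inserted between the existing IP header and
    its payload; the header's protocol field becomes ESP and the original
    protocol moves into the ESP trailer's next-header byte."""
    hdr, payload = packet[:20], packet[20:]
    orig_proto = hdr[9]
    src, dst = hdr[12:16], hdr[16:20]
    esp = esp_null(spi, seq, payload, orig_proto)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def esp_tunnel(inner, outer_src, outer_dst, spi, seq):
    """Tunnel-mode SA: the whole inner datagram is the ESP payload and a new
    outer header carrying protocol ESP is built around it."""
    esp = esp_null(spi, seq, inner, IPPROTO_IPIP)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


def wire_summary(packet):
    """Pick the fields a filter or decoder would look at on the wire."""
    return {
        "outer_proto": packet[9],
        "spi": struct.unpack("!I", packet[20:24])[0],
        "pad_len": packet[-2],
        "next_header": packet[-1],
    }


def build_both_ways(inner_same_as_outer=False):
    """Return (gif + transport-mode ESP, tunnel-mode ESP) for one constructed
    inner UDP datagram. With inner_same_as_outer=True the inner addresses are
    the outer addresses, the shape peers lacking transport mode negotiate."""
    outer_a, outer_b = ip_to_bytes("192.0.2.1"), ip_to_bytes("198.51.100.1")  # constructed
    if inner_same_as_outer:
        inner_src, inner_dst = outer_a, outer_b
    else:
        inner_src, inner_dst = ip_to_bytes("10.1.0.1"), ip_to_bytes("10.2.0.1")  # constructed
    udp = struct.pack("!HHHH", 40000, 53, 8 + 4, 0) + b"ping"  # constructed UDP, no checksum
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_UDP, len(udp)) + udp
    spi, seq = 0x1000, 1  # constructed SA parameters
    via_gif = esp_transport(gif_encap(inner, outer_a, outer_b), spi, seq)
    via_tunnel = esp_tunnel(inner, outer_a, outer_b, spi, seq)
    return via_gif, via_tunnel


if __name__ == "__main__":
    for same in (False, True):
        a, b = build_both_ways(same)
        print("inner==outer" if same else "distinct inner", "identical:", a == b, wire_summary(a))
```

Because both paths produce identical bytes, nothing on the wire tells the receiver which way the sender built the packet; that is why the gif code has to keep accepting the case where the inner and outer addresses coincide, even though that looks like a degenerate tunnel from the routing side.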