Subject: Re: gre encap destination = point-to-point destination
To: Bill Stouder-Studenmund <>
From: Daniel Carosone <>
List: tech-net
Date: 05/10/2007 07:56:30
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, May 09, 2007 at 01:49:47PM -0700, Bill Stouder-Studenmund wrote:
> Transport mode IPsec plus GRE produces packets that look the same on the
> wire as those from Tunnel mode IPsec. The difference is in the attached
> policy. Transport mode + IP tunnelling lets you add all sorts of routing
> on top of the tunnels.

Not just that; it also gives you several other benefits of having an
explicit interface to represent the tunnelling step separately from
the encryption step.  In particular, you get an explicit inside-tunnel
MTU and explicit inside-tunnel ipf/pf filtering/NAT rules.

One of the common reasons to want to use the same inner and outer GRE
address relates to INADDR_ANY source address selection (and listening
sockets) for programs on the box itself.  That can be worked around
with NAT on the gre interface, just as you would for ppp or any other
"WAN" interface where you don't really want to advertise/use the
link-segment address for application traffic (e.g. it belongs to your
ISP and resolves to their PTR domain).
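The explicit inside-tunnel MTU mentioned above exists because GRE plus transport-mode ESP adds a fixed amount of encapsulation overhead, and ESP additionally pads the payload to the cipher block size, so the inner MTU is not simply "outer MTU minus a constant". The following is an added example, not code from the thread or from NetBSD; it computes the largest inner packet that still fits the outer path MTU for an IPv4 GRE tunnel carried in transport-mode ESP. The header sizes are from RFC 2784/2890 (GRE) and RFC 4303 (ESP); the cipher parameters (AES-CBC with a 16-byte IV and HMAC-SHA1-96 with a 12-byte ICV by default, AES-GCM as an alternative) are assumptions chosen for the illustration.

```python
"""Inside-tunnel MTU for IPv4 GRE carried in transport-mode ESP.

Added example (not from the mailing-list thread). Wire layout assumed:
  outer IPv4 | ESP hdr | IV | GRE hdr | inner IPv4 packet | ESP pad+trailer | ICV
"""

IPV4_HDR = 20        # outer IPv4 header, no options
GRE_BASE_HDR = 4     # flags/version + protocol type (RFC 2784)
GRE_KEY = 4          # optional key field (RFC 2890)
GRE_SEQ = 4          # optional sequence number field (RFC 2890)
ESP_HDR = 8          # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2      # pad length + next header


def esp_overhead(payload_len, iv_len=16, block=16, icv_len=12):
    """Bytes ESP adds around a payload of payload_len bytes.

    Defaults assume AES-CBC (16-byte IV, 16-byte block) with HMAC-SHA1-96
    (12-byte ICV). ESP pads (payload + trailer) up to the block size.
    """
    pad = (-(payload_len + ESP_TRAILER)) % block
    return ESP_HDR + iv_len + pad + ESP_TRAILER + icv_len


def wire_size(inner_len, gre_opts=0, iv_len=16, block=16, icv_len=12):
    """Total on-wire size of an inner packet of inner_len bytes.

    gre_opts is the size of optional GRE fields in use (GRE_KEY, GRE_SEQ).
    """
    gre_payload = GRE_BASE_HDR + gre_opts + inner_len
    return IPV4_HDR + esp_overhead(gre_payload, iv_len, block, icv_len) + gre_payload


def inside_mtu(outer_mtu, gre_opts=0, iv_len=16, block=16, icv_len=12):
    """Largest inner packet whose encapsulated form fits outer_mtu.

    A downward search is used because the ESP padding makes wire_size()
    non-monotonic in steps of one block; the first fit is the answer.
    """
    for inner in range(outer_mtu, 0, -1):
        if wire_size(inner, gre_opts, iv_len, block, icv_len) <= outer_mtu:
            return inner
    raise ValueError("outer MTU too small for any inner packet")


if __name__ == "__main__":
    # Constructed sample: Ethernet outer path, no GRE key/seq.
    cbc = inside_mtu(1500)
    gcm = inside_mtu(1500, iv_len=8, block=4, icv_len=16)
    print(f"AES-CBC/HMAC-SHA1-96: inside MTU {cbc}, wire {wire_size(cbc)}")
    print(f"AES-GCM (16-byte ICV): inside MTU {gcm}, "
          f"wire {wire_size(gcm, iv_len=8, block=4, icv_len=16)}")
```

The value returned is what the gre interface's MTU would be set to (or rounded down further, to a figure such as 1400, to leave headroom for path-MTU differences); setting it on the tunnel interface rather than relying on outer-path fragmentation is exactly the benefit of having the tunnelling step represented by its own interface.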
