tech-net archive


Re: IPsec vs ssh



Darren Reed <darrenr%netbsd.org@localhost> writes:

> On 12/11/2013 12:40 PM, John Nemeth wrote:

>>     A tunnel is basically encapsulation of any sort.  So, when you
>> encapsulate any kind of packet with an IPSec (ESP) wrapper, you
>> have essentially created a tunnel.

If you use tunnel mode, yes.  One can also use transport mode, where
IP:TCP is replaced by IP:ESP[TCP] (note that there is no outer header and
the original header is not inside the ESP payload).  But in the modern
world, that's odd.

> Ah, ok, then yes, the tunnel is created by the SPD in ipsec.conf.
> I wasn't sure if you were referring to a gif, etc, style of tunnel.

Exactly; it's internal to the IPsec implementation.

> FWIW, I get 3 out of 4 "IPsec-SA established" messages. Unfortunately
> unless you get all four, it does not work.

That's a huge clue. I would turn up racoon debugging.

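As an added example (not part of the original post or of the NetBSD tree) of how the SPD in ipsec.conf declares the "tunnel" the reply refers to, the following setkey(8) policy fragment puts the two modes discussed above side by side. The addresses are constructed for illustration: 192.0.2.1 and 198.51.100.1 stand for the two IPsec gateways, 10.0.1.0/24 and 10.0.2.0/24 for the networks behind them. racoon is assumed to negotiate the SAs from these policies, so no SAD entries are added by hand.

```conf
# Added example, not from the thread: ipsec.conf policies for setkey(8)
# contrasting transport mode and tunnel mode ESP.
# Constructed addresses: 192.0.2.1 and 198.51.100.1 are the gateways,
# 10.0.1.0/24 and 10.0.2.0/24 the networks behind them.
# SAs are assumed to be negotiated by racoon; only the SPD is populated here.

spdflush;

# Transport mode, host to host between the gateways themselves.
# The selector is the hosts' own addresses and the tunnel-endpoint field is
# empty ("//"): the packet keeps its original IP header and only the upper
# layer goes inside ESP, i.e. IP:TCP becomes IP:ESP[TCP].
spdadd 192.0.2.1 198.51.100.1 any -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 any -P in  ipsec esp/transport//require;

# Tunnel mode, site to site.
# The selector is the inner traffic (whole networks) and the tunnel endpoints
# are the gateways: the original packet, header included, is encapsulated
# whole, i.e. OuterIP:ESP[InnerIP:TCP]. This is the tunnel created by the SPD;
# no gif(4) or other interface-style tunnel is involved.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;
```

The file is loaded with `setkey -f /etc/ipsec.conf`; `setkey -DP` then dumps the policies and `setkey -D` the SAs that racoon has actually established, so the two can be counted against each other (each negotiated phase 2 yields an inbound and an outbound SA for a policy pair). When some of the expected SAs never appear, as in the problem above, running racoon in the foreground with the debug level raised (`racoon -F -d -d -d`, each `-d` increasing the level) shows which exchange fails and why.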


