Darren Reed <darrenr%netbsd.org@localhost> writes: > On 12/11/2013 12:40 PM, John Nemeth wrote: >> A tunnel is basically encapsulation of any sort. So, when you >> encapsulate any of kind of packet with an IPSec (ESP) wrapper, you >> have essentially created a tunnel. If you use tunnel mode, yes. One can also use transport mode, where IP:TCP is replaced by IP:ESP[TCP] (note that there is no outer header and the original header is not inside the ESP payload. But in the modern world, that's odd. > Ah, ok, then yes, the tunnel is created by the SPD in ipsec.conf. > I wasn't sure if you were referring to a gif, etc, style of tunnel. Exactly; it's internal to the IPsec implementation. > FWIW, I get 3 out of 4 "IPsec-SA established" messages. Unfortunately > unless you get all four, it does not work. That's a huge clue. I would turn up racoon debugging.
Description: PGP signature