tech-net archive
Re: IPsec vs ssh
On 12/11/2013 12:40 PM, John Nemeth wrote:
> On Nov 12, 12:28pm, Darren Reed wrote:
> } On 12/11/2013 7:48 AM, John Nemeth wrote:
> } ...
> } > } > } > Also, just encrypting icmp is next to useless.
> } > } > }
> } > } > } Encrypting only icmp is perfect for testing until the configuration
> } > } > } is correct and properly operationalised.
> } > } >
> } > } > True enough. Does the tunnel come up and work? Can you ping
> } > } > both directions through the tunnel?
> } > }
> } > } Almost.
> } >
> } > Then this is the real problem: you don't have a viable tunnel.
> } >
> } > You might want to use "setkey -D" and/or "setkey -D -P" to
> } > see what the kernel is seeing.
> }
> } Why do I need a tunnel?
>
> A tunnel is basically encapsulation of any sort. So, when you
> encapsulate any kind of packet with an IPSec (ESP) wrapper, you
> have essentially created a tunnel.
Ah, ok, then yes, the tunnel is created by the SPD in ipsec.conf.
I wasn't sure if you were referring to a gif, etc, style of tunnel.
FWIW, I get 3 out of 4 "IPsec-SA established" messages. Unfortunately
unless you get all four, it does not work.
Kind Regards,
Darren
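The thread's diagnostic advice is to compare what "setkey -D" (the SAD, i.e. the SAs that actually exist) shows against "setkey -D -P" (the SPD from ipsec.conf, i.e. what the kernel requires), because a "require" policy with no mature SA behind it drops traffic instead of passing it. The script below is an added example, not code from the thread or from NetBSD: it parses both dumps and reports every policy whose SA is missing or not yet mature, which is exactly the "3 out of 4" situation described above. The two sample dumps are constructed to follow the KAME/NetBSD setkey output layout and are not captured from the hosts in this discussion; the address ranges and SPIs are made up.

```python
"""Cross-check the kernel's SAD (`setkey -D`) against its SPD (`setkey -D -P`):
a policy that requires ESP/AH is only usable once a mature SA exists for the
same endpoints and direction; otherwise packets matching it are dropped.
Added example; both dumps are constructed to mimic KAME/NetBSD setkey output."""
import re

# Constructed `setkey -D` (SAD) output: three mature SAs and one still larval.
SAD_SAMPLE = """\
192.0.2.1 192.0.2.2
\tesp mode=transport spi=1001(0x000003e9) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.2 192.0.2.1
\tesp mode=transport spi=1002(0x000003ea) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.1 192.0.2.3
\tesp mode=transport spi=1003(0x000003eb) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.3 192.0.2.1
\tesp mode=transport spi=1004(0x000003ec) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=larval
"""

# Constructed `setkey -D -P` (SPD) output: icmp-only policies, both directions, two peers.
SPD_SAMPLE = """\
192.0.2.2[any] 192.0.2.1[any] icmp
\tin ipsec
\tesp/transport//require
192.0.2.1[any] 192.0.2.2[any] icmp
\tout ipsec
\tesp/transport//require
192.0.2.3[any] 192.0.2.1[any] icmp
\tin ipsec
\tesp/transport//require
192.0.2.1[any] 192.0.2.3[any] icmp
\tout ipsec
\tesp/transport//require
"""


def _strip_port(addr):
    """'192.0.2.1[any]' -> '192.0.2.1'; selectors and NAT-T SAs carry ports."""
    return addr.split("[", 1)[0]


def parse_sad(text):
    """Return a (src, dst, proto, state) tuple for every SA in `setkey -D` output."""
    sas, cur = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("No "):   # "No SAD entries."
            continue
        if not line[0].isspace():                          # header line: "src dst"
            src, dst = line.split()[:2]
            cur = [_strip_port(src), _strip_port(dst), None, None]
            sas.append(cur)
        elif m := re.match(r"\s*(esp|ah|ipcomp)\s+mode=", line):
            cur[2] = m.group(1)
        elif m := re.search(r"\bstate=(\w+)", line):
            cur[3] = m.group(1)
    return [tuple(sa) for sa in sas]


def parse_spd(text):
    """Return one dict per policy in `setkey -D -P` output; each rule is
    (proto, mode, sa_src, sa_dst, level). Transport-mode SAs run between the
    selector addresses, tunnel-mode SAs between the A-B pair in the rule."""
    policies, cur = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("No "):
            continue
        s = line.strip()
        if not line[0].isspace():                          # header: "src[port] dst[port] upper"
            parts = s.split()
            cur = {"src": _strip_port(parts[0]), "dst": _strip_port(parts[1]),
                   "upper": parts[2] if len(parts) > 2 else "any",
                   "dir": None, "action": None, "rules": []}
            policies.append(cur)
        elif m := re.match(r"(in|out|fwd)\s+(ipsec|discard|none)", s):
            cur["dir"], cur["action"] = m.group(1), m.group(2)
        elif m := re.match(r"(esp|ah|ipcomp)/(transport|tunnel)/([^/]*)/(\w+)", s):
            proto, mode, endpoints, level = m.groups()
            sa_src, sa_dst = (endpoints.split("-", 1) if mode == "tunnel" and "-" in endpoints
                              else (cur["src"], cur["dst"]))
            cur["rules"].append((proto, mode, sa_src, sa_dst, level))
    return policies


def missing_sas(sas, policies):
    """Return (dir, src, dst, proto, mode, upper) for each policy that demands
    IPsec but has no mature SA for its endpoints; empty means all policies
    can carry traffic. Level 'use' is skipped: it falls back to cleartext."""
    mature = {(s, d, p) for (s, d, p, state) in sas if state == "mature"}
    gaps = []
    for pol in policies:
        if pol["action"] != "ipsec":
            continue
        for proto, mode, sa_src, sa_dst, level in pol["rules"]:
            if level in ("require", "unique") and (sa_src, sa_dst, proto) not in mature:
                gaps.append((pol["dir"], sa_src, sa_dst, proto, mode, pol["upper"]))
    return gaps


if __name__ == "__main__":
    for gap in missing_sas(parse_sad(SAD_SAMPLE), parse_spd(SPD_SAMPLE)):
        print("no mature SA for %s policy %s -> %s (%s/%s, %s)" % gap)
```

On a live host, replace the two constants with the output of `setkey -D` and `setkey -D -P` (for example via `subprocess.run`). With the constructed dumps the script reports a single gap, the inbound policy from 192.0.2.3 whose SA is still larval: that is the "ping works one way but not the other" symptom the thread describes, and a one-way SA set is exactly the case where only some of the expected "IPsec-SA established" messages appear.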