tech-net archive


Re: IPsec vs ssh



On Nov 14,  8:27pm, Thor Lancelot Simon wrote:
} On Mon, Nov 11, 2013 at 05:40:44PM -0800, John Nemeth wrote:
} > On Nov 12, 12:28pm, Darren Reed wrote:
} > } On 12/11/2013 7:48 AM, John Nemeth wrote:
} > } ...
} > } > } > } > Also, just encrypting icmp is next to useless.
} > } > } > } 
} > } > } > } Encrypting only icmp is perfect for testing until the configuration
} > } > } > } is correct and properly operationalised.
} > } > } > 
} > } > } >      True enough.  Does the tunnel come up and work?  Can you ping
} > } > } > both directions through the tunnel?
} > } > } 
} > } > } Almost.
} > } > 
} > } >      Then this is the real problem:  you don't have a viable tunnel.
} > } > 
} > } >      You might want to use "setkey -D" and/or "setkey -D -P" to
} > } > see what the kernel is seeing.
} > } 
} > } Why do I need a tunnel?
} > 
} >     A tunnel is basically encapsulation of any sort.  So, when you
} 
} Wrong, wrong, wrong.  IPsec has separate tunnel and transport modes.

     If you had been following the thread and seen the configuration
examples, you would have seen that he was using IPsec in tunnel
mode.  Transport mode, of course, doesn't encapsulate the packet;
it simply adds an ESP header (and encrypts the data portion) or an
AH header.  Regardless of this, the statement that, "A tunnel is
basically encapsulation of any sort," stands on its own, and is
correct.  NOT WRONG!!!

}-- End of excerpt from Thor Lancelot Simon
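The distinction drawn in the reply above, shown at the byte level: in transport mode the original IP header stays on the wire and ESP wraps only the transport payload, while in tunnel mode the whole original packet (header included) becomes the ESP payload behind a new outer header carrying the gateway addresses. This is an added example for the thread, not code from it and not NetBSD's IPsec implementation. Everything in it is constructed: the host and gateway addresses (documentation ranges), the key, the SPIs and the ICMP payload. The cipher is a stand-in keystream (HMAC-SHA256 in counter mode) so the script runs with the standard library alone, and the ICV is truncated to 12 bytes; only the ESP framing (RFC 4303 header, trailer, Next Header field) is meant to be faithful. It goes slightly beyond the text by also reversing both modes and recovering the mode from the ESP Next Header value.

```python
# ESP transport vs tunnel framing (RFC 4303), standard library only.
# Added illustration, not code from the thread or from NetBSD. The cipher is a
# stand-in keystream (HMAC-SHA256 in counter mode), NOT a real ESP transform.
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_ICMP, IPPROTO_IPIP, IPPROTO_ESP = 1, 4, 50   # IPIP = ESP Next Header in tunnel mode
ICV_LEN = 12                                          # truncated ICV, demo only


def inet_checksum(data):
    """RFC 1071 one's-complement checksum (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header, no options, valid checksum."""
    f = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    f[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *f))
    return struct.pack("!BBHHHBBH4s4s", *f)


def icmp_echo(ident, seq, data):
    """ICMP echo request with a valid checksum."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def keystream(key, iv, n):
    blocks = (hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def esp_encap(key, spi, seq, payload, next_header):
    """ESP body: SPI | seq | IV | E(payload | pad | padlen | NH) | ICV."""
    pad_len = -(len(payload) + 2) % 4                  # trailer 4-byte aligned
    pt = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    hdr = struct.pack("!II", spi, seq)
    iv = hashlib.sha256(key + hdr).digest()[:8]        # per-packet IV (demo only)
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, iv, len(pt))))
    icv = hmac.new(key, hdr + iv + ct, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + iv + ct + icv


def esp_decap(key, esp):
    """Check ICV, decrypt, strip trailer -> (next_header, payload)."""
    hdr, iv, ct, icv = esp[:8], esp[8:16], esp[16:-ICV_LEN], esp[-ICV_LEN:]
    good = hmac.new(key, hdr + iv + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, good):
        raise ValueError("ESP ICV mismatch")
    pt = bytes(a ^ b for a, b in zip(ct, keystream(key, iv, len(ct))))
    pad_len, next_header = pt[-2], pt[-1]
    return next_header, pt[:len(pt) - 2 - pad_len]


def addrs(hdr):
    return str(ipaddress.IPv4Address(hdr[12:16])), str(ipaddress.IPv4Address(hdr[16:20]))


def protect(mode, key, spi, seq, packet, gw_src=None, gw_dst=None):
    """Apply ESP to an IPv4 packet in 'transport' or 'tunnel' mode."""
    if mode == "transport":
        # Original header is kept (protocol becomes ESP); only the transport
        # payload goes inside ESP. Nothing is encapsulated.
        esp = esp_encap(key, spi, seq, packet[20:], packet[9])
        return ipv4_header(*addrs(packet), IPPROTO_ESP, len(esp), packet[8]) + esp
    if mode == "tunnel":
        # Whole original packet, header included, becomes the ESP payload and
        # a new outer header with the gateway addresses is prepended.
        esp = esp_encap(key, spi, seq, packet, IPPROTO_IPIP)
        return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp
    raise ValueError("mode must be 'transport' or 'tunnel'")


def unprotect(key, wire):
    """Reverse protect(); the mode is read from the ESP Next Header."""
    if wire[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    next_header, payload = esp_decap(key, wire[20:])
    if next_header == IPPROTO_IPIP:
        return "tunnel", payload                       # original packet, verbatim
    return "transport", ipv4_header(*addrs(wire), next_header, len(payload), wire[8]) + payload


def inner_addrs_in_clear(wire, packet):
    """True if the protected packet's own src/dst sit in the cleartext outer header."""
    return addrs(wire) == addrs(packet)


# Constructed sample: ICMP echo from 10.0.1.1 to 10.0.2.1 via gateways
# 192.0.2.1 and 198.51.100.1 (documentation addresses), fixed demo key.
KEY = b"demo-key-not-for-real-use-000000"
ICMP = icmp_echo(0x1234, 1, b"ping test through ipsec")
PACKET = ipv4_header("10.0.1.1", "10.0.2.1", IPPROTO_ICMP, len(ICMP)) + ICMP
TRANSPORT = protect("transport", KEY, 0x1001, 1, PACKET)
TUNNEL = protect("tunnel", KEY, 0x1002, 1, PACKET, "192.0.2.1", "198.51.100.1")

if __name__ == "__main__":
    for name, wire in ("transport", TRANSPORT), ("tunnel", TUNNEL):
        print(name, len(wire), "bytes, outer header shows", addrs(wire),
              "round-trip ok:", unprotect(KEY, wire)[1] == PACKET)
```

The two wires differ exactly where the reply says they do: the transport-mode packet is the original header with its protocol field changed to ESP, so an on-path observer still sees 10.0.1.1 and 10.0.2.1; the tunnel-mode packet shows only the gateway addresses and carries the original header inside the ciphertext, at the cost of 20 extra bytes. On a NetBSD host the same choice is the mode of the SPD entry (esp/transport versus esp/tunnel/gateway-gateway in setkey's spdadd syntax), which is what `setkey -D -P` prints, while `setkey -D` shows whether a matching SA exists at all.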

