tech-net archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: IPsec vs ssh
On Nov 14, 8:27pm, Thor Lancelot Simon wrote:
} On Mon, Nov 11, 2013 at 05:40:44PM -0800, John Nemeth wrote:
} > On Nov 12, 12:28pm, Darren Reed wrote:
} > } On 12/11/2013 7:48 AM, John Nemeth wrote:
} > } ...
} > } > } > } > Also, just encrypting icmp is next to useless.
} > } > } > }
} > } > } > } Encrypting only icmp is perfect for testing until the
configuration
} > } > } > } is correct and properly operationalised.
} > } > } >
} > } > } > True enough. Does the tunnel come up and work? Can you ping
} > } > } > both directions through the tunnel?
} > } > }
} > } > } Almost.
} > } >
} > } > Then this is the real problem: you don't have a viable tunnel.
} > } >
} > } > You might want to use "setkey -D" and/or "setkey -D -P" to
} > } > see what the kernel is seeing.
} > }
} > } Why do I need a tunnel?
} >
} > A tunnel is basically encapsulation of any sort. So, when you
}
} Wrong, wrong, wrong. IPsec has separate tunnel and transport modes.
If you had been following the thread, and seen the configuration
examples you would have seen that he was using IPSec in tunnel
mode. Transport mode, of course, doesn't encapsulate the packet;
it simply adds an ESP header (and encrypts the data portion) or an
AH header. Regardless of this, the statement that, "A tunnel is
basically encapsulation of any sort," stands on it's own, and is
correct. NOT WRONG!!!
}-- End of excerpt from Thor Lancelot Simon
Home |
Main Index |
Thread Index |
Old Index