LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 02-08-2013, 10:57 PM   #1
Skaperen
Senior Member
 
Registered: May 2009
Location: WV, USA
Distribution: Slackware, CentOS, Ubuntu, Fedora, Timesys, Linux From Scratch
Posts: 1,777
Blog Entries: 20

Rep: Reputation: 115Reputation: 115
Why does IPsec needs its own tunnel mode?


Why can't the tunnel mode of IPsec simply be another layer providing encapsulation? For example, if I have:

1. LAN#1 with subnet 172.24.0.0/16
2. Router#1 on LAN#1 with public IP 198.51.100.1
3. Router#2 on LAN#2 with public IP 203.0.113.1
4. LAN#2 with subnet 10.20.30.0/24

I cannot just route the 2 private subnets over the internet. I need to encapsulate them so that real routable IPs are the face of the packet, while the private IPs are just payload from the internet point of view. That's encapsulation.

Now all I need to do is have IPsec recognize that I want all traffic between 198.51.100.1 and 203.0.113.1 to be encrypted.

How is this not 2 distinct layers?
 
Old 02-09-2013, 06:09 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 1,985

Rep: Reputation: Disabled
IPsec tunnel mode IS a layer of encapsulation. The original datagram is encrypted, header and all, and encapsulated in an IP protocol 50 packet (IPsec ESP).

You could combine something like GRE and IPsec transport mode and achieve basically the same result.
 
Old 02-09-2013, 08:16 PM   #3
Skaperen
Senior Member
 
Registered: May 2009
Location: WV, USA
Distribution: Slackware, CentOS, Ubuntu, Fedora, Timesys, Linux From Scratch
Posts: 1,777
Blog Entries: 20

Original Poster
Rep: Reputation: 115Reputation: 115
Why isn't the encapsulation that IPsec has simply a separately defined protocol? Why is it "a part of" IPsec? Is it considered superior to other encapsulation protocols? Or is it specifically optimal for IPsec? Why is it considered a "mode" (transport vs. tunnel)? Can I have BOTH transported traffic (using public IP to public IP) as well as tunneled traffic (using private IP to private IP) on the same IPsec path?

I am interested in determining if it is possible to set up an IPsec encrypted tunnel for a VPN, where the point that IPsec encryption takes place is separate from where the tunnel endpoint (where encapsulation and decapsulation takes place). The following reprents 4 hosts, 2 LANs, and the Internet:

LAN#1----Encapsulator#1----Encryptor#1----(Internet)----Decryptor#2----Decapsulator#2----LAN#2

Last edited by Skaperen; 02-09-2013 at 08:34 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
CentOS IPSec Tunnel Mode with NAT-Traversal azrael808 Linux - Security 4 11-23-2012 03:37 PM
Strongswan - IPsec tunnel - can we have one way tunnel vishalwithme Linux - Networking 4 04-05-2012 12:07 AM
IPSec tunnel over multiple interfaces tylerl Linux - Networking 0 07-21-2005 05:07 PM
IPSEC Tunnel behind NAT pssst_yeah_you Linux - Networking 0 06-23-2004 04:54 PM
2.6 IPSEC Tunnel mode gateway mhiggins Linux - Networking 1 02-28-2004 01:50 PM


All times are GMT -5. The time now is 07:06 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration