Re: VPN recommendations?

[William Herrin <bill () herrin us>]

On Sat, Feb 12, 2022 at 12:26 PM Grant Taylor via NANOG <nanog () nanog org> wrote:
> On 2/11/22 12:35 PM, William Herrin wrote:
> > The thing to understand is that IPSec has two modes: transport and
> > but you can deconstruct it: it's built up from transport mode +
> > a tunnel protocol (gre or ipip I don't remember which) + implicit
> > routing and firewalling which wreaks havoc on dynamic routing.
>
> I question the veracity of that statement.  It may be that's what many
> implementations / administration systems do.  But I really thought that
> IPSec /Tunnel/ Mode was more than just IPSec /Transport/ Mode combined
> with some tunneling protocol.

It's tunnel mode plus a tunneling protocol plus some implicit routing
and firewalling which gets in the way of dynamic routing.

Try it if you don't believe me. Set up tunnel mode ipsec manually on
two nodes (no IKE) and get them talking to each other. Then change one
to transport mode and add I think it's an IPIP tunnel but I don't
remember for certain. And add the appropriate routes into the tunnel
virtual device. You'll find they talk.

What did you think IPSec was doing? Transport mode encrypts the layer
4 and up of the packet between two machines; it doesn't encapsulate
it. When they added tunnel mode, the inner layer 3 had to go
somewhere.

Regards,
Bill Herrin

-- 
William Herrin
bill () herrin us
https://bill.herrin.us/