OT: IPSec Transport vs Tunnel modes (Was: VPN recommendations?)

• Previous message (by thread): VPN recommendations?
• Next message (by thread): OT: IPSec Transport vs Tunnel modes (Was: VPN recommendations?)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Bill,

On 2/12/22 8:55 PM, William Herrin wrote:
> It's tunnel mode plus a tunneling protocol plus some implicit routing 
> and firewalling which gets in the way of dynamic routing.

I assume you meant to say that it's /transport/ mode plus a tunneling 
protocol.

I wonder if you are thinking more of an IPSec VPN management suite of 
sorts, e.g. wizard / helper that is included in some devices.  I'm 
thinking at a very low (manual) level.  The "implicit routing" and 
"firewalling" are the strongest indicators of this to me.  The manual 
IPSec that I've done on Linux (via the `ip xfrm` command) doesn't touch 
firewalling and I believe that addresses inside the tunnel would be 
completely separate operations / commands.

> Try it if you don't believe me. Set up tunnel mode ipsec manually on 
> two nodes (no IKE) and get them talking to each other. Then change 
> one to transport mode and add I think it's an IPIP tunnel but I don't 
> remember for certain. And add the appropriate routes into the tunnel 
> virtual device. You'll find they talk.

Unfortunately I don't have the leisure time to do this experimentation 
currently.  As such I'm going to put this on my to-do pile for future 
investigation ~> follow up.

I do not recall reading about IPSec /Tunnel/ mode re-using an existing 
tunneling protocol; IPIP, etc.  Perhaps I'm misremembering.  Perhaps it 
inherently does so without declaring as such.

> What did you think IPSec was doing? Transport mode encrypts the layer 
> 4 and up of the packet between two machines; it doesn't encapsulate 
> it. When they added tunnel mode, the inner layer 3 had to go somewhere.

My understanding is that /Transport/ mode applies AH (no encryption) and 
/ or ESP (encryption) to L4 datagrams and that /Tunnel/ mode does the 
same to L3 packets.

P.S.  I'm sending this reply to NANOG in case anyone else has any 
contribution / comments.  I suspect any future reply will be directly to 
Bill as this is getting further off topic, both for NANOG in general and 
for this VPN recommendations thread.



-- 
Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4017 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20220215/b3ff6823/attachment.bin>

• Previous message (by thread): VPN recommendations?
• Next message (by thread): OT: IPSec Transport vs Tunnel modes (Was: VPN recommendations?)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]