IPSEC in tunnel mode ( possible? )

Crist J. Clark cristjc at comcast.net
Thu Oct 30 15:30:04 PST 2003


On Wed, Oct 29, 2003 at 06:15:40PM -0200, Nucleo de Pesquisa e Desenvolvimento wrote:
>    Hi everyone,
> 
>    I know it is kind of an off-topic question, but maybe another network admin
> has already faced the following:
> 
>       client--[__ipsec__]--gw--[__ip__]--internet
> 
>    I, trying to secure a wireless link, want to have my clients using
> ipsec on the segment between the gateway gw and the machine itself even
> when the traffic is to the internet and not only to the gateway (which
> works fine in transport mode anyway). The clients are Windows
> machines.
>    According to Microsoft 252735, tunnel is possible when a Windows
> machine is acting as a gateway, which is not our scenario, where machines
> are only clients...

Sometimes you read something and you just wanna pound someone so, so
hard with a clue bat,

  "Windows 2000 IPSec tunneling is not supported for client remote
   access VPN use because the IETF IPSec RFCs do not currently provide
   a remote access solution in the Internet Key Exchange (IKE) protocol
   for client-to-gateway connections."

First, IPsec is a peer-to-peer protocol. There are no clients and
servers, only peers. Second, IKE is not part of IPsec. IKE is a nice
standard for setting up IPsec SAs, but it is not required and is not
the only way to set up SAs. Third, there are plenty of ways to do
IKE authentication in a "client-to-server-like" fashion. A zillion
other vendors have somehow managed to figure this out, M$.

>    Could anyone point me to some URL or send me keywords I should look
> for, please? If things won't work with ipsec I'll do it with MPD... but
> I still should have asked it here.

FWIW, I ended up using mpd for Windows machines in this exact same
scenario.
-- 
Crist J. Clark                     |     cjclark at alum.mit.edu
                                   |     cjclark at jhu.edu
http://people.freebsd.org/~cjc/    |     cjc at freebsd.org
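The reply's point that IPsec has only peers and that IKE is just one way to set up SAs, as an added example that is not from the thread: a gateway-side setkey(8) script for FreeBSD that installs manually keyed tunnel-mode SAs covering all of the client's traffic, not only traffic to gw, in the client--gw--internet layout the poster describes. The addresses, SPIs and keys are constructed placeholders; the peer on the client side needs the same SPIs and keys with source and destination reversed.

```shell
# Gateway-side setkey(8) script: manually keyed tunnel-mode SAs between the
# client and gw, no IKE. Topology: client--[__ipsec__]--gw--[__ip__]--internet
# All addresses, SPIs and keys are constructed placeholders.

# hex_len 0xHEX -> prints the number of hex digits, fails on anything else
hex_len() {
    case "$1" in 0x*) ;; *) return 1 ;; esac
    s=${1#0x}
    case "$s" in *[!0-9a-fA-F]*|"") return 1 ;; esac
    printf '%s\n' "${#s}"
}

# check_sa_keys ENC_KEY AUTH_KEY: setkey only complains at load time, so
# verify lengths first: rijndael-cbc (128-bit) needs 32 hex digits,
# hmac-sha2-256 needs 64.
check_sa_keys() {
    [ "$(hex_len "$1")" = 32 ] && [ "$(hex_len "$2")" = 64 ]
}

# gen_tunnel_conf CLIENT GW SPI_C2G SPI_G2C ENC_C2G AUTH_C2G ENC_G2C AUTH_G2C
# Prints the gateway's setkey script. The client peer needs the same SPIs
# and keys with src/dst reversed. SPIs below 0x100 are reserved (RFC 4303).
gen_tunnel_conf() {
    check_sa_keys "$5" "$6" && check_sa_keys "$7" "$8" || return 1
    cat <<EOF
flush;
spdflush;
# One SA per direction; each SA has its own SPI and its own keys.
add $1 $2 esp $3 -m tunnel -E rijndael-cbc $5 -A hmac-sha2-256 $6;
add $2 $1 esp $4 -m tunnel -E rijndael-cbc $7 -A hmac-sha2-256 $8;
# Policy: all traffic to and from the client must use the tunnel,
# whatever its final destination (0.0.0.0/0), not only gw itself.
spdadd $1/32 0.0.0.0/0 any -P in  ipsec esp/tunnel/$1-$2/require;
spdadd 0.0.0.0/0 $1/32 any -P out ipsec esp/tunnel/$2-$1/require;
EOF
}

# apply_tunnel_conf: same arguments; loads the script into the kernel (root).
apply_tunnel_conf() {
    gen_tunnel_conf "$@" | setkey -c
}
```

Manually keyed SAs never rekey, so this is mainly a way to confirm that tunnel-mode policy for the whole 0.0.0.0/0 selector works before a key-management daemon is brought in.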