On 18 apr 2006, at 10.59, Reyk Floeter wrote:
...
> - set the flows for each peer. any direct communication
> between the peers and the gateway will be bypassed (not
> encrypted) to allow the ISAKMP key exchange (a more
> complicated version is possible, i.e. with additional
> static flows, the "proto" keyword, ...)
This is an RFC requirement, even. When negotiating, isakmpd(8) uses
setsockopt(2) to get the key exchange traffic to be transmitted as
cleartext, regardless of any flows configured to encrypt peer to peer
data.
Any other (non-IKE) traffic is handled normally, i.e. may be encrypted.
For the main problem: it may be obvious, but getting two WLAN hosts to
do IPsec between each other via one or more gateways requires them to
be on different subnets (as in Reyk's example). IPsec is very much an
IP protocol, all general "IP routing" rules apply. For the kernel
to encrypt/decrypt a packet is basically a routing decision (not by
the same mechanism as IP routing, though).
For two hosts on the same subnet, the "direct delivery" case applies,
and if one wants IPsec it has to be set up between the two, directly.
That said, it is probably possible to come up with some crazy design
to "permit" this anyway, but IMO the administrative requirements to
keep it working will easily outweigh any operational gain. I'd try to
reconsider the intended purpose and use of the WLAN network (why is
protected node-node traffic needed? Can we avoid this
requirement?) ... or I'd try to find a good(!) L2 tunneling technique.
/H
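As an added illustration that is not part of the mail above and not OpenBSD code, the following small Python model shows the decision the mail describes: a first-match lookup over per-host flows (with a "proto"/port-restricted bypass for the IKE exchange to the gateway, and a "require" flow for the remote WLAN), the per-socket bypass that isakmpd(8) obtains via setsockopt(2) modelled as a flag, and the "direct delivery" rule that makes a gateway-based flow irrelevant for two hosts on the same subnet. The subnets, gateway address and flow entries are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Flow:
    """One policy entry, in the spirit of an ipsec.conf(5) 'flow' line (constructed model)."""
    src: str                      # source network, CIDR
    dst: str                      # destination network, CIDR
    kind: str                     # "bypass" (cleartext) or "require" (must be ESP)
    proto: Optional[str] = None   # transport protocol, None = any (the "proto" keyword)
    dport: Optional[int] = None   # destination port, None = any
    peer: Optional[str] = None    # gateway the ESP tunnel terminates on, for "require"

    def matches(self, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


# Constructed topology: two WLAN subnets; 10.1.0.1 is the gateway and IPsec
# peer for hosts on WLAN A.
WLAN_A = "10.1.0.0/24"
WLAN_B = "10.2.0.0/24"
GW_A = "10.1.0.1"

# Constructed policy for a host on WLAN A; first match wins.
SPD = [
    # IKE (UDP 500) between the host and its gateway must stay in the clear,
    # otherwise the key exchange could never complete.
    Flow(WLAN_A, GW_A + "/32", "bypass", proto="udp", dport=500),
    # Everything else towards WLAN B has to go through the ESP tunnel to GW_A.
    Flow(WLAN_A, WLAN_B, "require", peer=GW_A),
]


def policy(spd, src: str, dst: str, proto: str, dport: Optional[int] = None,
           socket_bypass: bool = False) -> Tuple[str, Optional[str]]:
    """Return (action, peer) for one outbound packet.

    socket_bypass models the per-socket override isakmpd(8) sets with
    setsockopt(2): it wins regardless of any flow. Otherwise the first
    matching flow decides; no match means ordinary cleartext delivery.
    """
    if socket_bypass:
        return "bypass", None
    for f in spd:
        if f.matches(src, dst, proto, dport):
            return f.kind, f.peer
    return "none", None


def delivery(src: str, dst: str, prefixlen: int = 24) -> str:
    """Plain IP routing rule: same subnet means direct delivery, no gateway involved."""
    net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
    return "direct" if ipaddress.ip_address(dst) in net else "via-gateway"


def decide(src: str, dst: str, proto: str, dport: Optional[int] = None,
           socket_bypass: bool = False) -> Tuple[str, Optional[str], str]:
    """Combine the policy lookup with the routing decision for the constructed SPD."""
    action, peer = policy(SPD, src, dst, proto, dport, socket_bypass)
    return action, peer, delivery(src, dst)


if __name__ == "__main__":
    for args in [("10.1.0.5", GW_A, "udp", 500),      # IKE to the gateway: bypass
                 ("10.1.0.5", "10.2.0.7", "tcp", 22),  # other WLAN: require, via gateway
                 ("10.1.0.5", "10.1.0.6", "tcp", 22)]: # same subnet: no flow, direct
        print(args, "->", decide(*args))
```

The third case is the point of the mail: the packet to 10.1.0.6 is delivered directly on the local subnet, so a flow that tunnels through the gateway never sees it; if that traffic is to be protected, a flow (and an SA) between the two hosts themselves is needed.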