Håkan, thanks for your clarification on Reyk's explanation, and thank you Reyk too.

On 18/04/06, Håkan Olsson <[EMAIL PROTECTED]> wrote:

> For the main problem; it may be obvious but getting two WLAN hosts to
> do IPsec between each other via one or more gateways requires them to
> be on different subnets (as in Reyk's example).

Obvious to someone who has a decent understanding of TCP/IP, perhaps ;-) Obviously I am very much a novice!

> IPsec is very much an IP protocol, all general "IP routing" rules apply. For the kernel
> to encrypt/decrypt a packet is basically a routing decision (not by
> the same mechanism as IP routing, though).

This was where I needed some assistance. Your explanation and Reyk's examples have clarified this for me.

> For two hosts on the same subnet, the "direct delivery" case applies,
> and if one wants IPsec it has to be set up between the two, directly.

Yes, that makes sense to me now. I guess I was thinking of something like a switched LAN, but thinking about that, a conventional switched ethernet LAN is insecure as well.

> That said, it is probably possible to come up with some crazy design
> to "permit" this anyway, but IMO the administrative requirements to
> keep it working will easily outweigh any operational gain. I'd try to
> reconsider the intended purpose and use of the WLAN network (why is
> protected node-node traffic needed? Can we avoid this
> requirement?) ... or I'd try to find a good(!) L2 tunneling technique.

My (perhaps rather naive) requirement is to create something similar to a WEP/WPA protected WLAN but using secure, open source tools instead of the insecure, poorly designed tools that abound. I'm reasonably confident now that I know the correct path to take.

Many thanks again,
Damon