Hi,

The background to this question is this thread I raised in January:

http://marc.info/?t=126330232800003&r=1&w=1

I didn't have chance to continue with it then, but I had a need to revisit this recently so I dug up my notes again.

I'm not sure how much of RFC 3884 [1] is actually pertinent to what I'm asking, but I'm basically wondering if it's possible to do what Stuart Henderson suggested in his last message, i.e. getting isakmpd to negotiate tunnel mode but actually setting up a transport mode SA with a peer on my OpenBSD host so that along with the encapsulation performed by the gif interface, the packet format ends up being the same as what the peer with its tunnel mode SA will send me. This I believe should fix the problem I initially discovered.

I did notice in gif(4) this bit in BUGS:

"For example, you cannot usually use gif to talk with IPsec devices that use IPsec tunnel mode."

FSVO "usually"?

If this isn't currently possible, where would one start modifying code given there's isakmpd(8), ipsecctl(8), and now iked(8) on the horizon?

Thanks

Matt

[1] http://www.faqs.org/rfcs/rfc3884.html