On 1/17/06, Peter <[EMAIL PROTECTED]> wrote:
> 2. What is the use of forcing IP-in-IP (-forcetunnel) when setting up an
> SA?  The vpn manpage example does this without explanation.

So that it won't use transport mode, which may be the default?

If you're setting up a vpn, you have more than one computer "visible"
at one end (or both).  You need to encapsulate the whole packet if you
are to get it to the right machine, because with transport mode it
gets delivered to the machine which decrypts/authenticates it.  So
VPNs always use tunnel mode.

I believe Schneier & co. showed that tunnel mode was sufficient, and
that it'd be simpler to just have that.  I remember reading somewhere
else that someone showed transport mode was sufficient, too.
--
"The generation of random numbers is too important to be left to chance."
  -- Robert Coveyou -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
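To make the tunnel-mode point above concrete, here is an added example (not from the list post or any IPsec implementation) that builds IP-in-IP packets the way -forcetunnel layers them, with the encryption step left out: it constructs an inner IPv4 packet, wraps it in an outer header addressed to the remote gateway, and shows that only tunnel mode lets the receiving gateway recover the real inner destination. All addresses and the "hello" payload are constructed sample values.

```python
import socket
import struct

IPPROTO_IPIP = 4  # protocol number for IP-in-IP encapsulation (tunnel mode)


def _checksum(data: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, TTL 64) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse an IPv4 header, verifying its checksum before trusting it."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if _checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "payload": pkt[ihl:total_len]}


def tunnel_encapsulate(inner_pkt: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole inner packet becomes the outer packet's payload."""
    return build_ipv4(gw_src, gw_dst, IPPROTO_IPIP, inner_pkt)


def gateway_deliver(pkt: bytes, gateway_ip: str) -> tuple:
    """Decide where a receiving gateway delivers the payload: in tunnel mode
    the inner header names the real host; in transport mode there is no inner
    header, so the payload can only be delivered to the gateway itself."""
    outer = parse_ipv4(pkt)
    if outer["dst"] != gateway_ip:
        raise ValueError("packet is not addressed to this gateway")
    if outer["proto"] == IPPROTO_IPIP:
        inner = parse_ipv4(outer["payload"])
        return inner["dst"], inner["payload"]
    return gateway_ip, outer["payload"]
```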