IP-in-IP Tunnel in RRAS?
| Tech Ranger 2003-11-24, 9:40 am |
| In the cbtnuggets videos, Dan seems to say that the feature in RRAS that allows you to create a tunnel between 2 routers which traverse a public link provides some kind of security. The tunnel uses IP-in-IP. There is no security to that, is there? | |
| jeff_j_black 2003-11-24, 6:11 pm |
| I think that encrypted packets would be encapsulated in normal IP packets transmitted between the routers. | |
| Tech Ranger 2003-11-24, 8:17 pm |
| You are saying that IP-in-IP does encryption? | |
| Rock642 2003-11-24, 9:07 pm |
| An IP-in-IP sends IP packets in a tunneled mode, and tunneling encapsulates the IP datagram with an additional IP header. | |
| Tech Ranger 2003-11-24, 9:17 pm |
| quote: Originally posted by Rock642
An IP-in-IP sends IP packets in a tunneled mode, and tunneling encapsulates the IP datagram with an additional IP header.
Yes, I know that. My question is whether there is any security. To me security means encryption. Cbtnuggets suggests that the tunnel is good for links between routers that connect with shared media. To me, IP-in-IP tunneling would be good for traffic that could not otherwise pass through the router such as multicasts and the like. I would also ask whether it is possible to incorporate IPSEC into such a tunnel, and if so, how? | |
| Rock642 2003-11-25, 1:00 am |
| I see, said the blind man. Sorry, I misunderstood your question. IPSec does not support multicast. For security with multicast traffic you would need to use a VPN router like Cisco's 830 series which uses V3PN that would support multicast traffic across a VPN. | |
| curiousgeorge 2003-11-25, 3:10 am |
| IP-in-IP tunneling is almost like NAT in a sense. The outer IP packet that is exposed contains the IP source and endpoint addresses of the routers. The inner IP addresses hold the true IP addresses of the computers. So, in effect, you are hiding the true source and destination addresses like NAT.
IPSec should be added for security. | |
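The outer/inner header layout discussed in the thread, as an added example that is not part of the original posts: it builds an IP-in-IP packet (outer protocol number 4) and shows what anyone on the link between the routers can parse out of it without a key, which is why IPSec is needed for confidentiality. All addresses and the payload are constructed sample values, and the function names are hypothetical.

```python
import socket
import struct

IPPROTO_IPIP = 4    # outer header protocol number for IP-in-IP
IPPROTO_UDP = 17
HDR_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options

def checksum(header: bytes) -> int:
    """Internet checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet around payload."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack(HDR_FMT, *fields))
    return struct.pack(HDR_FMT, *fields) + payload

def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload) for an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", packet[2:4])
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            packet[9], packet[ihl:total_len])

def observe(wire: bytes) -> dict:
    """What a passive observer on the shared link reads from a tunneled packet."""
    r_src, r_dst, proto, inner = parse_ipv4(wire)
    if proto != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    h_src, h_dst, inner_proto, data = parse_ipv4(inner)
    return {"routers": (r_src, r_dst), "hosts": (h_src, h_dst),
            "inner_proto": inner_proto, "data": data}

# Constructed sample: private/documentation addresses; the payload bytes
# stand in for the transport segment a real host would send.
inner = ipv4_packet("10.1.0.5", "10.2.0.9", IPPROTO_UDP, b"user=alice")
wire = ipv4_packet("192.0.2.1", "198.51.100.1", IPPROTO_IPIP, inner)

if __name__ == "__main__":
    print(observe(wire))
```
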
| curiousgeorge 2003-11-26, 2:06 am |
| IPSec can be configured on each individual machine or through group policy.
IPSec is an hour long discussion in itself.
To configure IPSec on an individual machine:
-go to the Properties of your NIC
-then go to the Properties of TCP/IP
-click the Advanced button
-go to the Options tab
-go to the Properties of IP security
-choose "Use this IP security policy" and choose which one you want.
Isn't that easy!
W2K comes with 3 default policies. You can also customize a policy to fit your needs.
You must enable IPSec on both endpoint computers for it to work.
Hope that helps. | |