ipsec over ipsec

Published 2009-12-23 (last modified 2011-08-25) at https://www.analogrithems.com/rant/ipsec-over-ipsec/, category: security.

So it turns out that you can't pass one VPN using IPsec through another VPN using IPsec. Why? Well, I've spent some time trying to figure this out over the last few days and have discovered that they are taking each other's packets apart.

VPNs that use IPsec for a site-to-site connection encapsulate packets into UDP packets. These UDP packets are then sent across the network to the other side, where the receiving device unpacks the UDP packet and then decrypts it. Typically the carrier medium that connects your two VPN devices is the internet. But if the medium connecting your two devices is a network that also uses a VPN, you run into a major problem: the carrier network will start to unpack your packets meant for the other side and start throwing ICMP type 3 (Host Unreachable) errors back to the VPN device.

Now, if you are using Cisco routers for the carrier network fiber, you can actually tell them that traffic from your VPN devices should be excluded from the carrier's VPN tunnel and instead be sent in the clear. This way those packets reach the other side of the VPN without ever being double encrypted, fragmented, or otherwise mangled. A great article explaining crypto ACLs for Cisco routers is http://www.thebryantadvantage.com/CCNPCertificationBCRANExamVPNCryptoAccessLists.htm