co-terminal SAs for Opportunistic Encryption

Goal of this project

This project is to modify the FreeS/WAN software to provide for multiple layers of encryption.

There are many situations in which a host may find itself being asked to encrypt twice. In most cases, this is because there are multiple tunnels to distinct end-points involved. At present, pluto and KLIPS are only able to set up a single IPsec SA to a given destination.

The following scenarios are expected to work: full-OE plus iOE and VPN+OE.

full-OE plus iOE

It can sometimes be the case that a laptop system, while wandering to a new location, will find itself being provided with gateway-based Opportunistic Encryption. Since it cannot really tell that this is occurring (and it may not even be aware of it occurring), it will naturally want to provide its own end-to-end security.

The problem arises on the receiving end: it has to form a tunnel to the laptop, and then has to take these packets, and send them to the gateway.

Both policies cannot currently be instantiated in the receiver. This problem is demonstrated by test case "co-terminal-01" in the current (HEAD) FreeS/WAN code, which is to be considered an acceptance test.

   laptop ...... gateway ------ Internet ------- receiver
                  >===============================<
      >===========================================<

VPN and OE

It may be that the gateway and the receiver have some kind of VPN between them. If one gateway (gateway2) is OE enabled, and a machine behind the other gateway (gateway1) is also OE enabled, then when OE is attempted, the VPN will be bypassed: that is, the more specific OE tunnel will be used, but the packet will not be processed a second time to apply the VPN tunnel. The result may be that the packet will not be accepted by the near gateway, since it did not come via the VPN.

The policy actually can be instantiated just fine, as the policies do not literally conflict, since the VPN is a more general policy. But in this case the policies should be additive, not exclusive.

This situation may not seem that likely until one realizes that the laptop may in fact be using OE to build its own VPN (road-warrior) to gateway2, which it uses when it is travelling. When it has travelled to be behind gateway1, it suddenly has a problem. One would like to just leave "OE on" all the time.

   laptop ...... gateway1 ------ Internet ------- gateway2 .... network2
               /24 >===============================< /24
      /32>=========================================< /32
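As an added illustration of the policy-selection point behind both scenarios above (this is a model written for this page, not FreeS/WAN or KLIPS code), the following compares the current single-SA lookup, which applies only the most specific matching policy, with an additive lookup that re-evaluates the wrapped packet against the remaining policies until no further one applies. The SPD models the receiver in the full-OE plus iOE case; all addresses are constructed documentation-range values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str    # tunnel label
    local: str   # local traffic selector (CIDR)
    remote: str  # remote traffic selector (CIDR)
    peer: str    # address the tunnel terminates at

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.local)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.remote))

    def specificity(self) -> int:
        # longer combined prefix length = more specific selector
        return (ipaddress.ip_network(self.local).prefixlen
                + ipaddress.ip_network(self.remote).prefixlen)

# Constructed SPD of the receiver (documentation-range addresses, not real hosts).
RECEIVER, LAPTOP, GATEWAY = "203.0.113.7", "192.0.2.10", "198.51.100.1"
SPD = [
    # gateway-based OE: covers the laptop's whole subnet, terminates at the gateway
    Policy("gateway-oe", "203.0.113.7/32", "192.0.2.0/24", GATEWAY),
    # end-to-end OE negotiated with the laptop itself
    Policy("laptop-oe", "203.0.113.7/32", "192.0.2.10/32", LAPTOP),
]

def lookup(spd, src, dst):
    """All policies matching the packet, most specific first."""
    hits = [p for p in spd if p.matches(src, dst)]
    return sorted(hits, key=Policy.specificity, reverse=True)

def exclusive_path(spd, src, dst):
    """Single-SA behaviour: only the most specific matching policy is applied."""
    hits = lookup(spd, src, dst)
    return [hits[0].peer] if hits else []

def additive_path(spd, src, dst):
    """Co-terminal behaviour: each layer wraps the previous one. After a layer
    is applied the outer destination is that layer's peer, so the remaining
    policies are evaluated against the wrapped packet, not the original dst."""
    layers, applied, cur_dst = [], set(), dst
    while True:
        hits = [p for p in lookup(spd, src, cur_dst) if p.name not in applied]
        if not hits:
            return layers  # no further policy covers the outermost packet
        applied.add(hits[0].name)
        layers.append(hits[0].peer)
        cur_dst = hits[0].peer
```

For a packet from the receiver to the laptop, `exclusive_path` yields only the laptop SA, while `additive_path` yields the laptop SA followed by the gateway SA, which is the double encapsulation the receiver needs.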

Deliverables


Michael Richardson
$Id: index.shtml,v 1.1 2003/06/26 22:32:07 mcr Exp $ Last modified: Thu Jun 26 18:20:14 EDT 2003