Hello Sandeep,
Usually when firewalls talk together it is to form a Virtual Private
Network (VPN). One of the main goals is for confidentiality (privacy)
of the data being transmitted between the sites - this involves
encryption. Firewalls can make use of standards like those in the
IPSEC working group of the IETF
http://www.ietf.org/html.charters/ipsec-charter.html
or they can use proprietary encryption methods. Those are generally
going away as most Firewall vendors are promoting interoperability.
Take a look at the S/WAN project
http://www.rsa.com/rsa/SWAN/
These firewalls are using the Tunnel Mode of the Encapsulating
Security Payload (ESP) from RFC-1827
ftp://ds.internic.net/rfc/rfc1827.txt
As long as you're working with a single firewall vendor, they should
be able to encapsulate/decapsulate any protocol, although I've not
heard of many that support anything other than IP. If you're not, then
you're going to want some standards like MobileIP
http://www.ietf.org/html.charters/mobileip-charter.html
and stuff like RFC-2003 and 2004.
If your firewall doesn't support the protocol that you want transported,
then you're going to have to find some other way. For instance, if
you're trying to transport IPX, then you may find that the best way is
to enable the TCP/IP drivers on your clients and servers so they can
natively use this protocol. If you don't want to do that, there are
devices which can encapsulate the protocol of your choice within IP,
and hand it off to your firewall. The firewall will need to recognize
that this traffic needs to be sent to the partner firewall. You may
want to look at Generic Route Encapsulation (I think that this is a
standard but I can't find the reference), Data Link Switching (DLSw -
a standard), or RSRB (Remote Source Route Bridging - precursor to
DLSw, Cisco does it in a proprietary manner.) Each of these
encapsulates stuff into IP packets for transport.
If you're crossing an untrusted network (e.g. - the Internet), then
I would NOT link the encapsulating/decapsulating device directly to
the Internet. I'd place it behind the firewall to minimize exposed
devices. Be aware that performance may be bad since you're going
through encapsulation/encryption/transporting/decryption/decapsulation.
(Whew!)
Hope this helps,
Chris Lonvick
Cisco Systems
Consulting Engineering
Houston, TX, USA
+1.713.778.5663
At 05:10 AM 4/30/97 -0500, Sandeep Kumar Talwar wrote:
>
>IP tunnelling is encapsulating IP packets or some other protocol packets
>such as IPX etc. Is this right?
>Then when two firewalls talk to each other we say that an IP-tunnel has
>been established. Is this also correct?
>Where actually does IP-tunnelling take place? Is it the router?
>Can we have IP-Tunnelling other than with the help of Firewall? I heard
>about Ioannidis swipe protocol.
>Any advice on my queries would be greatly appreciated.
>Thanks in advance.
>Regards....Sandeep
>
>
>