From: Brian Candler <b.candler@pobox.com>
To: freebsd-net@freebsd.org
Date: Wed, 28 Dec 2005 14:38:17 +0000
Message-ID: <20051228143817.GA6898@uk.tiscali.com>
Subject: IPSEC documentation
List-Id: Networking and TCP/IP with FreeBSD

The IPSEC documentation at
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
is pretty weird. It suggests that you encapsulate your packets in IP-IP (gif)
encapsulation and THEN encapsulate that again using IPSEC tunnel mode, e.g.
notice where it shows:

    spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
    spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;
    ...
    ipfw add 1 allow esp from A.B.C.D to W.X.Y.Z
    ipfw add 1 allow esp from W.X.Y.Z to A.B.C.D
    ipfw add 1 allow ipencap from A.B.C.D to W.X.Y.Z
    ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D

('ipencap' is IP protocol 4, aka RFC 2003 encapsulation). The diagram beneath
makes this double-tunnelling explicit.

This is a really strange approach which is almost guaranteed not to
interoperate with other IPSEC gateways. (It might be useful if you were using
etherip encapsulation and attempting to bridge two remote networks, but that's
not what it's doing either. In any case, if you're encapsulating with a
different protocol then you only need IPSEC transport mode, not tunnel mode.)

ISTM that this chapter should be rewritten to use IPSEC tunnel mode solely.
Do people here generally agree? If so I'll try to find the time to modify it.

Regards,

Brian.
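The two alternatives the message contrasts with the handbook's double tunnel, as an added example that is not part of the original post or of the FreeBSD Handbook: a script that emits setkey(8) SPD entries either for plain IPsec tunnel mode between two gateways (what another vendor's gateway will negotiate against), or for a gif(4) IP-IP tunnel protected by IPsec transport mode (the "encapsulating with a different protocol" case). The networks 10.1.0.0/16 and 10.2.0.0/16, the gateway addresses 192.0.2.1 and 198.51.100.1 (RFC 5737 documentation ranges standing in for W.X.Y.Z and A.B.C.D) and the function names are assumptions for illustration; the SAs themselves (manual `add` entries or an IKE daemon) are assumed to be set up separately, and the gif case assumes the gif interface has already been created with `ifconfig gif0 tunnel 192.0.2.1 198.51.100.1`.

```shell
#!/bin/sh
# Added example, not from the handbook or the original post.
# Emits setkey(8) security-policy entries for joining LOCAL_NET (behind
# LOCAL_GW) to REMOTE_NET (behind REMOTE_GW). Addresses are placeholders.
#
#   ./ipsec_policy.sh tunnel | setkey -c   # IPsec tunnel mode only
#   ./ipsec_policy.sh gif    | setkey -c   # gif(4) IP-IP + IPsec transport mode
set -eu

LOCAL_NET=${LOCAL_NET:-10.1.0.0/16}
REMOTE_NET=${REMOTE_NET:-10.2.0.0/16}
LOCAL_GW=${LOCAL_GW:-192.0.2.1}          # stands in for W.X.Y.Z
REMOTE_GW=${REMOTE_GW:-198.51.100.1}     # stands in for A.B.C.D

# Tunnel mode only: the SPD selectors are the inner networks, and ESP itself
# adds the outer gateway-to-gateway IP header. No gif interface, no ipencap
# packets on the wire, and the policy matches what a standard IPsec gateway
# on the other end expects to negotiate.
tunnel_policy() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$LOCAL_NET" "$REMOTE_NET" "$LOCAL_GW" "$REMOTE_GW"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$REMOTE_NET" "$LOCAL_NET" "$REMOTE_GW" "$LOCAL_GW"
}

# gif(4) does the encapsulation (IP protocol 4, "ipencap"), so IPsec only has
# to protect those gateway-to-gateway packets: transport mode, selected on the
# ipencap protocol between the two gateway addresses. The empty src-dst field
# in esp/transport//require is setkey's syntax for transport mode.
# (Contrast the handbook, which selects on ipencap but then also uses tunnel
# mode, wrapping the already-encapsulated packet in a second outer header.)
gif_transport_policy() {
    printf 'spdadd %s/32 %s/32 ipencap -P out ipsec esp/transport//require;\n' \
        "$LOCAL_GW" "$REMOTE_GW"
    printf 'spdadd %s/32 %s/32 ipencap -P in ipsec esp/transport//require;\n' \
        "$REMOTE_GW" "$LOCAL_GW"
}

# Full setkey input for one mode: clear the SPD first so stale entries from a
# previous load cannot leave traffic matched by an unexpected policy.
emit_policy() {
    echo 'spdflush;'
    case "$1" in
        tunnel) tunnel_policy ;;
        gif)    gif_transport_policy ;;
        *)      echo "unknown mode: $1" >&2; return 2 ;;
    esac
}

case "${1:-}" in
    '') : ;;                                # sourced or run without args: do nothing
    *)  emit_policy "$1" ;;
esac
```

After loading either policy, `setkey -DP` shows what is installed, and a ping from a host on 10.1.0.0/16 to one on 10.2.0.0/16 should appear on the outer interface as ESP only (tunnel mode) or as ESP carrying the gif traffic (transport mode); if `tcpdump -ni <outer-if>` shows unencrypted ipencap packets, the transport-mode selector did not match.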