From owner-freebsd-security Sun Aug 18 3:27:10 2002
Date: Sun, 18 Aug 2002 12:26:42 +0200
From: Alex Kiesel
To: Borja Marcos
Subject: Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...]
Message-ID: <20020818102642.GA23114@schlund.de>
In-Reply-To: <200208041224.10309.borjamar@sarenet.es>
References: <200208041224.10309.borjamar@sarenet.es>
User-Agent: Mutt/1.4i

On Aug 04, 2002, Borja Marcos wrote:
> On Friday 02 August 2002 23:47, Matthew Grooms wrote:
> > It's only backwards if you are used to implementing IPSEC communications
> > in a non-giff'd configuration. As mentioned before, this is endorsed by
> > many how-to's available. If you don't like this method, don't use it. I
> > for one prefer the giffed alternative but will be more than happy to
> > admit that the benefits appear to be mostly cosmetic.
>
> I am not using gif right now, but I see two important advantages.
>
> I suppose it will be possible to put firewall rules in a gif interface.
> Imagine that you establish a tunnel with a not so trusted party, only for a
> limited purpose.

As I understand http://asherah.dyndns.org/~josh/ipsec-howto.txt, Topic 4:

"The major change that is done is the use of the gif(4) device to get the
routing correct. Note that traffic is *not* transported through the gif(4)
tunnel! Instead the IPsec code in the kernel grabs the packets according to
the specified policy and wraps them with the correct IP addresses for the
IPsec tunnel. Effectively the packets receive new IP addresses which don't
resemble a path through the gif tunnel."

... packets won't go through the gif interface, so you cannot create
firewall rules based on the gif interface (ok, you can - they won't get
executed).

Alex

--
Alex Kiesel                                 PGP Key: 0x09F4FA11
Schlund+Partner                             Entwicklung Unix
The problem with troubleshooting is that trouble shoots back!
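The point made in the message above (the route sends traffic towards gif0, but a matching tunnel-mode SPD policy re-wraps the packet with the tunnel endpoint addresses and it leaves on the physical interface, so a firewall rule bound to gif0 never fires) as a small Python model added here. This is not code from the thread, from the linked howto, or from FreeBSD: the addresses, interface names and rule set (10.0.1.0/24, 10.0.2.0/24, 192.0.2.1, 198.51.100.1, fxp0, fxp1, gif0) are constructed, and the only kernel behaviour it encodes is what the quoted howto text states.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


@dataclass(frozen=True)
class SPDEntry:
    # One outbound tunnel-mode policy, the kind setkey(8) installs with
    #   spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
    #       esp/tunnel/192.0.2.1-198.51.100.1/require;
    src_net: str
    dst_net: str
    local_ep: str
    remote_ep: str


@dataclass
class FwRule:
    # Simplified ipfw-style rule: egress interface, protocol, action.
    iface: str
    proto: str        # "any" matches every protocol
    action: str
    hits: int = 0

    def matches(self, iface, pkt):
        return self.iface == iface and self.proto in ("any", pkt.proto)


def spd_lookup(spd, pkt):
    """Return the first policy whose selectors cover the inner packet, or None."""
    for pol in spd:
        if (ip_address(pkt.src) in ip_network(pol.src_net)
                and ip_address(pkt.dst) in ip_network(pol.dst_net)):
            return pol
    return None


def route_lookup(routes, dst):
    """Longest-prefix match over a {network: interface} table."""
    best = None
    for net, iface in routes.items():
        n = ip_network(net)
        if ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1] if best else None


def ip_output(pkt, routes, spd, rules):
    """Outbound path as the howto describes it: the route may point at gif0,
    but a matching tunnel-mode policy wraps the packet in ESP with the tunnel
    endpoints as outer addresses, and that outer packet leaves on the
    physical interface. Returns (egress iface, packet on the wire, verdict)."""
    egress = route_lookup(routes, pkt.dst)
    wire = pkt
    pol = spd_lookup(spd, pkt)
    if pol is not None:
        wire = Packet(pol.local_ep, pol.remote_ep, "esp")  # new outer header
        egress = route_lookup(routes, pol.remote_ep)        # route to the peer
    verdict = "allow"  # model default: accept when no rule matches
    for rule in rules:
        if rule.matches(egress, wire):
            rule.hits += 1
            verdict = rule.action
            break
    return egress, wire, verdict


def build_example():
    """Constructed gateway: LAN 10.0.1.0/24 on fxp1, public address 192.0.2.1
    on fxp0, peer 198.51.100.1 fronting 10.0.2.0/24, gif0 routing the remote LAN."""
    spd = [SPDEntry("10.0.1.0/24", "10.0.2.0/24", "192.0.2.1", "198.51.100.1")]
    routes = {"0.0.0.0/0": "fxp0", "10.0.1.0/24": "fxp1", "10.0.2.0/24": "gif0"}
    rules = [
        FwRule("gif0", "any", "deny"),   # the per-tunnel rule hoped for in the thread
        FwRule("fxp0", "esp", "allow"),  # rule anchored on the physical interface
    ]
    return spd, routes, rules


if __name__ == "__main__":
    spd, routes, rules = build_example()
    print(ip_output(Packet("10.0.1.5", "10.0.2.7"), routes, spd, rules))
    print([(r.iface, r.hits) for r in rules])
```

Running it shows the LAN-to-LAN packet leaving fxp0 as ESP between 192.0.2.1 and 198.51.100.1 while the gif0 deny rule keeps a hit count of zero. The practical consequence for anyone restricting a tunnel to a "not so trusted party" is to anchor the rules on the physical interface, matching ESP between the two tunnel endpoints, rather than on the gif interface.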