From owner-freebsd-questions Tue Dec 10 15:11:59 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D36C437B401 for ; Tue, 10 Dec 2002 15:11:58 -0800 (PST)
Received: from smtp012.mail.yahoo.com (smtp012.mail.yahoo.com [216.136.173.32]) by mx1.FreeBSD.org (Postfix) with SMTP id 7824E43EC2 for ; Tue, 10 Dec 2002 15:11:58 -0800 (PST) (envelope-from jwalters_1@yahoo.com)
Received: from 24-216-194-242.charter.com (HELO yahoo.com) (jwalters?1@24.216.194.242 with plain) by smtp.mail.vip.sc5.yahoo.com with SMTP; 10 Dec 2002 23:11:57 -0000
Date: Tue, 10 Dec 2002 18:11:56 -0500
Subject: Re: IPsec on a NAT gateway
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v548)
Cc: freebsd-questions@freebsd.org
To: Dru
From: Jeff Walters
In-Reply-To: <20021210122319.T41610-100000@dhcp-17-14.kico2.on.cogeco.ca>
Message-Id:
Content-Transfer-Encoding: 7bit
X-Mailer: Apple Mail (2.548)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Tuesday, Dec 10, 2002, at 12:25 US/Eastern, Dru wrote:

> The configuration you describe is still considered tunnel mode, even
> though it looks part transport / part tunnel mode. Tunnel mode occurs
> whenever a gateway encrypts on behalf of a network. Typical tunnels have
> gateways at both ends, however it is possible to have a gateway at one end
> and a single machine at the other.

Thanks for the insight. I will look more closely at the tunnel mode.

I'm wondering if it isn't a better idea to use the FreeBSD box itself as the wireless access point, though it would require me buying a wireless card. Even with notebook-to-gateway IPsec someone could still bridge into my LAN through the Airport base station by breaking WEP and emulating my MAC address.

Whereas if the wireless access point was on the FreeBSD gateway box I could set up the wireless side like an IPsec VPN, and set up firewall rules to protect my wired LAN.

Thanks for the responses.

Jeff

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
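The gateway-at-one-end, single-machine-at-the-other tunnel that Dru describes, and the "wireless side as an IPsec VPN" arrangement Jeff is considering, can be expressed as a security policy for FreeBSD's setkey(8). The following is an added example written for this page, not configuration from either poster; the addresses, the wired/wireless split and the use of an IKE daemon to negotiate the SAs are all assumptions made for illustration.

```conf
# Added example (not from the thread): a gateway-to-single-host tunnel-mode
# policy for setkey(8), with the FreeBSD box as the IPsec gateway for its
# wired LAN and a notebook as the lone peer on the wireless side.
#
# Assumed (constructed) addressing:
#   wired LAN behind the gateway    192.168.1.0/24
#   gateway's wireless-side address 192.168.2.1
#   notebook on the wireless side   192.168.2.10
# Keys and SAs are assumed to come from an IKE daemon (e.g. racoon), so
# only the security policy database (SPD) is populated here.

flush;
spdflush;

# Inbound: anything from the notebook to the wired LAN must arrive inside
# an ESP tunnel terminated on the gateway. "require" makes the kernel
# discard matching cleartext packets instead of forwarding them, so a host
# that merely copies the notebook's MAC or IP address, but holds no SA,
# cannot reach the LAN.
spdadd 192.168.2.10/32 192.168.1.0/24 any -P in ipsec
    esp/tunnel/192.168.2.10-192.168.2.1/require;

# Outbound: replies from the wired LAN to the notebook are tunnelled back
# through the same gateway/notebook pair.
spdadd 192.168.1.0/24 192.168.2.10/32 any -P out ipsec
    esp/tunnel/192.168.2.1-192.168.2.10/require;
```

Loaded at boot with `ipsec_enable="YES"` and `ipsec_file` pointing at this file in rc.conf, the policy does the enforcement Jeff wants from the IPsec layer: the notebook's right to reach the LAN is tied to the IKE credential that establishes its SA rather than to a MAC address or to WEP. The firewall rules on the wireless interface then only need to admit ESP (IP protocol 50) and IKE (UDP port 500) from the wireless segment to the gateway, plus the decapsulated notebook-to-LAN traffic, and deny everything else from that interface to the wired LAN.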