From: Maciej Suszko
Date: Tue, 22 Jun 2010 20:41:07 +0200
Subject: Re: vpn trouble
Message-ID: <20100622204107.6c604c17@gda-arsenic>
In-Reply-To: <20100622182242.GU2620@verio.net>
List-Id: Networking and TCP/IP with FreeBSD

"David DeSimone" wrote:

> Maciej Suszko wrote:
> >
> > > So as you write they should set:
> > > 10.20.0.1 (my ip on gif device) <-> 78.x <-> 95.x <-> 10.10.1.90
> > > (other side)
> >
> > Yes, indeed.
> >
> > > And additionally I think I should correctly set spd policy to:
> > >
> > > spdadd 10.20.0.1 10.10.1.90 any -P out ipsec
> > > esp/tunnel/78.x.x.x-95.x.x.x/require;
> > > spdadd 10.10.1.90 10.20.0.1 any -P in ipsec
> > > esp/tunnel/95.x.x.x-78.x.x.x/require;
> > >
> > > Am I wrong?
> >
> > No, you're right :)
> >
> > You can set up the tunnel first - check whether both 10. are
> > accessible from both sides, then you "cover" communication between
> > them with IPSEC.
>
> Will this sort of GIF tunnel interoperate with Cisco and/or Checkpoint
> VPN equipment? In our tests we were able to use pure IPSEC tunnel
> encapsulation to interoperate with these sorts of devices, so we never
> found a need for GIF encapsulation.

I'm not sure what's on the other side, AFAIK some hardware solution.

--
regards, Maciej Suszko.
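A consistency check for the policy pair quoted in the message above, as an added example (not code from the thread or from FreeBSD): it parses setkey-style `spdadd` tunnel policies and reports any entry that lacks a counterpart with direction, selectors and tunnel endpoints swapped. The function names and the sample text are constructed for illustration; the masked 78.x.x.x / 95.x.x.x endpoints are kept exactly as they appear in the message.

```python
import re

# Constructed sample: the two policies from the message, with its masked
# tunnel endpoints (78.x.x.x / 95.x.x.x) kept as placeholders.
SAMPLE = """
spdadd 10.20.0.1 10.10.1.90 any -P out ipsec
    esp/tunnel/78.x.x.x-95.x.x.x/require;
spdadd 10.10.1.90 10.20.0.1 any -P in ipsec
    esp/tunnel/95.x.x.x-78.x.x.x/require;
"""

KEYS = ("src", "dst", "proto", "dir", "sec", "tun_src", "tun_dst", "level")
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(esp|ah)/tunnel/([^-\s/]+)-([^-\s/]+)/(\w+)"
)

def parse_spd(text):
    """Return one dict per tunnel-mode spdadd statement (statements end in ';')."""
    text = re.sub(r"#.*", "", text)            # strip comments to end of line
    policies = []
    for stmt in text.split(";"):
        m = SPD_RE.search(" ".join(stmt.split()))  # join wrapped lines
        if m:
            policies.append(dict(zip(KEYS, m.groups())))
    return policies

def unmirrored(policies):
    """Return policies with no counterpart whose direction, traffic
    selectors and tunnel endpoints are all swapped."""
    def mirror(p):
        flipped = "in" if p["dir"] == "out" else "out"
        return (p["dst"], p["src"], p["proto"], flipped,
                p["sec"], p["tun_dst"], p["tun_src"], p["level"])
    seen = {tuple(p[k] for k in KEYS) for p in policies}
    return [p for p in policies if mirror(p) not in seen]

if __name__ == "__main__":
    for p in unmirrored(parse_spd(SAMPLE)):
        print("no mirrored policy for:", p)
```
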