Date: Wed, 28 Dec 2005 16:04:04 +0100
From: Phil Regnauld <regnauld@catpipe.net>
To: Brian Candler <B.Candler@pobox.com>
Cc: freebsd-net@freebsd.org
Subject: Re: IPSEC documentation
Message-ID: <20051228150404.GA49024@moof.catpipe.net>
In-Reply-To: <20051228143817.GA6898@uk.tiscali.com>
References: <20051228143817.GA6898@uk.tiscali.com>
Brian Candler (B.Candler) writes:
> The IPSEC documentation at
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html is
> pretty weird. It suggests that you encapsulate your packets in IP-IP (gif)
> encapsulation and THEN encapsulate that again using IPSEC tunnel mode.
> This is a really strange approach which is almost guaranteed not to
> interoperate with other IPSEC gateways.

It's probably for FreeBSD <-> FreeBSD setups, where it might make sense to have an interface endpoint, rather than the "transparent" IPsec approach -- otherwise it's not possible to route via the remote endpoint, or apply filters at interface level before leaving the gateway.

> with a different protocol then you only need IPSEC transport mode, not
> tunnel mode)

Yes, here using tunnel is indeed odd; it would make more sense to use IPIP or just GRE in transport mode.

> ISTM that this chapter should be rewritten to use IPSEC tunnel mode solely.
> Do people here generally agree? If so I'll try to find the time to modify
> it.

Or present both setups. If you do it, I'll contribute and review.

Phil
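To make the three layouts discussed in this thread concrete, here are the corresponding setkey(8) SPD entries for one gateway. This is an added example, not text from the thread or from the Handbook; the gateway addresses 203.0.113.1 and 198.51.100.1, the private networks 10.0.1.0/24 and 10.0.2.0/24, and the gif0 interface (created separately with ifconfig(8)) are all assumed, and key management (manual SAs or racoon) is left out.

```conf
# Added example, not from the thread: SPD on gateway A (203.0.113.1) for a
# site-to-site link to gateway B (198.51.100.1). Addresses and networks are
# constructed. Load ONE of the three layouts with: setkey -f <file>
# (layouts 1 and 2 use the same selectors and would conflict if both loaded).

# 1. Handbook layout: IP-in-IP over gif0 (protocol 4, "ipencap") between the
#    gateways, and the gif packets are then wrapped again in ESP tunnel mode.
#    Two outer IP headers; the peer must use exactly this shape (gif endpoint
#    plus tunnel-mode SA) to decapsulate, which is why the thread calls it
#    unlikely to interoperate with other IPsec gateways.
spdadd 203.0.113.1 198.51.100.1 ipencap -P out ipsec
        esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 198.51.100.1 203.0.113.1 ipencap -P in  ipsec
        esp/tunnel/198.51.100.1-203.0.113.1/require;

# 2. Phil's suggestion: keep gif0 so the tunnel stays a routable, filterable
#    interface, but protect the IP-in-IP packets with ESP *transport* mode.
#    No second outer header; IPsec only encrypts proto-4 traffic between the
#    two gateway addresses. (For a gre(4) tunnel, replace "ipencap" by "gre".)
spdadd 203.0.113.1 198.51.100.1 ipencap -P out ipsec
        esp/transport//require;
spdadd 198.51.100.1 203.0.113.1 ipencap -P in  ipsec
        esp/transport//require;

# 3. Brian's proposal: plain ESP tunnel mode, no gif0 at all. The selectors
#    are the private networks and IPsec supplies the outer header itself.
#    This is what most non-FreeBSD gateways expect; the cost, as Phil notes,
#    is that there is no interface to route through or to filter on.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
        esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in  ipsec
        esp/tunnel/198.51.100.1-203.0.113.1/require;
```

After loading, `setkey -DP` shows the installed policies; in layout 3 the traffic never touches gif0, so any firewall rules bound to that interface would silently stop applying.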