From owner-freebsd-net@FreeBSD.ORG Wed Dec 28 15:04:10 2005
Date: Wed, 28 Dec 2005 16:04:04 +0100
From: Phil Regnauld
To: Brian Candler
Cc: freebsd-net@freebsd.org
Subject: Re: IPSEC documentation
Message-ID: <20051228150404.GA49024@moof.catpipe.net>
In-Reply-To: <20051228143817.GA6898@uk.tiscali.com>
References: <20051228143817.GA6898@uk.tiscali.com>
Organization: catpipe Systems ApS
X-Operating-System: FreeBSD 4.8-STABLE i386

Brian Candler (B.Candler) writes:
> The IPSEC documentation at
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html is
> pretty weird. It suggests that you encapsulate your packets in IP-IP (gif)
> encapsulation and THEN encapsulate that again using IPSEC tunnel mode.
> This is a really strange approach which is almost guaranteed not to
> interoperate with other IPSEC gateways.

	It's probably for FreeBSD <-> FreeBSD setups, where it might make
	sense to have an interface endpoint, rather than the "transparent"
	IPsec approach -- otherwise it's not possible to route via the
	remote endpoint, or apply filters at interface level before leaving
	the gateway.

> with a different protocol then you only need IPSEC transport mode, not
> tunnel mode)

	Yes, here using tunnel is indeed odd; it would make more sense to
	use IPIP or just GRE in transport mode.

> ISTM that this chapter should be rewritten to use IPSEC tunnel mode solely.
> Do people here generally agree? If so I'll try to find the time to modify
> it.

	Or present both setups. If you do it, I'll contribute and review.

Phil
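As an added example (not from the thread, nor the Handbook's own text), the three setkey(8) policy layouts the thread contrasts, emitted by a small sh script for one site: the Handbook's gif-plus-tunnel-mode double encapsulation, the same gif tunnel protected in transport mode, and plain tunnel mode with no gif. Gateway and LAN addresses are constructed placeholders from the documentation ranges, and the inner gif addresses in the comments are assumptions.

```shell
#!/bin/sh
# Added example: generate setkey(8) SPD entries for the three layouts
# discussed above. Addresses are constructed placeholders.
GW_A=203.0.113.1      # this FreeBSD gateway's public address
GW_B=198.51.100.1     # the remote gateway's public address
LAN_A=10.0.1.0/24     # network behind this gateway
LAN_B=10.0.2.0/24     # network behind the remote gateway

# 1. Handbook layout (the one criticised above): gif(4) IP-IP packets
#    (protocol "ipencap") are wrapped a second time by ESP in tunnel mode,
#    so every packet carries two outer IP headers.
handbook_policy() {
  printf 'spdadd %s/32 %s/32 ipencap -P out ipsec esp/tunnel/%s-%s/require;\n' "$1" "$2" "$1" "$2"
  printf 'spdadd %s/32 %s/32 ipencap -P in ipsec esp/tunnel/%s-%s/require;\n' "$2" "$1" "$2" "$1"
}

# 2. Same gif(4) tunnel, ESP in transport mode: gif already supplies the
#    outer header, so ESP only protects the IP-IP payload. This keeps the
#    gif0 interface endpoint for routing and for ipfw/pf rules on gif0.
#    gif setup on gateway A (inner addresses assumed):
#      ifconfig gif0 create
#      ifconfig gif0 tunnel "$GW_A" "$GW_B"
#      ifconfig gif0 inet 10.0.1.1 10.0.2.1 netmask 0xffffffff
gif_transport_policy() {
  printf 'spdadd %s/32 %s/32 ipencap -P out ipsec esp/transport//require;\n' "$1" "$2"
  printf 'spdadd %s/32 %s/32 ipencap -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# 3. Plain ESP tunnel mode between the two LANs, no gif(4): the layout that
#    interoperates with other vendors' IPsec gateways, at the cost of having
#    no interface to route through or filter on.
pure_tunnel_policy() {
  printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$3" "$4" "$1" "$2"
  printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$4" "$3" "$2" "$1"
}

# Show all three for the placeholder site; feed the chosen one to setkey, e.g.
#   gif_transport_policy "$GW_A" "$GW_B" | setkey -c
# (SAs come from racoon or manual "add" lines and are out of scope here.)
for layout in handbook_policy gif_transport_policy pure_tunnel_policy; do
  echo "# $layout"
  "$layout" "$GW_A" "$GW_B" "$LAN_A" "$LAN_B"
done
```

Only the first two policies need a reachable gif0; the third works with no tunnel interface at all, which is exactly the trade-off Phil describes.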