From owner-freebsd-net@FreeBSD.ORG Tue Jun 22 19:29:10 2010
From: "Eric W. Bates" <ericx@ericx.net>
Date: Tue, 22 Jun 2010 15:12:15 -0400
To: freebsd-net@freebsd.org
Subject: Re: vpn trouble
Message-ID: <4C210B0F.6060203@ericx.net>
References: <87260c422232fa7409a4b374341dd106@ewipo.pl> <20100622143543.GA72020@zeninc.net> <20100622153541.GA72211@zeninc.net> <6caa9895ae1710b9f48a227116a4340c@ewipo.pl> <20100622190819.270aaa74@gda-arsenic> <4f378cfb416582c3081377ba714e508a@ewipo.pl> <20100622201130.5824d585@gda-arsenic> <20100622182242.GU2620@verio.net>
In-Reply-To: <20100622182242.GU2620@verio.net>
List-Id: Networking and TCP/IP with FreeBSD

On 6/22/2010 2:22 PM, David DeSimone wrote:
> Maciej Suszko wrote:
>>
>>> So as you write they should set: ??
>>> 10.20.0.1 (my ip on gif device) <-> 78.x <-> 95.x <-> 10.10.1.90
>>> (other side)
>>
>> Yes, indeed.
>>
>>> And additionally I think I should correctly set the spd policy to:
>>>
>>> spdadd 10.20.0.1 10.10.1.90 any -P out ipsec
>>> esp/tunnel/78.x.x.x-95.x.x.x/require;
>>> spdadd 10.10.1.90 10.20.0.1 any -P in ipsec
>>> esp/tunnel/95.x.x.x-78.x.x.x/require;
>>>
>>> Am I wrong?
>>
>> No, you're right :)
>>
>> You can set up the tunnel first - check whether both 10. are accessible
>> from both sides, then you "cover" communication between them with IPSEC.
>
> Will this sort of GIF tunnel interoperate with Cisco and/or Checkpoint
> VPN equipment? In our tests we were able to use pure IPSEC tunnel
> encapsulation to interoperate with these sorts of devices, so we never
> found a need for GIF encapsulation.
I managed to do an IP in IP tunnel with IPsec encryption between FreeBSD and a Cisco router running 12.1(mumble) several years ago. It is a desirable option if you want to use routing (e.g. OSPF). You can't route an IPsec tunnel (actually, is this now possible with enc0 interfaces?) but you can route to the gif interfaces.

http://rfc-ref.org/RFC-TEXTS/3884/
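The gif-plus-IPsec layout the thread settles on, written out as an added example (not code from any poster). It generates, for one end of the link, the ifconfig commands for the IP-in-IP tunnel and the two setkey policies that cover the inner addresses, with the direction and endpoint swap the thread checks. The outer addresses 198.51.100.1 and 203.0.113.1 are constructed stand-ins for the masked 78.x and 95.x; the inner addresses are the thread's own.

```shell
#!/bin/sh
# Added example: one side of a gif tunnel whose inner traffic is forced
# through ESP tunnel mode. Outer endpoints are constructed stand-ins.
set -eu

# gif_cmds OUTER_LOCAL OUTER_REMOTE INNER_LOCAL INNER_REMOTE
# ifconfig commands that build the IP-in-IP (gif) tunnel on FreeBSD.
gif_cmds() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 inet %s %s netmask 255.255.255.255\n' "$3" "$4"
}

# spd_policies OUTER_LOCAL OUTER_REMOTE INNER_LOCAL INNER_REMOTE
# The two setkey policies that "cover" inner traffic with ESP tunnel mode.
# The inbound policy reverses both the inner selector and the outer
# endpoint pair. "require" means a matching packet is dropped, never sent
# in the clear, if no SA exists for it.
spd_policies() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$3" "$4" "$1" "$2"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$4" "$3" "$2" "$1"
}

# The other end is the same policies with local/remote swapped on both
# layers; generating both sides from one call keeps them consistent.
peer_spd_policies() {
    spd_policies "$2" "$1" "$4" "$3"
}

# verify_cmds INNER_LOCAL INNER_REMOTE: cheap checks after applying the above.
verify_cmds() {
    printf 'setkey -DP\n'                       # policies as installed
    printf 'setkey -D\n'                        # SAs present (from racoon etc.)
    printf 'ping -c 3 -S %s %s\n' "$1" "$2"     # inner-to-inner, via gif0
}

# Stand-alone run: print the commands for the 78.x side.
gif_cmds 198.51.100.1 203.0.113.1 10.20.0.1 10.10.1.90
spd_policies 198.51.100.1 203.0.113.1 10.20.0.1 10.10.1.90
verify_cmds 10.20.0.1 10.10.1.90
```

The printed lines are meant to be reviewed and then pasted into rc.conf / setkey.conf rather than executed blindly; the peer's policies come from `peer_spd_policies` with the same four arguments.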