From: Eric Masson
To: Brian Candler
Cc: freebsd-net@freebsd.org
Subject: Re: IPSEC documentation
Date: Wed, 28 Dec 2005 16:26:43 +0100
Message-ID: <86lky5p7ik.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <20051228143817.GA6898@uk.tiscali.com>

Brian Candler writes:

Hi,

> The IPSEC documentation at
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html is
> pretty weird. It suggests that you encapsulate your packets in IP-IP (gif)
> encapsulation and THEN encapsulate that again using IPSEC tunnel mode.

Well, transport mode is sufficient and imho logical in this setup, that's
right.

> ISTM that this chapter should be rewritten to use IPSEC tunnel mode solely.
> Do people here generally agree?

No.

gif/gre tunnels and ipsec transport mode are quite convenient when
associated with dynamic routing protocols.

Adding a section about pure ipsec tunnels would be a better approach (check
handbook cvs history, iirc, ipsec tunnels were described in a previous
version)

Éric Masson

-- 
 I would point out to you, dear wired gentlemen and very, very dear wired
 ladies, that a simple INNOCENT message (I insist) generated nearly
 10 replies!!!
 -+- PC in: All guilty, every one. -+-
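
The two setups contrasted in the message above, as an added side-by-side sketch of the security policy entries each one needs (this is not part of the original message or of the handbook). All addresses, the gif0 numbering and the assumption that an IKE daemon negotiates the SAs are constructed for illustration.

```conf
# setkey(8) policy fragments, loaded with "setkey -f <file>" (constructed example).
# Assumed addresses: gateway A 192.0.2.1, gateway B 198.51.100.1,
# LAN A 10.1.0.0/16, LAN B 10.2.0.0/16. Written from gateway A's side.
# SAs are assumed to come from an IKE daemon, so only SPD entries are shown.

# --- Variant 1: gif(4) tunnel protected by ESP in transport mode ---
# The tunnel interface is created outside setkey, for example:
#   ifconfig gif0 create
#   ifconfig gif0 tunnel 192.0.2.1 198.51.100.1
#   ifconfig gif0 inet 10.255.0.1 10.255.0.2 netmask 255.255.255.255
# The policy matches only the outer IP-in-IP packets (protocol 4, "ipencap")
# exchanged by the two gateways. Which inner networks are reachable is decided
# by the routing table, so a routing daemon running over gif0 can add or
# withdraw prefixes without any change to the SPD.
spdadd 192.0.2.1 198.51.100.1 ipencap -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 ipencap -P in  ipsec esp/transport//require;

# --- Variant 2: pure IPsec tunnel mode, no gif interface ---
# The SPD selectors themselves name the protected networks. There is no
# interface for a routing protocol to run over, and every additional
# subnet pair needs its own pair of spdadd entries on both gateways.
spdadd 10.1.0.0/16 10.2.0.0/16 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.2.0.0/16 10.1.0.0/16 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;
```

Use one variant or the other on a given gateway pair; gateway B carries the mirror image, with the "in" and "out" directions swapped.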