Date:      Tue, 09 Apr 2002 10:04:55 -0700
From:      Lars Eggert <larse@ISI.EDU>
To:        Dennis Pedersen <trm@daydreamer.dk>
Cc:        freebsd-net@freebsd.org
Subject:   Re: IPsec tunnel mode
Message-ID:  <3CB31F37.7020504@isi.edu>
References:  <MPENKFCCIIDAJKJJOLBHMEAJCNAA.tariq@inty.net> <5.1.0.14.0.20020408200151.01cac1f0@mail.drwilco.net> <007501c1df3f$326d92a0$0301a8c0@dpws> <3CB20A6D.3040704@isi.edu> <00a801c1dfaf$925aa750$0301a8c0@dpws> <3CB3146A.7080906@isi.edu> <003c01c1dfe6$8460e7e0$0301a8c0@dpws>


[-- Attachment #1 --]
Dennis Pedersen wrote:
>>Setting up the other approach (IPIP tunnel + IPsec transport mode) works
>>by first setting up the tunnels (see the gifconfig/ifconfig man pages)
>>and stringing the topology together with route (route man page). No
>>other commands are needed. Once this works (i.e. you see correctly
>>encapsulated packets flow between your machines) you can then manually
>>configure IPsec transport mode SAs (via setkey) or use IKE.
>
> But the last document where the author creates some alias to lo0 and runs
> natd on the gif interface isn't that the right way of doing it (let's just
> forget ipsec for now and look strictly on IPIP) or?

The alias on loopback is simply working around a small bug with gif 
interfaces. (Normally you can ping the local address of any interface; 
with KAME gifs you can't. The alias works around that.)

NAT is not required to make the overlay setup work. (The example you 
gave includes it so that overlay nodes with RFC1918 addresses can talk 
to the real Internet. This is an orthogonal issue.)

> According to what you are writing this isn't the way of doing it? (and there
> you seem to have lost me..)

There are TWO ways of doing this:

	1. IPsec tunnel mode
	- you don't need any gifs
	- you must use IPsec selectors to match & forward your traffic

	2. IPIP tunnels + transport mode
	- you do need gifs but ONLY with IPsec TRANSPORT mode SAs
	- you use regular routes to forward your traffic

Pick one.

> About the Kame Newsletters I believe to have read all of them that have
> relevance to IPsec, anything specific I'm missing?

Configuring KAME for IPsec: manual keying
http://www.kame.net/newsletter/19980626/

Simple Configuration Sample of IPsec/Racoon
http://www.kame.net/newsletter/20001119/

Changed manual key configuration for IPsec
http://www.kame.net/newsletter/19991007/

Lars
-- 
Lars Eggert <larse@isi.edu>               Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California

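The two approaches in the list above, written out as an added example. This script is mine, not code from the thread, from KAME or from FreeBSD; it only prints the commands and the setkey(8) configuration so they can be reviewed before being fed to sh(1) and "setkey -f". The addresses (192.0.2.x / 198.51.100.x outside, 10.1.0.0/24 and 10.2.0.0/24 inside), the SPI values, the interface name gif0 and the rijndael-cbc / hmac-sha1 algorithm choice are all assumed sample values. gifconfig(8) is the KAME-era tool the message refers to; on later FreeBSD the equivalent is "ifconfig gif0 create; ifconfig gif0 tunnel A B".

```shell
#!/bin/sh
# Added example (not from the thread or from KAME): print the FreeBSD/KAME
# commands and setkey(8) configuration for the two approaches Lars lists.
# Nothing here touches the kernel; review the output, then run the command
# lines with sh(1) and the setkey blocks with "setkey -f file".
# The topology below is constructed; replace it with your own addresses.

LOCAL_OUTER=192.0.2.1        # this gateway's routable address
REMOTE_OUTER=198.51.100.1    # peer gateway's routable address
LOCAL_NET=10.1.0.0/24        # RFC1918 network behind this gateway
REMOTE_NET=10.2.0.0/24       # RFC1918 network behind the peer
LOCAL_INNER=10.1.0.1         # gif0 inner (tunnel) address, this side
REMOTE_INNER=10.2.0.1        # gif0 inner (tunnel) address, peer side

# N random bytes as a hex string for manual keying: 16 for rijndael-cbc
# (AES-128), 20 for hmac-sha1. Both gateways must be given the same keys.
gen_key() {
    dd if=/dev/urandom bs="$1" count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Approach 1: IPsec tunnel mode. No gif interface and no extra routes: the
# SPD selectors on the INNER networks tell the kernel which packets to wrap
# in ESP tunnel mode between the two OUTER addresses.
# Args: enc key out, auth key out, enc key in, auth key in (hex, no 0x).
tunnel_mode_setkey() {
    cat <<EOF
flush;
spdflush;
add $LOCAL_OUTER $REMOTE_OUTER esp 0x1001 -m tunnel -E rijndael-cbc 0x$1 -A hmac-sha1 0x$2;
add $REMOTE_OUTER $LOCAL_OUTER esp 0x1002 -m tunnel -E rijndael-cbc 0x$3 -A hmac-sha1 0x$4;
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_OUTER-$REMOTE_OUTER/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec esp/tunnel/$REMOTE_OUTER-$LOCAL_OUTER/require;
EOF
}

# Approach 2, step 1: a plain IPIP overlay with gif(4) plus a regular route.
# gifconfig(8) is the KAME-era tool; on later FreeBSD use
# "ifconfig gif0 create; ifconfig gif0 tunnel A B" instead.
# Check with tcpdump that IP-in-IP (protocol 4) flows between the outer
# addresses before adding IPsec. The lo0 alias is the workaround Lars
# mentions so that the local gif address answers ping.
ipip_overlay_cmds() {
    cat <<EOF
gifconfig gif0 $LOCAL_OUTER $REMOTE_OUTER
ifconfig gif0 inet $LOCAL_INNER $REMOTE_INNER netmask 255.255.255.255
route add -net $REMOTE_NET $REMOTE_INNER
ifconfig lo0 alias $LOCAL_INNER netmask 255.255.255.255
EOF
}

# Approach 2, step 2: TRANSPORT-mode SAs between the OUTER addresses only.
# The selector's upper-layer protocol is "ip4" (IPv4-in-IPv4, protocol 4),
# i.e. exactly what gif0 emits, so every overlay packet is protected without
# a selector per inner network; forwarding stays with the routes above.
transport_mode_setkey() {
    cat <<EOF
flush;
spdflush;
add $LOCAL_OUTER $REMOTE_OUTER esp 0x2001 -m transport -E rijndael-cbc 0x$1 -A hmac-sha1 0x$2;
add $REMOTE_OUTER $LOCAL_OUTER esp 0x2002 -m transport -E rijndael-cbc 0x$3 -A hmac-sha1 0x$4;
spdadd $LOCAL_OUTER $REMOTE_OUTER ip4 -P out ipsec esp/transport//require;
spdadd $REMOTE_OUTER $LOCAL_OUTER ip4 -P in ipsec esp/transport//require;
EOF
}

# Usage: ./ipsec-overlay.sh tunnel   or   ./ipsec-overlay.sh ipip
case "${1:-}" in
    tunnel)
        tunnel_mode_setkey "$(gen_key 16)" "$(gen_key 20)" "$(gen_key 16)" "$(gen_key 20)" ;;
    ipip)
        ipip_overlay_cmds
        echo "# feed the following to: setkey -f"
        transport_mode_setkey "$(gen_key 16)" "$(gen_key 20)" "$(gen_key 16)" "$(gen_key 20)" ;;
esac
```

Run it once per approach on each gateway, swapping LOCAL_* and REMOTE_* on the peer, and copy the same key material to both sides; the "add" lines are manual keying for a lab and are what IKE (racoon) replaces once the selectors and routes are known to work. In the second approach the IPsec selector names only the outer addresses and protocol ip4, so adding another inner network means adding a route, not a policy.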
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3CB31F37.7020504>