From: "Eugene M. Zheganin" <emz@norma.perm.ru>
To: freebsd-net@freebsd.org
Date: Fri, 15 Jun 2012 10:22:14 +0600
Subject: Re: if_ipsec
Message-ID: <4FDAB876.8040400@norma.perm.ru>
In-Reply-To: <20120614155748.GC40355@felucia.tataz.chchile.org>

Hi.
On 14.06.2012 21:57, Jeremie Le Hen wrote:
> Not at all, I read the whole mail thoroughly actually :-). But I don't
> work on Cisco/Juniper equipment so I didn't exactly grasp what you
> meant.

Okay. Actually, the whole idea is to 'simplify'. The conventional way of creating IPSec makes you do a lot of stuff: creating policies, creating tunnel interfaces, creating isakmp phase 1 and phase 2 proposals. Cisco/Juniper equipment is pretty capable of doing all of this stuff too (if you want fine-grained control), but by default they got rid of all of this configuration; it works with defaults, and works fine.

And the gre setup is especially complicated when it comes to Juniper, because they totally got rid of the policing mechanism, and there's no way in JunOS (at least in 10.x-12.1) to define a policy about 'what kind of traffic to encrypt with IPSec' like you can do in Linux/*BSD/Cisco. So I'm afraid Cisco can lose this ability too. It is still possible to build a FreeBSD - Juniper gre/ipsec tunnel (and I'm using them), but it requires a twisted hack with routing on the Juniper side, and a pair of _additional_ IP addresses.

So, complicated stuff on one side, ipsec interfaces (and some default configs) on the other.

Eugene.