Date:      Thu, 22 Feb 2001 16:08:44 +0900
From:      itojun@iijlab.net
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        Stephen Cimarelli <stephen@clari.net.au>, freebsd-net@freebsd.org
Subject:   Re: Help with IPSEC
Message-ID:  <23476.982825724@coconut.itojun.org>
In-Reply-To: kris's message of Wed, 21 Feb 2001 22:53:55 PST. <20010221225355.A68921@mollari.cthul.hu>


>> * Most users seem to use gif devices to set up the tunnels instead of IPsec
>> tunnels. Why?
>gif is the name of the device used to implement tunneling.
>> What ports/protocols do I need to allow through a firewall to allow gif and
>> IPsec to work?
>gif isn't a protocol, it's an interface name.  Check /etc/protocols
>for the protocol number of the AH and ESP protocols, which IPSEC uses
>depending on which mode you run it in.

	summary: if you would like to interoperate with other devices,
	use IPsec tunnel mode policy, not gif.


	IPsec tunnel is specified in RFC2401.  gif works as specified in
	RFC1993.

	if you configure an IPsec tunnel by using IPsec policy (like "spdadd
	foo baa tunnel"), the encapsulation will strictly conform to RFC2401.

	you can create a similar packet by using IPsec transport mode against a
	gif-encapsulated packet; however, it does not look exactly the same.
	if the other end is picky about packet format, they may drop it
	because it does not conform to RFC2401.

itojun
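The two setups the message contrasts, written out as a KAME setkey(8) policy file. This is an added example, not part of the original message; the gateway and subnet addresses are placeholders, and the commented-out gif variant assumes gif0 is configured with ifconfig(8).

```conf
# /etc/ipsec.conf (constructed example; load with: setkey -f /etc/ipsec.conf)
# Assumed topology: local gateway 192.0.2.1 with 10.0.1.0/24 behind it,
# remote gateway 198.51.100.1 with 10.0.2.0/24 behind it.
flush;
spdflush;

# Recommended: RFC 2401 tunnel-mode policy. The IPsec stack builds the outer
# IP header itself, so the wire format is what any conformant peer expects.
# "require" means matching traffic is dropped, not sent in the clear, when no
# SA exists (SAs come from IKE, e.g. racoon, or manual "add" lines).
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;

# The gif alternative the message advises against for interoperability:
# gif0 does the IP-in-IP encapsulation
#   (ifconfig gif0 create; ifconfig gif0 tunnel 192.0.2.1 198.51.100.1)
# and transport-mode ESP protects the resulting protocol-4 (ip4) packets
# between the gateways. The result is similar to, but not guaranteed to be
# identical to, an RFC 2401 tunnel-mode packet.
# spdadd 192.0.2.1 198.51.100.1 ip4 -P out ipsec esp/transport//require;
# spdadd 198.51.100.1 192.0.2.1 ip4 -P in  ipsec esp/transport//require;
```

The firewall question in the thread applies to both variants: only ESP (protocol 50) and, if used, AH (protocol 51) plus IKE (UDP 500) need to pass between the two gateway addresses; the gif variant adds nothing on the wire because the protocol-4 packet is inside ESP.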
