Date: Thu, 22 Feb 2001 16:08:44 +0900
From: itojun@iijlab.net
To: Kris Kennaway <kris@obsecurity.org>
Cc: Stephen Cimarelli <stephen@clari.net.au>, freebsd-net@freebsd.org
Subject: Re: Help with IPSEC
Message-ID: <23476.982825724@coconut.itojun.org>
In-Reply-To: kris's message of Wed, 21 Feb 2001 22:53:55 PST. <20010221225355.A68921@mollari.cthul.hu>
>> * Most users seem to use gif devices to set up the tunnels instead of IPsec
>> tunnels, Why?
>gif is the name of the device used to implement tunneling.
>> What ports/protocols do I need to allow through a firewall to allow gif and
>> IPsec to work?
>gif isn't a protocol, it's an interface name. Check /etc/protocols
>for the protocol number of the AH and ESP protocols, which IPSEC uses
>depending on which mode you run it in.

summary: if you would like to interoperate with other devices, use IPsec
tunnel mode policy, not gif.

IPsec tunnel is specified in RFC2401. gif works as specified in RFC1993.
if you configure an IPsec tunnel by using IPsec policy (like "spdadd foo
baa tunnel"), the encapsulation will strictly conform to RFC2401.

you can create a similar packet by using IPsec transport mode against a
gif-encapsulated packet; however, it does not look exactly the same. if
the other end is picky about packet format, they may drop it because it
does not conform to RFC2401.

itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
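The two configurations the reply contrasts, written out as setkey policy; this is an added example, not code from the thread. Addresses are constructed (inner networks 10.0.1.0/24 and 10.0.2.0/24, gateways 192.0.2.1 and 198.51.100.1), the functions only print policy text, and the ipfw rules answer the firewall question by protocol number (ESP is 50 and AH is 51 in /etc/protocols).

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed, constructed addresses:
#   site A inner net 10.0.1.0/24 behind gateway 192.0.2.1
#   site B inner net 10.0.2.0/24 behind gateway 198.51.100.1
# Functions print policy text; nothing is applied unless piped to setkey/ipfw.

# RFC 2401 tunnel mode: selectors are the inner networks and the tunnel
# endpoints are part of the policy, so the kernel emits
# outer IP | ESP | inner IP exactly as an interoperating peer expects.
tunnel_policy() {
    inner_a=$1 inner_b=$2 gw_a=$3 gw_b=$4
    cat <<EOF
spdadd $inner_a $inner_b any -P out ipsec esp/tunnel/$gw_a-$gw_b/require;
spdadd $inner_b $inner_a any -P in  ipsec esp/tunnel/$gw_b-$gw_a/require;
EOF
}

# The gif alternative from the thread: gif does IP-in-IP (protocol ip4)
# first and transport-mode ESP is then applied to that packet, giving
# outer IP | ESP | gif's inner IP. Close on the wire, but not RFC 2401
# tunnel mode, so a strict peer may drop it.
gif_transport_policy() {
    gw_a=$1 gw_b=$2
    cat <<EOF
spdadd $gw_a $gw_b ip4 -P out ipsec esp/transport//require;
spdadd $gw_b $gw_a ip4 -P in  ipsec esp/transport//require;
EOF
}

# Firewall side of the question: AH and ESP are IP protocols (51 and 50 in
# /etc/protocols), not ports, so ipfw must pass them by protocol name.
ipsec_firewall_rules() {
    gw_a=$1 gw_b=$2
    cat <<EOF
ipfw add allow esp from $gw_b to $gw_a
ipfw add allow ah  from $gw_b to $gw_a
EOF
}

# Usage on gateway A (as root):
#   tunnel_policy 10.0.1.0/24 10.0.2.0/24 192.0.2.1 198.51.100.1 | setkey -c
#   ipsec_firewall_rules 192.0.2.1 198.51.100.1 | sh
```

Run the mirror image (swapped arguments) on gateway B; the policy lines can be checked with `setkey -DP` after loading.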