From owner-freebsd-net Wed Feb 21 23:09:07 2001
Delivered-To: freebsd-net@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id 6529D37B401 for ; Wed, 21 Feb 2001 23:09:04 -0800 (PST) (envelope-from itojun@itojun.org)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1]) by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id QAA23478; Thu, 22 Feb 2001 16:08:44 +0900 (JST)
To: Kris Kennaway
Cc: Stephen Cimarelli , freebsd-net@freebsd.org
In-reply-to: kris's message of Wed, 21 Feb 2001 22:53:55 PST. <20010221225355.A68921@mollari.cthul.hu>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: Help with IPSEC
From: itojun@iijlab.net
Date: Thu, 22 Feb 2001 16:08:44 +0900
Message-ID: <23476.982825724@coconut.itojun.org>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> * Most users seem to use gif devices to set up the tunnels instead of IPsec
>> tunnels, Why?
>gif is the name of the device used to implement tunneling.
>> What ports/protocols do I need to allow through a firewall to allow gif and
>> IPsec to work?
>gif isn't a protocol, it's an interface name. Check /etc/protocols
>for the protocol number of the AH and ESP protocols, which IPSEC uses
>depending on which mode you run it in.

summary: if you would like to interoperate with other devices, use IPsec tunnel mode policy, not gif.

IPsec tunnel is specified in RFC2401. gif works as specified in RFC1993. if you configure an IPsec tunnel by using IPsec policy (like "spdadd foo baa tunnel"), the encapsulation will strictly conform to RFC2401. you can create a similar packet by using IPsec transport mode against a gif-encapsulated packet; however, it does not look exactly the same. if the other end is picky about packet format, they may drop it because it does not conform to RFC2401.
itojun
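To make the two configurations itojun contrasts concrete, here is an added setkey(8) policy file (example written for this page, not taken from the mail or from the KAME/FreeBSD sources). Option A is the SPD-driven RFC 2401 tunnel-mode policy he recommends for interoperability; option B is the gif interface plus transport-mode ESP that "does not look exactly the same". All addresses are constructed RFC 5737 documentation addresses: 203.0.113.1 and 203.0.113.2 are assumed to be the two gateways' outer addresses, and 192.0.2.0/24 and 198.51.100.0/24 the networks behind them; the gif0 interface in option B is assumed to have been created separately.

```conf
# Added example: setkey(8) policy file, not part of the original mail.
# Constructed addresses (RFC 5737 documentation ranges):
#   203.0.113.1 / 203.0.113.2   outer addresses of the two security gateways
#   192.0.2.0/24, 198.51.100.0/24  networks behind each gateway
# Load with:  setkey -f /path/to/this/file   (path is a placeholder)

# --- Option A: IPsec tunnel mode driven purely by SPD policy (RFC 2401) ---
# The kernel adds the outer IP header and ESP itself, so the packet on the
# wire is what any other RFC 2401 implementation expects. No gif needed.
spdadd 192.0.2.0/24 198.51.100.0/24 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 198.51.100.0/24 192.0.2.0/24 any -P in  ipsec esp/tunnel/203.0.113.2-203.0.113.1/require;

# --- Option B: gif tunnel, then transport-mode ESP on the gif output ---
# Assumes gif0 was set up beforehand, e.g. (hypothetical commands):
#   ifconfig gif0 tunnel 203.0.113.1 203.0.113.2
#   ifconfig gif0 inet 192.0.2.1 198.51.100.1
# gif performs the IP-in-IP encapsulation ("ipencap", protocol 4 in
# /etc/protocols); the policy below then applies transport-mode ESP only to
# those encapsulated packets between the two outer addresses. As the mail
# notes, the result resembles option A but is not guaranteed to match the
# RFC 2401 tunnel-mode format, so a strict peer may reject it.
spdadd 203.0.113.1 203.0.113.2 ipencap -P out ipsec esp/transport//require;
spdadd 203.0.113.2 203.0.113.1 ipencap -P in  ipsec esp/transport//require;
```

For the firewall question in the quoted text: with either option the protected traffic crosses the firewall as ESP (IP protocol 50), or AH (protocol 51) if an `ah/...` policy is used instead; plain gif without IPsec appears as IP-in-IP (protocol 4). Whichever option is chosen, keep a matching `in` policy on the receiving side with the same `require` level, otherwise the gateway will accept unprotected packets that should have been encapsulated.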