Date: Fri, 9 Nov 2001 10:15:16 +0300
From: "Oles' Hnatkevych"
Organization: Finance & Credit Banking Corporation
Message-ID: <1154549961.20011109101516@fc.kiev.ua>
To: freebsd-net@freebsd.org
Subject: ipsec: tunneling with compression

Hello freebsd-net,

Having read the man pages, papers and the web, I still cannot figure out
HOW I can set up IPSEC tunneling WITH compression.

So far all I do is manual SA setup that looks like

  add 192.168.1.128 192.168.1.129 esp 10010 -E 3des-cbc "101010101010101010101010";
  add 192.168.1.129 192.168.1.128 esp 10011 -E 3des-cbc "010101010101010101010101";
  add 192.168.1.128 192.168.1.129 ipcomp 10005 -C deflate;
  add 192.168.1.129 192.168.1.128 ipcomp 10006 -C deflate;

and SP looks like (1.128-1.129 is a gif0 tunnel)

  spdadd 192.168.5.22 192.168.100.17 any
      -P out ipsec ipcomp/transport//require
      esp/tunnel/192.168.1.128-192.168.1.129/require;
  spdadd 192.168.100.17 192.168.5.22 any
      -P in ipsec ipcomp/transport//require
      esp/tunnel/192.168.1.129-192.168.1.128/require;

So the questions are:

1. Is it possible in FreeBSD to do tunneling with ESP and IPCOMP?
2. Should I use ipcomp/transport//require or ipcomp/tunnel/..../require?
3. What __request__ order should be used - and does it matter at all?
4. If I use ESP, why may I want to use it with AH?

With best wishes,
 Oles' Hnatkevych, http://gnut.kiev.ua, gnut@fc.kiev.ua