From owner-freebsd-net@FreeBSD.ORG Wed Dec 28 19:07:25 2005 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 93AE616A41F for ; Wed, 28 Dec 2005 19:07:25 +0000 (GMT) (envelope-from b.candler@pobox.com) Received: from thorn.pobox.com (thorn.pobox.com [208.210.124.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id DC7B343D67 for ; Wed, 28 Dec 2005 19:07:24 +0000 (GMT) (envelope-from b.candler@pobox.com) Received: from thorn (localhost [127.0.0.1]) by thorn.pobox.com (Postfix) with ESMTP id B6C23C1; Wed, 28 Dec 2005 14:07:45 -0500 (EST) Received: from mappit.local.linnet.org (212-74-113-67.static.dsl.as9105.com [212.74.113.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by thorn.sasl.smtp.pobox.com (Postfix) with ESMTP id 7C43B27EA; Wed, 28 Dec 2005 14:07:44 -0500 (EST) Received: from brian by mappit.local.linnet.org with local (Exim 4.60 (FreeBSD)) (envelope-from ) id 1Ergdt-00021M-DY; Wed, 28 Dec 2005 19:07:21 +0000 Date: Wed, 28 Dec 2005 19:07:21 +0000 From: Brian Candler To: Eric Masson Message-ID: <20051228190721.GB7695@uk.tiscali.com> References: <20051228143817.GA6898@uk.tiscali.com> <86lky5p7ik.fsf@srvbsdnanssv.interne.kisoft-services.com> <20051228155545.GA7166@uk.tiscali.com> <86d5jhp590.fsf@srvbsdnanssv.interne.kisoft-services.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <86d5jhp590.fsf@srvbsdnanssv.interne.kisoft-services.com> User-Agent: Mutt/1.4.2.1i Cc: freebsd-net@freebsd.org Subject: Re: IPSEC documentation X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Dec 2005 19:07:25 -0000 On Wed, Dec 28, 2005 at 05:15:39PM +0100, Eric Masson wrote: > Brian Candler writes: > > > OK, I'll buy gif + IPSEC transport mode as an option. [Although in that > > case, perhaps what you want is an external IPSEC tunnel mode implementation > > which attaches to a 'tun' device. That's yet another category which I hadn't > > even considered] > > Any url describing this setup please ? I don't know definitively. security/vpnc works fine for me as a client for talking to a Cisco VPN concentrator. I think that's IPSEC tunnel mode + PSK + XAUTH (which can also assign an IP address and insert routes into your forwarding table) There's net/pipsecd in ports. Its version is 19991014. I have no idea if it still works. I know of non-IPSEC solutions using tun (OpenVPN, TINC). I also know of userland IPSEC solutions which I don't think run under FreeBSD (FreeS/WAN, OpenS/WAN). All a bit of a nightmare really. Documentation would be good :-) > > I still think that gif + IPSEC tunnel mode (as currently documented) is not > > a good approach, especially if it's the *only* mode of operation to be > > documented and hence implicitly recommended as the 'right' way to do it. > > Well, ipsec section of the handbook is probably not the best one, I'd > like to see it extended with the sections you talked about in this > thread. Maybe it's time to submit patches... Sure. I first just wanted to check that there wasn't something I was missing. Regards, Brian.