From owner-freebsd-net@FreeBSD.ORG Fri Jun 16 15:43:12 2006
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9DDBE16A47A for <freebsd-net@freebsd.org>; Fri, 16 Jun 2006 15:43:12 +0000 (UTC) (envelope-from fox@verio.net)
Received: from dfw-smtpout4.email.verio.net (dfw-smtpout4.email.verio.net [129.250.36.44]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3C28E43D49 for <freebsd-net@freebsd.org>; Fri, 16 Jun 2006 15:43:12 +0000 (GMT) (envelope-from fox@verio.net)
Received: from [129.250.36.61] (helo=dfw-mmp1.email.verio.net) by dfw-smtpout4.email.verio.net with esmtp id 1FrGTU-0006vg-8z for freebsd-net@freebsd.org; Fri, 16 Jun 2006 15:43:08 +0000
Received: from [129.250.40.241] (helo=limbo.int.dllstx01.us.it.verio.net) by dfw-mmp1.email.verio.net with esmtp id 1FrGTU-00054I-5c for freebsd-net@freebsd.org; Fri, 16 Jun 2006 15:43:08 +0000
Received: by limbo.int.dllstx01.us.it.verio.net (Postfix, from userid 1000) id 9DAD68E2CC; Fri, 16 Jun 2006 10:43:07 -0500 (CDT)
Date: Fri, 16 Jun 2006 10:43:07 -0500
From: David DeSimone <fox@verio.net>
To: freebsd-net@freebsd.org
Message-ID: <20060616154306.GA18578@verio.net>
Mail-Followup-To: freebsd-net@freebsd.org
References: <449228FA.50303@thebeastie.org> <20060616122855.GA29279@uk.tiscali.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
Content-Disposition: inline
In-Reply-To: <20060616122855.GA29279@uk.tiscali.com>
Precedence: bulk
User-Agent: Mutt/1.5.9i
Subject: Re: VPN with FAST_IPSEC and ipsec tools
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>, <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>, <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jun 2006 15:43:12 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brian Candler <B.Candler@pobox.com> wrote:
>
> Ah, I guess this means you're following the instructions in the
> FreeBSD handbook, which last time I looked gave a most bizarre and
> unnecessary way of setting up IPSEC (GIF tunneling running on top of
> IPSEC *tunnel* mode).  I raised it on this list before.

I ran into the same thing when analyzing the handbook's examples, and
quickly abandoned the handbook when writing my own configs.

> Most people are better off just setting up IPSEC tunnel mode.  A few
> use GIF running on top of IPSEC _transport_ mode (e.g. those running
> routing protocols like OSPF over tunnels).

The main reason to use IPSEC tunnel mode and avoid GIF is that such a
config is interoperable with other IPSEC implementations (Cisco,
Checkpoint, etc.), and thus is much more useful in the real world.

- --
David DeSimone == Network Admin == fox@verio.net
  "It took me fifteen years to discover that I had no talent for
   writing, but I couldn't give it up because by that time I was too
   famous."  -- Robert Benchley

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEktGKFSrKRjX5eCoRAq7JAJwIljDoGlZu+PDcFRT8842UpvXPkwCfZP8l
IXMhmlNoy/++m/CxIoIhfHI=
=ftpL
-----END PGP SIGNATURE-----
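Editor's added example (not part of the message above, and not a configuration taken from the FreeBSD handbook or from the ipsec-tools project): the two layouts the reply contrasts, written as setkey(8) policy files plus the rc.conf lines that go with them. Alternative A is plain IPsec tunnel mode with no gif(4); alternative B is gif(4) carrying the traffic with IPsec transport mode protecting only the gif endpoints. All addresses are made-up documentation values (203.0.113.1 and 203.0.113.2 as the public gateway addresses, 192.168.1.0/24 and 192.168.2.0/24 as the LANs behind them, 10.0.0.1 and 10.0.0.2 as the gif point-to-point addresses), the file path /etc/ipsec.conf and interface name em0 are assumptions, and the SAs are assumed to be negotiated by racoon, so no manual `add` lines are shown. Everything is written from the point of view of the 203.0.113.1 gateway; the peer uses the mirror image.

```conf
# ===== Alternative A: IPsec tunnel mode, no gif(4) =====
# /etc/ipsec.conf (assumed path), loaded by "setkey -f /etc/ipsec.conf"
# rc.conf:  ipsec_enable="YES"
#           ipsec_file="/etc/ipsec.conf"
flush;
spdflush;

# LAN-to-LAN traffic is ESP-encapsulated by the kernel between the two
# public addresses. The selectors (192.168.1.0/24 <-> 192.168.2.0/24)
# must match the peer's policy exactly; this is the policy-based layout
# that Cisco, Checkpoint and similar IKE peers expect.
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
        esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
        esp/tunnel/203.0.113.2-203.0.113.1/require;


# ===== Alternative B: gif(4) over IPsec *transport* mode =====
# rc.conf (routing, static here, or OSPF/RIP on gif0, decides what
# enters the tunnel; IPsec never sees the inner addresses):
#   gif_interfaces="gif0"
#   gifconfig_gif0="203.0.113.1 203.0.113.2"
#   ifconfig_gif0="inet 10.0.0.1 10.0.0.2 netmask 255.255.255.255"
#   static_routes="lan2"
#   route_lan2="-net 192.168.2.0/24 10.0.0.2"
#   ipsec_enable="YES"
#   ipsec_file="/etc/ipsec.conf"
#
# /etc/ipsec.conf (assumed path): only IP-in-IP (protocol 4, "ip4" in
# setkey's upperspec) between the two public addresses is protected,
# in transport mode. This is NOT the handbook's gif-over-tunnel-mode
# layout, which would wrap the gif packet in a second outer IP header.
flush;
spdflush;

spdadd 203.0.113.1 203.0.113.2 ip4 -P out ipsec
        esp/transport//require;
spdadd 203.0.113.2 203.0.113.1 ip4 -P in ipsec
        esp/transport//require;
```

Checks worth running after loading either file: `setkey -DP` shows the SPD the kernel actually holds (a typo in a selector silently leaves traffic in the clear, which `require` on the matching policy is meant to prevent, but only for traffic that matches); `setkey -D` shows the SAs once racoon has negotiated them; and `tcpdump -ni em0 host 203.0.113.2` on the outside interface should show nothing but ESP and ISAKMP. If you see protocol 4 (ipencap) or inner-LAN addresses there, the packets are bypassing the policy. A caveat for alternative B: because the kernel only sees "ip4 between the two gateways", what is allowed through the tunnel is decided by routing and by your firewall rules on gif0, not by IPsec selectors, so filter on gif0 as you would on any untrusted interface.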