From: Lukas Maly
Date: Wed, 22 Oct 2003 13:59:16 +0200 (CEST)
To: Jim Hatfield
cc: freebsd-security@freebsd.org
Subject: Re: IPSec VPNs: to gif or not to gif
Message-ID: <20031022135339.C76516@k2.vol.cz>

On Wed, 22 Oct 2003, Jim Hatfield wrote:

> Date: Wed, 22 Oct 2003 12:28:45 +0100
> From: Jim Hatfield
> To: freebsd-security@freebsd.org
> Subject: IPSec VPNs: to gif or not to gif
>
> I will shortly be replacing a couple of proprietary VPN boxes
> with a FreeBSD solution. Section 10.10 of the Handbook has a
> detailed description of how to do this.
>
> However I remember a lot of discussion about a year ago about
> whether the gif interface was necessary to set up VPNs like
> this or whether it was just a convenience, for "getting the
> routing right". A number of people said that gif was not
> needed but I've never found a step-by-step description of how
> to set up a lan-to-lan VPN without using it.

I use VPN with gif device.

  ifconfig gif0 create tunnel AA1.BB1.CC1.DD1 AA2.BB2.CC2.DD2
  ifconfig gif0 inet 192.168.0.1 192.168.1.1 netmask 255.255.255.0

Create and set tunnel. Add the policy with setkey ...

Start racoon server on port 500 proto UDP:

  /usr/local/sbin/racoon -4 -l /var/log/racoon.log

malyl

> Is the Handbook the current received wisdom on how to set this
> up, and is the use of the gif interface indeed necessary?
>
> I also remember that the discussions diverted into a problem
> with ipfw when gif was *not* used, but I haven't found any
> messages to indicate that it was resolved. I recall suggestions
> that a new interface esp0 be created so that ipfw could work
> correctly on both the inner and outer packets of an ESP tunnel.
>
> Was that issue ever resolved?
>
> jim hatfield
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
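As an added example that is not part of Lukas's mail or of the Handbook, the following sh script generates the gif tunnel commands together with the setkey(8) policy the reply only alludes to, in the gif-plus-transport-mode-ESP design: the two public endpoints carry IP-in-IP (ipencap) traffic that the SPD requires to be protected by ESP, and racoon negotiates the SAs on demand. The function names are mine and every address is a constructed placeholder from the documentation ranges.

```shell
#!/bin/sh
# Added example, not from the original mail: generate the gif tunnel commands
# and the matching setkey(8) policy for a lan-to-lan IPsec VPN in the
# gif-plus-transport-mode-ESP design. Function names are mine; all addresses
# are constructed placeholders from the documentation ranges.

# Accept only a dotted-quad IPv4 address with octets 0-255, so a typo cannot
# become a wrong or overly broad selector in the security policy database.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    return 0
}

# gif_setup OUTER_LOCAL OUTER_REMOTE INNER_LOCAL INNER_REMOTE
# Outer addresses are the public tunnel endpoints; inner ones are the
# point-to-point addresses on gif0 that the remote LAN route points at.
gif_setup() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 inet %s %s netmask 255.255.255.255\n' "$3" "$4"
}

# spd_policy OUTER_LOCAL OUTER_REMOTE
# Require ESP in transport mode for the IP-in-IP (ipencap) packets gif emits,
# in both directions. With "require" and no manual SA, the kernel asks the
# IKE daemon (racoon) to negotiate keys when the first packet appears.
spd_policy() {
    printf 'spdadd %s/32 %s/32 ipencap -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s/32 %s/32 ipencap -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# vpn_config OUTER_LOCAL OUTER_REMOTE INNER_LOCAL INNER_REMOTE
# Validate every address first; print nothing and fail if any is malformed.
vpn_config() {
    for addr in "$1" "$2" "$3" "$4"; do
        valid_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
    done
    gif_setup "$1" "$2" "$3" "$4"
    echo '# load the following with: setkey -f /etc/ipsec.conf'
    spd_policy "$1" "$2"
}

vpn_config 192.0.2.1 198.51.100.1 10.0.0.1 10.0.1.1
```

The peer runs the same script with the two outer and the two inner addresses swapped, so that its "out" policy mirrors this side's "in" policy.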