From: Brian Somers
To: Julian Elischer
Cc: Brian Somers, net@FreeBSD.ORG, brian@freebsd-services.com
Subject: Re: IPSEC question..
Date: Sat, 22 Sep 2001 01:23:18 +0100
Message-Id: <200109220023.f8M0NIR46299@hak.lan.Awfulhak.org>
In-Reply-To: Message from Julian Elischer of "Fri, 21 Sep 2001 13:58:17 PDT."

> > Once you've got the gif tunnel working, say with top addresses
> > 10.0.0.1 and 10.0.0.2 and tunnel addresses 1.2.3.4 and 5.6.7.8,
> > create an /etc/ipsec.conf that says:
> >
> which are the 'top' addresses? outer or inner?
> i.e.
>
> (A)gif0:-------(B)ed0-------------ed0(C)--------gif0(D)

By ``top'' I mean the gif addresses.  By tunnel addresses I mean the
endpoint addresses.  For my examples:

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 1.2.3.4 --> 5.6.7.8
        inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff

> > spdadd 1.2.3.4/32 5.6.7.8/32 ip4 -P in ipsec esp/transport//require;
> > spdadd 5.6.7.8/32 1.2.3.4/32 ip4 -P out ipsec esp/transport//require;
> >
>
> ip4?
> I need to run this on 4.1.1 machines.

You're really better off applying the one-line fix to token.l to support
the ip4 syntax.  It removes many problems - especially if you intend to
run NAT on your machines.  You should have the kernel support in 4.1.1.

-- 
Brian
http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !
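As an added example (not part of Brian's mail, and not code from the FreeBSD tree), here is a small sh(1) script that generates the per-host configuration the thread describes: the gif0 interface with its tunnel (outer endpoint) addresses and its "top" (gif) addresses, plus the setkey(8) policy in transport mode keyed on protocol 4, IP-in-IP, which is the gif encapsulation, so that only the encapsulated tunnel packets are required to carry ESP. The function names and the a/b role labels are this example's own; the addresses are the thread's placeholders. It assumes an ifconfig(8) that accepts the `tunnel` keyword (FreeBSD 4.4 and later; 4.1.1 used gifconfig(8) for the same job) and a setkey that accepts `ip4` as the upper-layer protocol, which on 4.1.1 is exactly the token.l fix Brian refers to.

```shell
#!/bin/sh
# Added example, not code from the original mail or from FreeBSD.
# Emits the gif(4) tunnel and IPsec transport-mode policy for ONE side
# of the tunnel discussed in the thread. Function names and the a/b
# role labels are this example's own; the addresses are the thread's
# placeholders: 1.2.3.4 / 5.6.7.8 are the tunnel (outer) endpoints,
# 10.0.0.1 / 10.0.0.2 are the gif ("top") addresses.

# gif_config LOCAL_OUTER REMOTE_OUTER LOCAL_INNER REMOTE_INNER
# ifconfig(8) lines that build gif0 on this host. Assumes an ifconfig
# with the "tunnel" keyword (FreeBSD 4.4+; 4.1.1 used gifconfig(8)).
gif_config() {
    printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 inet %s %s netmask 0xffffffff\n' "$3" "$4"
}

# spd_config LOCAL_OUTER REMOTE_OUTER
# setkey(8) policy lines for this host. Only protocol 4 (IP-in-IP, the
# gif encapsulation) is selected, in transport mode, so the outer tunnel
# packets are what ESP protects. Direction is relative to this host:
# packets with src = local are "out", packets with src = remote are "in".
# On 4.1.1 the "ip4" keyword needs the token.l fix mentioned in the mail.
spd_config() {
    printf 'spdadd %s/32 %s/32 ip4 -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s/32 %s/32 ip4 -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# host_config a|b
# "a" is the 1.2.3.4 / 10.0.0.1 side, "b" the 5.6.7.8 / 10.0.0.2 side.
# The two outputs are mirror images: the same spdadd selectors appear on
# both hosts, but with "in" and "out" swapped.
host_config() {
    case "$1" in
        a)  gif_config 1.2.3.4 5.6.7.8 10.0.0.1 10.0.0.2
            spd_config 1.2.3.4 5.6.7.8 ;;
        b)  gif_config 5.6.7.8 1.2.3.4 10.0.0.2 10.0.0.1
            spd_config 5.6.7.8 1.2.3.4 ;;
        *)  echo "usage: $0 a|b" >&2
            return 1 ;;
    esac
}

# Print the configuration for the role given on the command line.
if [ $# -gt 0 ]; then
    host_config "$1"
fi
```

Run it with `a` on the 1.2.3.4 side and `b` on the 5.6.7.8 side; the two spdadd lines go into /etc/ipsec.conf (or straight to `setkey -f`) and the ifconfig lines into the interface start-up. Note what `require` does and does not do: it makes the kernel drop matching IP-in-IP packets that are not ESP-protected, but the SAs themselves still have to exist, either as manual `add` entries or negotiated by racoon. The direction in a policy is always relative to the host that loads it, which is why the two sides' spdadd lines are mirror images rather than identical.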