Date: Thu, 15 May 2003 22:47:13 +0100
From: Subscriber <subscriber@insignia.com>
To: "'stable@freebsd.org'" <stable@freebsd.org>
Subject: FW: iHEADS UP: ipsec packet filtering change
Message-ID: <2F03DF3DDE57D411AFF4009027B8C36704129AE7@exchange-uk.isltd.insignia.com>
> -----Original Message-----
> From: Greg Panula [mailto:greg.panula@dolaninformation.com]
> Sent: 12 May 2003 11:10
> To: Matthew Braithwaite
> Cc: stable@freebsd.org
> Subject: Re: iHEADS UP: ipsec packet filtering change
>
> You don't really need the gif tunnels for ipsec.  Gif is more geared
> towards ipv4 <=> ipv6 type tunnels.  A few of ipsec how-to's mention
> using gif tunnels and I've been tripped up by it, too.
>
> ipsec is much easier without the gif tunnels.  The ipsec policy
> definition is explained in the setkey man page.  Basically for tunnels
> it is: spdadd ${remote net} ${local net} any -P in ipsec
> esp/tunnel/${remote gateway}-${local gateway}/unique; and
> spdadd ${local net} ${remote net} any -P out ipsec
> esp/tunnel/${local gateway}-${remote gateway}/unique;

I have seen this said before. I've also seen it said that gif is just
a way of getting the routing right. But every single practical example
I have seen about how to set up a VPN link between two LANs using
FreeBSD boxes uses gif.

I'm using gif. If I take it out and just use plain setkey and racoon,
what should I substitute to get the packets addressed to my office
network sent through the tunnel?

Jim Hatfield
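
The policy template quoted in the message above, filled in for both ends of one tunnel. This is an added example, not part of the original message: the function names and all addresses are constructed (RFC 1918 networks, documentation-range gateway addresses), and the printed lines are meant to be loaded with `setkey -f`.

```shell
#!/bin/sh
# Added example: emit the in/out tunnel-mode SPD pair from the quoted
# template for one gateway, and check that the two ends mirror each other.
# Function names and addresses are constructed for illustration.

# tunnel_policies LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW
# Prints setkey(8) policy lines for the gateway that owns LOCAL_NET/LOCAL_GW.
tunnel_policies() {
    if [ "$#" -ne 4 ]; then
        echo "usage: tunnel_policies local_net remote_net local_gw remote_gw" >&2
        return 2
    fi
    local_net=$1 remote_net=$2 local_gw=$3 remote_gw=$4
    # Swapped or duplicated arguments are the usual mistake; a policy whose
    # two selectors or two endpoints are identical is never what was meant.
    if [ "$local_net" = "$remote_net" ] || [ "$local_gw" = "$remote_gw" ]; then
        echo "local and remote values must differ" >&2
        return 1
    fi
    # Inbound: traffic from the remote net, tunnelled remote gw -> local gw.
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/unique;\n' \
        "$remote_net" "$local_net" "$remote_gw" "$local_gw"
    # Outbound: traffic to the remote net, tunnelled local gw -> remote gw.
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/unique;\n' \
        "$local_net" "$remote_net" "$local_gw" "$remote_gw"
}

# policies_mirror LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW
# Succeeds when this gateway's "out" policy is exactly the peer's "in"
# policy with only the direction keyword changed. A mismatch here means
# one end encrypts traffic that the other end's policy does not expect.
policies_mirror() {
    a_out=$(tunnel_policies "$1" "$2" "$3" "$4" | grep -- ' -P out ')
    b_in=$(tunnel_policies "$2" "$1" "$4" "$3" | grep -- ' -P in ' |
        sed 's/ -P in / -P out /')
    [ "$a_out" = "$b_in" ]
}

# Constructed sample: office LAN 10.0.1.0/24 behind 192.0.2.1,
# remote LAN 10.0.2.0/24 behind 198.51.100.1.
echo "# gateway A (192.0.2.1)"
tunnel_policies 10.0.1.0/24 10.0.2.0/24 192.0.2.1 198.51.100.1
echo "# gateway B (198.51.100.1)"
tunnel_policies 10.0.2.0/24 10.0.1.0/24 198.51.100.1 192.0.2.1
```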