From owner-freebsd-stable@FreeBSD.ORG Thu May 15 14:47:17 2003
From: Subscriber <subscriber@insignia.com>
To: "'stable@freebsd.org'"
Date: Thu, 15 May 2003 22:47:13 +0100
Subject: FW: iHEADS UP: ipsec packet filtering change

> -----Original Message-----
> From: Greg Panula [mailto:greg.panula@dolaninformation.com]
> Sent: 12 May 2003 11:10
> To: Matthew Braithwaite
> Cc: stable@freebsd.org
> Subject: Re: iHEADS UP: ipsec packet filtering change
>
> You don't really need the gif tunnels for ipsec. Gif is more geared
> towards ipv4 <=> ipv6 type tunnels. A few ipsec how-tos mention
> using gif tunnels and I've been tripped up by it, too.
>
> ipsec is much easier without the gif tunnels. The ipsec policy
> definition is explained in the setkey man page. Basically for tunnels
> it is:
>
> spdadd ${remote net} ${local net} any -P in ipsec
>     esp/tunnel/${remote gateway}-${local gateway}/unique;
>
> and
>
> spdadd ${local net} ${remote net} any -P out ipsec
>     esp/tunnel/${local gateway}-${remote gateway}/unique;

I have seen this said before. I've also seen it said that gif is just a way of getting the routing right. But every single practical example I have seen about how to set up a VPN link between two LANs using FreeBSD boxes uses gif.

I'm using gif. If I take it out and just use plain setkey and racoon, what should I substitute to get the packets addressed to my office network sent through the tunnel?

Jim Hatfield
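The two setkey(8) SPD entries Greg describes, filled in with constructed sample addresses (RFC 5737 documentation ranges, not anyone's real network) and paired with a check that the "in" and "out" lines really mirror each other, since swapping the tunnel endpoint order in one of them is the usual way such a policy silently fails. This is an added example, not code from the original thread.

```shell
#!/bin/sh
# Constructed sample values: two LANs behind two IPsec gateways.
LOCAL_NET="192.0.2.0/24"
REMOTE_NET="198.51.100.0/24"
LOCAL_GW="203.0.113.1"
REMOTE_GW="203.0.113.2"

# Emit the tunnel-mode ESP policy pair in the form from the setkey man page:
# inbound matches remote->local traffic tunnelled remote-gw -> local-gw,
# outbound is the same with selector and endpoints both reversed.
spd_policy() {
    lnet=$1; rnet=$2; lgw=$3; rgw=$4
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/unique;\n' \
        "$rnet" "$lnet" "$rgw" "$lgw"
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/unique;\n' \
        "$lnet" "$rnet" "$lgw" "$rgw"
}

# Consistency check on a two-line policy: the out line's src/dst must be the
# in line's dst/src, and its tunnel endpoints the in line's endpoints swapped.
# Fields: 1=spdadd 2=src 3=dst 4=upper 5=-P 6=dir 7=ipsec 8=esp/tunnel/A-B/level
spd_check() {
    printf '%s\n' "$1" | awk '
        NR == 1 { isrc = $2; idst = $3; split($8, t, "/"); itun = t[3] }
        NR == 2 { osrc = $2; odst = $3; split($8, t, "/"); otun = t[3] }
        END {
            split(itun, i, "-"); split(otun, o, "-")
            if (osrc == idst && odst == isrc && o[1] == i[2] && o[2] == i[1])
                exit 0
            exit 1
        }'
}

# Generate, verify, and print the policy so it can be fed to "setkey -f".
policy=$(spd_policy "$LOCAL_NET" "$REMOTE_NET" "$LOCAL_GW" "$REMOTE_GW")
spd_check "$policy" || { echo "in/out policies are not mirrored" >&2; exit 1; }
printf '%s\n' "$policy"
```

Once loaded, these entries make the kernel encapsulate packets matching the selectors itself, so the remote net only needs an ordinary route out through the gateway (the default route is enough), not a gif interface.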