Date: Thu, 15 May 2003 16:34:54 -0600
From: Stacy Millions <stacy@millions.ca>
To: "'stable@freebsd.org'" <stable@freebsd.org>
Subject: Re: FW: iHEADS UP: ipsec packet filtering change
Message-ID: <3EC4160E.3000306@millions.ca>
In-Reply-To: <2F03DF3DDE57D411AFF4009027B8C36704129AE7@exchange-uk.isltd.insignia.com>
References: <2F03DF3DDE57D411AFF4009027B8C36704129AE7@exchange-uk.isltd.insignia.com>

Subscriber wrote:
>>-----Original Message-----
>>From: Greg Panula [mailto:greg.panula@dolaninformation.com]
>>Sent: 12 May 2003 11:10
>>To: Matthew Braithwaite
>>Cc: stable@freebsd.org
>>Subject: Re: iHEADS UP: ipsec packet filtering change
>>
>>You don't really need the gif tunnels for ipsec. Gif is more geared
>>towards ipv4 <=> ipv6 type tunnels. A few of the ipsec how-to's mention
>>using gif tunnels and I've been tripped up by it, too.
>>
>>ipsec is much easier without the gif tunnels. The ipsec policy
>>definition is explained in the setkey man page. Basically for tunnels
>>it is:
>>spdadd ${remote net} ${local net} any -P in ipsec esp/tunnel/${remote gateway}-${local gateway}/unique;
>>and
>>spdadd ${local net} ${remote net} any -P out ipsec esp/tunnel/${local gateway}-${remote gateway}/unique;
>
>
> I have seen this said before. I've also seen it said that gif
> is just a way of getting the routing right. But every single
> practical example I have seen about how to set up a VPN link
> between two Lans using FreeBSD boxes uses gif.
>
> I'm using gif. If I take it out and just use plain setkey and
> racoon, what should I substitute to get the packets addressed
> to my office network sent through the tunnel?
>
I have set up IPSec VPNs from FreeBSD to:
1) Win2k
2) Linux (FreeS/WAN)
3) Check Point VPN-1 and
4) FreeBSD
Never, in any situation, did I use a GIF tunnel. You don't have to
do anything to get your packets routed through the VPN; if the packet
matches a policy entry in the SPD it is shipped out the VPN, otherwise
it is routed normally.
-stacy
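
The behaviour described in this message, as an added example that is not part of the original thread and not FreeBSD code: a simplified model that renders the two `spdadd` policies from the quoted template and decides, per outbound packet, whether an `out` policy selects it for the tunnel. It matches on source prefix, destination prefix and direction only; the networks and gateway addresses are constructed, and the function names are hypothetical.

```python
# Simplified model of outbound SPD selection (added example, not kernel code).
# All addresses below are constructed private/documentation ranges.
from ipaddress import ip_address, ip_network

LOCAL_NET, REMOTE_NET = "192.168.1.0/24", "192.168.2.0/24"
LOCAL_GW, REMOTE_GW = "203.0.113.1", "198.51.100.1"


def setkey_policies(local_net, remote_net, local_gw, remote_gw):
    """Render the in/out tunnel policies in the form quoted in the thread."""
    return [
        f"spdadd {remote_net} {local_net} any -P in ipsec "
        f"esp/tunnel/{remote_gw}-{local_gw}/unique;",
        f"spdadd {local_net} {remote_net} any -P out ipsec "
        f"esp/tunnel/{local_gw}-{remote_gw}/unique;",
    ]


def parse_policy(line):
    """Extract (src net, dst net, direction, tunnel endpoints) from one spdadd line."""
    tok = line.rstrip(";").split()
    src, dst, direction = ip_network(tok[1]), ip_network(tok[2]), tok[5]
    endpoints = tok[7].split("/")[2]  # "<gateway>-<gateway>"
    return src, dst, direction, endpoints


def outbound_decision(spd, src, dst):
    """Return the tunnel endpoints if an 'out' policy matches, else 'route normally'."""
    for p_src, p_dst, direction, endpoints in spd:
        if direction == "out" and ip_address(src) in p_src and ip_address(dst) in p_dst:
            return f"esp tunnel {endpoints}"
    return "route normally"


SPD = [parse_policy(line)
       for line in setkey_policies(LOCAL_NET, REMOTE_NET, LOCAL_GW, REMOTE_GW)]

if __name__ == "__main__":
    for src, dst in [("192.168.1.10", "192.168.2.20"),   # LAN to remote LAN
                     ("192.168.1.10", "192.0.2.50")]:     # LAN to anything else
        print(f"{src} -> {dst}: {outbound_decision(SPD, src, dst)}")
```

A destination outside the policy's selector is routed normally and leaves unencrypted, so the selectors have to cover every prefix that is meant to be protected.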
