From owner-freebsd-stable@FreeBSD.ORG Thu May 15 15:35:02 2003
From: Stacy Millions <stacy@millions.ca>
Organization: Millions Consulting Limited
Date: Thu, 15 May 2003 16:34:54 -0600
To: "'stable@freebsd.org'"
Subject: Re: FW: iHEADS UP: ipsec packet filtering change
Message-ID: <3EC4160E.3000306@millions.ca>
In-Reply-To: <2F03DF3DDE57D411AFF4009027B8C36704129AE7@exchange-uk.isltd.insignia.com>
List-Id: Production branch of FreeBSD source code

Subscriber wrote:

>> -----Original Message-----
>> From: Greg Panula [mailto:greg.panula@dolaninformation.com]
>> Sent: 12 May 2003 11:10
>> To: Matthew Braithwaite
>> Cc: stable@freebsd.org
>> Subject: Re: iHEADS UP: ipsec packet filtering change
>>
>> You don't really need the gif tunnels for ipsec. Gif is more geared
>> towards ipv4 <=> ipv6 type tunnels. A few of ipsec how-tos mention
>> using gif tunnels and I've been tripped up by it, too.
>>
>> ipsec is much easier without the gif tunnels. The ipsec policy
>> definition is explained in the setkey man page. Basically for tunnels
>> it is:
>>
>>   spdadd ${remote net} ${local net} any -P in ipsec esp/tunnel/${remote gateway}-${local gateway}/unique;
>>
>> and
>>
>>   spdadd ${local net} ${remote net} any -P out ipsec esp/tunnel/${local gateway}-${remote gateway}/unique;
>
> I have seen this said before. I've also seen it said that gif
> is just a way of getting the routing right. But every single
> practical example I have seen about how to set up a VPN link
> between two LANs using FreeBSD boxes uses gif.
>
> I'm using gif. If I take it out and just use plain setkey and
> racoon, what should I substitute to get the packets addressed
> to my office network sent through the tunnel?

I have set up IPSec VPN from FreeBSD to:

1) Win2k
2) Linux (FreeS/WAN)
3) Check Point VPN-1 and
4) FreeBSD

Never, in any situation, did I use a GIF tunnel. You don't have to do
anything to get your packets routed through the VPN; if the packet
matches a policy entry in the SPD it is shipped out the VPN, otherwise
it is routed normally.

-stacy
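The two spdadd lines quoted from Greg's message, written out as a small
setkey(8) policy generator. This is an added example, not code from anyone
in the thread; the networks and gateway addresses are made-up placeholders,
and spd_policy/spd_config are names chosen here. It shows the point Stacy
makes: the SPD selectors (source net, destination net, direction) are what
steer traffic into the ESP tunnel, so no gif interface or extra route is
needed, and the peer gateway's policy is the same pair with the arguments
swapped.

```shell
#!/bin/sh
# Added example: generate setkey(8) SPD entries for a gif-less IPsec
# tunnel between two LANs. Addresses are assumed placeholders (RFC 5737).
LOCAL_NET=192.168.1.0/24    # assumption: LAN behind this gateway
REMOTE_NET=192.168.2.0/24   # assumption: LAN behind the peer gateway
LOCAL_GW=203.0.113.1        # assumption: this gateway's outside address
REMOTE_GW=198.51.100.1      # assumption: peer gateway's outside address

# spd_policy LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW
# Prints the two tunnel-mode policies from the quoted template:
#   out: packets from our LAN to theirs are wrapped in ESP, our gw -> their gw
#   in:  packets from their LAN to ours must arrive in ESP, their gw -> our gw
# Anything not matching these selectors is routed normally, untouched.
spd_policy() {
    lnet=$1; rnet=$2; lgw=$3; rgw=$4
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/unique;\n' \
        "$lnet" "$rnet" "$lgw" "$rgw"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/unique;\n' \
        "$rnet" "$lnet" "$rgw" "$lgw"
}

# spd_config ... : a complete setkey script, starting with spdflush so a
# re-run replaces the old policies instead of duplicating them.
spd_config() {
    printf 'spdflush;\n'
    spd_policy "$@"
}

# Our gateway's configuration; the peer runs the same thing with the
# local/remote arguments exchanged (see the test of that symmetry below).
spd_config "$LOCAL_NET" "$REMOTE_NET" "$LOCAL_GW" "$REMOTE_GW"

# To load it (root, IPsec-enabled kernel): spd_config ... | setkey -c
# The SAs themselves are negotiated by racoon once a packet matches.
```

Only the policies live here; the SAs are not added by hand. With an
IPsec-enabled kernel and racoon running, the first outbound packet that
matches the "out" selector triggers IKE, and once the SA is up the packet
is encapsulated from the local gateway to the remote one. Note the peer's
"in" policy is the same selector as our "out" policy with only the
direction flipped; if the two sides disagree on the nets or gateway
addresses, packets silently take the normal route instead of the tunnel,
which is the first thing to check when a gif-less setup "does nothing".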