From owner-freebsd-net Tue Jul 30 02:05:07 2002
Delivered-To: freebsd-net@freebsd.org
Message-ID: <006a01c237a8$268fd8f0$9c01000a@tariq>
From: "Tariq Rashid"
References: <20020730074813.GF89241@blossom.cjclark.org>
Subject: Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...
Date: Tue, 30 Jul 2002 10:04:30 +0100

I'm no expert but I think it's like this:

* If your endpoints (say 10.0.0.1, 10.0.0.2) do not partake in the network traffic then not using gif is OK. That is, traffic is only between protected nets (say 192.168.1.0, 192.168.2.0).

* However, if your endpoints also want to talk to each other (10.0.0.1 <-> 10.0.0.2) in addition to the protected nets, then you have to "trick" the packets to go through the gif interface so they obtain the correct "source address" -> this way the IPSEC layer will not ignore the packets and will encrypt them (because they have the correct source address). The ipsec layer won't encrypt packets from 10.0.0.1 -> 192.168.2.1, say - but will encrypt 192.168.1.1 -> 192.168.2.1.

Am I wrong? I've always been a little confused about the need for gif tunnels for routing... very ugly solution but it works for me. Having an ipsec0 device or an enc0 device would be much nicer. You could also tcpdump the decrypted packets on these devices.

tariq

----- Original Message -----
From: "Crist J. Clark"

> I've never figured out why people use gif(4) interfaces when ESP does
> the tunneling for you.
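The two cases above written out as a KAME/FreeBSD setkey(8) security policy database, as an added example that is not part of the original post or thread. The addresses are the ones from the message; the entries for endpoint-originated traffic are an alternative to the gif trick that the author did not propose, shown here to make the selector-matching point concrete.

```conf
# setkey(8) SPD for an ESP tunnel between endpoints 10.0.0.1 and 10.0.0.2
# (addresses taken from the message above; added example, not the author's config).
spdflush;

# Case 1: only the protected nets talk. A packet whose source is the
# endpoint itself (10.0.0.1 -> 192.168.2.1) matches neither selector and
# therefore leaves in the clear, which is the behaviour described above.
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.2/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in  ipsec esp/tunnel/10.0.0.2-10.0.0.1/require;

# Case 2, without gif: give the endpoint-originated traffic its own
# selectors so it is matched and encrypted, instead of rewriting the
# source address by routing it through a gif interface.
spdadd 10.0.0.1/32 192.168.2.0/24 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.2/require;
spdadd 192.168.2.0/24 10.0.0.1/32 any -P in  ipsec esp/tunnel/10.0.0.2-10.0.0.1/require;

# Endpoint-to-endpoint traffic (10.0.0.1 <-> 10.0.0.2) needs no outer
# header at all; transport mode protects it directly.
spdadd 10.0.0.1/32 10.0.0.2/32 any -P out ipsec esp/transport//require;
spdadd 10.0.0.2/32 10.0.0.1/32 any -P in  ipsec esp/transport//require;
```

Load it with `setkey -f <file>` and confirm with `setkey -DP`, which dumps the installed policies; the mirror-image file belongs on 10.0.0.2. With the `require` level a packet that matches a policy but has no SA yet is held back until racoon negotiates one, whereas a packet that matches no policy is forwarded unprotected, so the check that matters is whether the traffic you care about actually hits a selector.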