From owner-freebsd-security Fri Aug 2 10:51:24 2002
Message-Id: <5.1.1.6.0.20020802134758.040a3e08@marble.sentex.ca>
Date: Fri, 02 Aug 2002 13:54:32 -0400
From: Mike Tancsa
To: cjclark@alum.mit.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...]
In-Reply-To: <20020802174321.GB6880@blossom.cjclark.org>

At 10:43 AM 02/08/2002 -0700, Crist J. Clark wrote:
> But why? Is there something this configuration buys you that you don't
> get when all are "vanilla" ESP tunnels?

I guess for me, when it gets routed through an interface the "feel" is more consistent. I do a netstat -nr, and I can see where the route points to. I can then also do further firewall rules on traffic via the gif interface. I don't like the fact that my tunnels somehow don't show up in a netstat -nr.

I know that sounds trivial, but I think it's somewhat important in security matters -- i.e. the admin has a good feeling at a gut level how it all works rather than, "oh yeah, normally it works that way, but not in this case." The less one has to stop and consider "oh yeahs" / exceptions the better IMHO.

---Mike
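The visibility point above (a gif(4) tunnel shows up as a route in netstat -nr, a bare ESP tunnel policy does not) can be turned into an audit. The script below is an added example, not code from this post or from FreeBSD: it parses sample output of `setkey -DP` and `netstat -nr`, and for every outbound `esp/tunnel` policy reports which interface the longest-matching route uses, so that tunnel destinations handled only by the SPD (with no gif route) are listed explicitly. The sample output, the addresses and all function names are constructed assumptions for the example, not values from the post.

```python
"""Cross-check outbound IPsec tunnel policies against the routing table.

Added example (not from the mailing-list post).  Given the text of
`setkey -DP` and `netstat -nr`, report which ESP tunnel destinations are
reached through a gif(4) route and which are intercepted by the SPD only.
All sample output below is constructed for this example.
"""
import ipaddress
import re

IFACE_RE = re.compile(r"^[a-z]+[0-9]+$")  # fxp0, gif0, lo0, ...

# Constructed `netstat -nr` output: one gif tunnel route plus the usual
# default, loopback and directly connected routes.
NETSTAT_SAMPLE = """Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.0.2.1          UGSc       12    43210   fxp0
10.2.0.0/16        10.2.0.1           UGSc        0        0   gif0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.0.2.0/24       link#1             UC          0        0   fxp0
"""

# Constructed `setkey -DP` output: one inbound policy and two outbound
# tunnel policies, only one of which has a matching gif route above.
SPD_SAMPLE = """10.2.0.0/16[any] 10.1.0.0/16[any] any
\tin ipsec
\tesp/tunnel/203.0.113.2-203.0.113.1/require
\tspid=2 seq=1 pid=100
\trefcnt=1
10.1.0.0/16[any] 10.2.0.0/16[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-203.0.113.2/require
\tspid=1 seq=0 pid=100
\trefcnt=1
10.1.0.0/16[any] 10.3.0.0/16[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-203.0.113.3/require
\tspid=3 seq=2 pid=100
\trefcnt=1
"""


def parse_routes(netstat_text):
    """Return [(network, netif)] from FreeBSD-style `netstat -nr` output."""
    routes = []
    for line in netstat_text.splitlines():
        tokens = line.split()
        if len(tokens) < 3:
            continue
        dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # "Routing tables", "Internet:", column header
        # The Netif column is the first token that looks like an interface.
        netif = next((t for t in tokens[2:] if IFACE_RE.match(t)), None)
        if netif is not None:
            routes.append((net, netif))
    return routes


def parse_outbound_tunnels(spd_text):
    """Return {dst_network: (local_endpoint, remote_endpoint)} for every
    outbound esp/tunnel policy in `setkey -DP` output."""
    tunnels, current_dst, direction = {}, None, None
    for line in spd_text.splitlines():
        if line.strip() and not line[0].isspace():
            # Selector line: "src[port] dst[port] proto"
            dst = line.split()[1].split("[")[0]
            current_dst = ipaddress.ip_network(dst, strict=False)
            direction = None
            continue
        stripped = line.strip()
        if stripped.startswith(("in ", "out ")):
            direction = stripped.split()[0]
        m = re.match(r"esp/tunnel/([^-]+)-([^/]+)/", stripped)
        if m and direction == "out" and current_dst is not None:
            tunnels[current_dst] = (m.group(1), m.group(2))
    return tunnels


def longest_match(routes, net):
    """Longest-prefix route covering the network address of `net`."""
    best = None
    for route_net, netif in routes:
        if net.network_address in route_net:
            if best is None or route_net.prefixlen > best[0].prefixlen:
                best = (route_net, netif)
    return best


def audit(netstat_text, spd_text):
    """Map each outbound tunnel destination (as a string) to the
    interface its route uses, or None when no route covers it."""
    routes = parse_routes(netstat_text)
    result = {}
    for dst in parse_outbound_tunnels(spd_text):
        match = longest_match(routes, dst)
        result[str(dst)] = match[1] if match else None
    return result


def invisible_tunnels(netstat_text, spd_text):
    """Tunnel destinations with no gif route: netstat -nr shows them going
    out the default (or another physical) interface, and only the SPD
    reveals that they are actually encapsulated."""
    return sorted(dst for dst, netif in audit(netstat_text, spd_text).items()
                  if netif is None or not netif.startswith("gif"))


if __name__ == "__main__":
    for dst, netif in audit(NETSTAT_SAMPLE, SPD_SAMPLE).items():
        print(f"{dst:<16} route via {netif}")
    print("tunnels not visible as gif routes:",
          invisible_tunnels(NETSTAT_SAMPLE, SPD_SAMPLE))
```

On a real host the two strings would be replaced by the captured output of the two commands; the point of the check is that the second tunnel destination (10.3.0.0/16 in the sample) routes out the physical interface and is only turned into ESP by the SPD, which is exactly the "exception" the post argues an admin should not have to remember.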