Date: Fri, 2 Aug 2002 11:33:26 -0700
From: Nicholas Esborn <nick@netdot.net>
To: Mailing List FreeBSD Security <freebsd-security@FreeBSD.ORG>
Subject: Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...]
Message-ID: <20020802183326.GA52336@carbon.berkeley.netdot.net>
In-Reply-To: <20020802172729.GA6880@blossom.cjclark.org>
References: <sd455602.090@aus-gwia.aus.dcnhs.org> <20020730074813.GF89241@blossom.cjclark.org> <86znw5r9h3.fsf_-_@notbsdems.nantes.kisoft-services.com> <86k7n9qv08.fsf@notbsdems.nantes.kisoft-services.com> <20020802172729.GA6880@blossom.cjclark.org>
On Fri, Aug 02, 2002 at 10:27:29AM -0700, Crist J. Clark wrote:
> On Fri, Aug 02, 2002 at 02:56:39PM +0200, Eric Masson wrote:
<snip>
> > With only one tunnel configured, netstat -rn on the security gateway
> > doesn't show any routes to the remote networks nor host.
> >
> > With a second tunnel added, are there any additional configuration
> > steps or will the kernel do the routing automagically ?
>
> It's pretty much automagically done by way of the SPD entry. Any
> packet that matches the source and destination in the SPD gets put
> through the appropriate tunnel with the specified end points. It's not
> the same as the regular routing table and will not show up in 'netstat
> -rn.'

I ended up using AH and ESP in transport mode between gateways, then
using gif tunnels to encapsulate traffic to other networks. I wanted to
be able to use the routing table. I never liked tunnel mode IPsec's
"magic portal" approach.

> --
> Crist J. Clark                     |     cjclark@alum.mit.edu
>                                    |     cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

-nick

--
Nicholas Esborn
Unix Systems Administrator
Berkeley, California

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
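The two gateway designs discussed in this thread, written out as setkey(8) policy and gif(4)/route(8) commands. This is an added example, not configuration posted by either participant; the addresses are constructed RFC 5737 documentation values, the gif0 point-to-point addresses are assumed, and it assumes "ipencap" (IP-in-IP, protocol 4) is defined in /etc/protocols so the transport-mode selector can match only the gif-encapsulated traffic. Variant 1 shows why the remote network never appears in netstat -rn: the SPD selector, not a route, steers the packet into the tunnel. Variant 2 protects only the gateway-to-gateway IP-in-IP traffic and leaves forwarding to an ordinary static route.

```shell
#!/bin/sh
# Added example (not from the thread): tunnel-mode SPD steering versus
# transport-mode AH+ESP between gateways with a gif(4) tunnel on top.
# All addresses are constructed documentation values (RFC 5737).

GW_A=203.0.113.1      # this security gateway's public address
GW_B=198.51.100.1     # peer gateway's public address
NET_A=192.168.1.0/24  # network behind GW_A
NET_B=192.168.2.0/24  # network behind GW_B

# Variant 1: tunnel-mode ESP selected purely by SPD entries.
# A packet from NET_A to NET_B matches the selector and is encapsulated to
# GW_B; no route for NET_B is added, so netstat -rn shows nothing for it.
tunnel_mode_policy() {
    cat <<EOF
spdadd $NET_A $NET_B any -P out ipsec esp/tunnel/$GW_A-$GW_B/require;
spdadd $NET_B $NET_A any -P in  ipsec esp/tunnel/$GW_B-$GW_A/require;
EOF
}

# Variant 2: AH+ESP in transport mode, matching only the IP-in-IP
# ("ipencap", assumed present in /etc/protocols) traffic that gif(4)
# emits between the two gateways. Nothing here decides where user
# traffic goes; the routing table does.
transport_mode_policy() {
    cat <<EOF
spdadd $GW_A $GW_B ipencap -P out ipsec esp/transport//require ah/transport//require;
spdadd $GW_B $GW_A ipencap -P in  ipsec esp/transport//require ah/transport//require;
EOF
}

# The gif(4) tunnel and a plain static route, so the remote network shows
# up in netstat -rn like any other destination. The "create" step applies
# on releases where gif is a cloned interface (assumed here).
gif_setup_commands() {
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $GW_A $GW_B
ifconfig gif0 inet 10.0.0.1 10.0.0.2 netmask 255.255.255.252
route add -net $NET_B 10.0.0.2
EOF
}

# Print both variants for review. To load a policy on the gateway, pipe the
# function output into setkey, e.g.:  transport_mode_policy | setkey -c
echo "# --- Variant 1: tunnel mode, SPD does the steering ---"
tunnel_mode_policy
echo "# --- Variant 2: transport mode between gateways + gif(4) ---"
transport_mode_policy
gif_setup_commands
```

The mirror of each policy goes on GW_B with the addresses swapped. In Variant 2 the selector is deliberately narrow: plain traffic between the two gateways that is not IP-in-IP (their own SSH sessions, for instance) is not covered by the "require" policy and travels in the clear unless a further spdadd line says otherwise, which is worth checking with setkey -DP after loading.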