From owner-freebsd-security Fri Aug 2 11:33:30 2002
Date: Fri, 2 Aug 2002 11:33:26 -0700
From: Nicholas Esborn <nick@netdot.net>
To: Mailing List FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...]
Message-ID: <20020802183326.GA52336@carbon.berkeley.netdot.net>
References: <20020730074813.GF89241@blossom.cjclark.org> <86znw5r9h3.fsf_-_@notbsdems.nantes.kisoft-services.com> <86k7n9qv08.fsf@notbsdems.nantes.kisoft-services.com> <20020802172729.GA6880@blossom.cjclark.org>
In-Reply-To: <20020802172729.GA6880@blossom.cjclark.org>

On Fri, Aug 02, 2002 at 10:27:29AM -0700, Crist J. Clark wrote:
> On Fri, Aug 02, 2002 at 02:56:39PM +0200, Eric Masson wrote:
> > With only one tunnel configured, netstat -rn on the security gateway
> > doesn't show any routes to the remote networks nor host.
> >
> > With a second tunnel added, are there any additional configuration
> > steps or will the kernel do the routing automagically?
>
> It's pretty much automagically done by way of the SPD entry. Any
> packet that matches the source and destination in the SPD gets put
> through the appropriate tunnel with the specified end points. It's not
> the same as the regular routing table and will not show up in 'netstat
> -rn.'

I ended up using AH and ESP in transport mode between gateways, then
using gif tunnels to encapsulate traffic to other networks. I wanted to
be able to use the routing table. I never liked tunnel mode IPsec's
"magic portal" approach.

> --
> Crist J. Clark                  | cjclark@alum.mit.edu
>                                 | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/ | cjc@freebsd.org

-nick

--
Nicholas Esborn
Unix Systems Administrator
Berkeley, California

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
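To make the two approaches discussed above concrete, here is an added setkey(8) configuration sketch (not from any poster in this thread) contrasting a tunnel-mode SPD, where the kernel picks the tunnel from the SPD and nothing appears in netstat -rn, with transport-mode ESP+AH between the gateways plus a gif(4) tunnel that carries an ordinary route. Addresses are constructed from documentation ranges, the SAs are assumed to be negotiated by racoon as in the thread, and the gif commands use the cloning ifconfig syntax.

```conf
# Constructed addresses (documentation ranges): gateway A 203.0.113.1 fronts
# 192.0.2.0/24, gateway B 203.0.113.2 fronts 198.51.100.0/24. Shown from A's
# side; B mirrors it. SAs are assumed to come from racoon, so only the SPD is
# loaded here (setkey -f thisfile).

### Approach 1: tunnel-mode SPD. The policy itself selects the tunnel for any
### packet matching src/dst, so no route to 198.51.100.0/24 shows in netstat -rn.
spdadd 192.0.2.0/24 198.51.100.0/24 any -P out ipsec
        esp/tunnel/203.0.113.1-203.0.113.2/require;
spdadd 198.51.100.0/24 192.0.2.0/24 any -P in ipsec
        esp/tunnel/203.0.113.2-203.0.113.1/require;
# Each additional remote network needs another spdadd pair; the kernel does
# not consult the routing table when choosing the tunnel.

### Approach 2: transport-mode AH+ESP only between the two gateways, covering
### the IP-in-IP (ip4) packets that the gif tunnel produces.
spdadd 203.0.113.1 203.0.113.2 ip4 -P out ipsec
        esp/transport//require ah/transport//require;
spdadd 203.0.113.2 203.0.113.1 ip4 -P in ipsec
        esp/transport//require ah/transport//require;

# Shell side of approach 2 on gateway A (constructed inner P2P addresses):
#   ifconfig gif0 create
#   ifconfig gif0 tunnel 203.0.113.1 203.0.113.2
#   ifconfig gif0 inet 10.255.0.1 10.255.0.2 netmask 0xffffffff
#   route add -net 198.51.100.0/24 10.255.0.2
# The remote network is now an ordinary entry in netstat -rn via gif0, and
# every encapsulated packet leaving for 203.0.113.2 is matched by the
# transport-mode policy above, so it cannot leave the gateway in the clear.
```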