From: Matthew Grooms <mgrooms@seton.org>
To: freebsd-security@freebsd.org
Date: Fri, 02 Aug 2002 16:47:57 -0500
Subject: Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...]

Hey there,

> But why? Is there something this configuration buys you that you don't
> get when all are "vanilla" ESP tunnels?

I understand this is not necessary. The first time I set up ipsec on freebsd I thought it was mandatory out of ignorance. After all, there are quite a few how-to's that reflect this sort of configuration ...

http://www.x-itec.de/projects/tuts/ipsec-howto.txt
http://www.daemonnews.org/200101/ipsec-howto.html

This one makes an attempt at explaining why it is beneficial. I'm not too sure if it is an entirely compelling argument.

http://asherah.dyndns.org/~josh/ipsec-howto.txt

In any case, I was attempting to help out by answering a peer's question to the best of my ability. I was not endorsing one method or another. Note that both were illustrated in the example I posted.

>> spdadd 10.22.200.0/24 10.1.2.0/24 any -P out ipsec
>>     esp/tunnel/10.22.200.1-10.1.2.1/require;
>> spdadd 10.1.2.0/24 10.22.200.0/24 any -P in ipsec
>>     esp/tunnel/10.1.2.1-10.22.200.1/require;

> You seem to be doing this backwards from the usual way (or what I
> think of as the usual way)... and I really do not understand why. You
> are taking traffic from,
> ...

It's only backwards if you are used to implementing IPSEC communications in a non-gif'd configuration. As mentioned before, this is endorsed by many how-to's available. If you don't like this method, don't use it. I for one prefer the gif'd alternative but will be more than happy to admit that the benefits appear to be mostly cosmetic.

-Matthew
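As an added illustration (not part of this thread, and not a FreeBSD or setkey(8) tool), the following script parses spdadd lines like the ones quoted above and checks the property the reply is arguing about: that the `in` policy is the exact mirror of the `out` policy (selectors and tunnel endpoints swapped) and that both use level `require`, so traffic is never sent in the clear when the SA is missing. The sample policy text is constructed from the quoted lines; the regex only covers the `esp/tunnel/...` form used here.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the two spdadd statements quoted in the thread,
# laid out as they would appear in a setkey(8) configuration file.
SAMPLE_SPD = """
spdadd 10.22.200.0/24 10.1.2.0/24 any -P out ipsec
    esp/tunnel/10.22.200.1-10.1.2.1/require;
spdadd 10.1.2.0/24 10.22.200.0/24 any -P in ipsec
    esp/tunnel/10.1.2.1-10.22.200.1/require;
"""

# Matches: spdadd SRC DST PROTO -P DIR ipsec esp/tunnel/TSRC-TDST/LEVEL
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/(\S+?)-(\S+?)/(require|use|default)"
)


def parse_spd(text):
    """Return one dict per spdadd statement (statements end with ';')."""
    policies = []
    for stmt in text.split(";"):
        m = SPD_RE.search(" ".join(stmt.split()))  # collapse line breaks
        if m:
            src, dst, proto, direction, tsrc, tdst, level = m.groups()
            policies.append({"src": ip_network(src), "dst": ip_network(dst),
                             "proto": proto, "dir": direction,
                             "tsrc": ip_address(tsrc), "tdst": ip_address(tdst),
                             "level": level})
    return policies


def check_tunnel_pair(policies):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    ins = [p for p in policies if p["dir"] == "in"]
    for o in (p for p in policies if p["dir"] == "out"):
        tag = f"out policy {o['src']}->{o['dst']}"
        # Exactly one inbound policy should mirror the outbound one:
        # selectors swapped and tunnel endpoints swapped.
        mirrors = [i for i in ins if i["src"] == o["dst"] and i["dst"] == o["src"]
                   and i["tsrc"] == o["tdst"] and i["tdst"] == o["tsrc"]]
        if len(mirrors) != 1:
            findings.append(f"{tag}: {len(mirrors)} mirrored in policies (expected 1)")
        elif mirrors[0]["level"] != o["level"]:
            findings.append(f"{tag}: in/out levels differ")
        # Level 'use' or 'default' lets packets leave unprotected if no SA exists.
        if o["level"] != "require":
            findings.append(f"{tag}: level is {o['level']}, expected require")
    return findings
```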