Date:      Fri, 2 Aug 2002 16:59:34 -0600
From:      "Duncan Patton a Campbell is Dhu" <campbell@neotext.ca>
To:        "Matthew Grooms" <mgrooms@seton.org>, <freebsd-security@FreeBSD.ORG>
Subject:   Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG toipsec/racoontroubles, help please ...]
Message-ID:  <20020802225934.M20274@babayaga.neotext.ca>
In-Reply-To: <sd4ab7c6.030@aus-gwia.aus.dcnhs.org>
References:  <sd4ab7c6.030@aus-gwia.aus.dcnhs.org>


I made the same mistake.  Well, hard to call it a mistake, since 
it worked, but it did make things more complicated.

Duncan Patton a Campbell is Duibh ;-)

---------- Original Message -----------
From: "Matthew Grooms" <mgrooms@seton.org>
To: <freebsd-security@FreeBSD.ORG>
Sent: Fri, 02 Aug 2002 16:47:57 -0500
Subject: Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG
toipsec/racoontroubles, help please ...]

> Hey there,
> 
> >But why? Is there something this configuration buys you that you don't
> >get when all are "vanilla" ESP tunnels?
> 
>      I understand this is not necessary. The first 
> time I set up ipsec on freebsd I thought it was 
> mandatory out of ignorance. After all there are quite 
> a few how-to's that reflect this sort of configuration ...
> 
> http://www.x-itec.de/projects/tuts/ipsec-howto.txt
> http://www.daemonnews.org/200101/ipsec-howto.html
> 
> This one makes an attempt at explaining why it is 
> beneficial. I'm not too sure if it is an entirely 
> compelling argument.
> 
> http://asherah.dyndns.org/~josh/ipsec-howto.txt
> 
> In any case, I was attempting to help out by answering 
> a peer's question to the best of my ability. I was not 
> endorsing one method or another. Note that both were 
> illustrated in the example I posted.
> 
> >> spdadd 10.22.200.0/24 10.1.2.0/24 any -P out ipsec
> >> esp/tunnel/10.22.200.1-10.1.2.1/require;
> >> spdadd 10.1.2.0/24 10.22.200.0/24 any -P in  ipsec
> >> esp/tunnel/10.1.2.1-10.22.200.1/require;
> 
> >You seem to be doing this backwards from the usual way (or what I
> >think of as the usual way)... and I really do not understand why. You
> >are taking traffic from,
> >...
> 
> It's only backwards if you are used to implementing 
> IPSEC communications in a non-giff'd configuration. As 
> mentioned before, this is endorsed by many how-to's 
> available. If you don't like this method, don't use 
> it. I for one prefer the giffed alternative but will 
> be more than happy to admit that the benefits appear 
> to be mostly cosmetic.
> 
> -Matthew
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the 
> message
------- End of Original Message -------

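The spdadd pair quoted in the message above is the shape every tunnel-mode policy pair takes: the inbound entry is the outbound one with the selector addresses and the tunnel endpoints both swapped. When policies are hand-edited or copied between gateways, the usual defect is a pair that is not a true mirror, which silently leaves one direction unprotected or unmatched. The following is an added example, not code from the thread or from FreeBSD's setkey(8): a small parser for spdadd statements in the syntax shown above, plus a check that every policy has its mirror. The sample policy text is constructed for the example (the thread's pair, followed by a second pair whose inbound tunnel endpoints were not swapped); the function and type names are this example's own.

```python
"""Sanity-check setkey(8)-style SPD entries for mirrored in/out tunnel pairs.

Added example. Parses `spdadd` statements of the form
  spdadd <src> <dst> <upper> -P <in|out> ipsec <proto>/<mode>/<tsrc>-<tdst>/<level>;
and reports policies that lack a mirrored counterpart.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Regex for one spdadd statement after whitespace has been collapsed.
# tsrc/tdst may be empty for transport mode ("esp/transport//require").
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+"
    r"-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"(?P<proto>esp|ah|ipcomp)/(?P<mode>tunnel|transport)/"
    r"(?P<tsrc>[^-/\s]*)-(?P<tdst>[^/\s]*)/(?P<level>\w+)$"
)


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    upper: str
    direction: str
    proto: str
    mode: str
    tunnel_src: str
    tunnel_dst: str
    level: str


def parse_spd(text: str) -> List[Policy]:
    """Split on ';' so statements wrapped across lines (as in mail) still parse."""
    policies = []
    for stmt in text.split(";"):
        stmt = " ".join(stmt.split())  # collapse newlines and repeated spaces
        if not stmt:
            continue
        m = SPDADD_RE.match(stmt)
        if not m:
            raise ValueError(f"unrecognised spdadd statement: {stmt!r}")
        g = m.groupdict()
        policies.append(Policy(g["src"], g["dst"], g["upper"], g["dir"],
                               g["proto"], g["mode"], g["tsrc"], g["tdst"],
                               g["level"]))
    return policies


def mirror(p: Policy) -> Policy:
    """Counterpart of a policy: direction flipped, selector and tunnel endpoints swapped."""
    return Policy(p.dst, p.src, p.upper,
                  "in" if p.direction == "out" else "out",
                  p.proto, p.mode, p.tunnel_dst, p.tunnel_src, p.level)


def check_pairs(policies: List[Policy]) -> Tuple[List[Policy], List[Policy]]:
    """Return (matched, unmatched): policies with / without a mirror in the set."""
    have = set(policies)
    matched, unmatched = [], []
    for p in policies:
        (matched if mirror(p) in have else unmatched).append(p)
    return matched, unmatched


# Constructed sample: the thread's mirrored pair, then a pair whose inbound
# statement kept the outbound tunnel endpoint order (a non-mirror).
SAMPLE_SPD = """
spdadd 10.22.200.0/24 10.1.2.0/24 any -P out ipsec
esp/tunnel/10.22.200.1-10.1.2.1/require;
spdadd 10.1.2.0/24 10.22.200.0/24 any -P in  ipsec
esp/tunnel/10.1.2.1-10.22.200.1/require;
spdadd 10.22.200.0/24 192.0.2.0/24 any -P out ipsec
esp/tunnel/10.22.200.1-192.0.2.1/require;
spdadd 192.0.2.0/24 10.22.200.0/24 any -P in ipsec
esp/tunnel/10.22.200.1-192.0.2.1/require;
"""


def main() -> Tuple[int, int]:
    """Report unmatched policies; return (matched_count, unmatched_count)."""
    matched, unmatched = check_pairs(parse_spd(SAMPLE_SPD))
    for p in unmatched:
        print(f"no mirror for -P {p.direction} {p.src} -> {p.dst} "
              f"via {p.tunnel_src}-{p.tunnel_dst}")
    return len(matched), len(unmatched)


if __name__ == "__main__":
    main()
```

Run against a real `setkey -DP` dump the same check applies, since the statements only differ in whitespace; the first pair above passes and both statements of the second pair are flagged, because neither is the exact mirror of the other.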
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020802225934.M20274>