From owner-freebsd-security Fri Aug  2 15:59:08 2002
From: "Duncan Patton a Campbell is Dhu"
To: "Matthew Grooms"
Subject: Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...]
Date: Fri, 2 Aug 2002 16:59:34 -0600
Message-Id: <20020802225934.M20274@babayaga.neotext.ca>

I made the same mistake. Well, hard to call it a mistake, since it worked, but it did make things more complicated.

Duncan Patton a Campbell is Duibh ;-)

---------- Original Message -----------
From: "Matthew Grooms"
Sent: Fri, 02 Aug 2002 16:47:57 -0500
Subject: Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...]

> Hey there,
>
> >But why? Is there something this configuration buys you that you don't
> >get when all are "vanilla" ESP tunnels?
>
> I understand this is not necessary. The first time I set up ipsec on
> freebsd I thought it was mandatory out of ignorance. After all there are
> quite a few how-to's that reflect this sort of configuration ...
>
> http://www.x-itec.de/projects/tuts/ipsec-howto.txt
> http://www.daemonnews.org/200101/ipsec-howto.html
>
> This one makes an attempt at explaining why it is beneficial. I'm not too
> sure if it is an entirely compelling argument.
>
> http://asherah.dyndns.org/~josh/ipsec-howto.txt
>
> In any case, I was attempting to help out by answering a peer's question
> to the best of my ability. I was not endorsing one method or another.
> Note that both were illustrated in the example I posted.
>
> >> spdadd 10.22.200.0/24 10.1.2.0/24 any -P out ipsec
> >> esp/tunnel/10.22.200.1-10.1.2.1/require;
> >> spdadd 10.1.2.0/24 10.22.200.0/24 any -P in ipsec
> >> esp/tunnel/10.1.2.1-10.22.200.1/require;
>
> >You seem to be doing this backwards from the usual way (or what I
> >think of as the usual way)... and I really do not understand why. You
> >are taking traffic from,
> >...
>
> It's only backwards if you are used to implementing IPSEC communications
> in a non-gif'd configuration. As mentioned before, this is endorsed by
> many how-to's available. If you don't like this method, don't use it. I
> for one prefer the gif'd alternative but will be more than happy to admit
> that the benefits appear to be mostly cosmetic.
>
> -Matthew
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
------- End of Original Message -------
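A consistency check for the setkey(8) policy pair quoted in the thread, added here as an example and not code from either poster: it parses spdadd statements (mail quote prefixes included) and flags any policy whose mirror, with selectors and tunnel endpoints swapped and direction flipped, is missing, which is exactly the kind of reversed-endpoint slip the "backwards" discussion is about. SPD_FROM_THREAD is the pair from the mail; SPD_REVERSED is a constructed counter-example.

```python
import re
from dataclasses import dataclass

# One setkey(8) spdadd statement, possibly wrapped across lines as in the mail:
#   spdadd SRC DST UPPER -P in|out ipsec PROTO/MODE/[OUTER_SRC-OUTER_DST]/LEVEL;
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<proto>esp|ah)/(?P<mode>tunnel|transport)"
    r"(?:/(?P<ep>[^/\s]*))?/(?P<level>\w+)\s*;"
)

@dataclass(frozen=True)
class Policy:
    src: str          # inner (selector) source
    dst: str          # inner (selector) destination
    upper: str        # upper-layer protocol selector, e.g. "any"
    direction: str    # "in" or "out"
    proto: str        # "esp" or "ah"
    mode: str         # "tunnel" or "transport"
    outer_src: str    # tunnel endpoint the ESP packet is sent from ("" in transport mode)
    outer_dst: str    # tunnel endpoint the ESP packet is sent to
    level: str        # "require", "use", ...

def parse_spd(text):
    """Extract every spdadd statement; leading mail quote marks ('> ') are stripped first."""
    cleaned = re.sub(r"^[>\s]+", "", text, flags=re.MULTILINE)
    policies = []
    for m in SPDADD_RE.finditer(cleaned):
        outer_src, _, outer_dst = (m["ep"] or "").partition("-")
        policies.append(Policy(m["src"], m["dst"], m["upper"], m["dir"], m["proto"],
                               m["mode"], outer_src, outer_dst, m["level"]))
    return policies

def mirror(p):
    """The policy the reverse direction needs: selectors and tunnel endpoints swapped,
    direction flipped, everything else equal."""
    return Policy(p.dst, p.src, p.upper, "in" if p.direction == "out" else "out",
                  p.proto, p.mode, p.outer_dst, p.outer_src, p.level)

def unmatched(policies):
    """Policies with no mirror: the reverse direction is not enforced, or the endpoint pair
    was written in the wrong order for one direction."""
    have = set(policies)
    return [p for p in policies if mirror(p) not in have]

SPD_FROM_THREAD = """
> >> spdadd 10.22.200.0/24 10.1.2.0/24 any -P out ipsec
> >> esp/tunnel/10.22.200.1-10.1.2.1/require;
> >> spdadd 10.1.2.0/24 10.22.200.0/24 any -P in ipsec
> >> esp/tunnel/10.1.2.1-10.22.200.1/require;
"""
# Constructed: the inbound policy wrongly copies the outbound endpoint order.
SPD_REVERSED = """
spdadd 10.22.200.0/24 10.1.2.0/24 any -P out ipsec esp/tunnel/10.22.200.1-10.1.2.1/require;
spdadd 10.1.2.0/24 10.22.200.0/24 any -P in ipsec esp/tunnel/10.22.200.1-10.1.2.1/require;
"""
```

Running `unmatched(parse_spd(SPD_FROM_THREAD))` gives an empty list, while the reversed sample reports both policies as unmatched.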