From: "Rogier R. Mulhuijzen" <drwilco@drwilco.net>
To: Lars Eggert
Cc: mgt@hytekblue.com, freebsd-net@FreeBSD.ORG
Date: Tue, 09 Apr 2002 01:41:53 +0200
Subject: Re: IPsec tunnel mode

At 14:20 8-4-2002 -0700, Lars Eggert wrote:

> There are no IPsec tunnel devices in KAME. IPsec defines "security
> associations" (SAs), which are not represented as devices in the routing
> table in KAME. Thus, you can't use routes to direct traffic into these
> tunnel mode SAs, you need to set up your security policies with the
> correct selectors (think firewall-like matching).
>
> *Many* tutorials on the net do not understand this distinction, and
> tell you to set up an IPIP tunnel (using a gif) and an IPsec tunnel
> mode SA in parallel. This is a bad hack, since you (ab)use a side effect
> of creating an IPIP tunnel device (it can be used for route entries) to
> redirect traffic into your (separate) tunnel mode SA.
> Very roughly, you set up the IPIP tunnel, then yank out the packets
> destined for it during outbound processing and force them over an IPsec
> tunnel mode SA.
>
> Use EITHER IPsec tunnel mode alone OR IPIP tunnels and IP transport
> mode (draft-touch-ipsec-vpn). Mixing both can work in some scenarios where
> the dependencies between side effects are just right, but in general, it's
> a broken approach.

Well, see, nowhere does it say how to actually do an IPsec tunnel mode VPN between 2 internet hosts.

I just got the VPN connection to the Watchguard Firebox working using IPIP & IPsec tunnel mode. There are a few quirks with ipfw and something odd with setting things up while a ping to a remote private host is going, but it's working fine otherwise.

I'd like to hear how to do it the proper way though. Feel like clueing me in?

Doc
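As an added illustration of the "tunnel mode alone" approach Lars describes (this is not configuration from either poster), here is a setkey(8) file for one of the two gateways. The addresses are constructed: gateway A is 203.0.113.1 with LAN 10.1.0.0/16, gateway B is 203.0.113.2 with LAN 10.2.0.0/16; the manual SA keys are placeholders standing in for what racoon would negotiate.

```conf
# Added example: setkey -f /etc/ipsec.conf on gateway A (203.0.113.1).
# Gateway B uses the same file with src/dst and in/out swapped.
# Constructed, assumed addresses: A = 203.0.113.1 (10.1.0.0/16),
#                                 B = 203.0.113.2 (10.2.0.0/16).

flush;      # discard all security associations
spdflush;   # discard all security policies

# Security policy database (SPD). The selectors, not routes, decide what
# goes into the tunnel: any packet from 10.1.0.0/16 to 10.2.0.0/16 leaving
# this host must be ESP-encapsulated between the two gateway addresses.
spdadd 10.1.0.0/16 10.2.0.0/16 any -P out ipsec
        esp/tunnel/203.0.113.1-203.0.113.2/require;

# "require" on the inbound policy is the firewall-like part: a cleartext
# packet that matches these selectors is dropped, not accepted as if it
# had arrived through the tunnel.
spdadd 10.2.0.0/16 10.1.0.0/16 any -P in ipsec
        esp/tunnel/203.0.113.2-203.0.113.1/require;

# Security association database (SAD). Normally filled by racoon (IKE);
# manual SAs are shown so the policy can be exercised without a daemon.
# Keys below are constructed placeholders (128-bit AES, 160-bit HMAC-SHA1);
# generate fresh random keys and never share one pair between SAs.
add 203.0.113.1 203.0.113.2 esp 0x10001 -m tunnel
        -E rijndael-cbc 0x00112233445566778899aabbccddeeff
        -A hmac-sha1 0x0123456789abcdef0123456789abcdef01234567;
add 203.0.113.2 203.0.113.1 esp 0x10002 -m tunnel
        -E rijndael-cbc 0xffeeddccbbaa99887766554433221100
        -A hmac-sha1 0x76543210fedcba9876543210fedcba9876543210;

# The other option Lars names (draft-touch-ipsec-vpn): a gif(4) IPIP tunnel
# carries the routes, and IPsec *transport* mode protects only the IPIP
# packets (protocol 4, "ip4" in setkey) between the gateways. Load these
# instead of the tunnel-mode policies above, never both:
#   ifconfig gif0 create
#   ifconfig gif0 tunnel 203.0.113.1 203.0.113.2
#   ifconfig gif0 inet 10.1.0.1 10.2.0.1 netmask 255.255.255.255
#   route add -net 10.2.0.0/16 10.2.0.1
# spdadd 203.0.113.1 203.0.113.2 ip4 -P out ipsec esp/transport//require;
# spdadd 203.0.113.2 203.0.113.1 ip4 -P in  ipsec esp/transport//require;
```

After loading, `setkey -DP` shows the policies and `setkey -D` the SAs; a ping from 10.1.0.0/16 to 10.2.0.0/16 should appear on the wire only as ESP between the two gateway addresses.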