Date:      Tue, 09 Apr 2002 01:41:53 +0200
From:      "Rogier R. Mulhuijzen" <drwilco@drwilco.net>
To:        Lars Eggert <larse@ISI.EDU>
Cc:        mgt@hytekblue.com, freebsd-net@FreeBSD.ORG
Subject:   Re: IPsec tunnel mode
Message-ID:  <5.1.0.14.0.20020409013356.02a51cf8@mail.drwilco.net>
In-Reply-To: <3CB2098C.5080904@isi.edu>
References:  <5.1.0.14.0.20020408202757.01cac470@mail.drwilco.net>

At 14:20 8-4-2002 -0700, Lars Eggert wrote:
>There are no IPsec tunnel devices in KAME. IPsec defines "security
>associations" (SAs), which are not represented as devices in the routing
>table in KAME. Thus, you can't use routes to direct traffic into these
>tunnel mode SAs, you need to set up your security policies with the
>correct selectors (think firewall-like matching).
>
>*Many* tutorials on the net do not understand this distinction, and
>tell you to set up an IPIP tunnel (using a gif) and an IPsec tunnel
>mode SA in parallel. This is a bad hack, since you (ab)use a side effect
>of creating an IPIP tunnel device (it can be used for route entries) to
>redirect traffic into your (separate) tunnel mode SA. Very roughly, you
>set up the IPIP tunnel, then yank out the packets destined for it during
>outbound processing and force them over an IPsec tunnel mode SA.
>
>Use EITHER IPsec tunnel mode alone OR IPIP tunnels and IP transport
>mode (draft-touch-ipsec-vpn). Mixing both can work in some scenarios where
>the dependencies between side effects are just right, but in general, it's
>a broken approach.

Well see, nowhere does it say how to actually do an IPsec tunnel mode VPN
between 2 internet hosts.

I just got the VPN connection to the Watchguard Firebox working using IPIP 
& IPsec tunnel mode.

There are a few quirks with ipfw and something odd with setting things up
while a ping to a remote private host is going, but it's working fine
otherwise.

I'd like to hear how to do it the proper way though. Feel like clueing me in?

         Doc
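As an added example (not part of this thread, and not Lars's or Rogier's configuration), this is what the "IPsec tunnel mode alone" approach from the quoted reply looks like as a setkey(8) configuration on FreeBSD/KAME: the SPD selectors, not a gif(4) route, decide which packets enter the tunnel-mode SA. The gateway addresses, private networks, SPIs and manual keys are constructed placeholders.

```shell
#!/bin/sh
# Added example: tunnel-mode IPsec between two gateways on KAME/FreeBSD
# using only security policies (no gif tunnel, no route into a device).
# All addresses and keys below are constructed placeholders.
LOCAL_GW=192.0.2.1        # public address of this gateway (assumed)
REMOTE_GW=198.51.100.1    # public address of the peer gateway (assumed)
LOCAL_NET=10.1.0.0/24     # private network behind this gateway (assumed)
REMOTE_NET=10.2.0.0/24    # private network behind the peer (assumed)

# Security policies: the src/dst prefixes are the selectors. A packet from
# LOCAL_NET to REMOTE_NET is ESP-encapsulated between the two gateways;
# 'require' means it is dropped, not sent in the clear, if no SA matches.
ipsec_spd_conf() {
    cat <<EOF
spdflush;
spdadd ${LOCAL_NET} ${REMOTE_NET} any -P out ipsec esp/tunnel/${LOCAL_GW}-${REMOTE_GW}/require;
spdadd ${REMOTE_NET} ${LOCAL_NET} any -P in ipsec esp/tunnel/${REMOTE_GW}-${LOCAL_GW}/require;
EOF
}

# Manually keyed SAs for a lab setup (in production let racoon/IKE negotiate
# them). One SA per direction; keys are dummy hex strings of the right length:
# 128-bit rijndael-cbc key (32 hex digits), 160-bit hmac-sha1 key (40 digits).
ipsec_sad_conf() {
    enc_out=0x00112233445566778899aabbccddeeff
    auth_out=0x0123456789abcdef0123456789abcdef01234567
    enc_in=0xffeeddccbbaa99887766554433221100
    auth_in=0x76543210fedcba9876543210fedcba9876543210
    cat <<EOF
flush;
add ${LOCAL_GW} ${REMOTE_GW} esp 0x10001 -m tunnel -E rijndael-cbc ${enc_out} -A hmac-sha1 ${auth_out};
add ${REMOTE_GW} ${LOCAL_GW} esp 0x10002 -m tunnel -E rijndael-cbc ${enc_in} -A hmac-sha1 ${auth_in};
EOF
}

# Load SAD then SPD into the kernel, then dump both to verify what was
# installed (setkey -D shows SAs, setkey -DP shows policies).
ipsec_apply() {
    { ipsec_sad_conf; ipsec_spd_conf; } | setkey -c && setkey -D && setkey -DP
}
# Usage on a gateway: . ./ipsec-tunnel.sh && ipsec_apply
```

The peer gateway uses the same file with LOCAL_* and REMOTE_* swapped; the `-P in` policy on each side is what makes the kernel insist on ESP for packets claiming to come from the other private network.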

