Date: Wed, 02 Apr 2003 17:58:02 +0200 From: Eric Masson <e-masson@kisoft-services.com> To: Lars Eggert <larse@ISI.EDU> Cc: Mailing List FreeBSD Network <freebsd-net@freebsd.org> Subject: Re: options FAST_IPSEC & tunnels Message-ID: <86fzp0riwl.fsf@notbsdems.interne.kisoft-services.com> In-Reply-To: <3E8A1122.5040304@isi.edu> (Lars Eggert's message of "Tue, 01 Apr 2003 14:22:26 -0800") References: <86pto6mbxj.fsf@notbsdems.interne.kisoft-services.com> <05b901c2f881$67e907f0$52557f42@errno.com> <3E8A1122.5040304@isi.edu>
>>>>> "Lars" == Lars Eggert <larse@ISI.EDU> writes:
Lars> Alternatively (and already working), you can replace IPsec tunnel
Lars> mode with IPIP (gif) tunnels and transport mode, and then use the
Lars> gif device in your firewall rules.
If transport mode can be used to connect to a PIX, it's a solution to
consider, but at the moment I've found no reference to such a setup on the PIX.
I've tried gif tunnels with IPsec tunnel mode and didn't get
reproducible results; this setup worked once, with the following gif
setup:
#!/bin/sh
#
# rc.d-style start/stop script for the gif0 tunnel (layout follows the
# FreeBSD ports rc.d template, hence the PREFIX check).

if ! PREFIX=$(expr "$0" : "\(/.*\)/etc/rc\.d/${0##*/}\$"); then
        echo "$0: Cannot determine the PREFIX" >&2
        exit 1
fi

case "$1" in
start)
        # Setup Chantilly
        # Outer (public) tunnel endpoints; real addresses elided in the post.
        local_extern=XXX.XXX.XXX.XXX
        remote_extern=XXX.XXX.XXX.XXX
        # Inner addresses for the two sites; both are /24 networks.
        local_intern=192.168.1.0
        remote_intern=192.168.0.0
        local_mask=255.255.255.0

        ifconfig gif0 create
        # Outer addresses: packets routed into gif0 are wrapped in IP-in-IP
        # between these two hosts.
        ifconfig gif0 tunnel "$local_extern" "$remote_extern"
        # Inner point-to-point addresses.  ifconfig takes one netmask for a
        # point-to-point link; the original line passed "netmask" twice and
        # only the last value was used, so a single mask is given here.
        ifconfig gif0 inet "$local_intern" "$remote_intern" netmask "$local_mask"
        echo -n ' tunnel'
        ;;
stop)
        ifconfig gif0 destroy
        echo -n ' tunnel'
        ;;
*)
        echo "Usage: `basename "$0"` {start|stop}" >&2
        exit 64
        ;;
esac

exit 0
Next time, after a reboot (kernel switch) no packets were flowing through
the gif tunnel.
I gave up and switched back to plain ipsec tunnel without gifs, hence
the original question.
Eric Masson
--
PR> you're a year early for the new millennium
it seems to me that (2000) is indeed the new millennium
on the other hand we change centuries next year, in 2001
-+- kiboot in http://www.le-gnu.net : Émile gets worked up about the year of Émile.
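The arrangement Lars suggests in the quoted part, a gif (IP-in-IP) tunnel with IPsec transport mode protecting the ipencap packets between the outer endpoints so that firewall rules can match on gif0, worked out as an added example. This is not code from the thread or from either participant; the public addresses are constructed RFC 5737 placeholders, the inner /32 point-to-point addresses and the ipfw rule set are assumptions, and keying (racoon/IKE or manual SAs) is left out. The functions print the commands instead of executing them so they can be reviewed first; "apply" runs them on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not from the original thread: gif tunnel between
# 192.168.1.0/24 and 192.168.0.0/24, with IPsec transport mode covering the
# IP-in-IP (ipencap, protocol 4) traffic between the two outer endpoints.
# Addresses are constructed placeholders (RFC 5737 ranges).

LOCAL_EXTERN=203.0.113.1        # this host's public address (placeholder)
REMOTE_EXTERN=198.51.100.1      # peer's public address (placeholder)
LOCAL_INTERN=192.168.1.1        # gif0 inner endpoint on this side (assumed)
REMOTE_INTERN=192.168.0.1       # gif0 inner endpoint on the peer (assumed)

# ifconfig commands that build the gif tunnel and route the remote site
# through it.  A point-to-point link takes a single (host) netmask.
gif_commands() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$LOCAL_EXTERN" "$REMOTE_EXTERN"
    printf 'ifconfig gif0 inet %s %s netmask 255.255.255.255\n' \
        "$LOCAL_INTERN" "$REMOTE_INTERN"
    printf 'route add -net 192.168.0.0/24 %s\n' "$REMOTE_INTERN"
}

# setkey(8) policy: require ESP in transport mode for the ipencap packets
# that carry the tunnel, in both directions.  With "require", an inbound
# ipencap packet that did not arrive inside ESP is dropped by the SPD check,
# so the firewall does not have to distinguish clear from protected ipencap.
spd_config() {
    cat <<EOF
spdflush;
spdadd $LOCAL_EXTERN $REMOTE_EXTERN ipencap -P out ipsec esp/transport//require;
spdadd $REMOTE_EXTERN $LOCAL_EXTERN ipencap -P in ipsec esp/transport//require;
EOF
}

# Firewall rules expressed against the gif device: after ESP and IP-in-IP
# decapsulation the site-to-site traffic is visible on gif0, which is the
# point of using transport mode instead of IPsec tunnel mode here.
# ESP and the decapsulated ipencap packets between the outer endpoints must
# also be allowed, since both pass through ipfw on the way in.
ipfw_rules() {
    printf 'ipfw add allow esp from %s to %s\n' "$REMOTE_EXTERN" "$LOCAL_EXTERN"
    printf 'ipfw add allow esp from %s to %s\n' "$LOCAL_EXTERN" "$REMOTE_EXTERN"
    printf 'ipfw add allow ipencap from %s to %s\n' "$REMOTE_EXTERN" "$LOCAL_EXTERN"
    printf 'ipfw add allow ipencap from %s to %s\n' "$LOCAL_EXTERN" "$REMOTE_EXTERN"
    printf 'ipfw add allow ip from 192.168.1.0/24 to 192.168.0.0/24 via gif0\n'
    printf 'ipfw add allow ip from 192.168.0.0/24 to 192.168.1.0/24 via gif0\n'
}

# Usage: "sh thisfile" prints the commands; "sh thisfile apply" executes
# them (FreeBSD host with IPsec and gif support, run as root).
if [ "${1:-}" = "apply" ]; then
    gif_commands | sh
    spd_config | setkey -c
    ipfw_rules | sh
else
    gif_commands
    spd_config
    ipfw_rules
fi
```

The peer needs the mirror image of the SPD (its own address as source on the "out" line) and a matching gif configuration; the firewall rules on gif0 stay purely about the inner networks, which is what the quoted suggestion is after.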
