From owner-freebsd-net@FreeBSD.ORG Wed Apr 2 07:58:34 2003
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8A1AD37B404 for ; Wed, 2 Apr 2003 07:58:34 -0800 (PST)
Received: from musique.teaser.net (musique.teaser.net [213.91.2.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id C179943F3F for ; Wed, 2 Apr 2003 07:58:32 -0800 (PST) (envelope-from e-masson@kisoft-services.com)
Received: from notbsdems.interne.kisoft-services.com (nantes.kisoft-services.com [193.56.60.243]) by musique.teaser.net (Postfix) with ESMTP id 0678372532; Wed, 2 Apr 2003 17:58:30 +0200 (CEST)
Received: by notbsdems.interne.kisoft-services.com (Postfix, from userid 1001) id 815ED5A7A5; Wed, 2 Apr 2003 17:58:02 +0200 (CEST)
To: Lars Eggert
From: Eric Masson
In-Reply-To: <3E8A1122.5040304@isi.edu> (Lars Eggert's message of "Tue, 01 Apr 2003 14:22:26 -0800")
References: <86pto6mbxj.fsf@notbsdems.interne.kisoft-services.com> <05b901c2f881$67e907f0$52557f42@errno.com> <3E8A1122.5040304@isi.edu>
X-Operating-System: FreeBSD 4.8-RC i386
Date: Wed, 02 Apr 2003 17:58:02 +0200
Message-ID: <86fzp0riwl.fsf@notbsdems.interne.kisoft-services.com>
User-Agent: Gnus/5.090017 (Oort Gnus v0.17) XEmacs/21.4 (Common Lisp, berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
cc: Sam Leffler
cc: Mailing List FreeBSD Network
Subject: Re: options FAST_IPSEC & tunnels
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 02 Apr 2003 15:58:34 -0000

>>>>> "Lars" == Lars Eggert writes:

Lars> Alternatively (and already working), you can replace IPsec tunnel
Lars> mode with IPIP (gif) tunnels and transport mode, and then use the
Lars> gif device in your firewall rules.
If transport mode can be used to connect to a PIX, it's a solution to consider, but atm, I've found no reference to such a setup on the PIX.

I've tried gif tunnels with IPsec tunnel mode and didn't get reproducible results; this setup worked once with the following gif setup:

#!/bin/sh

if ! PREFIX=$(expr $0 : "\(/.*\)/etc/rc\.d/${0##*/}\$"); then
    echo "$0: Cannot determine the PREFIX" >&2
    exit 1
fi

case "$1" in
start)
        # Setup Chantilly
        # outer (public) tunnel endpoints
        local_extern=XXX.XXX.XXX.XXX
        remote_extern=XXX.XXX.XXX.XXX
        # inner networks on each side of the tunnel
        local_intern=192.168.1.0
        remote_intern=192.168.0.0
        local_mask=255.255.255.0
        remote_mask=255.255.255.0
        ifconfig gif0 create
        ifconfig gif0 tunnel $local_extern $remote_extern
        ifconfig gif0 inet $local_intern netmask $local_mask $remote_intern netmask $remote_mask
        echo -n ' tunnel'
        ;;
stop)
        ifconfig gif0 destroy
        echo -n ' tunnel'
        ;;
*)
        echo "Usage: `basename $0` {start|stop}" >&2
        exit 64
        ;;
esac

exit 0

Next time, after a reboot (kernel switch), no packets were flowing through the gif tunnel. I gave up and switched back to a plain IPsec tunnel without gifs, hence the original question.

Eric Masson

-- 
PR> you're a year early for the new millennium
It seems to me that (2000) is indeed the new millennium; on the other hand, we change century next year, in 2001
-+- kiboot in http://www.le-gnu.net : Émile énerve pour l'an d'Émile.
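The setup Lars suggests above (a gif IPIP tunnel protected by transport-mode IPsec, so the decrypted traffic can be filtered on the gif interface), written out as an added example that is not from the thread or from either poster. All addresses and networks are constructed placeholders; the functions print the commands and policies rather than running them, and keys are assumed to come from an IKE daemon.

```shell
#!/bin/sh
# Added example: gif tunnel + transport-mode IPsec + firewall rules on gif0.
# Addresses are constructed placeholders, not from the thread.
LOCAL_EXT=192.0.2.1       # our public endpoint (constructed)
REMOTE_EXT=198.51.100.1   # peer public endpoint (constructed)
LOCAL_INT=192.168.1.1     # inner tunnel address: a host address, not a network
REMOTE_INT=192.168.0.1
LOCAL_NET=192.168.1.0/24
REMOTE_NET=192.168.0.0/24

# ifconfig(8)/route(8) commands that build the IPIP tunnel between the
# outer endpoints and route the remote network through it.
gif_commands() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$LOCAL_EXT" "$REMOTE_EXT"
    printf 'ifconfig gif0 inet %s %s netmask 255.255.255.255\n' "$LOCAL_INT" "$REMOTE_INT"
    printf 'route add -net %s %s\n' "$REMOTE_NET" "$REMOTE_INT"
}

# setkey(8) policy: the IPIP packets (ipencap, protocol 4) exchanged by the
# outer endpoints must travel inside ESP in transport mode. "require" on the
# inbound entry makes the kernel discard IPIP from the peer that did not
# arrive protected, so plaintext cannot be injected into the tunnel.
setkey_policy() {
    cat <<EOF
spdadd $LOCAL_EXT $REMOTE_EXT ipencap -P out ipsec esp/transport//require;
spdadd $REMOTE_EXT $LOCAL_EXT ipencap -P in ipsec esp/transport//require;
EOF
}

# ipfw(8) rules: the outer interface only needs ESP, IKE and the (decapsulated)
# IPIP from the peer; the plaintext inside the tunnel is filtered on gif0
# like traffic on any other interface, which is the point of this layout.
ipfw_rules() {
    cat <<EOF
ipfw add 100 allow esp from $REMOTE_EXT to $LOCAL_EXT
ipfw add 110 allow udp from $REMOTE_EXT 500 to $LOCAL_EXT 500
ipfw add 120 allow ipencap from $REMOTE_EXT to $LOCAL_EXT
ipfw add 200 allow tcp from $REMOTE_NET to $LOCAL_NET 22 via gif0
ipfw add 210 deny log ip from any to any via gif0
EOF
}

gif_commands; setkey_policy; ipfw_rules
```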