Date: Tue, 30 Jul 2002 10:04:30 +0100
From: "Tariq Rashid" <tariq@inty.net>
To: <freebsd-net@freebsd.org>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...
Message-ID: <006a01c237a8$268fd8f0$9c01000a@tariq>
References: <sd455602.090@aus-gwia.aus.dcnhs.org> <20020730074813.GF89241@blossom.cjclark.org>
i'm no expert but i think it's like this:

* if your endpoints (say 10.0.0.1, 10.0.0.2) do not partake in the network traffic then not using gif is ok. that is, traffic is only between protected nets (say 192.168.1.0, 192.168.2.0).

* however, if your endpoints also want to talk to each other (10.0.0.1 <-> 10.0.0.2) in addition to the protected nets, then you have to "trick" the packets to go through the gif interface so they obtain the correct "source address" -> this way the IPSEC layer will not ignore the packets and will encrypt them (because they have the correct source address).

the ipsec layer won't encrypt packets from 10.0.0.1 -> 192.168.2.1, say - but will encrypt 192.168.1.1 -> 192.168.2.1

am i wrong? i've always been a little confused about the need for gif tunnels for routing... very ugly solution but it works for me. having an ipsec0 device or an enc0 device would be much nicer. you could also tcpdump on the decrypted packets on these devices.

tariq

----- Original Message -----
From: "Crist J. Clark" <crist.clark@attbi.com>

> I've never figured out why people use gif(4) interfaces when ESP does
> the tunneling for you.
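The point the post makes (a tunnel policy keyed on the protected nets matches a packet sourced from 192.168.1.1 but not one sourced from the bare endpoint 10.0.0.1) can be checked against a model of the FreeBSD/KAME security policy database. This is an added example, not code from the thread: it parses constructed setkey(8)-style `spdadd` lines using the addresses from the post and does a first-match SPD lookup on a packet's source/destination pair; the `lookup` and `parse_spd` names are this example's own.

```python
"""Model of SPD selection for tunnel-mode IPsec policies (added example)."""
import ipaddress
import re

# Constructed SPD in setkey(8) syntax, mirroring the addresses in the post:
# protected nets 192.168.1.0/24 <-> 192.168.2.0/24 tunnelled between
# endpoints 10.0.0.1 and 10.0.0.2.
SPD_TEXT = """
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.2/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/10.0.0.2-10.0.0.1/require;
"""

# spdadd <src> <dst> <upperspec> -P <dir> ipsec <proto/mode/src-dst/level>;
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(\S+);")


def parse_spd(text):
    """Parse spdadd lines into (src_net, dst_net, proto, direction, policy)."""
    policies = []
    for m in SPDADD_RE.finditer(text):
        src, dst, proto, direction, policy = m.groups()
        policies.append((ipaddress.ip_network(src), ipaddress.ip_network(dst),
                         proto, direction, policy))
    return policies


def lookup(policies, src_ip, dst_ip, direction="out"):
    """First-match SPD lookup on the packet's addresses.

    Returns the matching policy string, or None when no policy applies,
    which means the stack would send the packet in the clear.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, _proto, pol_dir, policy in policies:
        if pol_dir == direction and src in src_net and dst in dst_net:
            return policy
    return None


if __name__ == "__main__":
    spd = parse_spd(SPD_TEXT)
    # Sourced from the gif/inner address: matches the tunnel policy.
    print(lookup(spd, "192.168.1.1", "192.168.2.1"))
    # Sourced from the bare endpoint: no policy, so it would go unencrypted.
    print(lookup(spd, "10.0.0.1", "192.168.2.1"))
```

Running it shows the policy string for the first packet and `None` for the second, which is why the post routes endpoint traffic through gif so it carries the inner source address.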