From: "Dennis Pedersen"
Delivered-To: freebsd-net@freebsd.org
Cc: "Lars Eggert"
Subject: Re: IPsec tunnel mode
Date: Tue, 9 Apr 2002 12:16:10 +0200

----- Original Message -----
From: "Lars Eggert"
To: "Dennis Pedersen"
Sent: Monday, April 08, 2002 11:23 PM
Subject: Re: IPsec tunnel mode

> Dennis Pedersen wrote:
> > Because on the snap-users@kame.net Lars Eggert said something about using
> > transport mode, not tunnel mode. This confused me a bit because isn't
> > transport between 2 hosts only
>
> I said a possibility would be to use IPsec transport mode OVER AN IPIP
> TUNNEL, which is not the same as using transport mode alone (which is
> restricted to host pairs). On the wire, packets generated by either
> approach look identical.

My bad, I think I got the big picture now of where you are going with the IPIP and transport mode.

> > I have also read the
> > ftp://ftp.ietf.org/internet-drafts/draft-touch-ipsec-vpn-03.txt a couple of
> > times, but I still can't seem to figure out how the transport mode fits into
> > this?
>
> Forget about security for a moment. Set up a virtual topology using IPIP
> tunnels, and make sure it works. *Then* turn on transport-mode IKE over
> the IPIP tunnels to secure it.

But uhm, is there a 'simple' way of doing this? (As in just adding the IP of the other end's gif interface as destination in my routes?)

The setup today is an exact copy of (other IPs of course) www.freebsddiary.org/ipsec-tunnel.php. This works just fine besides the problem with my routes; according to the draft, IPIP is the solution.

My question is now: how do I set it up with an IPIP tunnel? On http://rr.sans.org/firewall/IPSec_VPN.php there is an example; from my point of view it looks kind of complicated. Can it be made any simpler?

If this is the way to do it, can I run multiple natd on both my external interface and the virtual gif interface (the howto creates the gif tunnel and diverts all traffic into this tunnel with natd on both ends), and how? (Because I can't really see how the ipfw add divert natd can tell the difference between the 2 sessions of natd.)

Regards,
Dennis
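The two steps Lars describes, first an unsecured gif(4) IPIP tunnel with a route via the peer's gif address, then a transport-mode IPsec policy on the outer IP-in-IP packets only, as an added example that is not from this thread or the linked howtos. The addresses are constructed documentation-range values, the ESP SAs are assumed to come from racoon (IKE) whose configuration is not shown, and the script only prints the commands unless invoked with `apply`.

```shell
#!/bin/sh
# Constructed addresses (RFC 5737 documentation ranges), not the poster's.
LOCAL_EXT=203.0.113.1      # this gateway's external (outer) address
REMOTE_EXT=198.51.100.1    # peer gateway's external (outer) address
LOCAL_GIF=10.0.0.1         # inner tunnel endpoint, this side
REMOTE_GIF=10.0.0.2        # inner tunnel endpoint, peer side
REMOTE_LAN=192.168.2.0/24  # network behind the peer

# Step 1: the plain IPIP topology. The route to the far LAN points at the
# peer's gif address, so that route is what carries traffic into the tunnel.
gif_commands() {
    printf '%s\n' \
        "ifconfig gif0 create" \
        "ifconfig gif0 tunnel $LOCAL_EXT $REMOTE_EXT" \
        "ifconfig gif0 inet $LOCAL_GIF $REMOTE_GIF netmask 255.255.255.255" \
        "route add -net $REMOTE_LAN $REMOTE_GIF"
}

# Step 2: transport-mode ESP between the two gateways, matched only on the
# outer IP-in-IP packets (setkey upperspec "ip4", IP protocol 4). There is
# no tunnel-mode policy because gif already does the encapsulation; the
# SAs themselves are negotiated by racoon (assumed, not shown here).
spd_policy() {
    cat <<EOF
spdadd $LOCAL_EXT $REMOTE_EXT ip4 -P out ipsec esp/transport//require;
spdadd $REMOTE_EXT $LOCAL_EXT ip4 -P in ipsec esp/transport//require;
EOF
}

# "apply" runs the commands and loads the SPD; anything else is a dry run
# that prints what would be done, so the topology can be checked first.
apply() {
    if [ "${1:-dry-run}" = "apply" ]; then
        gif_commands | sh
        spd_policy | setkey -c
    else
        gif_commands
        spd_policy
    fi
}

apply "$@"
```

Run the same script on the peer with the LOCAL_*/REMOTE_* values swapped and the LAN behind this side as REMOTE_LAN.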