Date: Fri, 02 Aug 2002 16:47:57 -0500 From: "Matthew Grooms" <mgrooms@seton.org> To: <freebsd-security@FreeBSD.ORG> Subject: Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG toipsec/racoontroubles, help please ...] Message-ID: <sd4ab7c6.030@aus-gwia.aus.dcnhs.org>
next in thread | raw e-mail | index | archive | help
Hey there,
>But why? Is there something this configuration buys >you that you don't
>get when all are "vanilla" ESP tunnels?
I understand this is not neccesary. The first time I set up ipsec
on freebsd I thought it was mandatory out of ignorance. After all there
are quite a few how-to's that refect this sort of configuration ...
http://www.x-itec.de/projects/tuts/ipsec-howto.txt
http://www.daemonnews.org/200101/ipsec-howto.html
This one makes an attempt at explaining why it is beneficial. Im not too
sure if it is an entirely compeling argument.
http://asherah.dyndns.org/~josh/ipsec-howto.txt
In any case, I was attempting to help out by answering a peers question
to the best of my ability. I was not endorsing one method or another.
Note that both were illustrated in the example I posted.
>> spdadd 10.22.200.0/24 10.1.2.0/24 any -P out ipsec
>> esp/tunnel/10.22.200.1-10.1.2.1/require;
>> spdadd 10.1.2.0/24 10.22.200.0/24 any -P in ipsec
>> esp/tunnel/10.1.2.1-10.22.200.1/require;
>You seem to be doing this backwards from the usual >way (or what I
>think of as the usual way)... and I really do not >understand why. You
>are taking traffic from,
>...
Its only backwards if you are used to implimenting IPSEC communications
in a non-giff'd confguration. As mentioned before, this is endorsed by
many how-to's available. If you don't like this method, don't use it. I
for one prefer the giffed alternative but will be more than happy to
admit that the benifits appear to be mostly cosmetic.
-Matthew
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?sd4ab7c6.030>