Date:      Fri, 02 Aug 2002 16:47:57 -0500
From:      "Matthew Grooms" <mgrooms@seton.org>
To:        <freebsd-security@FreeBSD.ORG>
Subject:   Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...]
Message-ID:  <sd4ab7c6.030@aus-gwia.aus.dcnhs.org>

Hey there,

>But why? Is there something this configuration buys you that you don't
>get when all are "vanilla" ESP tunnels?

     I understand this is not necessary. The first time I set up ipsec
on FreeBSD I thought it was mandatory out of ignorance. After all there
are quite a few how-to's that reflect this sort of configuration ...

http://www.x-itec.de/projects/tuts/ipsec-howto.txt
http://www.daemonnews.org/200101/ipsec-howto.html

This one makes an attempt at explaining why it is beneficial. I'm not too
sure if it is an entirely compelling argument.

http://asherah.dyndns.org/~josh/ipsec-howto.txt

In any case, I was attempting to help out by answering a peer's question
to the best of my ability. I was not endorsing one method or another.
Note that both were illustrated in the example I posted.

>> spdadd 10.22.200.0/24 10.1.2.0/24 any -P out ipsec
>> esp/tunnel/10.22.200.1-10.1.2.1/require;
>> spdadd 10.1.2.0/24 10.22.200.0/24 any -P in  ipsec
>> esp/tunnel/10.1.2.1-10.22.200.1/require;

>You seem to be doing this backwards from the usual way (or what I
>think of as the usual way)... and I really do not understand why. You
>are taking traffic from,
>...

It's only backwards if you are used to implementing IPSEC communications
in a non-gif'd configuration. As mentioned before, this is endorsed by
many how-to's available. If you don't like this method, don't use it. I
for one prefer the gif'd alternative but will be more than happy to
admit that the benefits appear to be mostly cosmetic.

-Matthew
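As an added example, not part of this thread or of setkey(8): a small checker for spdadd policy pairs like the two quoted above. It parses the setkey spdadd form used in the post (both the "vanilla" ESP tunnel-mode pair and, as a constructed sample, the gif(4) variant with ESP transport mode between the gateways) and reports two things a defender wants to catch before loading the SPD: a policy whose level is not `require`, so unprotected traffic would still be accepted, and an `out` policy with no mirrored `in` policy (or vice versa). The sample SPD text is constructed here; only the two tunnel-mode lines are taken from the post.

```python
import re
from typing import NamedTuple

# Constructed samples: the "vanilla" ESP tunnel-mode pair quoted in the post, and the
# gif(4) variant, where gif carries the subnets and ESP transport mode protects the
# gateway-to-gateway packets (the wrapped line breaks from the post are accepted).
TUNNEL_SPD = """
spdadd 10.22.200.0/24 10.1.2.0/24 any -P out ipsec
esp/tunnel/10.22.200.1-10.1.2.1/require;
spdadd 10.1.2.0/24 10.22.200.0/24 any -P in  ipsec
esp/tunnel/10.1.2.1-10.22.200.1/require;
"""
GIF_SPD = """
spdadd 10.22.200.1 10.1.2.1 any -P out ipsec esp/transport//require;
spdadd 10.1.2.1 10.22.200.1 any -P in  ipsec esp/transport//require;
"""

# setkey(8) spdadd grammar, reduced to what these policies use:
# spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/[TSRC-TDST]/LEVEL ;
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)\s+ipsec"
    r"\s+(?P<proto>esp|ah)/(?P<mode>tunnel|transport)/(?P<addrs>[^/]*)/(?P<level>[\w:]+)\s*;"
)

class Policy(NamedTuple):
    src: str; dst: str; upper: str; dir: str; proto: str; mode: str
    tsrc: str; tdst: str; level: str   # tsrc/tdst are empty in transport mode

def parse_spd(text):
    policies = []
    for m in SPDADD_RE.finditer(text):
        f = m.groupdict()
        addrs = f.pop("addrs")
        tsrc, tdst = addrs.split("-") if addrs else ("", "")
        policies.append(Policy(tsrc=tsrc, tdst=tdst, **f))
    return policies

def mirror(p):
    # The policy the reverse direction must carry for the same traffic.
    return p._replace(src=p.dst, dst=p.src, dir="in" if p.dir == "out" else "out",
                      tsrc=p.tdst, tdst=p.tsrc)

def check_spd(policies):
    """Report levels other than 'require' (cleartext would be accepted) and unmirrored policies."""
    problems, have = [], set(policies)
    for p in policies:
        if p.level != "require":
            problems.append(f"{p.dir} {p.src}->{p.dst}: level '{p.level}' does not enforce ESP")
        if mirror(p) not in have:
            problems.append(f"{p.dir} {p.src}->{p.dst}: no mirrored {mirror(p).dir} policy")
    return problems
```

Run `check_spd(parse_spd(open("/etc/ipsec.conf").read()))` against a real setkey file to get the same report; an empty list means every policy is enforced and mirrored.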
