Re: IPSEC documentation



> The IPSEC documentation at
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html is
> pretty weird. It suggests that you encapsulate your packets in IP-IP (gif)
> encapsulation and THEN encapsulate that again using IPSEC tunnel mode.
>
> This is a really strange approach which is almost guaranteed not to
> interoperate with other IPSEC gateways. (It might be useful if you were
> using etherip encapsulation and attempting to bridge two remote networks,
> but that's not what it's doing either. In any case, if you're
> encapsulating with a different protocol then you only need IPSEC transport
> mode, not tunnel mode)

While correct, note the scenario which the configuration is describing:

14.10.3 The Scenario: Two networks, connected to the Internet, to behave as
one.

This is something I do all the time to connect retail outlets to the server
at the head office. This double-encapsulation ensures that nobody can sniff
my packets, which contain sensitive information such as credit card data
(which is already encrypted via HTTPS, but you can't be too safe!)

> ISTM that this chapter should be rewritten to use IPSEC tunnel mode
> solely.
> Do people here generally agree? If so I'll try to find the time to modify
> it.

This perhaps would be a good _addition_ to the existing documentation --
it's likely a configuration that many would want to set up, especially to
inter-operate with corporate networks (using commercial IPSec solutions) --
or for those who don't need the double-encapsulation.

--
Matt Emmerton

_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
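To make the two layouts under discussion concrete, here is an added example that is not part of the thread or of the handbook chapter it discusses. It emits setkey(8) security policy entries for (1) IPsec tunnel mode on its own, where the SPD selects on the LAN prefixes and IPsec adds the outer header, and (2) a gif(4) IP-in-IP tunnel protected by IPsec transport mode, which is the "different encapsulation, so transport mode is enough" case from the quoted message; the handbook's gif plus tunnel mode variant is the one that stacks a third IP header. The public and LAN addresses are constructed (RFC 5737 / RFC 1918 ranges), and the spdadd syntax, `ip4` as the upper-layer protocol selector, and the ifconfig/route lines are assumed from the FreeBSD manual pages rather than taken from the page.

```shell
#!/bin/sh
# Added example: generate SPD entries for two site-to-site IPsec layouts.
# Site A: public 203.0.113.1, LAN 10.1.0.0/24
# Site B: public 198.51.100.1, LAN 10.2.0.0/24   (constructed placeholders)
A_PUB=203.0.113.1
B_PUB=198.51.100.1
A_LAN=10.1.0.0/24
B_LAN=10.2.0.0/24

# Layout 1: IPsec tunnel mode alone (what the quoted poster proposes).
# The policy matches on the inner LAN addresses; IPsec itself prepends the
# outer IP header between the two public addresses, so no gif(4) interface
# is needed and a LAN-to-LAN packet carries two IP headers on the wire.
# This is the form most third-party IPsec gateways expect to negotiate.
tunnel_only_spd() {
    cat <<EOF
spdadd $A_LAN $B_LAN any -P out ipsec esp/tunnel/$A_PUB-$B_PUB/require;
spdadd $B_LAN $A_LAN any -P in  ipsec esp/tunnel/$B_PUB-$A_PUB/require;
EOF
}

# Layout 2: gif(4) does the IP-in-IP encapsulation, so the packets IPsec sees
# are already "outer" packets between the two public addresses. Transport
# mode is sufficient here; selecting on ip4 (IP-in-IP, protocol 4) restricts
# the policy to the gif traffic. Using tunnel mode at this point instead
# would wrap a third IP header around the packet (the handbook's layout).
gif_transport_spd() {
    cat <<EOF
spdadd $A_PUB $B_PUB ip4 -P out ipsec esp/transport//require;
spdadd $B_PUB $A_PUB ip4 -P in  ipsec esp/transport//require;
EOF
}

# Interface and route setup on site A for layout 2 (assumed from ifconfig(8)
# and gif(4); inner point-to-point addresses are constructed).
gif_setup_a() {
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $A_PUB $B_PUB
ifconfig gif0 inet 10.1.0.1 10.2.0.1
route add $B_LAN 10.2.0.1
EOF
}

# Render the chosen layout as a complete setkey -f input file.
# Usage: render_policy tunnel-only|gif-transport > /etc/ipsec.conf
render_policy() {
    echo "flush;"
    echo "spdflush;"
    case "$1" in
        tunnel-only)   tunnel_only_spd ;;
        gif-transport) gif_transport_spd ;;
        *) echo "unknown layout: $1" >&2; return 1 ;;
    esac
}
```

Whichever layout is chosen, the output is loaded with `setkey -f`, and a key-management daemon (or manual `add` entries) must still supply the ESP SAs for the matching mode: tunnel-mode SAs for layout 1, transport-mode SAs for layout 2. Mixing the SPD of one layout with SAs of the other is a common reason the two gateways fail to pass traffic even though the policy loads without error.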