Re: VPN with FAST_IPSEC and ipsec tools

From: David DeSimone <fox@xxxxxxxxx>
Date: Fri, 16 Jun 2006 10:43:07 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brian Candler <B.Candler@xxxxxxxxx> wrote:

Ah, I guess this means you're following the instructions in the
FreeBSD handbook, which last time I looked gave a most bizarre and
unnecessary way of setting up IPSEC (GIF tunneling running on top of
IPSEC *tunnel* mode). I raised it on this list before.

I ran into the same thing when analyzing the handbook's examples, and
quickly abandoned the handbook when writing my own configs.

Most people are better off just setting up IPSEC tunnel mode. A few
use GIF running on top of IPSEC _transport_ mode (e.g. those running
routing protocols like OSPF over tunnels)

The main reason to use IPSEC tunnel mode and avoid GIF is that such a
config is interoperable with other IPSEC implementations (Cisco,
Checkpoint, etc), and thus is much more useful in the real world.

- --
David DeSimone == Network Admin == fox@xxxxxxxxx
"It took me fifteen years to discover that I had no
talent for writing, but I couldn't give it up because
by that time I was too famous. -- Robert Benchley
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEktGKFSrKRjX5eCoRAq7JAJwIljDoGlZu+PDcFRT8842UpvXPkwCfZP8l
IXMhmlNoy/++m/CxIoIhfHI=
=ftpL
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"

Follow-Ups:
- Re: VPN with FAST_IPSEC and ipsec tools
  - From: Michael Vince
- Re: VPN with FAST_IPSEC and ipsec tools
  - From: Doug Barton

References:
- VPN with FAST_IPSEC and ipsec tools
  - From: Michael Vince
- Re: VPN with FAST_IPSEC and ipsec tools
  - From: Brian Candler

Prev by Date: Re: enc0 patch for ipsec
Next by Date: Re: enc0 patch for ipsec
Previous by thread: Re: VPN with FAST_IPSEC and ipsec tools
Next by thread: Re: VPN with FAST_IPSEC and ipsec tools
Index(es):
- Date
- Thread

Relevant Pages

Re: IPSec tcp session stalling ( me too ) ...
... As soon as a gif interface is involved, ... checked with udp) session running inside the gif tunnel breaks. ... When either not using IPSec, not enabling pf or not using gif - ...
(freebsd-net)
Re: FW: iHEADS UP: ipsec packet filtering change
... >> You don't really need the gif tunnels for ipsec. ... gifconfig stuff from an IPsec tunnel I administer and lo and behold it ... if I could resolve another problem where ipfw treated packets coming ...
(freebsd-stable)
Re: ICMP Error transmission/response over IPSec tunnels
... The IPSec configuration is a gif ipip tunnel that is then encrypted with IPSec using esp in tunnel mode as per the ipsec vpn section in the handbook. ... Also I have not tested quagga in when the ipsec is in transport mode, and I guess I do need interfaces to use with quagga. ...
(freebsd-net)
Re: ICMP Error transmission/response over IPSec tunnels
... The IPSec configuration is a gif ipip tunnel that is then encrypted with IPSec using esp in tunnel mode as per the ipsec vpn section in the handbook. ... Also I have not tested quagga in when the ipsec is in transport mode, and I guess I do need interfaces to use with quagga. ...
(freebsd-net)
Re: Wifi ipsec freebsd
... I too have set up a ipsec secured wireless network and this article ... Tunnel vs. transport mode was something I never fully understood. ... connection over wifi between a FreeBSD gateway and a Windows laptop. ...
(freebsd-questions)