IPSEC documentation
Matt Emmerton
matt at gsicomp.on.ca
Wed Dec 28 07:08:21 PST 2005
> The IPSEC documentation at
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html is
> pretty weird. It suggests that you encapsulate your packets in IP-IP (gif)
> encapsulation and THEN encapsulate that again using IPSEC tunnel mode.
>
> This is a really strange approach which is almost guaranteed not to
> interoperate with other IPSEC gateways. (It might be useful if you were
> using etherip encapsulation and attempting to bridge two remote networks,
> but that's not what it's doing either. In any case, if you're
encapsulating
> with a different protocol then you only need IPSEC transport mode, not
> tunnel mode)
While correct, note the scenario for which the configuration is describing:
14.10.3 The Scenario: Two networks, connected to the Internet, to behave as
one.
This is something I do all the time to connect retail outlets to the server
at the head office. This double-encapsulation ensures that nobody can sniff
my packets, which contain sensitive information such as credit card data
(which is already encrypted via HTTPS, but you can't be too safe!)
> ISTM that this chapter should be rewritten to use IPSEC tunnel mode
solely.
> Do people here generally agree? If so I'll try to find the time to modify
> it.
This perhaps would be a good _addition_ to the existing documentation --
it's likely a configuration that many would want to set up, especially to
inter-operate with corporate networks (using commercial IPSec solutions) --
or for those who don't need the double-encapsulation.
--
Matt Emmerton
More information about the freebsd-net
mailing list