IPSEC documentation

[Matt Emmerton]

> The IPSEC documentation at
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html is
> pretty weird. It suggests that you encapsulate your packets in IP-IP (gif)
> encapsulation and THEN encapsulate that again using IPSEC tunnel mode.
>
> This is a really strange approach which is almost guaranteed not to
> interoperate with other IPSEC gateways. (It might be useful if you were
> using etherip encapsulation and attempting to bridge two remote networks,
> but that's not what it's doing either. In any case, if you're
encapsulating
> with a different protocol then you only need IPSEC transport mode, not
> tunnel mode)

While correct, note the scenario for which the configuration is describing:

14.10.3 The Scenario: Two networks, connected to the Internet, to behave as
one.

This is something I do all the time to connect retail outlets to the server
at the head office.  This double-encapsulation ensures that nobody can sniff
my packets, which contain sensitive information such as credit card data
(which is already encrypted via HTTPS, but you can't be too safe!)

> ISTM that this chapter should be rewritten to use IPSEC tunnel mode
solely.
> Do people here generally agree? If so I'll try to find the time to modify
> it.

This perhaps would be a good _addition_ to the existing documentation -- 
it's likely a configuration that many would want to set up, especially to
inter-operate with corporate networks (using commercial IPSec solutions) -- 
or for those who don't need the double-encapsulation.

--
Matt Emmerton