IPSEC documentation

Nate Nielsen nielsen-list at memberwebs.com
Sun Jan 1 12:24:46 PST 2006


Brian Candler wrote:
> The IPSEC documentation at
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html is
> pretty weird. It suggests that you encapsulate your packets in IP-IP (gif)
> encapsulation and THEN encapsulate that again using IPSEC tunnel mode.

<snip>

> This is a really strange approach which is almost guaranteed not to
> interoperate with other IPSEC gateways. (It might be useful if you were
> using etherip encapsulation and attempting to bridge two remote networks,
> but that's not what it's doing either. In any case, if you're encapsulating
> with a different protocol then you only need IPSEC transport mode, not
> tunnel mode)

That's what I've found the easiest: Encapsulation with gif tunnels and
then IPSec transport mode encryption.

Due to the way IPSec Tunnel mode is implemented, routing protocols don't
work well over it (i.e., most routing protocols need an interface and next
hop).

> ISTM that this chapter should be rewritten to use IPSEC tunnel mode solely.
> Do people here generally agree? If so I'll try to find the time to modify
> it.

I'd suggest adding, not replacing.

Cheers,
Nate
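As an added illustration of the layout Nate describes (gif encapsulation protected by IPsec transport mode, with the handbook's tunnel-mode policy shown for contrast), this sh script emits the ifconfig(8) and setkey(8) commands for one gateway rather than running them. It is not code from the thread or from the FreeBSD handbook; the addresses are constructed, and the ESP SAs themselves are assumed to come from an IKE daemon.

```shell
#!/bin/sh
# Constructed example addresses (not real hosts):
#   outer (public) addresses: local 203.0.113.1, remote 198.51.100.1
#   gif point-to-point /30:    local 10.0.0.1,    remote 10.0.0.2
#   remote LAN behind the far gateway: 10.2.0.0/24
# The functions print commands so the output can be reviewed before use.

gif_setup() {
  # $1 local outer, $2 remote outer, $3 local inner, $4 remote inner
  printf 'ifconfig gif0 create\n'
  printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
  printf 'ifconfig gif0 inet %s %s netmask 255.255.255.252\n' "$3" "$4"
}

# gif gives routing a real interface and next hop: routes point at the
# gif peer, and the IPsec policy never has to know about the inner networks.
inner_route() {
  # $1 remote LAN (CIDR), $2 remote gif address
  printf 'route add -net %s %s\n' "$1" "$2"
}

# Transport-mode SPD: protect only the IP-in-IP carrier (ipencap, IP
# protocol 4) between the two outer addresses. No second IP header is
# added, so this matches what other IPsec gateways expect for transport.
transport_policy() {
  # $1 local outer, $2 remote outer
  printf 'spdadd %s/32 %s/32 ipencap -P out ipsec esp/transport//require;\n' "$1" "$2"
  printf 'spdadd %s/32 %s/32 ipencap -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# The handbook's variant, for contrast: the same ipencap selector but in
# tunnel mode, so ESP wraps the gif packet in yet another IP header.
tunnel_policy() {
  # $1 local outer, $2 remote outer
  printf 'spdadd %s/32 %s/32 ipencap -P out ipsec esp/tunnel/%s-%s/require;\n' "$1" "$2" "$1" "$2"
  printf 'spdadd %s/32 %s/32 ipencap -P in ipsec esp/tunnel/%s-%s/require;\n' "$2" "$1" "$2" "$1"
}

# Count the extra IP headers carried on the wire for each layout:
# gif adds one; tunnel mode adds one more, transport mode adds none.
extra_ip_headers() {
  case "$1" in
    transport) echo 1 ;;
    tunnel)    echo 2 ;;
    *)         echo "unknown mode: $1" >&2; return 1 ;;
  esac
}

gif_setup 203.0.113.1 198.51.100.1 10.0.0.1 10.0.0.2
inner_route 10.2.0.0/24 10.0.0.2
echo '# setkey -f <<EOF'
transport_policy 203.0.113.1 198.51.100.1
echo 'EOF'
```

Pipe the `spdadd` lines into `setkey -f` on each gateway (with the addresses swapped on the far side) and bring up the ESP SAs through IKE; only then does traffic start flowing over gif0.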


