VPN with FAST_IPSEC and ipsec tools
David DeSimone
fox at verio.net
Fri Jun 16 15:43:12 UTC 2006
Brian Candler <B.Candler at pobox.com> wrote:
>
> Ah, I guess this means you're following the instructions in the
> FreeBSD handbook, which last time I looked gave a most bizarre and
> unnecessary way of setting up IPSEC (GIF tunneling running on top of
> IPSEC *tunnel* mode). I raised it on this list before.

I ran into the same thing when analyzing the handbook's examples, and
quickly abandoned the handbook when writing my own configs.

> Most people are better off just setting up IPSEC tunnel mode. A few
> use GIF running on top of IPSEC _transport_ mode (e.g. those running
> routing protocols like OSPF over tunnels)

The main reason to use IPSEC tunnel mode and avoid GIF is that such a
config is interoperable with other IPSEC implementations (Cisco,
Checkpoint, etc), and thus is much more useful in the real world.

--
David DeSimone == Network Admin == fox at verio.net
"It took me fifteen years to discover that I had no
talent for writing, but I couldn't give it up because
by that time I was too famous." -- Robert Benchley
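
Added example, not part of the original message or the handbook: a setkey(8) policy file for the plain tunnel-mode setup discussed above, with no gif interface involved. The gateway addresses (192.0.2.1, 198.51.100.1) and LAN prefixes (10.1.0.0/16, 10.2.0.0/16) are constructed placeholders, and the SAs are assumed to be negotiated by racoon from ipsec-tools.

```conf
# setkey.conf on the local gateway (192.0.2.1, constructed address).
# Constructed example: swap in your own gateway addresses and prefixes.

# Start from a clean SAD and SPD so stale entries cannot shadow these policies.
flush;
spdflush;

# Outbound: local LAN -> remote LAN is wrapped in ESP tunnel mode between
# the two gateway addresses. "require" means a packet matching the selector
# is dropped rather than sent in the clear when no SA exists.
spdadd 10.1.0.0/16 10.2.0.0/16 any -P out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require;

# Inbound: the mirror image. Traffic claiming to come from the remote LAN
# must have arrived through the ESP tunnel from the peer gateway.
spdadd 10.2.0.0/16 10.1.0.0/16 any -P in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require;

# No gif interface and no IP-in-IP layer: the peer only has to agree on the
# two subnet selectors and the ESP tunnel endpoints, which is what keeps
# this setup usable against non-FreeBSD IPsec gateways.
```

After loading the file with `setkey -f`, `setkey -DP` lists the installed policies so both directions can be checked against the peer's configuration.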