vpn trouble

Eric W. Bates ericx at ericx.net
Tue Jun 22 19:29:10 UTC 2010


On 6/22/2010 2:22 PM, David DeSimone wrote:
> Maciej Suszko<maciej at suszko.eu>  wrote:
>>
>>> So as you write they should set: ??
>>> 10.20.0.1 (my ip on gif device)<->  78.x<->  95.x<->  10.10.1.90
>>> (other side)
>>
>> Yes, indeed.
>>
>>> And additionally I think I should correct the SPD policy to:
>>>
>>> spdadd 10.20.0.1 10.10.1.90 any -P out ipsec
>>> esp/tunnel/78.x.x.x-95.x.x.x/require;
>>> spdadd 10.10.1.90 10.20.0.1 any -P in ipsec
>>> esp/tunnel/95.x.x.x-78.x.x.x/require;
>>>
>>> Am I wrong?
>>
>> No, you're right :)
>>
>> You can set up the tunnel first - check whether both 10. are accessible
>> from both sides, then you "cover" communication between them with IPSEC.
>
> Will this sort of GIF tunnel interoperate with Cisco and/or Checkpoint
> VPN equipment?  In our tests we were able to use pure IPSEC tunnel
> encapsulation to interoperate with these sorts of devices, so we never
> found a need for GIF encapsulation.
>

I managed to do an IP-in-IP tunnel with IPsec encryption between a 
FreeBSD box and a Cisco router running 12.1(mumble) several years ago.

It is a desirable option if you want to use routing (e.g. OSPF). You 
can't route an IPsec tunnel (actually, is this now possible with enc0 
interfaces?), but you can route to the gif interfaces.

http://rfc-ref.org/RFC-TEXTS/3884/
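An added example, not part of this thread: the question above was whether the `in` and `out` spdadd policies around a gif tunnel are the mirror image of each other, which is easy to get wrong by hand. The small Python checker below parses setkey(8) `spdadd` statements (including the line continuations setkey allows) and verifies that the inner selectors are swapped between directions, that the ESP tunnel endpoints are swapped to match, and that the level is `require`. The addresses are constructed placeholders standing in for the 78.x / 95.x endpoints in the thread; `BAD_SPD` is a constructed mistake, not a policy anyone posted.

```python
"""Consistency check for a gif-over-IPsec setkey SPD pair (added example)."""
import re

# Constructed sample addresses, same shape as the thread's policies.
LOCAL_INNER, REMOTE_INNER = "10.20.0.1", "10.10.1.90"   # gif inner addresses
LOCAL_OUTER, REMOTE_OUTER = "78.0.0.1", "95.0.0.1"      # stand-ins for 78.x / 95.x

# Mirror-image pair: in/out selectors and ESP endpoints both swapped.
GOOD_SPD = """
spdadd 10.20.0.1 10.10.1.90 any -P out ipsec
    esp/tunnel/78.0.0.1-95.0.0.1/require;
spdadd 10.10.1.90 10.20.0.1 any -P in ipsec
    esp/tunnel/95.0.0.1-78.0.0.1/require;
"""

# Constructed mistake: the inbound policy keeps the outbound endpoint order.
BAD_SPD = """
spdadd 10.20.0.1 10.10.1.90 any -P out ipsec esp/tunnel/78.0.0.1-95.0.0.1/require;
spdadd 10.10.1.90 10.20.0.1 any -P in ipsec esp/tunnel/78.0.0.1-95.0.0.1/require;
"""

_STMT = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"ipsec\s+(?P<proto>\w+)/(?P<mode>tunnel|transport)/(?P<eps>[^/]*)/(?P<level>\w+)"
)


def parse_spd(text):
    """Return one dict per spdadd statement; statements are ';'-terminated."""
    policies = []
    for stmt in text.split(";"):
        stmt = " ".join(stmt.split())  # fold continuation lines into one
        if not stmt:
            continue
        m = _STMT.fullmatch(stmt)
        if not m:
            raise ValueError("unparsable spdadd statement: %r" % stmt)
        p = m.groupdict()
        # tunnel mode carries "local-remote" endpoints; transport mode has none
        p["eps"] = tuple(p["eps"].split("-")) if p["eps"] else ()
        policies.append(p)
    return policies


def check_tunnel_pair(text, local_inner, remote_inner, local_outer, remote_outer):
    """Return a list of problems; empty means the in/out pair is consistent.

    Expected for a gif tunnel protected by ESP in tunnel mode:
      out: local_inner -> remote_inner, endpoints local_outer-remote_outer
      in : remote_inner -> local_inner, endpoints remote_outer-local_outer
    """
    problems, by_dir = [], {}
    for p in parse_spd(text):
        if p["dir"] in by_dir:
            problems.append("duplicate %s policy" % p["dir"])
        by_dir[p["dir"]] = p
    for d in ("out", "in"):
        if d not in by_dir:
            problems.append("missing %s policy" % d)
    if problems:
        return problems

    expected = {
        "out": (local_inner, remote_inner, (local_outer, remote_outer)),
        "in": (remote_inner, local_inner, (remote_outer, local_outer)),
    }
    for d, (src, dst, eps) in expected.items():
        p = by_dir[d]
        if p["mode"] != "tunnel":
            problems.append("%s: expected tunnel mode, got %s" % (d, p["mode"]))
            continue
        if (p["src"], p["dst"]) != (src, dst):
            problems.append("%s: selector %s->%s, expected %s->%s"
                            % (d, p["src"], p["dst"], src, dst))
        if p["eps"] != eps:
            problems.append("%s: ESP endpoints %s, expected %s-%s"
                            % (d, "-".join(p["eps"]), eps[0], eps[1]))
        if p["level"] != "require":
            # "use" would let traffic pass in the clear when no SA exists
            problems.append("%s: level %s, expected require" % (d, p["level"]))
    return problems


if __name__ == "__main__":
    for name, spd in (("GOOD_SPD", GOOD_SPD), ("BAD_SPD", BAD_SPD)):
        issues = check_tunnel_pair(spd, LOCAL_INNER, REMOTE_INNER, LOCAL_OUTER, REMOTE_OUTER)
        print(name, "OK" if not issues else "; ".join(issues))
```

Run it against the output of `setkey -DP` (or the spdadd lines in /etc/ipsec.conf) before bringing the gif interface up; a mismatch in the endpoint order shows up as a one-way tunnel that is painful to debug from tcpdump alone.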



More information about the freebsd-net mailing list