FW: iHEADS UP: ipsec packet filtering change
Subscriber
subscriber at insignia.com
Thu May 15 14:47:18 PDT 2003
> -----Original Message-----
> From: Greg Panula [mailto:greg.panula at dolaninformation.com]
> Sent: 12 May 2003 11:10
> To: Matthew Braithwaite
> Cc: stable at freebsd.org
> Subject: Re: iHEADS UP: ipsec packet filtering change
>
> You don't really need the gif tunnels for ipsec. Gif is more geared
> towards ipv4 <=> ipv6 type tunnels. A few of the ipsec how-tos mention
> using gif tunnels and I've been tripped up by it, too.
>
> ipsec is much easier without the gif tunnels. The ipsec policy
> definition is explained in the setkey man page. Basically for tunnels
> it is:
>   spdadd ${remote net} ${local net} any -P in ipsec esp/tunnel/${remote gateway}-${local gateway}/unique;
> and
>   spdadd ${local net} ${remote net} any -P out ipsec esp/tunnel/${local gateway}-${remote gateway}/unique;

I have seen this said before. I've also seen it said that gif
is just a way of getting the routing right. But every single
practical example I have seen about how to set up a VPN link
between two LANs using FreeBSD boxes uses gif.

I'm using gif. If I take it out and just use plain setkey and
racoon, what should I substitute to get the packets addressed
to my office network sent through the tunnel?

Jim Hatfield
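
The policy template quoted above, filled in for both ends of a LAN-to-LAN tunnel. This is an added example, not part of either message. All addresses are constructed documentation values, the names "gateway A" and "gateway B" are assumptions, and the SAs are assumed to be negotiated by racoon.

```conf
# ---- gateway A: setkey policy file ---------------------------------
# Constructed values: LAN 192.168.1.0/24, public address 203.0.113.1
# Peer (gateway B):   LAN 192.168.2.0/24, public address 198.51.100.1
spdflush;

# Outbound: anything from the local LAN to the remote LAN is wrapped in
# ESP tunnel mode, outer header local gateway -> remote gateway.
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/unique;

# Inbound: traffic from the remote LAN must have arrived through the
# tunnel, outer header remote gateway -> local gateway.
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/unique;

# ---- gateway B: setkey policy file (exact mirror of A) --------------
spdflush;

spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/unique;

spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/unique;

# No gif interface appears in either file: the source/destination
# selector of the "out" policy is what picks the packets to
# encapsulate. The gateway still needs an ordinary route that covers
# the remote LAN (its default route is enough) so the packet reaches
# the output path where the policy is applied.
```

Each half is loaded on its own gateway with `setkey -f <file>`, and `setkey -DP` lists the installed policies so the in/out pairs can be compared across the two machines.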