FW: iHEADS UP: ipsec packet filtering change

Subscriber subscriber at insignia.com
Thu May 15 14:47:18 PDT 2003


> -----Original Message-----
> From: Greg Panula [mailto:greg.panula at dolaninformation.com]
> Sent: 12 May 2003 11:10
> To: Matthew Braithwaite
> Cc: stable at freebsd.org
> Subject: Re: iHEADS UP: ipsec packet filtering change
> 
> You don't really need the gif tunnels for ipsec.  Gif is more geared
> towards ipv4 <=> ipv6 type tunnels.  A few of ipsec how-to's mention
> using gif tunnels and I've been tripped up by it, too.
> 
> ipsec is much easier without the gif tunnels.  The ipsec policy
> definition is explained in the setkey man page.  Basically for tunnels
> it is:
> spdadd ${remote net} ${local net} any -P in ipsec esp/tunnel/${remote gateway}-${local gateway}/unique;
> and
> spdadd ${local net} ${remote net} any -P out ipsec esp/tunnel/${local gateway}-${remote gateway}/unique;

I have seen this said before. I've also seen it said that gif
is just a way of getting the routing right. But every single
practical example I have seen about how to set up a VPN link
between two LANs using FreeBSD boxes uses gif.

I'm using gif. If I take it out and just use plain setkey and
racoon, what should I substitute to get the packets addressed
to my office network sent through the tunnel?

Jim Hatfield
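The spdadd pattern quoted above, written out as a small script that generates a complete setkey policy file for a net-to-net ESP tunnel (this is an added example, not code from either poster). The networks and gateway addresses are constructed placeholders from the RFC 5737 documentation ranges; the file name and the two function names are assumptions for the example. With tunnel-mode policies like these, the kernel encapsulates any packet whose inner addresses match the SPD entry and sends the resulting ESP packet to the remote gateway, so the only route the inner destination needs is an ordinary one (the default route is enough); racoon negotiates the SAs the policies refer to.

```shell
#!/bin/sh
# Added example: generate setkey SPD entries for a gif-less ESP tunnel between
# two FreeBSD gateways, following the spdadd pattern from the thread.
# Addresses below are constructed placeholders (RFC 5737), not real hosts.

# gen_spd LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW
# Prints the inbound (remote -> local) and outbound (local -> remote) policies.
# The tunnel endpoints are written gateway-to-gateway in the direction of travel.
gen_spd() {
    local_net=$1; remote_net=$2; local_gw=$3; remote_gw=$4
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/unique;\n' \
        "$remote_net" "$local_net" "$remote_gw" "$local_gw"
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/unique;\n' \
        "$local_net" "$remote_net" "$local_gw" "$remote_gw"
}

# write_setkey_conf FILE LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW
# Writes a complete file suitable for "setkey -f FILE": flush old SAs and
# policies first so a reload never leaves stale entries behind.
write_setkey_conf() {
    out=$1; shift
    {
        echo 'flush;'      # remove existing SAs; racoon will negotiate fresh ones
        echo 'spdflush;'   # remove existing policies before adding the new pair
        gen_spd "$@"
    } > "$out"
}

# Example: office LAN 192.0.2.0/24 behind gateway 203.0.113.1,
# remote LAN 198.51.100.0/24 behind gateway 203.0.113.2 (all constructed).
# write_setkey_conf /etc/ipsec.conf 192.0.2.0/24 198.51.100.0/24 203.0.113.1 203.0.113.2
# setkey -f /etc/ipsec.conf
# setkey -DP    # confirm both policies are installed
```

After loading, `setkey -DP` should list exactly one `in` and one `out` policy for the two networks; a packet from the office LAN to the remote LAN that is not encapsulated means the outbound entry did not match (check the network masks and the direction of the gateway pair).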

