FW: iHEADS UP: ipsec packet filtering change

Stacy Millions stacy at millions.ca
Thu May 15 15:35:02 PDT 2003


Subscriber wrote:
>>-----Original Message-----
>>From: Greg Panula [mailto:greg.panula at dolaninformation.com]
>>Sent: 12 May 2003 11:10
>>To: Matthew Braithwaite
>>Cc: stable at freebsd.org
>>Subject: Re: iHEADS UP: ipsec packet filtering change
>>
>>You don't really need the gif tunnels for ipsec.  Gif is more geared
>>towards ipv4 <=> ipv6 type tunnels.  A few of ipsec how-to's mention
>>using gif tunnels and I've been tripped up by it, too.
>>
>>ipsec is much easier without the gif tunnels.  The ipsec policy
>>definition is explained in the setkey man page.  Basically for tunnels
>>it is: spdadd ${remote net} ${local net} any -P in ipsec
>>esp/tunnel/${remote gateway}-${local gateway}/unique; and
>>spdadd ${local net} ${remote net} any -P out ipsec
>>esp/tunnel/${local gateway}-${remote gateway}/unique;
> 
> 
> I have seen this said before. I've also seen it said that gif
> is just a way of getting the routing right. But every single
> practical example I have seen about how to set up a VPN link
> between two Lans using FreeBSD boxes uses gif.
> 
> I'm using gif. If I take it out and just use plain setkey and
> racoon, what should I substitute to get the packets addressed
> to my office network sent through the tunnel?
> 

I have set up IPSec VPN from FreeBSD to:

1) Win2k
2) Linux (FreeS/WAN)
3) Check Point VPN-1 and
4) FreeBSD

Never, in any situation, did I use a GIF tunnel. You don't have to
do anything to get your packets routed through the VPN: if the packet
matches a policy entry in the SPD it is shipped out the VPN, otherwise
it is routed normally.

-stacy
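An added illustration, not from anyone in this thread: it builds the two spdadd lines in the form Greg quotes for a LAN-to-LAN ESP tunnel (no gif interface) and models the per-packet SPD check Stacy describes, where a matching packet is tunnelled and anything else is routed normally. All networks and gateway addresses are constructed (RFC 5737 / private ranges), and `parse_spdadd`/`route_packet` are a teaching model of the kernel's lookup, not setkey's own code.

```python
# Added example: generate setkey SPD entries for an ESP tunnel and model
# how the SPD decides whether a packet goes through the VPN or is routed
# normally. Addresses are constructed; feed the generated text to setkey -f.
import ipaddress

LOCAL_NET = "192.168.1.0/24"   # constructed: LAN behind our gateway
REMOTE_NET = "192.168.2.0/24"  # constructed: LAN behind the office gateway
LOCAL_GW = "203.0.113.1"       # constructed: our public address
REMOTE_GW = "198.51.100.1"     # constructed: office public address


def spd_policies(local_net, remote_net, local_gw, remote_gw):
    """Return the setkey input for a tunnel-mode ESP policy pair.
    'unique' gives each direction its own SA rather than sharing one."""
    return "\n".join([
        f"spdadd {remote_net} {local_net} any -P in ipsec "
        f"esp/tunnel/{remote_gw}-{local_gw}/unique;",
        f"spdadd {local_net} {remote_net} any -P out ipsec "
        f"esp/tunnel/{local_gw}-{remote_gw}/unique;",
    ])


def parse_spdadd(line):
    """Split 'spdadd SRC DST any -P DIR ipsec TEMPLATE;' into its parts."""
    fields = line.rstrip(";").split()
    if fields[0] != "spdadd" or fields[4] != "-P":
        raise ValueError(f"not an spdadd policy: {line!r}")
    src = ipaddress.ip_network(fields[1])
    dst = ipaddress.ip_network(fields[2])
    return src, dst, fields[5], fields[7]


def route_packet(policies_text, src_ip, dst_ip, direction):
    """Model of the SPD lookup done on every packet: the first policy whose
    direction, source and destination match selects the ESP tunnel; with no
    match the packet is forwarded by the ordinary routing table."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for line in policies_text.splitlines():
        p_src, p_dst, p_dir, template = parse_spdadd(line)
        if p_dir == direction and src in p_src and dst in p_dst:
            return f"tunnel via {template}"
    return "routed normally"
```

Only the LAN-to-LAN selectors are covered by the policies, so a host on the local LAN talking to the Internet never touches the tunnel; that is the "no gif needed" behaviour in practice.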
