Re: IPSEC config

From: Michael Proto
Date: 09/13/01

Date: Thu, 13 Sep 2001 15:54:09 -0400 (EDT)
From: Michael Proto
To: Paul Root


Have you used ifconfig to set up the inside points of your gif tunnel?
gifconfig only sets the outside IP addresses of your security gateways.
You still need to use ifconfig to set the point-to-point link on the

for ex:

Gateway A:
public IP:
private net IP:

Gateway B:
public IP:
private net IP:

on Gateway A:
gifconfig gif0
ifconfig gif0 inet netmask

and vice versa on Gateway B.

From the looks of it, you seem to be missing the 'inside IP' configuration
of your gif tunnels.

Good luck,
Michael Proto

On Thu, 13 Sep 2001, Paul Root wrote:

> Hi,
> I'm trying to set up an IPSec tunnel and am having trouble.
> Both machines are 4.4 RC3 (I think, last week). And when I set it up
> for a transport between the two machines it works fine, so racoon
> must be fine.
> I'm following the IPsec mini-HOWTO from January 2001 daemonnews.
> Here's my config on one end:
> #!/bin/sh
> # These commands need to be run on acesfbsd to
> # connect to lorax, in a IPSEC test
> #
> # Setup the tunnel device.
> gifconfig gif0
> #
> # The next 2 lines delete all existing entries
> # from the SPD and SAD
> setkey -FP
> setkey -F
> # Add the policy
> setkey -c <<EOF
> spdadd any -P out ipsec
> esp/tunnel/;
> spdadd any -P in ipsec
> esp/tunnel/;
> EOF
> The man pages on gif and gifconfig are vague to me, but I think I've
> got it, those are the actual addresses of the boxes right? Also, the
> howto had transport instead of tunnel in the spdadd lines but
> the man page suggests tunnel.
> I'm sure I'm doing something horribly wrong.
> Thanks,
> Paul.

Michael Proto                      |
Security Engineer, EarthLink Inc.  | (404)815-0770 x22114
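The split Michael describes, gifconfig for the outer gateway addresses and ifconfig for the inner point-to-point addresses, as an added example that is not part of either poster's script. It emits the commands for both gateways from one function so the "vice versa on Gateway B" swap is explicit; all addresses are constructed placeholders, the `route` line and the `esp/transport//require` policy follow the howto's gif-plus-transport layout rather than the quoted tunnel-mode lines, and `gw_config`, `gw_a` and `gw_b` are names chosen here.

```shell
#!/bin/sh
# Added example (not the posters' scripts): emits the FreeBSD 4.x commands for one
# side of a gif-over-IPsec link. All addresses are constructed placeholders.
# Arguments: local-public remote-public local-inner remote-inner remote-net
gw_config() {
  lpub=$1 rpub=$2 lin=$3 rin=$4 rnet=$5
  cat <<EOF
# outer addresses (the security gateways): these, and only these, go to gifconfig
gifconfig gif0 $lpub $rpub
# inner point-to-point addresses: the ifconfig step the thread says was missing
ifconfig gif0 inet $lin $rin netmask 255.255.255.255
# send the far private network into the tunnel via its inner endpoint
route add -net $rnet $rin
# flush SPD and SAD, then require ESP between the two gateways
# (transport mode, as in the howto: gif already supplies the IP-in-IP encapsulation)
setkey -FP
setkey -F
setkey -c <<SETKEY
spdadd $lpub $rpub any -P out ipsec esp/transport//require;
spdadd $rpub $lpub any -P in ipsec esp/transport//require;
SETKEY
EOF
}

# Gateway B is the mirror image of Gateway A: every local/remote pair is swapped.
gw_a() { gw_config 198.51.100.1 203.0.113.1 10.255.0.1 10.255.0.2 192.168.2.0/24; }
gw_b() { gw_config 203.0.113.1 198.51.100.1 10.255.0.2 10.255.0.1 192.168.1.0/24; }

echo "### Gateway A"; gw_a
echo "### Gateway B"; gw_b
```

Diff the two outputs to check the symmetry: the only lines that differ are the ones whose local/remote roles are swapped, and the ESP policies of the two sides must match each other exactly.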
To Unsubscribe: send mail to
with "unsubscribe freebsd-security" in the body of the message