Re: IPSec VPNs: to gif or not to gif

From: Matthew George (mdg_at_secureworks.net)
Date: 10/22/03

    Date: Wed, 22 Oct 2003 12:14:24 -0400 (EDT)
    To: Jim Hatfield <subscriber@insignia.com>
    
    

    On Wed, 22 Oct 2003, Jim Hatfield wrote:

    > However I remember a lot of discussion about a year ago about
    > whether the gif interface was necessary to set up VPNs like
    > this or whether it was just a convenience, for "getting the
    > routing right". A number of people said that gif was not
    > needed but I've never found a step-by-step description of how
    > to set up a lan-to-lan VPN without using it.
    >
    > Is the Handbook the current received wisdom on how to set this
    > up, and is the use of the gif interface indeed necessary?

    I'm running fine without a gif interface ...

    (replaced IP addresses are the public IP's of the machines)

    spdadd 192.168.128.0/17[any] 192.168.0.0/17[any] any -P in ipsec esp/tunnel/a.b.c.d-w.x.y.z/require;
    spdadd 192.168.0.0/17[any] 192.168.128.0/17[any] any -P out ipsec esp/tunnel/w.x.y.z-a.b.c.d/require;

    (vice versa on the other host's setkey config)

    ... and then just standard remote and sainfo configs in racoon.conf

    >
    > I also remember that the discussions diverted into a problem
    > with ipfw when gif was *not* used, but I haven't found any
    > messages to indicate that it was resolved. I recall suggestions
    > that a new interface esp0 be created so that ipfw could work
    > correctly on both the inner and outer packets of an ESP tunnel.
    >
    > Was that issue ever resolved?
    >
    > jim hatfield
    > _______________________________________________
    > freebsd-security@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-security
    > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    >
    >

    -- 
    Matthew George
    SecureWorks Technical Operations
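An added illustration of the gif-less setup described in the reply above (this is not the thread's own code or Matthew George's configuration): a small POSIX sh helper that emits the tunnel-mode SPD pair for one gateway and checks that the two gateways' policies are exact mirrors of each other, which is the "vice versa on the other host's setkey config" step that is easiest to get backwards. The subnets and the a.b.c.d / w.x.y.z public addresses are the reply's own placeholders; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates the setkey(8) SPD
# entries for a LAN-to-LAN ESP tunnel without a gif interface, in the exact
# form quoted in the reply, and verifies both gateways agree.
# All addresses are constructed placeholders.

# spd_policies LOCAL_NET REMOTE_NET LOCAL_PUB REMOTE_PUB
# Prints the two spdadd lines one gateway needs: traffic from the remote LAN
# to the local LAN is required to arrive in an ESP tunnel from the remote
# public address; traffic the other way must leave in a tunnel to it.
spd_policies() {
    local_net=$1; remote_net=$2; local_pub=$3; remote_pub=$4
    printf 'spdadd %s[any] %s[any] any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$remote_net" "$local_net" "$remote_pub" "$local_pub"
    printf 'spdadd %s[any] %s[any] any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$local_net" "$remote_net" "$local_pub" "$remote_pub"
}

# setkey_conf LOCAL_NET REMOTE_NET LOCAL_PUB REMOTE_PUB
# Prints a complete file for `setkey -f`: drop stale SAs and policies, then
# install the two tunnel policies. The SAs themselves are negotiated by
# racoon from its usual "remote" and "sainfo" sections, as the reply notes.
setkey_conf() {
    printf 'flush;\nspdflush;\n'
    spd_policies "$@"
}

# spd_mirror_ok A_NET B_NET A_PUB B_PUB
# Builds both gateways' policy sets and returns 0 only if each side's "in"
# policy equals the other side's "out" policy with just the direction
# flipped. A mismatch here means one host will silently drop or leak traffic.
spd_mirror_ok() {
    a=$(spd_policies "$1" "$2" "$3" "$4")
    b=$(spd_policies "$2" "$1" "$4" "$3")
    a_in=$(printf '%s\n' "$a" | grep -- '-P in ' | sed 's/-P in /-P out /')
    a_out=$(printf '%s\n' "$a" | grep -- '-P out ')
    b_in=$(printf '%s\n' "$b" | grep -- '-P in ' | sed 's/-P in /-P out /')
    b_out=$(printf '%s\n' "$b" | grep -- '-P out ')
    [ "$a_in" = "$b_out" ] && [ "$b_in" = "$a_out" ]
}

# Demonstration with the reply's placeholder addresses: print gateway A's
# config, then gateway B's, and confirm they mirror each other.
if [ "${1:-}" = "--demo" ]; then
    echo "# gateway w.x.y.z (192.168.0.0/17)"
    setkey_conf 192.168.0.0/17 192.168.128.0/17 w.x.y.z a.b.c.d
    echo "# gateway a.b.c.d (192.168.128.0/17)"
    setkey_conf 192.168.128.0/17 192.168.0.0/17 a.b.c.d w.x.y.z
    spd_mirror_ok 192.168.0.0/17 192.168.128.0/17 w.x.y.z a.b.c.d \
        && echo "# policies mirror correctly"
fi
```

Load the generated file on each gateway with `setkey -f`, and compare what actually got installed with `setkey -DP` on both sides before starting racoon; the "in" line on one host should read the same as the "out" line on the other apart from the direction keyword.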