Date:      Tue, 22 Jun 2010 15:12:15 -0400
From:      "Eric W. Bates" <ericx@ericx.net>
To:        freebsd-net@freebsd.org
Subject:   Re: vpn trouble
Message-ID:  <4C210B0F.6060203@ericx.net>
In-Reply-To: <20100622182242.GU2620@verio.net>
References:  <87260c422232fa7409a4b374341dd106@ewipo.pl>	<20100622143543.GA72020@zeninc.net>	<c5781e9db1e6339b5b23c0c403c68d9a@ewipo.pl>	<20100622153541.GA72211@zeninc.net>	<6caa9895ae1710b9f48a227116a4340c@ewipo.pl>	<20100622190819.270aaa74@gda-arsenic>	<4f378cfb416582c3081377ba714e508a@ewipo.pl>	<20100622201130.5824d585@gda-arsenic> <20100622182242.GU2620@verio.net>

On 6/22/2010 2:22 PM, David DeSimone wrote:
> Maciej Suszko<maciej@suszko.eu>  wrote:
>>
>>> So as you write they should set: ??
>>> 10.20.0.1 (my ip on gif device)<->  78.x<->  95.x<->  10.10.1.90
>>> (other side)
>>
>> Yes, indeed.
>>
>>> And additionally I think I should correct the spd policy to:
>>>
>>> spdadd 10.20.0.1 10.10.1.90 any -P out ipsec
>>> esp/tunnel/78.x.x.x-95.x.x.x/require;
>>> spdadd 10.10.1.90 10.20.0.1 any -P in ipsec
>>> esp/tunnel/95.x.x.x-78.x.x.x/require;
>>>
>>> Am I wrong?
>>
>> No, you're right :)
>>
>> You can set up the tunnel first - check whether both 10. are accessible
>> from both sides, then you "cover" communication between them with IPSEC.
>
> Will this sort of GIF tunnel interoperate with Cisco and/or Checkpoint
> VPN equipment?  In our tests we were able to use pure IPSEC tunnel
> encapsulation to interoperate with these sorts of devices, so we never
> found a need for GIF encapsulation.
>

I managed to do an IP in IP tunnel with IPsec encryption between a 
FreeBSD and a Cisco router running 12.1(mumble) several years ago.

It is a desirable option if you want to use routing (e.g. ospf). You 
can't route an IPSec tunnel (actually, is this now possible with enc0 
interfaces?) but you can route to the gif interfaces.

http://rfc-ref.org/RFC-TEXTS/3884/
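The corrected SPD quoted above, as an added consistency check that is not part of the original thread: it parses setkey(8) spdadd entries and verifies that the 'in' policy is the mirror of the 'out' policy and that the tunnel endpoints are the gif(4) outer addresses (a mis-pasted 'in' line is the usual way such a pair goes wrong). The outer addresses 198.51.100.1 and 203.0.113.1 are constructed stand-ins for the masked 78.x and 95.x addresses in the thread.

```python
import re

# One spdadd entry: "spdadd SRC DST PROTO -P DIR ipsec esp/tunnel/TSRC-TDST/LEVEL;"
SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
                    r"esp/tunnel/(\S+)-(\S+)/(\S+)\s*;")

def parse_spd(text):
    # setkey entries are often wrapped onto two lines, so flatten whitespace first.
    flat = " ".join(text.split())
    keys = ("src", "dst", "proto", "dir", "tsrc", "tdst", "level")
    return [dict(zip(keys, m.groups())) for m in SPD_RE.finditer(flat)]

def check_gif_ipsec(local_outer, remote_outer, local_inner, remote_inner, spd_text):
    """Return a list of problems; an empty list means the SPD matches the gif tunnel."""
    by_dir = {p["dir"]: p for p in parse_spd(spd_text)}
    if set(by_dir) != {"in", "out"}:
        return ["expected an 'in' and an 'out' policy"]
    o, i = by_dir["out"], by_dir["in"]
    problems = []
    # Inner selectors: 'out' is local->remote, 'in' must be its mirror image.
    if (o["src"], o["dst"]) != (local_inner, remote_inner):
        problems.append("out selector %s->%s does not match the gif inner addresses" % (o["src"], o["dst"]))
    if (i["src"], i["dst"]) != (remote_inner, local_inner):
        problems.append("in selector %s->%s is not the mirror of the out policy" % (i["src"], i["dst"]))
    # Tunnel endpoints are the gif outer addresses, swapped for the 'in' policy.
    if (o["tsrc"], o["tdst"]) != (local_outer, remote_outer):
        problems.append("out tunnel endpoints %s-%s do not match the gif outer addresses" % (o["tsrc"], o["tdst"]))
    if (i["tsrc"], i["tdst"]) != (remote_outer, local_outer):
        problems.append("in tunnel endpoints %s-%s are not swapped" % (i["tsrc"], i["tdst"]))
    for p in (o, i):
        if p["level"] != "require":  # 'use' lets cleartext through while no SA exists
            problems.append("%s policy level is '%s', not 'require'" % (p["dir"], p["level"]))
    return problems

# Constructed sample matching the corrected policy in the thread; the outer
# addresses are documentation-range stand-ins for the masked 78.x / 95.x ones.
LOCAL_OUTER, REMOTE_OUTER = "198.51.100.1", "203.0.113.1"
LOCAL_INNER, REMOTE_INNER = "10.20.0.1", "10.10.1.90"
GOOD_SPD = """
spdadd 10.20.0.1 10.10.1.90 any -P out ipsec
esp/tunnel/198.51.100.1-203.0.113.1/require;
spdadd 10.10.1.90 10.20.0.1 any -P in ipsec
esp/tunnel/203.0.113.1-198.51.100.1/require;
"""
# Same policy with the 'in' tunnel endpoints pasted without swapping them.
BAD_SPD = GOOD_SPD.replace("203.0.113.1-198.51.100.1", "198.51.100.1-203.0.113.1")

if __name__ == "__main__":
    for name, spd in (("good", GOOD_SPD), ("bad", BAD_SPD)):
        print(name, check_gif_ipsec(LOCAL_OUTER, REMOTE_OUTER, LOCAL_INNER, REMOTE_INNER, spd) or "OK")
```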
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4C210B0F.6060203>