Date: Wed, 28 Dec 2005 19:07:21 +0000
From: Brian Candler <B.Candler@pobox.com>
To: Eric Masson <e-masson@kisoft-services.com>
Cc: freebsd-net@freebsd.org
Subject: Re: IPSEC documentation
Message-ID: <20051228190721.GB7695@uk.tiscali.com>
In-Reply-To: <86d5jhp590.fsf@srvbsdnanssv.interne.kisoft-services.com>
References: <20051228143817.GA6898@uk.tiscali.com> <86lky5p7ik.fsf@srvbsdnanssv.interne.kisoft-services.com> <20051228155545.GA7166@uk.tiscali.com> <86d5jhp590.fsf@srvbsdnanssv.interne.kisoft-services.com>

On Wed, Dec 28, 2005 at 05:15:39PM +0100, Eric Masson wrote:
> Brian Candler <B.Candler@pobox.com> writes:
>
> > OK, I'll buy gif + IPSEC transport mode as an option. [Although in that
> > case, perhaps what you want is an external IPSEC tunnel mode implementation
> > which attaches to a 'tun' device. That's yet another category which I hadn't
> > even considered]
>
> Any url describing this setup please ?

I don't know definitively.

security/vpnc works fine for me as a client for talking to a Cisco VPN
concentrator. I think that's IPSEC tunnel mode + PSK + XAUTH (which can also
assign an IP address and insert routes into your forwarding table).

There's net/pipsecd in ports. Its version is 19991014. I have no idea if it
still works.

I know of non-IPSEC solutions using tun (OpenVPN, TINC). I also know of
userland IPSEC solutions which I don't think run under FreeBSD (FreeS/WAN,
OpenS/WAN).

All a bit of a nightmare really. Documentation would be good :-)

> > I still think that gif + IPSEC tunnel mode (as currently documented) is not
> > a good approach, especially if it's the *only* mode of operation to be
> > documented and hence implicitly recommended as the 'right' way to do it.
>
> Well, ipsec section of the handbook is probably not the best one, I'd
> like to see it extended with the sections you talked about in this
> thread. Maybe it's time to submit patches...

Sure. I first just wanted to check that there wasn't something I was
missing.

Regards,

Brian.