Date:      Fri, 2 Aug 2002 10:27:29 -0700
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        Eric Masson <e-masson@kisoft-services.com>
Cc:        Matthew Grooms <mgrooms@seton.org>, dlavigne6@cogeco.ca, Mailing List FreeBSD Security <freebsd-security@FreeBSD.ORG>
Subject:   Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...]
Message-ID:  <20020802172729.GA6880@blossom.cjclark.org>
In-Reply-To: <86k7n9qv08.fsf@notbsdems.nantes.kisoft-services.com>
References:  <sd455602.090@aus-gwia.aus.dcnhs.org> <20020730074813.GF89241@blossom.cjclark.org> <86znw5r9h3.fsf_-_@notbsdems.nantes.kisoft-services.com> <86k7n9qv08.fsf@notbsdems.nantes.kisoft-services.com>

On Fri, Aug 02, 2002 at 02:56:39PM +0200, Eric Masson wrote:
> >>>>> "Emss" == Eric Masson <e-masson@kisoft-services.com> writes:
> >>>>> "Crist" == Crist J Clark <crist.clark@attbi.com> writes:
> 
> Follow-up to myself and -security re-added.
> 
>  Crist> I've never figured out why people use gif(4) interfaces when ESP
>  Crist> does the tunneling for you.
> 
>  Emss> Maybe because I've never succeeded establishing an esp tunnel
>  Emss> between two lans without gif(4).
> 
> I've tried without gif tunnel (erroneous rc.conf modification) and it
> works, maybe murphy's law had prevented this before ;)
> 
> There's one question still remaining:
> - if there are more than one esp tunnel configured, how is traffic
>   routed?
> 
> Example:
> - One esp tunnel from 192.168.0.1 to 10.93.0.1
> - One esp tunnel from 192.168.0.1 to 10.44.0.1
> 
> With only one tunnel configured, netstat -rn on the security gateway
> doesn't show any routes to the remote networks nor host.
> 
> With a second tunnel added, are there any additional configuration
> steps or will the kernel do the routing automagically?

It's pretty much automagically done by way of the SPD entry. Any
packet that matches the source and destination in the SPD gets put
through the appropriate tunnel with the specified end points. It's not
the same as the regular routing table and will not show up in 'netstat
-rn.'
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
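The SPD behaviour described in the reply, written out as a setkey(8) policy file for the two tunnels in the quoted example. This is an added illustration, not configuration posted in the thread; the LAN prefixes 192.168.0.0/24, 10.93.0.0/24 and 10.44.0.0/24 behind the three gateways are assumed, and the ESP SAs are assumed to be negotiated by racoon rather than keyed by hand.

```conf
# Added example: policy file for the security gateway 192.168.0.1,
# loaded with "setkey -f <file>". Not taken from the thread.
# ASSUMED topology: LAN 192.168.0.0/24 behind 192.168.0.1,
#                   LAN 10.93.0.0/24   behind 10.93.0.1,
#                   LAN 10.44.0.0/24   behind 10.44.0.1.
# The ESP SAs (SPIs, keys) are expected from racoon, so no "add" lines here.

spdflush;

# Tunnel 1: our LAN <-> the LAN behind 10.93.0.1.
# The selector (src, dst, upper-layer protocol) is what chooses the tunnel;
# the tunnel end points live in the policy, not in the routing table.
spdadd 192.168.0.0/24 10.93.0.0/24 any -P out ipsec esp/tunnel/192.168.0.1-10.93.0.1/require;
spdadd 10.93.0.0/24 192.168.0.0/24 any -P in  ipsec esp/tunnel/10.93.0.1-192.168.0.1/require;

# Tunnel 2: same local LAN, different remote LAN and end point.
# A packet for 10.44.0.7 matches only this selector, so it is encapsulated
# toward 10.44.0.1 even though "netstat -rn" shows no route for 10.44.0.0/24;
# ordinary routing is applied to the outer (192.168.0.1 -> 10.44.0.1) header.
spdadd 192.168.0.0/24 10.44.0.0/24 any -P out ipsec esp/tunnel/192.168.0.1-10.44.0.1/require;
spdadd 10.44.0.0/24 192.168.0.0/24 any -P in  ipsec esp/tunnel/10.44.0.1-192.168.0.1/require;
```

The loaded policies are visible with `setkey -DP`, which is where tunnel selection shows up instead of `netstat -rn`. Traffic matched by no selector leaves in the clear, so the `require` level and the matching `in` policies are what keep a second tunnel from silently falling back to plaintext.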
