The IPSEC documentation at
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html is
pretty weird. It suggests that you encapsulate your packets in IP-IP (gif)
encapsulation and THEN encapsulate that again using IPSEC tunnel mode.
e.g. notice where it shows
spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec
esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec
esp/tunnel/A.B.C.D-W.X.Y.Z/require;
...
ipfw add 1 allow esp from A.B.C.D to W.X.Y.Z
ipfw add 1 allow esp from W.X.Y.Z to A.B.C.D
ipfw add 1 allow ipencap from A.B.C.D to W.X.Y.Z
ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D
('ipencap' is IP protocol 4, aka RFC 2003 encapsulation). The diagram
beneath makes this double-tunnelling explicit.
This is a really strange approach which is almost guaranteed not to
interoperate with other IPSEC gateways. (It might be useful if you were
using etherip encapsulation and attempting to bridge two remote networks,
but that's not what it's doing either. In any case, if you're encapsulating
with a different protocol then you only need IPSEC transport mode, not
tunnel mode)
ISTM that this chapter should be rewritten to use IPSEC tunnel mode solely.
Do people here generally agree? If so I'll try to find the time to modify
it.
Regards,
Brian.
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
