>> * Most users seem to use gif devices to set up the tunnels instead of IPsec
>> tunnels. Why?
>gif is the name of the device used to implement tunneling.
>> What ports/protocols do I need to allow through a firewall to allow gif and
>> IPsec to work?
>gif isn't a protocol; it's an interface name. Check /etc/protocols
>for the protocol numbers of the AH and ESP protocols, which IPsec uses
>depending on which mode you run it in.
summary: if you would like to interoperate with other devices,
use IPsec tunnel mode policy, not gif.
IPsec tunnel is specified in RFC2401. gif works as specified in
RFC1993.
if you configure an IPsec tunnel by using IPsec policy (like "spdadd
foo baa tunnel"), the encapsulation will strictly conform to RFC2401.
you can create a similar packet by using IPsec transport mode against a
gif-encapsulated packet; however, it does not look exactly the same.
if the other end is picky about packet format, it may drop the packet
because it does not conform to RFC2401.
itojun
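The two configurations the reply contrasts, written out as an added example that is not part of the original thread: a gateway A protecting 10.0.1.0/24 talks to gateway B protecting 10.0.2.0/24, first with an RFC2401 tunnel-mode policy ("spdadd ... tunnel"), then with a gif interface plus a transport-mode policy on the IP-in-IP traffic, followed by the ipfw rules the firewall question asks about. All addresses, SPIs, key material and the gif0/route commands are made-up placeholders (manual keying is used only to keep the example self-contained; a real deployment would use IKE). Nothing here is applied to the running system; the functions only print setkey(8)/ipfw(8) input.

```shell
#!/bin/sh
# Added example, not code from the freebsd-net thread. Assumed topology:
#   gateway A 192.0.2.1   (behind it 10.0.1.0/24)
#   gateway B 198.51.100.1 (behind it 10.0.2.0/24)
# Everything below is a placeholder; generate real keys with a CSPRNG.

GW_A=192.0.2.1;    NET_A=10.0.1.0/24
GW_B=198.51.100.1; NET_B=10.0.2.0/24
SPI_AB=0x1001;     SPI_BA=0x1002
EKEY=0x000102030405060708090a0b0c0d0e0f          # demo 128-bit key, do not reuse
AKEY=0x000102030405060708090a0b0c0d0e0f10111213  # demo 160-bit HMAC-SHA1 key

# 1. RFC2401 tunnel-mode policy on gateway A. IPsec itself builds the outer
#    IP header; no gif interface is involved. This is the interoperable form.
ipsec_tunnel_conf() {
    cat <<EOF
flush;
spdflush;
add $GW_A $GW_B esp $SPI_AB -m tunnel -E rijndael-cbc $EKEY -A hmac-sha1 $AKEY;
add $GW_B $GW_A esp $SPI_BA -m tunnel -E rijndael-cbc $EKEY -A hmac-sha1 $AKEY;
spdadd $NET_A $NET_B any -P out ipsec esp/tunnel/$GW_A-$GW_B/require;
spdadd $NET_B $NET_A any -P in  ipsec esp/tunnel/$GW_B-$GW_A/require;
EOF
}

# 2. gif + transport-mode policy on gateway A. gif0 does the IP-in-IP
#    encapsulation (outer header written by gif, not by IPsec), and the
#    policy then protects protocol 4 (ip4) traffic between the endpoints.
gif_transport_conf() {
    cat <<EOF
flush;
spdflush;
add $GW_A $GW_B esp $SPI_AB -m transport -E rijndael-cbc $EKEY -A hmac-sha1 $AKEY;
add $GW_B $GW_A esp $SPI_BA -m transport -E rijndael-cbc $EKEY -A hmac-sha1 $AKEY;
spdadd $GW_A $GW_B ip4 -P out ipsec esp/transport//require;
spdadd $GW_B $GW_A ip4 -P in  ipsec esp/transport//require;
EOF
}

# Interface side of variant 2 (printed, not executed; assumed addresses).
gif_setup_cmds() {
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $GW_A $GW_B
ifconfig gif0 inet 10.0.1.1 10.0.2.1 netmask 255.255.255.255
route add -net $NET_B 10.0.2.1
EOF
}

# 3. What the gateway firewall must pass for either variant: ESP is IP
#    protocol 50 and AH is 51 (names from /etc/protocols). gif traffic
#    needs no separate rule once it is carried inside ESP.
ipfw_rules() {
    cat <<EOF
ipfw add allow esp from $GW_B to $GW_A
ipfw add allow esp from $GW_A to $GW_B
ipfw add allow ah from $GW_B to $GW_A
ipfw add allow ah from $GW_A to $GW_B
EOF
}

# Print the recommended (tunnel-mode) configuration; on gateway A it would be
# loaded with `setkey -f`, and B gets the mirror image with in/out swapped.
ipsec_tunnel_conf
```

Swapping `-P out`/`-P in` and the address order yields gateway B's copy. Note that in the gif variant the selector is the tunnel endpoints and protocol ip4, not the inner networks, which is exactly why the resulting packets are shaped by gif rather than by the RFC2401 tunnel-mode rules.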