>>>>> "Lars" == Lars Eggert <[EMAIL PROTECTED]> writes:
Lars> Alternatively (and already working), you can replace IPsec tunnel
Lars> mode with IPIP (gif) tunnels and transport mode, and then use the
Lars> gif device in your firewall rules.
If transport mode can be used to connect to a pix, it's a solution to
consider, but atm, I've found no reference to such a setup on the pix.
I've tried gif tunnels with ipsec tunnel mode and didn't get
reproduceable results, this setup worked once with the following gif
setup :
#!/bin/sh
if ! PREFIX=$(expr $0 : "\(/.*\)/etc/rc\.d/${0##*/}\$"); then
echo "$0: Cannot determine the PREFIX" >&2
exit 1
fi
case "$1" in
start)
# Setup Chantilly
local_extern=XXX.XXX.XXX.XXX
remote_extern=XXX.XXX.XXX.XXX
local_intern=192.168.1.0
remote_intern=192.168.0.0
local_mask=255.255.255.0
remote_mask=255.255.255.0
ifconfig gif0 create
ifconfig gif0 tunnel $local_extern $remote_extern
ifconfig gif0 inet $local_intern netmask $local_mask $remote_intern netmask
$remote_mask
echo -n ' tunnel'
;;
stop)
ifconfig gif0 destroy
echo -n ' tunnel'
;;
*)
echo "Usage: `basename $0` {start|stop}" >&2
exit 64
;;
esac
exit 0
Next time, after a reboot (kernel switch) no packets were flowing thru
the gif tunnel.
I gave up and switched back to plain ipsec tunnel without gifs, hence
the original question.
Eric Masson
--
PR> tu es en avance d'un an pour le nouveau millénaire
il me semble que (2000) est bien le nouveau millenaire justement
par contre on change de siecle l'annee prochaine en 2001
-+- kiboot in http://www.le-gnu.net : Émile énerve pour l'an d'Émile.
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
