>>>>> "Lars" == Lars Eggert <[EMAIL PROTECTED]> writes:

 Lars> Alternatively (and already working), you can replace IPsec tunnel
 Lars> mode with IPIP (gif) tunnels and transport mode, and then use the
 Lars> gif device in your firewall rules.

If transport mode can be used to connect to a pix, it's a solution to
consider, but atm, I've found no reference to such a setup on the pix.

I've tried gif tunnels with ipsec tunnel mode and didn't get
reproducible results; this setup worked once with the following gif
setup:

#!/bin/sh

if ! PREFIX=$(expr $0 : "\(/.*\)/etc/rc\.d/${0##*/}\$"); then
    echo "$0: Cannot determine the PREFIX" >&2
    exit 1
fi

case "$1" in
start)
        # Setup Chantilly
        local_extern=XXX.XXX.XXX.XXX
        remote_extern=XXX.XXX.XXX.XXX
        local_intern=192.168.1.0
        remote_intern=192.168.0.0
        local_mask=255.255.255.0
        remote_mask=255.255.255.0

        ifconfig gif0 create
        ifconfig gif0 tunnel $local_extern $remote_extern
        ifconfig gif0 inet $local_intern netmask $local_mask $remote_intern netmask $remote_mask

        echo -n ' tunnel'
        ;;
stop)
        ifconfig gif0 destroy
        echo -n ' tunnel'
        ;;
*)
        echo "Usage: `basename $0` {start|stop}" >&2
        exit 64
        ;;
esac

exit 0

Next time, after a reboot (kernel switch), no packets were flowing through
the gif tunnel.

I gave up and switched back to plain ipsec tunnel without gifs, hence
the original question.

Eric Masson

-- 
 PR> you're a year early for the new millennium
 it seems to me that (2000) is in fact the new millennium
 but we do change centuries next year, in 2001
 -+- kiboot in http://www.le-gnu.net : Émile gets worked up about the year two thousand (a pun: "l'an d'Émile" sounds like "l'an deux mille").
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
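The layout Lars suggests (IPIP via gif, ESP in transport mode between the outer addresses, inner traffic filtered on the gif device) as a worked example. This is an added script, not Eric's rc.d script or anything from the FreeBSD project; the outer addresses are constructed placeholders, the inner networks are the 192.168.1.0/24 and 192.168.0.0/24 from the thread, and it prints the ifconfig/route/setkey/ipfw commands in its default dry-run mode so the result can be inspected before running it as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original mail): gif IPIP tunnel + IPsec transport
# mode + ipfw rules on the gif device. Outer addresses below are constructed.

LOCAL_EXTERN=${LOCAL_EXTERN:-198.51.100.1}  # our public endpoint (constructed)
REMOTE_EXTERN=${REMOTE_EXTERN:-203.0.113.1} # peer's public endpoint (constructed)
LOCAL_INNER=192.168.1.1      # our end of the point-to-point gif link
REMOTE_INNER=192.168.0.1     # peer's end of the gif link
LOCAL_NET=192.168.1.0/24     # network behind us (from the thread)
REMOTE_NET=192.168.0.0/24    # network behind the peer (from the thread)
GIF=gif0
DRY_RUN=${DRY_RUN:-1}        # 1 = print the commands, 0 = execute them (root)

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a dotted quad with four octets in 0..255.
valid_ipv4() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Bring the IPIP tunnel up: outer endpoints, inner point-to-point addresses
# with a single host netmask, and a route for the remote network through it.
gif_up() {
    for a in "$LOCAL_EXTERN" "$REMOTE_EXTERN" "$LOCAL_INNER" "$REMOTE_INNER"; do
        valid_ipv4 "$a" || { echo "invalid address: $a" >&2; return 1; }
    done
    run ifconfig "$GIF" create
    run ifconfig "$GIF" tunnel "$LOCAL_EXTERN" "$REMOTE_EXTERN"
    run ifconfig "$GIF" inet "$LOCAL_INNER" "$REMOTE_INNER" netmask 255.255.255.255
    run route add -net "$REMOTE_NET" "$REMOTE_INNER"
}

gif_down() {
    run route delete -net "$REMOTE_NET"
    run ifconfig "$GIF" destroy
}

# setkey(8) policy: protect only the IP-in-IP packets (upperspec ip4) between
# the two outer addresses with ESP in transport mode. The SAs themselves come
# from IKE (racoon) or a manual "add"; nothing is flushed here.
spd_config() {
    cat <<EOF
spdadd $LOCAL_EXTERN $REMOTE_EXTERN ip4 -P out ipsec esp/transport//require;
spdadd $REMOTE_EXTERN $LOCAL_EXTERN ip4 -P in ipsec esp/transport//require;
EOF
}

# ipfw rules: ESP, IKE and the IPIP carrier between the outer addresses, then
# the inner networks filtered on the gif device, which is the point of this
# layout (with plain tunnel mode there is no interface to match on).
fw_rules() {
    n=1000
    for pair in "$REMOTE_EXTERN $LOCAL_EXTERN" "$LOCAL_EXTERN $REMOTE_EXTERN"; do
        set -- $pair
        run ipfw add $n allow esp from "$1" to "$2";          n=$((n + 10))
        run ipfw add $n allow udp from "$1" 500 to "$2" 500;  n=$((n + 10))
        run ipfw add $n allow ipencap from "$1" to "$2";      n=$((n + 10))
    done
    run ipfw add $n allow ip from "$REMOTE_NET" to "$LOCAL_NET" via "$GIF"; n=$((n + 10))
    run ipfw add $n allow ip from "$LOCAL_NET" to "$REMOTE_NET" via "$GIF"
}

case "${1:-}" in
    start) gif_up && fw_rules ;;
    stop)  gif_down ;;
    spd)   spd_config ;;       # pipe into "setkey -c" or save as ipsec.conf
    '')    ;;                  # no argument: only define the functions
    *)     echo "Usage: $0 {start|stop|spd}" >&2; exit 64 ;;
esac
```

Run it as `./gif_transport.sh start` to see the commands, `./gif_transport.sh spd | setkey -c` to load the policy, and `DRY_RUN=0 ./gif_transport.sh start` to apply the interface and firewall commands. The inner addresses are host addresses on a point-to-point link, so only one netmask keyword is needed; the remote network is reached through a route rather than by giving gif0 a network address.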