Brian Candler (B.Candler) writes:
> The IPSEC documentation at
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html is
> pretty weird. It suggests that you encapsulate your packets in IP-IP (gif)
> encapsulation and THEN encapsulate that again using IPSEC tunnel mode.

> This is a really strange approach which is almost guaranteed not to
> interoperate with other IPSEC gateways.

        It's probably for FreeBSD <-> FreeBSD setups, where it might make sense
        to have an interface endpoint, rather than the "transparent" IPsec
        approach -- otherwise it's not possible to route via the remote
        endpoint, or apply filters at interface level before leaving the
        gateway.

> with a different protocol then you only need IPSEC transport mode, not
> tunnel mode)

        Yes, here using tunnel mode is indeed odd; it would make more sense
        to use IPIP or just GRE in transport mode.

> ISTM that this chapter should be rewritten to use IPSEC tunnel mode solely.
> Do people here generally agree? If so I'll try to find the time to modify
> it.

        Or present both setups.  If you do it, I'll contribute and review.

        Phil
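The two designs discussed above, written out as setkey(8) security policies, as an added example that is not part of the thread or of the FreeBSD handbook: design 1 is a gif(4) IP-IP tunnel whose encapsulated packets (protocol 4, named "ipencap" in /etc/protocols) are protected by ESP in transport mode between the gateway addresses, so nothing is tunnelled twice; design 2 is plain ESP tunnel mode with the private networks as selectors, which is what a third-party IPsec gateway expects. All addresses (192.0.2.1, 198.51.100.1, 10.0.1.0/24, 10.0.2.0/24 and the gif0 endpoint addresses) are constructed for the example, the script only prints the commands and policies rather than running setkey or ifconfig, and the SAs themselves are assumed to come from IKE (racoon) and are not shown.

```shell
#!/bin/sh
# Added example (not from the thread): print the setkey(8) SPD policies for
# the two designs under discussion. Addresses are constructed; nothing here
# invokes setkey or ifconfig, so it can be read and run on any host.

LEFT_GW=192.0.2.1      # constructed: public address of gateway A
RIGHT_GW=198.51.100.1  # constructed: public address of gateway B
LEFT_NET=10.0.1.0/24   # constructed: private network behind A
RIGHT_NET=10.0.2.0/24  # constructed: private network behind B

# Design 1: the gif(4) IP-IP tunnel carries the private traffic and IPsec in
# transport mode protects only the encapsulated packets (upper protocol
# "ipencap" = IP protocol 4) exchanged between the two gateway addresses.
# This is the single-encapsulation alternative to gif + tunnel mode.
gif_transport_policy() {
    printf 'spdadd %s %s ipencap -P out ipsec esp/transport//require;\n' "$LEFT_GW" "$RIGHT_GW"
    printf 'spdadd %s %s ipencap -P in ipsec esp/transport//require;\n' "$RIGHT_GW" "$LEFT_GW"
}

# The gif interface that design 1 pairs with. Having an interface means
# routes can point at it and ipfw/ipf rules can match on gif0.
gif_ifconfig_commands() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$LEFT_GW" "$RIGHT_GW"
    # constructed tunnel endpoint addresses on the private side
    printf 'ifconfig gif0 inet 10.0.1.1 10.0.2.1 netmask 255.255.255.255\n'
}

# Design 2: IPsec tunnel mode alone. The selectors are the private networks;
# ESP adds the outer IP header between the gateways itself, so no gif is
# needed and the policy matches what other vendors' gateways negotiate.
pure_tunnel_policy() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$LEFT_NET" "$RIGHT_NET" "$LEFT_GW" "$RIGHT_GW"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$RIGHT_NET" "$LEFT_NET" "$RIGHT_GW" "$LEFT_GW"
}

# Usage: sh this_script.sh gif      -> gif setup plus transport-mode policies
#        sh this_script.sh tunnel   -> tunnel-mode policies only
case "${1:-}" in
    gif)    gif_ifconfig_commands; gif_transport_policy ;;
    tunnel) pure_tunnel_policy ;;
esac
```

The printed lines are meant to be reviewed and then fed to setkey -c on each gateway (with the directions swapped on the far side); with design 1 the "ipencap" selector is what keeps the SPD from matching anything other than the gif traffic, so an accidental gap in the policy would leave the private networks' packets unencrypted only if the gif itself were bypassed.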

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"