> The IPSEC documentation at
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html is
> pretty weird. It suggests that you encapsulate your packets in IP-IP (gif)
> encapsulation and THEN encapsulate that again using IPSEC tunnel mode.
>
> This is a really strange approach which is almost guaranteed not to
> interoperate with other IPSEC gateways. (It might be useful if you were
> using etherip encapsulation and attempting to bridge two remote networks,
> but that's not what it's doing either. In any case, if you're encapsulating
> with a different protocol then you only need IPSEC transport mode, not
> tunnel mode)
While correct, note the scenario which the configuration is describing: 14.10.3 The Scenario: Two networks, connected to the Internet, to behave as one.

This is something I do all the time to connect retail outlets to the server at the head office. This double-encapsulation ensures that nobody can sniff my packets, which contain sensitive information such as credit card data (which is already encrypted via HTTPS, but you can't be too safe!)

> ISTM that this chapter should be rewritten to use IPSEC tunnel mode solely.
> Do people here generally agree? If so I'll try to find the time to modify
> it.

This perhaps would be a good _addition_ to the existing documentation -- it's likely a configuration that many would want to set up, especially to inter-operate with corporate networks (using commercial IPSec solutions) -- or for those who don't need the double-encapsulation.

--
Matt Emmerton
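To make the three layouts being discussed concrete, here is an added setkey(8) security-policy example; it is not taken from the handbook or from either poster. The gateway and network addresses are constructed documentation-range values (gateway A 192.0.2.1 in front of 10.0.0.0/24, gateway B 198.51.100.1 in front of 10.1.0.0/24), the policies are written from A's side, and only one of the three blocks would be loaded at a time. The SAs themselves (keys, negotiated by racoon or added manually) are not shown.

```conf
# Added illustration, not from the handbook or this thread. Addresses are
# constructed: A = 192.0.2.1 (10.0.0.0/24), B = 198.51.100.1 (10.1.0.0/24).

# (1) What the quoted handbook chapter does: a gif(4) IP-IP tunnel between
# the gateways, and then the gif packets (upper-layer protocol "ipencap")
# are wrapped again in ESP *tunnel* mode. On the wire this gives three IP
# headers: IP(A->B) ESP IP(A->B) IP(10.0.0.x->10.1.0.y) payload.
spdadd 192.0.2.1/32 198.51.100.1/32 ipencap -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 198.51.100.1/32 192.0.2.1/32 ipencap -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;

# (2) ESP tunnel mode alone, the layout Brian proposes: no gif interface at
# all. The policy selects the private networks directly and tunnel mode adds
# the single outer header: IP(A->B) ESP IP(10.0.0.x->10.1.0.y) payload.
# This is the standard tunnel-mode shape other IPsec gateways expect.
spdadd 10.0.0.0/24 10.1.0.0/24 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
spdadd 10.1.0.0/24 10.0.0.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;

# (3) Keep the gif tunnel but protect it with ESP *transport* mode only
# (gif already supplies the outer header). On the wire this is the same
# two-header shape as (2): IP(A->B) ESP IP(10.0.0.x->10.1.0.y) payload.
spdadd 192.0.2.1/32 198.51.100.1/32 ipencap -P out ipsec esp/transport//require;
spdadd 198.51.100.1/32 192.0.2.1/32 ipencap -P in  ipsec esp/transport//require;
```

In all three layouts the inner packet, including the addresses of the private hosts, travels inside ESP and is encrypted; the extra IP header in (1) only adds per-packet overhead and a second layer of encapsulation to get right on the peer. After loading a policy file with `setkey -f`, `setkey -DP` lists the SPD actually in effect, which is the quickest way to confirm which of the three variants a gateway is really running, and a packet capture on the outside interface should show only ESP between the gateway addresses for the protected traffic.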