On 6/22/2010 2:22 PM, David DeSimone wrote:
Maciej Suszko<mac...@suszko.eu> wrote:
So, as you write, they should be set like this?
10.20.0.1 (my ip on gif device)<-> 78.x<-> 95.x<-> 10.10.1.90
(other side)
Yes, indeed.
And additionally I think I should correctly set the SPD policy to:
spdadd 10.20.0.1 10.10.1.90 any -P out ipsec
esp/tunnel/78.x.x.x-95.x.x.x/require;
spdadd 10.10.1.90 10.20.0.1 any -P in ipsec
esp/tunnel/95.x.x.x-78.x.x.x/require;
Am I wrong?
No, you're right :)
You can set up the tunnel first - check whether both 10. addresses are accessible
from both sides, then you "cover" communication between them with IPsec.
Will this sort of GIF tunnel interoperate with Cisco and/or Checkpoint
VPN equipment? In our tests we were able to use pure IPSEC tunnel
encapsulation to interoperate with these sorts of devices, so we never
found a need for GIF encapsulation.
I managed to do an IP in IP tunnel with IPsec encryption between a
FreeBSD and a cisco router running 12.1(mumble) several years ago.
It is a desirable option if you want to use routing (e.g. OSPF). You
can't route an IPsec tunnel (actually, is this now possible with enc0
interfaces?), but you can route to the gif interfaces.
http://rfc-ref.org/RFC-TEXTS/3884/
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
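The setup the thread converges on (bring up the gif tunnel between the outer addresses, confirm the inner addresses reach each other in the clear, then load ESP tunnel-mode policies between the inner addresses), written out as an added example. This is not code posted in the thread; it assumes gif0 is free, the function names are ours, and 78.0.0.1 / 95.0.0.1 stand in for the thread's redacted 78.x.x.x / 95.x.x.x.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the gif(4) and setkey(8)
# steps for the setup discussed above and apply them in the order the thread
# recommends (plain gif first, IPsec on top).
# Assumptions: gif0 is unused, the function names are ours, and
# 78.0.0.1 / 95.0.0.1 stand in for the thread's 78.x.x.x / 95.x.x.x.

# Reject anything that is not a dotted quad, so a placeholder such as
# "78.x.x.x" never reaches ifconfig or setkey.
validate_ipv4() {
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# ifconfig(8) commands that build the IP-in-IP tunnel between the outer
# (public) addresses and number its two ends with the inner addresses.
gif_commands() {
    lo=$1; ro=$2; li=$3; ri=$4
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$lo" "$ro"
    printf 'ifconfig gif0 inet %s %s\n' "$li" "$ri"
}

# setkey(8) policy covering inner-to-inner traffic with ESP in tunnel mode
# between the outer addresses. "require" means matching traffic is dropped,
# not sent in the clear, until SAs exist (from an IKE daemon or added by hand).
spd_config() {
    lo=$1; ro=$2; li=$3; ri=$4
    cat <<EOF
spdflush;
spdadd $li $ri any -P out ipsec esp/tunnel/$lo-$ro/require;
spdadd $ri $li any -P in ipsec esp/tunnel/$ro-$lo/require;
EOF
}

# The mirror image for the far end: the same policy with both pairs swapped.
peer_spd_config() {
    spd_config "$2" "$1" "$4" "$3"
}

# Root-only and FreeBSD-only; never run by default. Step 1 brings up gif and
# proves the inner addresses talk in the clear; step 2 loads the SPD on top.
bring_up() {
    [ $# -eq 4 ] || { echo "usage: bring_up local_outer remote_outer local_inner remote_inner" >&2; return 1; }
    for a in "$@"; do
        validate_ipv4 "$a" || { echo "not an IPv4 address: $a" >&2; return 1; }
    done
    gif_commands "$@" | sh -e || return 1
    ping -c 3 -S "$3" "$4" >/dev/null || {
        echo "gif tunnel is up but $4 does not answer from $3" >&2; return 1; }
    spd_config "$@" | setkey -c || return 1
    setkey -DP   # dump the loaded policies; then confirm with tcpdump on the
                 # outer interface that it carries ESP, not protocol 4 (IPIP)
}

# "sh this.sh --show 78.0.0.1 95.0.0.1 10.20.0.1 10.10.1.90" prints both
# sides' configuration without touching the system.
if [ "${1:-}" = "--show" ]; then
    shift
    echo "# local side"; gif_commands "$@"; spd_config "$@"
    echo "# remote side"; peer_spd_config "$@"
fi
```

Only bring_up needs root; the generator functions can be run anywhere to review the policy text before it is loaded. The ping check is the thread's "check whether both 10. addresses are accessible" step, and it has to come before the policies because with "require" an SPD entry without a matching SA drops the traffic instead of passing it unencrypted.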