Hi.
On 14.06.2012 21:57, Jeremie Le Hen wrote:
> Not at all, I read the whole mail thoroughly actually :-). But I don't
> work on Cisco/Juniper equipment so I didn't exactly grasp what you
> meant.
Okay. Actually, the whole idea is to 'simplify'. The conventional way of
creating IPSec makes you do a lot of stuff: creating policies, creating
tunnel interfaces, creating isakmp phase 1 and phase 2 proposals.
Cisco/Juniper equipment is pretty capable of doing all of this stuff too
(if you want fine-grained control), but by default they got rid of all
of this configuration, it works with defaults, and works fine. And the
gre setup is especially complicated when it comes to Juniper, because
they totally got rid of the policing mechanism, and there's no way in
JunOS (at least in 10.x-12.1) to define a policy about 'what kind of
traffic to encrypt with IPSec' like you can do in Linux/*BSD/Cisco. So
I'm afraid Cisco can lose this ability too. It is still possible to
build a FreeBSD - Juniper gre/ipsec tunnel (and I'm using them), but it
requires a twisted hack with routing on the Juniper side, and a pair of
_additional_ IP addresses.
So, complicated stuff on one side, ipsec interfaces (and some default
configs) on the other.
Eugene.
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net