I recently was reading the handbook on setting up a VPN using IPSec and I believe I've found a couple of bugs in the handbook. The following line is used to enable IPSec over the IP in IP tunnel:
    spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;

When I changed esp to ah, I was able to monitor the actual communication and I noticed that this caused an IP in IP in AH in IP tunnel instead of just IP in AH in IP. I think the line should read:

    spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec esp/transport//require;

This seemed to generate the correct result when I was sniffing it with the AH protocol, so I'm assuming it's the same situation with ESP. I think the tunnel keyword is a shortcut for setting up a gif tunnel, which was already done, and the IP addresses inside the // should be the outer addresses, while the first set of IP addresses is what is getting tunneled.

Also, I needed to add the line

    gif_interfaces="gif0"

to rc.conf, but this seems to be omitted from the manual.

The last problem was with the line for the VPN static route:

    route_vpn="192.168.2.0 192.168.2.1 netmask 0xffffff00"

The netmask keyword should not be there, so the line reads:

    route_vpn="192.168.2.0 192.168.2.1 0xffffff00"

The handbook mentions that AH could be used with ESP, but does not say how. I think it would be convenient for a quick example to be added, like the following:

    spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/transport//require ah/transport//require;

I had to do a little research to figure out how to wrap them appropriately.

-- 
I sense much NT in you. NT leads to Bluescreen. Bluescreen leads to downtime. Downtime leads to suffering. NT is the path to the darkside. Powerful Unix is.
Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD 835A FAF3 7A46 E4A3 280C

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
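The post above judges a policy by sniffing the resulting packets and reading off the header nesting. As an added example (not from the original post or the FreeBSD handbook), the following walks the protocol chain of a raw IPv4 packet so the layering an SPD entry actually produces can be checked against what was intended. The packet bytes are constructed inline; 10.0.0.1/10.0.0.2 stand in for the tunnel endpoints A.B.C.D/W.X.Y.Z and the 192.168.x.x addresses are placeholder inner hosts.

```python
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 4, 17, 50, 51

def encapsulation_chain(pkt: bytes) -> list:
    """Header names outer to inner; walks IP-in-IP and AH, stops at ESP or anything else."""
    chain, off, proto = [], 0, IPPROTO_IPIP   # the buffer starts with an IP header
    while True:
        if proto == IPPROTO_IPIP:
            if len(pkt) - off < 20 or pkt[off] >> 4 != 4:
                raise ValueError("truncated or non-IPv4 header at offset %d" % off)
            chain.append("IP")
            proto, off = pkt[off + 9], off + (pkt[off] & 0x0F) * 4
        elif proto == IPPROTO_AH:
            if len(pkt) - off < 12:
                raise ValueError("truncated AH header at offset %d" % off)
            chain.append("AH")
            # RFC 4302: payload length is in 32-bit words, minus 2
            proto, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        elif proto == IPPROTO_ESP:
            chain.append("ESP")      # cannot look past ESP without the SA's keys
            return chain
        else:
            chain.append("proto %d" % proto)
            return chain

def ipv4_header(proto: int, src: str, dst: str, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero (constructed sample data)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       addr(src), addr(dst))

def ah_header(next_hdr: int) -> bytes:
    """AH header with a zeroed 96-bit ICV: 12 fixed + 12 ICV bytes -> payload len 4."""
    return struct.pack("!BBHII", next_hdr, 4, 0, 0x1000, 1) + b"\0" * 12

# Constructed packets. Placeholder addresses: 10.0.0.1/10.0.0.2 are the tunnel
# endpoints (the handbook's A.B.C.D / W.X.Y.Z), 192.168.x.x the inner hosts.
INNER = ipv4_header(IPPROTO_UDP, "192.168.1.5", "192.168.2.7", 28) + b"\0" * 8
OUTER = ("10.0.0.1", "10.0.0.2")
# gif encapsulation (ipencap) with AH in transport mode: IP / AH / inner IP
TRANSPORT_AH = (ipv4_header(IPPROTO_AH, *OUTER, 44 + len(INNER))
                + ah_header(IPPROTO_IPIP) + INNER)
# AH in tunnel mode wrapped around the already gif-encapsulated packet: IP / AH / IP / inner IP
TUNNEL_AH = (ipv4_header(IPPROTO_AH, *OUTER, 64 + len(INNER)) + ah_header(IPPROTO_IPIP)
             + ipv4_header(IPPROTO_IPIP, *OUTER, 20 + len(INNER)) + INNER)
if __name__ == "__main__":
    for name, pkt in (("transport", TRANSPORT_AH), ("tunnel", TUNNEL_AH)):
        print(name, " / ".join(encapsulation_chain(pkt)))
```

Feeding it the bytes of a packet captured on the outer interface (for example, one read from a pcap) shows whether a given spdadd line yields one or two IP headers under the AH layer.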