On Tue, Nov 07, 2006 at 05:32:20PM -0500, Thor Lancelot Simon wrote:
> On Tue, Nov 07, 2006 at 08:39:16PM +0000, Michael van Elst wrote:
> > tls rek.tjls.com (Thor Lancelot Simon) writes:
> >
> > >IPsec tunnel mode uses the encapsulation code from gif(4).
> >
> > Just to clarify, this is FAST_IPSEC code, not the regular KAME.
>
> No. See how far you get with tunnel mode, with a KAME kernel without
> gif compiled into it.
I admit that I never tried it before, but it seems to work fine here.
henery% uname -a
NetBSD henery 3.1_RC4 NetBSD 3.1_RC4 (HENERY) #37: Wed Nov 8 00:31:43 CET 2006 src henery:/usr/obj/home/src/sys/arch/i386/compile/HENERY i386
henery% config -x | egrep 'IPSEC|gif'
options IPSEC # IP security
options IPSEC_ESP # IP security (encryption part; define w/IPSEC)
#options IPSEC_NAT_T # IPsec NAT traversal (NAT-T)
#options IPSEC_DEBUG # debug for IP security
#pseudo-device gif 4 # IPv[46] over IPv[46] tunnel (RFC1933)
henery% sudo setkey -D
Password:
10.27.5.8 10.27.5.1
        esp mode=tunnel spi=5569397(0x0054fb75) reqid=0(0x00000000)
        ...
        seq=0x000000d0 replay=4 flags=0x00000000 state=mature
        created: Nov 8 00:33:31 2006 current: Nov 8 00:35:54 2006
        ...
10.27.5.1 10.27.5.8
        esp mode=tunnel spi=7715566(0x0075baee) reqid=0(0x00000000)
        ...
        seq=0x000000bf replay=4 flags=0x00000000 state=mature
        created: Nov 8 00:33:31 2006 current: Nov 8 00:35:54 2006
        ...
Saying this, I don't know if FAST_IPSEC is even using gif(4).
--
Michael van Elst
Internet: mlelstv serpens.de
"A potential Snark may lurk in every tree."