William Waites wrote:
> 
> Once, Dave Burgess did write:
>  > I just finished a huge message to the IPsec FAQ folks, describing in
>  > gory detail what I'm trying to do with a VPN here.  It sounds very
>  > simple, but I've been at it for a month and I can't get it squared away.
>  >
>  > I have the IPsec SAD and SPD set up correctly (as near as I can tell).
>  >
>  > Here is the general setup (read this down, the original was WAY too
>  > wide):
>  >
>  > About 50 computers      192.168.0.x/24
>  >
>  > Firewall                192.168.0.1
>  > + NetBSD 1.5            204.248.21.50
>  >
>  > The Internet            204.248.22.129
>  >
>  > Firewall                204.248.21.62
>  > + NetBSD 1.5            192.168.1.1
>  >
>  > About 2 computers      192.168.1.x/24
>  >
>  > Simple right?  You'd think so.
> 
> How have you configured the tunnel between the firewalls? IPSec in
> tunnel mode is different from using gif interfaces, although
> personally I prefer your approach.
> 
> You need some address space on the gif tunnel, though; i.e.:
> 
> On firewall #1:
> 
> ifconfig gif0 create
> ifconfig gif0 tunnel 204.248.21.50 204.248.21.62
> ifconfig gif0 172.16.0.1 netmask 255.255.255.252
> route add -net 192.168.1.0 -netmask 255.255.255.0 172.16.0.2
> 
> On firewall #2:
> ifconfig gif0 create
> ifconfig gif0 tunnel 204.248.21.62 4.248.21.50
> ifconfig gif0 172.16.0.2 netmask 255.255.255.252
> route add -net 192.168.0.0 -netmask 255.255.255.0 172.16.0.1
> 
> and then set up IPSec to encrypt in transport mode (as opposed to
> tunnel mode) between 204.248.21.50 ans 204.248.21.62 and vice
> versa.
> 
> Using gif tunnels like this is nice, especially with more
> complicated setups since you can run routing protocols over
> them..

I just tried your suggestion.  It didn't help.

I'll pick it up tomorrow when I can access the servers again. It
disappeared after I tried setting the transport SPD.