Subject: Re: IPsec, NAT, and Firewalling
To: Dave Burgess <burgess@neonramp.com>
From: William Waites <ww@AREA22.STYX.ORG>
List: current-users
Date: 01/22/2001 18:46:46
Once, Dave Burgess did write:
 > I just finished a huge message to the IPsec FAQ folks, describing in
 > gory detail what I'm trying to do with a VPN here.  It sounds very
 > simple, but I've been at it for a month and I can't get it squared away.
 > 
 > I have the IPsec SAD and SPD set up correctly (as near as I can tell).
 > 
 > Here is the general setup (read this down, the original was WAY too
 > wide):
 > 
 > About 50 computers      192.168.0.x/24
 > 
 > Firewall                192.168.0.1
 > + NetBSD 1.5            204.248.21.50
 > 
 > The Internet            204.248.22.129  
 > 
 > Firewall                204.248.21.62
 > + NetBSD 1.5            192.168.1.1
 > 
 > About 2 computers       192.168.1.x/24
 > 
 > Simple right?  You'd think so.

How have you configured the tunnel between the firewalls? IPSec in 
tunnel mode is different from using gif interfaces, although
personally I prefer your approach. 

You need some address space on the gif tunnel, though; i.e.:

On firewall #1:

ifconfig gif0 create
ifconfig gif0 tunnel 204.248.21.50 204.248.21.62
ifconfig gif0 172.16.0.1 netmask 255.255.255.252
route add -net 192.168.1.0 -netmask 255.255.255.0 172.16.0.2

On firewall #2:

ifconfig gif0 create
ifconfig gif0 tunnel 204.248.21.62 204.248.21.50
ifconfig gif0 172.16.0.2 netmask 255.255.255.252
route add -net 192.168.0.0 -netmask 255.255.255.0 172.16.0.1

and then set up IPsec to encrypt in transport mode (as opposed to
tunnel mode) between 204.248.21.50 and 204.248.21.62 and vice
versa.

Using gif tunnels like this is nice, especially with more
complicated setups since you can run routing protocols over
them...

Cheers,
-w
-- 
____________
Will Waites \________________________
Minister of Research and Development \____________
Idiosyntactix Strategic Arts and Science Alliance \
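The setup sketched in the reply above, as an added example (this is not code from the original thread or from NetBSD): a small sh script that prints, for each firewall, the gif commands, the setkey(8) policy that forces the tunnel's IP-in-IP packets through ESP in transport mode, a manually keyed SA pair with a key-length check, and the ipf rules that let ESP and IKE reach the outer interface. The public addresses are the ones in Dave's diagram and the 172.16.0.0/30 link net is the one from the reply; the interface name ne0, the SPIs and the hex keys are constructed placeholders. The script only prints text, so the two sides can be compared before anything is applied.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Every function prints
# configuration text for ONE firewall; nothing here touches the running
# system.  Addresses come from the thread; "ne0", the SPIs and the hex
# keys are constructed placeholders.

# gif_setup LOCAL_PUB REMOTE_PUB LOCAL_GIF REMOTE_GIF REMOTE_LAN
# The ifconfig/route lines from the reply, parameterised per side.
gif_setup() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 %s netmask 255.255.255.252\n' "$3"
    printf 'route add -net %s -netmask 255.255.255.0 %s\n' "$5" "$4"
}

# ipsec_policy LOCAL_PUB REMOTE_PUB
# setkey(8) SPD: require ESP in transport mode, but only for upper-layer
# protocol 4 (IP-in-IP, which is what gif puts on the wire).  Matching
# "any" instead would also force IKE and plain host traffic through ESP.
ipsec_policy() {
    printf 'spdadd %s %s 4 -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s %s 4 -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# hexkey_ok 0xHEX BITS: true if HEX is well-formed and exactly BITS long.
# setkey rejects wrong-length keys at load time; catch it before that.
hexkey_ok() {
    key=${1#0x}
    case $key in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ ${#key} -eq $(( $2 / 4 )) ]
}

# ipsec_manual_sa SRC DST SPI ENCKEY AUTHKEY
# One manually keyed SA (3des-cbc wants 192 bits, hmac-sha1 160).  With
# racoon/IKE you drop these "add" lines and let the daemon fill the SAD.
ipsec_manual_sa() {
    hexkey_ok "$4" 192 || { echo "ipsec_manual_sa: bad 3des-cbc key" >&2; return 1; }
    hexkey_ok "$5" 160 || { echo "ipsec_manual_sa: bad hmac-sha1 key" >&2; return 1; }
    printf 'add %s %s esp %s -m transport -E 3des-cbc %s -A hmac-sha1 %s;\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# sad_pair: the same two SAs are loaded on both hosts (SAD entries are
# keyed by src/dst/SPI); each direction gets its own SPI and keys.
sad_pair() {
    ipsec_manual_sa 204.248.21.50 204.248.21.62 0x1001 \
        0x0123456789abcdef0123456789abcdef0123456789abcdef \
        0x0123456789abcdef0123456789abcdef01234567
    ipsec_manual_sa 204.248.21.62 204.248.21.50 0x1002 \
        0xfedcba9876543210fedcba9876543210fedcba9876543210 \
        0xfedcba9876543210fedcba9876543210fedcba98
}

# fw_rules IFACE LOCAL_PUB REMOTE_PUB REMOTE_LAN LOCAL_LAN
# ipf: let ESP and IKE in/out on the outer interface, and let the
# decapsulated LAN-to-LAN traffic cross gif0.
fw_rules() {
    printf 'pass in quick on %s proto esp from %s to %s\n' "$1" "$3" "$2"
    printf 'pass out quick on %s proto esp from %s to %s\n' "$1" "$2" "$3"
    printf 'pass in quick on %s proto udp from %s port = 500 to %s port = 500\n' "$1" "$3" "$2"
    printf 'pass out quick on %s proto udp from %s port = 500 to %s port = 500\n' "$1" "$2" "$3"
    printf 'pass in quick on gif0 from %s to %s\n' "$4" "$5"
    printf 'pass out quick on gif0 from %s to %s\n' "$5" "$4"
}

# side LOCAL_PUB REMOTE_PUB LOCAL_GIF REMOTE_GIF LOCAL_LAN REMOTE_LAN
side() {
    gif_setup "$1" "$2" "$3" "$4" "$6"
    ipsec_policy "$1" "$2"
    sad_pair
    fw_rules ne0 "$1" "$2" "$6/24" "$5/24"
}

echo '### firewall #1 (204.248.21.50)'
side 204.248.21.50 204.248.21.62 172.16.0.1 172.16.0.2 192.168.0.0 192.168.1.0
echo '### firewall #2 (204.248.21.62)'
side 204.248.21.62 204.248.21.50 172.16.0.2 172.16.0.1 192.168.1.0 192.168.0.0
```

Feed the spdadd/add lines to `setkey -c` (or put them in a file for `setkey -f`), and compare the two sides' output: the tunnel and spdadd lines must be exact mirror images, which is the kind of transposition the original listing had on firewall #2.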