Subject: Re: gre encap destination = point-to-point destination
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Michael van Elst <mlelstv@serpens.de>
List: tech-net
Date: 11/08/2006 00:52:33

On Tue, Nov 07, 2006 at 05:32:20PM -0500, Thor Lancelot Simon wrote:
> On Tue, Nov 07, 2006 at 08:39:16PM +0000, Michael van Elst wrote:
> > tls@rek.tjls.com (Thor Lancelot Simon) writes:
> >
> > >IPsec tunnel mode uses the encapsulation code from gif(4).
> >
> > Just to clarify, this is FAST_IPSEC code, not the regular KAME.
>
> No. See how far you get with tunnel mode, with a KAME kernel without
> gif compiled into it.

I admit that I never tried it before, but it seems to work fine here.

henery% uname -a
NetBSD henery 3.1_RC4 NetBSD 3.1_RC4 (HENERY) #37: Wed Nov 8 00:31:43
CET 2006 src@henery:/usr/obj/home/src/sys/arch/i386/compile/HENERY i386
henery% config -x | egrep 'IPSEC|gif'
options IPSEC # IP security
options IPSEC_ESP # IP security (encryption part; define w/IPSEC)
#options IPSEC_NAT_T # IPsec NAT traversal (NAT-T)
#options IPSEC_DEBUG # debug for IP security
#pseudo-device gif 4 # IPv[46] over IPv[46] tunnel (RFC1933)
henery% sudo setkey -D
Password:
10.27.5.8 10.27.5.1
esp mode=tunnel spi=5569397(0x0054fb75) reqid=0(0x00000000)
...
seq=0x000000d0 replay=4 flags=0x00000000 state=mature
created: Nov 8 00:33:31 2006 current: Nov 8 00:35:54 2006
...
10.27.5.1 10.27.5.8
esp mode=tunnel spi=7715566(0x0075baee) reqid=0(0x00000000)
...
seq=0x000000bf replay=4 flags=0x00000000 state=mature
created: Nov 8 00:33:31 2006 current: Nov 8 00:35:54 2006
...

Saying this, I don't know if FAST_IPSEC is even using gif(4).

--
Michael van Elst
Internet: mlelstv@serpens.de
"A potential Snark may lurk in every tree."