summaryrefslogtreecommitdiff
path: root/docs/vpn/ipsec.rst
diff options
context:
space:
mode:
Diffstat (limited to 'docs/vpn/ipsec.rst')
-rw-r--r--docs/vpn/ipsec.rst13
1 files changed, 7 insertions, 6 deletions
diff --git a/docs/vpn/ipsec.rst b/docs/vpn/ipsec.rst
index 8b0ad3b3..647f3753 100644
--- a/docs/vpn/ipsec.rst
+++ b/docs/vpn/ipsec.rst
@@ -4,9 +4,9 @@
IPsec
#####
-Generic Routing Encapsulation (GRE), GRE/IPsec (or IPIP/IPsec, SIT/IPsec, or any
-other stateless tunnel protocol over IPsec) is the usual way to protect the
-traffic inside a tunnel.
+:abbr:`GRE (Generic Routing Encapsulation)`, GRE/IPsec (or IPIP/IPsec,
+SIT/IPsec, or any other stateless tunnel protocol over IPsec) is the usual way
+to protect the traffic inside a tunnel.
An advantage of this scheme is that you get a real interface with its own
address, which makes it easier to setup static routes or use dynamic routing
@@ -26,11 +26,12 @@ what needs to be changed to make it work with a different protocol. We assume
that IPsec will use pre-shared secret authentication and will use AES128/SHA1
for the cipher and hash. Adjust this as necessary.
-.. NOTE:: VMware users should ensure that VMXNET3 adapters used, e1000 adapters
- have known issue with GRE processing
+.. NOTE:: VMware users should ensure that a VMXNET3 adapter is used. E1000
+ adapters have known issues with GRE processing.
+*************************
IPsec policy matching GRE
-^^^^^^^^^^^^^^^^^^^^^^^^^
+*************************
The first and arguably cleaner option is to make your IPsec policy match GRE
packets between external addresses of your routers. This is the best option if