Date:      Thu, 14 Jun 2012 13:12:01 +0600
From:      "Eugene M. Zheganin" <emz@norma.perm.ru>
To:        freebsd-net@freebsd.org
Subject:   Re: if_ipsec
Message-ID:  <4FD98EC1.50200@norma.perm.ru>
In-Reply-To: <20120609170721.GA40355@felucia.tataz.chchile.org>
References:  <4FD236D4.6090409@norma.perm.ru> <20120609170721.GA40355@felucia.tataz.chchile.org>

Hi,

On 09.06.2012 23:07, Jeremie Le Hen wrote:
> What is usually done for convenience is to create a gif(4) or gre(4)
> tunnel to another network, which is then encrypted using IPSec 
> transport mode. The inner IP/GRE header is considered as the payload 
> and it is encrypted. The benefit of this approach is that you "see" 
> your tunnel, it looks more natural from a system point of view. I 
> haven't used IPSec in tunnel mode for more than a decade, so I don't
> remember how it is manageable. But with the IPSec transport mode + 
> gif/gre tunnel, you see a full-fledged interface toward the other 
> network, through which you can route your traffic. 
Yeah, but nowadays this is sort of a legacy thing.
Modern router OSes, like IOS or JunOS, operate the ipsec interfaces, and
these interfaces are visible in the system and are fully operational in
the context of the dynamic routing, and I mean here sending/receiving 
packets from/to these interfaces. I just wanted FreeBSD to have such a 
capability.

Thank you for an explanation though. Seems like you read only the first 
few lines of my post. I am fully capable... whatever. Seems like I've 
already said this in my initial message.

Eugene.