Date: Fri, 21 Jul 2017 00:02:32 +0200
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: FreeBSD Net <freebsd-net@freebsd.org>
Subject: IPsec tunnel mode with gif
Message-ID: <1865385.GS045ia5gu@energia>
Hi group,

For many years I have used the trick of running a GRE or GIF tunnel encrypted with IPsec transport mode, both on FreeBSD and Linux. That allows me to run BGP or OSPF on the tunnels. I am also aware of IPsec tunnel mode, which kind of works for me, although it is not my personal choice. Both modes of operation seem quite straightforward.

Yet, for a reason beyond my understanding, the FreeBSD Handbook proposes a 3rd mode: using a GIF tunnel together with IPsec tunnel mode. I really don't understand how that is supposed to work. People On The Internet also seem not to be able to understand the reasoning behind such a solution.

Since the IPsec stack provides its own encapsulation in tunnel mode, packets coming to a router would never reach the GIF interface and would never be encapsulated by it. Same for packets received: they would be decapsulated by the IPsec stack and reinjected with internal IP addresses on a public interface of the router, or they would appear on the enc0 interface if it is in use.

Am I wrong? Or is the Handbook wrong?

-- 
| pozdrawiam / greetings   | powered by Debian, FreeBSD and CentOS  |
|    Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net   |
|        Vegeta            | www: http://vegeta.tuxpowered.net      |
`------------------------^---------------------------------------'
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1865385.GS045ia5gu>
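The two set-ups the poster contrasts, written out as FreeBSD configuration, as an added example that is not part of the original message or of the Handbook. The script below emits the setkey(8) policy lines and rc.conf(5) settings for (a) a gif(4) tunnel whose IP-in-IP packets are protected by an IPsec transport-mode policy, and (b) a plain IPsec tunnel-mode policy between two private networks. All addresses (203.0.113.1, 198.51.100.1, 10.255.0.0/30, 10.0.1.0/24, 10.0.2.0/24) are documentation-range placeholders chosen for illustration; the SAs themselves (racoon/strongSwan IKE or manual `add` lines) are not shown. The point the output makes visible is the layering: in (a) the SPD selector is the gif encapsulation itself (upper protocol ip4, public endpoints), so routing protocols see a real interface with a link address; in (b) the selector is the inner traffic, and no gif interface is involved at all.

```shell
#!/bin/sh
# Added example: generate FreeBSD IPsec/gif configuration for the two
# modes discussed above. Nothing here touches the running system; the
# functions only print text. Endpoints are hypothetical placeholders.

# (a) gif tunnel + IPsec transport mode.
# Packet on the wire: IP(pub) | ESP | IP(pub, proto 4) payload? No:
#   gif adds   IP(pub src -> pub dst, proto 4) [ IP(inner) | payload ]
#   transport  IP(pub) | ESP { IP(inner) | payload }, ESP next header = 4
# so the SPD must match protocol ip4 between the public addresses.
gif_transport_config() {
    lpub=$1; rpub=$2; ltun=$3; rtun=$4
    cat <<EOF
# /etc/rc.conf
gif_interfaces="gif0"
gifconfig_gif0="$lpub $rpub"
ifconfig_gif0="inet $ltun $rtun"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"

# /etc/ipsec.conf (setkey syntax): protect only the gif encapsulation
spdadd $lpub $rpub ip4 -P out ipsec esp/transport//require;
spdadd $rpub $lpub ip4 -P in  ipsec esp/transport//require;
EOF
}

# (b) IPsec tunnel mode, no gif.
# Packet on the wire: IP(pub) | ESP { IP(inner) | payload }, ESP next
# header = 4 as well; the kernel's own encapsulation replaces gif, and
# the SPD selector is the inner traffic, not the public endpoints.
ipsec_tunnel_config() {
    lpub=$1; rpub=$2; lnet=$3; rnet=$4
    cat <<EOF
# /etc/rc.conf
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"

# /etc/ipsec.conf (setkey syntax): encapsulate the private networks
spdadd $lnet $rnet any -P out ipsec esp/tunnel/$lpub-$rpub/require;
spdadd $rnet $lnet any -P in  ipsec esp/tunnel/$rpub-$lpub/require;
EOF
}

# Sanity check a generated policy: the transport variant must select on
# the ip4 (IP-in-IP) protocol, the tunnel variant must carry endpoints.
check_policy() {
    mode=$1; text=$2
    case $mode in
        transport) printf '%s\n' "$text" | grep -q ' ip4 -P .* esp/transport//require;' ;;
        tunnel)    printf '%s\n' "$text" | grep -q ' any -P .* esp/tunnel/[0-9.]*-[0-9.]*/require;' ;;
        *)         return 2 ;;
    esac
}

# Usage (placeholder addresses, documentation ranges):
#   gif_transport_config 203.0.113.1 198.51.100.1 10.255.0.1 10.255.0.2
#   ipsec_tunnel_config  203.0.113.1 198.51.100.1 10.0.1.0/24 10.0.2.0/24
```

With (a), OSPF or BGP can be pointed at gif0 and its /30 just like any other point-to-point link; with (b) there is no interface to run a routing protocol on, which is the practical difference the poster describes.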
