Date: Fri, 21 Jul 2017 00:02:32 +0200
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: FreeBSD Net <freebsd-net@freebsd.org>
Subject: IPsec tunnel mode with gif
Message-ID: <1865385.GS045ia5gu@energia>

Hi group,

For many years I have used the trick of running a GRE or GIF tunnel encrypted with IPSec transport mode, both on FreeBSD and Linux. That allows me to run BGP or OSPF on the tunnels.

I am also aware of IPsec tunnel mode which kind of works for me, although it is not my personal choice.

Both modes of operation seem quite straightforward.

Yet for a reason beyond my understanding the FreeBSD Handbook proposes a 3rd mode: using a GIF tunnel together with IPSec tunnel mode. I really don't understand how that is supposed to work. People On The Internet also seem not to be able to understand the reasoning behind such a solution. Since the IPSec stack provides its own encapsulation in tunnel mode, packets coming to a router would never reach the GIF interface and would never be encapsulated by it. Same for packets received: they would be de-encapsulated by the IPsec stack and reinjected with internal IP addresses on a public interface of the router, or they would appear on the enc0 interface if it is in use.

Am I wrong? Or is the Handbook wrong?

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
|  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
|        Vegeta          | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
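
Added example, not part of the original message: the two setups the message calls straightforward, written as setkey(8) policy files so the difference in what each policy selects is visible. All addresses are constructed (documentation and private ranges), and the SAs are assumed to be negotiated by an IKE daemon.

```conf
# Constructed values: local public 192.0.2.1, remote public 198.51.100.1,
# local LAN 10.1.0.0/24, remote LAN 10.2.0.0/24.

# --- Setup A: GIF tunnel protected by IPsec transport mode ---------------
# The gif interface is created outside this file, for example:
#   ifconfig gif0 create
#   ifconfig gif0 tunnel 192.0.2.1 198.51.100.1
#   ifconfig gif0 inet 172.16.0.1 172.16.0.2 netmask 255.255.255.252
# gif does the encapsulation (IPv4-in-IPv4 is IP protocol 4, "ipencap").
# The policy selects only that outer packet between the two public
# addresses, so ESP adds no second IP header. Routing daemons see gif0
# as an ordinary point-to-point interface.
spdflush;
spdadd 192.0.2.1/32 198.51.100.1/32 ipencap -P out ipsec esp/transport//require;
spdadd 198.51.100.1/32 192.0.2.1/32 ipencap -P in  ipsec esp/transport//require;

# --- Setup B: plain IPsec tunnel mode, no gif interface ------------------
# Use instead of setup A, not together with it.
# The policy selects the inner (LAN-to-LAN) traffic and the IPsec stack
# itself adds the outer header between the public addresses.
# spdflush;
# spdadd 10.1.0.0/24 10.2.0.0/24 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/require;
# spdadd 10.2.0.0/24 10.1.0.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-192.0.2.1/require;
```

After loading either variant with `setkey -f`, `setkey -DP` lists the installed policies, which shows whether the selectors are the tunnel endpoints (setup A) or the inner networks (setup B).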