From: "Bjoern A. Zeeb"
To: "Kajetan Staszkiewicz"
Cc: "FreeBSD Net"
Subject: Re: IPsec tunnel mode with gif
Date: Thu, 20 Jul 2017 22:32:58 +0000
Message-ID: <699EB97F-7235-4B1C-9C67-601CA89A4125@lists.zabbadoz.net>
In-Reply-To: <1865385.GS045ia5gu@energia>
List-Id: Networking and TCP/IP with FreeBSD

On 20 Jul 2017, at 22:02, Kajetan Staszkiewicz wrote:

> Yet for a reason beyond my understanding FreeBSD handbook proposes a
> 3rd mode: using a GIF tunnel together with IPSec tunnel mode. I really
> don't understand how is that supposed to work. People On The Internet
> also seem not to be able ..
> Am I wrong? Or is the Handbook wrong?

The handbook is outdated and I think what you are referring to is from
the early days of the IPv6/IPsec stack implementation times probably
during FreeBSD 4.

What you are doing (gre/gif inside transport mode to possibly get a
link-state change as well, or BGP over transport mode directly) is both
fine.

I think the short answer: updates to the handbook would be very welcome!

/bz