From owner-freebsd-net@FreeBSD.ORG Tue Jan 10 01:29:19 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6E55816A41F for ; Tue, 10 Jan 2006 01:29:19 +0000 (GMT) (envelope-from regnauld@starbsd.org) Received: from flow.starbsd.org (x0.dk [62.242.165.154]) by mx1.FreeBSD.org (Postfix) with ESMTP id F366143D46 for ; Tue, 10 Jan 2006 01:29:18 +0000 (GMT) (envelope-from regnauld@starbsd.org) Received: by flow.starbsd.org (Postfix, from userid 1001) id 3C4EA17040; Mon, 9 Jan 2006 23:01:44 +0100 (CET) Date: Mon, 9 Jan 2006 23:01:43 +0100 From: Phil Regnauld To: Jeremie Le Hen Message-ID: <20060109220142.GD17334@flow.eu.org> References: <20051228143817.GA6898@uk.tiscali.com> <86lky5p7ik.fsf@srvbsdnanssv.interne.kisoft-services.com> <20051228155545.GA7166@uk.tiscali.com> <20060109215312.GV90495@obiwan.tataz.chchile.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20060109215312.GV90495@obiwan.tataz.chchile.org> X-Operating-System: FreeBSD 6.0-STABLE i386 Organization: catpipe Systems ApS User-Agent: Mutt/1.5.9i Cc: freebsd-net@freebsd.org, Brian Candler Subject: Re: [fbsd] Re: IPSEC documentation X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Jan 2006 01:29:19 -0000 Jeremie Le Hen (jeremie) writes: > > I personally find the gif(4)/transport mode setup neater than the > single tunnel mode - though I am not aware of initial constrains > when IPSec RFCs were written - especially because one can look after the > traffic going through the VPN link in a very natural way. > As Brian pointed out, FreeBSD indeed lacks the enc(4) interface which > lives in OpenBSD. enc(4) is a kind of hook into the tunnel mode > providing a natural interface to it. Linux (FreeS/WAN) has a similar concept with the ipsec interface type. IMHO, both modes are useful. On a very large VPN concentrator with many tunnels being created and destroyed all the time, and possible several hundred connections at any given time, the interface table become big. Usually with so many tunnels, typical for roaming clients, I'll filter on the source IP (the remote end) at the moment of leaving the interface. One could argue that the gif/transport is cleaner in that it doesn't invent yet another interface type, but racoon/ipsec-tools isn't aware of it. The ideal would be to have the possibility of dynamically creating tun(4) devices representing the tunnel endpoints, if required, when phase2 has been established.