Date: Wed, 22 Oct 2003 19:10:33 +0300 From: Ruslan Ermilov <ru@FreeBSD.org> To: Jim Hatfield <subscriber@insignia.com> Cc: freebsd-security@FreeBSD.org Subject: Re: IPSec VPNs: to gif or not to gif Message-ID: <20031022161033.GB41603@sunbay.com> In-Reply-To: <u0qcpv0csl3lb1p6a8aioe7qjqjtvd6th9@4ax.com> References: <u0qcpv0csl3lb1p6a8aioe7qjqjtvd6th9@4ax.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--MGYHOYXEY6WxJCY8 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Oct 22, 2003 at 12:28:45PM +0100, Jim Hatfield wrote: > I will shortly be replacing a couple of proprietary VPN boxes > with a FreeBSD solution. Section 10.10 of the Handbook has a=20 > detailed description of how to do this. >=20 > However I remember a lot of discussion about a year ago about > whether the gif interface was necessary to set up VPNs like > this or whether it was just a convenience, for "getting the > routing right". A number of people said that gif was not=20 > needed but I've never found a step-by-step description of how > to set up a lan-to-lan VPN without using it. >=20 > Is the Handbook the current received wisdom on how to set this > up, and is the use of the gif interface indeed necessary? >=20 > I also remember that the discussions diverted into a problem > with ipfw when gif was *not* used, but I haven't found any > messages to indicate that it was resolved. I recall suggestions > that a new interface esp0 be created so that ipfw could work > correctly on both the innner and outer packets of an ESP tunnel. >=20 > Was that issue ever resolved? >=20 The gif(4) is not required for a proper operation of IPsec VPN, but it could be of some convenience to have it. For example, our VPN is currently built on IPsec without gif(4) interfaces, and I have to add ugly "-net 192.168/16" routes through the network interface with the 192.168.x.y primary address on the IPsec gateways which also have external IP addresses, so that "ping 192.168.z.a" selects the 192.168.x.y source address, and the traffic is wrapped into IPsec. This works, but creates lot of unneeded routes (unfilled ARP routes), and you cannot easily watch the traffic by tcpdump(1) and ipfw(8). The use of the gif(4) tunnels, and securing only them with IPsec, like described in the Handbook, should fix all these problems, so I'm seriously considering adding gif(4) tunnels. Hope this is helpful. Cheers, --=20 Ruslan Ermilov Sysadmin and DBA, ru@sunbay.com Sunbay Software Ltd, ru@FreeBSD.org FreeBSD committer --MGYHOYXEY6WxJCY8 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/lqv5Ukv4P6juNwoRAnSJAJ4iZ0oMsP6FF31D1TO3yQvqclJC4gCcCI3K O7GdJ34jvosZH8HOSV+b2Hw= =01LU -----END PGP SIGNATURE----- --MGYHOYXEY6WxJCY8--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031022161033.GB41603>