Date: Wed, 22 Oct 2003 15:53:52 -0500 From: John <strgout@unixjunkie.com> To: freebsd-security@freebsd.org Subject: Re: IPSec VPNs: to gif or not to gif Message-ID: <20031022205352.GA60569@mail.unixjunkie.com> In-Reply-To: <u0qcpv0csl3lb1p6a8aioe7qjqjtvd6th9@4ax.com> References: <u0qcpv0csl3lb1p6a8aioe7qjqjtvd6th9@4ax.com>
index | next in thread | previous in thread | raw e-mail
On Wed, Oct 22, 2003 at 12:28:45PM +0100, Jim Hatfield wrote: > I will shortly be replacing a couple of proprietary VPN boxes > with a FreeBSD solution. Section 10.10 of the Handbook has a > detailed description of how to do this. > > However I remember a lot of discussion about a year ago about > whether the gif interface was necessary to set up VPNs like > this or whether it was just a convenience, for "getting the > routing right". A number of people said that gif was not > needed but I've never found a step-by-step description of how > to set up a lan-to-lan VPN without using it. > > Is the Handbook the current received wisdom on how to set this > up, and is the use of the gif interface indeed necessary? > > I also remember that the discussions diverted into a problem > with ipfw when gif was *not* used, but I haven't found any > messages to indicate that it was resolved. I recall suggestions > that a new interface esp0 be created so that ipfw could work > correctly on both the innner and outer packets of an ESP tunnel. > > Was that issue ever resolved? > > jim hatfield > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" I think one reason someone might want to use gif interfaces is becuase trasport mode ipsec doesn't require the peer address, if you then do a gif tunnel over the transport ipsec you have dynamic vpn based on a 509 cert or some crazy jazz like that. I however just do tunnel mode ipsec with no gif tunnel and packet filter to only allow protocol 50 and udp 500 to/from the remote peer. If any of the kame folks are watching, thanks for writing racoon!help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031022205352.GA60569>