Date:      Thu, 23 Oct 2003 15:29:02 +0100
From:      Jim Hatfield <subscriber@insignia.com>
To:        freebsd-security@freebsd.org
Subject:   Re: IPSec VPNs: to gif or not to gif
Message-ID:  <b7pfpv0mfrlrkm2kft1dnkjokusiigs7de@4ax.com>
In-Reply-To: <3203DF3DDE57D411AFF4009027B8C3674B2FAB@exchange-uk.isltd.insignia.com>
References:  <3203DF3DDE57D411AFF4009027B8C3674B2FAB@exchange-uk.isltd.insignia.com>

On Wed, 22 Oct 2003 13:34:30 +0100, in local.freebsd.security you
wrote:

>
>I use gif interfaces for my VPN's, and it works extremely well.  The
>only other solution I think I would even try, is mpd, but that uses a
>much weaker protocol from what I know (PPTP).
>
>It's so easy to use gif, I'm not sure why you wouldn't.

Looking at the Handbook again, I'm even more confused now!

I had decided that the IPSec processing must be using Transport
mode, since the tunnelling was handled by the gif interface.

But not so. The diagram right at the bottom of that section of
the Handbook clearly shows that the original packet is encapsulated
twice, once by IPSec Tunnel mode and once by the gif interface.

To me, this just feels wrong. The packet only needs to be
encapsulated once, so why do it twice? It's an unnecessary use of
bandwidth and processor time.
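The two layouts discussed in this message, written out as FreeBSD setkey policy. This is an added example, not code from the thread or from the Handbook: the addresses are made up (documentation ranges), the private networks and gif endpoints are assumptions, and the script only prints the ifconfig and setkey lines so they can be reviewed before being piped into setkey -c. SA keying (manual add lines or racoon) is assumed to be handled separately. The transport-mode policy protects the gif packets themselves, so the only encapsulation is gif's own IP-in-IP header plus ESP; the tunnel-mode policy, applied to the same gif traffic, adds a further outer IP header, which is the double wrapping the Handbook diagram shows.

```shell
#!/bin/sh
# Added example: gif tunnel protected by IPsec, transport mode vs tunnel mode.
# Assumed (made-up) addresses; gateway A is the local side, B the remote side.
LOCAL_PUB=192.0.2.1        # gateway A public address
REMOTE_PUB=198.51.100.1    # gateway B public address
LOCAL_NET=10.1.0.0/16      # LAN behind A (assumption)
REMOTE_NET=10.2.0.0/16     # LAN behind B (assumption)
LOCAL_GIF=10.1.0.1         # gif0 inner address on A (assumption)
REMOTE_GIF=10.2.0.1        # gif0 inner address on B (assumption)

# ifconfig lines for gif0 on gateway A: the outer tunnel runs between the
# public addresses, the inner addresses carry the private networks.
gif_commands() {
    printf '%s\n' \
        "ifconfig gif0 create" \
        "ifconfig gif0 tunnel $LOCAL_PUB $REMOTE_PUB" \
        "ifconfig gif0 inet $LOCAL_GIF $REMOTE_GIF netmask 255.255.255.255" \
        "route add -net $REMOTE_NET $REMOTE_GIF"
}

# Transport-mode SPD for gateway A. The selector 'ipencap' is IP protocol 4,
# i.e. the packets gif emits. ESP in transport mode sits between the gif
# outer IP header and the encapsulated packet: one IP-in-IP wrap, one ESP.
transport_policy() {
    printf '%s\n' \
        "spdadd $LOCAL_PUB $REMOTE_PUB ipencap -P out ipsec esp/transport//require;" \
        "spdadd $REMOTE_PUB $LOCAL_PUB ipencap -P in ipsec esp/transport//require;"
}

# Tunnel-mode SPD on the same gif traffic. ESP now adds its own outer IP
# header (LOCAL_PUB -> REMOTE_PUB) around the gif packet, so the original
# packet travels inside gif's IP header inside ESP's IP header.
tunnel_policy() {
    printf '%s\n' \
        "spdadd $LOCAL_PUB $REMOTE_PUB ipencap -P out ipsec esp/tunnel/$LOCAL_PUB-$REMOTE_PUB/require;" \
        "spdadd $REMOTE_PUB $LOCAL_PUB ipencap -P in ipsec esp/tunnel/$REMOTE_PUB-$LOCAL_PUB/require;"
}

# Number of IP headers on the wire for each layout, counting the original
# packet's own header: gif adds one, tunnel-mode ESP adds one more.
ip_headers() {
    case "$1" in
        transport) echo 2 ;;   # original + gif outer
        tunnel)    echo 3 ;;   # original + gif outer + ESP outer
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Load a policy set into the kernel SPD (run as root on the gateway; not
# executed here). setkey -c reads the policy from standard input.
apply_policy() {
    "$1" | setkey -c
}

# Print everything for review when run directly:
#   sh gif-ipsec.sh            -> gif commands, then both policy variants
gif_commands
echo "# transport mode (single encapsulation):"
transport_policy
echo "# tunnel mode (double encapsulation):"
tunnel_policy
```

Run it to see the two policy sets side by side, then choose one and feed it to setkey (apply_policy transport_policy, as root); the remote gateway needs the mirror-image policies with the in and out directions swapped.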



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b7pfpv0mfrlrkm2kft1dnkjokusiigs7de>