From owner-freebsd-security@FreeBSD.ORG Thu Oct 23 07:29:05 2003
From: Jim Hatfield
To: freebsd-security@freebsd.org
Date: Thu, 23 Oct 2003 15:29:02 +0100
Organization: Insignia Solutions
Subject: Re: IPSec VPNs: to gif or not to gif
In-Reply-To: <3203DF3DDE57D411AFF4009027B8C3674B2FAB@exchange-uk.isltd.insignia.com>

On Wed, 22 Oct 2003 13:34:30 +0100, in local.freebsd.security you wrote:

> I use gif interfaces for my VPNs, and it works extremely well. The
> only other solution I think I would even try is mpd, but that uses a
> much weaker protocol from what I know (PPTP).
>
> It's so easy to use gif, I'm not sure why you wouldn't.
Looking at the Handbook again, I'm even more confused now! I had decided that the IPSec processing must be using Transport mode, since the tunnelling was handled by the gif interface. But not so. The diagram right at the bottom of that section of the Handbook clearly shows that the original packet is encapsulated twice, once by IPSec Tunnel mode and once by the gif interface.

To me, this just feels wrong. The packet only needs to be encapsulated once, so why do it twice? It's an unnecessary use of bandwidth and processor time.
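The "encapsulated twice" objection above can be put in numbers. The following is an added example, not code from the post or from the FreeBSD Handbook: it models the header stack on the wire for ESP tunnel mode over a gif tunnel (the Handbook diagram), ESP transport mode over gif (the single encapsulation the poster expected), and a plain ESP tunnel-mode SA without gif. The cipher and integrity sizes are assumptions (AES-128-CBC with a 16-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV, IPv4 headers without options).

```python
# Added example (not from the post): byte cost of the header stacks discussed
# above. Cipher/auth sizes are assumptions: AES-128-CBC (16-byte IV and block)
# with HMAC-SHA1-96 (12-byte ICV); IPv4 headers carry no options.

IPV4_HDR = 20      # IPv4 header, no options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_IV = 16        # AES-CBC IV (assumption)
ESP_BLOCK = 16     # AES block size (assumption)
ESP_TRAILER = 2    # pad length (1) + next header (1)
ESP_ICV = 12       # HMAC-SHA1-96 truncated ICV (assumption)


def esp_wrap(inner_len):
    """Length of an ESP packet (header, IV, payload, padding, trailer, ICV)
    protecting inner_len bytes. Payload plus trailer is padded up to the
    cipher block size, as ESP requires."""
    pad = (-(inner_len + ESP_TRAILER)) % ESP_BLOCK
    return ESP_HDR + ESP_IV + inner_len + pad + ESP_TRAILER + ESP_ICV


def header_stack(mode, use_gif=True):
    """Headers on the wire, outermost first, for the chosen layout.

    mode 'tunnel':    ESP tunnel mode prepends its own outer IPv4 header.
    mode 'transport': ESP sits directly inside the gif (IP-in-IP) outer
                      header, so the gif header is the only outer header.
    """
    if mode not in ("tunnel", "transport"):
        raise ValueError(f"unknown mode {mode!r}")
    stack = ["IPv4 outer", "ESP"]
    if mode == "tunnel" and use_gif:
        stack.append("IPv4 gif")       # the second encapsulation in the Handbook diagram
    if mode == "tunnel" or use_gif:
        stack.append("IPv4 inner")     # the original packet's own header
    stack += ["payload", "ESP trailer", "ESP ICV"]
    return stack


def on_wire_length(payload_len, mode, use_gif=True):
    """Total bytes on the wire for one original IPv4 packet of payload_len bytes."""
    inner_pkt = IPV4_HDR + payload_len              # packet as it left the LAN host
    if mode == "transport":
        # With gif, ESP protects the IP-in-IP payload (the whole inner packet)
        # behind gif's outer header; without gif it protects the L4 payload only.
        protected = inner_pkt if use_gif else payload_len
        return IPV4_HDR + esp_wrap(protected)
    if mode == "tunnel":
        # gif wraps first (IP-in-IP), then ESP tunnel mode wraps the whole
        # gif packet and prepends a fresh outer IPv4 header.
        protected = IPV4_HDR + inner_pkt if use_gif else inner_pkt
        return IPV4_HDR + esp_wrap(protected)
    raise ValueError(f"unknown mode {mode!r}")


def overhead(payload_len, mode, use_gif=True):
    """Bytes added beyond the original IPv4 packet."""
    return on_wire_length(payload_len, mode, use_gif) - (IPV4_HDR + payload_len)


if __name__ == "__main__":
    for mode, gif in (("tunnel", True), ("transport", True), ("tunnel", False)):
        print(f"{mode:9s} gif={gif!s:5s} "
              f"{on_wire_length(1000, mode, gif):5d} bytes on wire, "
              f"+{overhead(1000, mode, gif)} overhead: "
              f"{' / '.join(header_stack(mode, gif))}")
```

For a 1000-byte payload under these assumptions, tunnel mode over gif carries three IPv4 headers and costs 32 bytes more per packet than transport mode over gif, which in turn lands on exactly the same header stack and length as a plain tunnel-mode SA without gif. The extra cost is one 20-byte IP header plus whatever the larger ESP payload adds in block padding, which is the "unnecessary bandwidth" the poster is objecting to; the model says nothing about which layout the Handbook or a given FreeBSD release supports.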