Date: Thu, 14 Jun 2012 17:57:48 +0200
From: Jeremie Le Hen <jlh@FreeBSD.org>
To: "Eugene M. Zheganin" <emz@norma.perm.ru>
Cc: freebsd-net@freebsd.org
Subject: Re: if_ipsec
Message-ID: <20120614155748.GC40355@felucia.tataz.chchile.org>
In-Reply-To: <4FD98EC1.50200@norma.perm.ru>
References: <4FD236D4.6090409@norma.perm.ru> <20120609170721.GA40355@felucia.tataz.chchile.org> <4FD98EC1.50200@norma.perm.ru>
Eugene,

On Thu, Jun 14, 2012 at 01:12:01PM +0600, Eugene M. Zheganin wrote:
> Hi,
>
> On 09.06.2012 23:07, Jeremie Le Hen wrote:
> > What is usually done for convenience is to create a gif(4) or gre(4)
> > tunnel to another network, which is then encrypted using IPSec
> > transport mode. The inner IP/GRE header is considered as the payload
> > and it is encrypted. The benefit of this approach is that you "see"
> > your tunnel, it looks more natural from a system point of view. I
> > haven't used IPSec in tunnel mode for more than a decade, so I don't
> > remember how manageable it is. But with IPSec transport mode + a
> > gif/gre tunnel, you see a full-fledged interface toward the other
> > network, through which you can route your traffic.
> Yeah, but nowadays this is sort of a legacy thing.
> Modern router OSes, like IOS or JunOS, operate the ipsec interfaces, and
> these interfaces are visible in the system and are fully operational in
> the context of dynamic routing, and I mean here sending/receiving
> packets from/to these interfaces. I just wanted FreeBSD to have such a
> capability.
>
> Thank you for the explanation though. Seems like you read only the first
> few lines of my post. I am fully capable... whatever. Seems like I've
> already said this in my initial message.

Not at all, I read the whole mail thoroughly actually :-). But I don't
work on Cisco/Juniper equipment so I didn't exactly grasp what you meant.

By explaining what I know about IPSec on FreeBSD, I didn't mean to let
you think you aren't capable -- and I'm sorry if you took it that way --
it was just to engage you to explain things with regards to what I know.

Now I understand that what you are actually proposing is basically to
make IPSec in tunnel mode create a virtual interface. I don't know why
it has never been done so far.

-- 
Jeremie Le Hen

Men are born free and equal. Later on, they're on their own.
                                                        Jean Yanne
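As an added illustration of the "gif/gre tunnel + IPsec transport mode" setup Jeremie describes (example code written for this archive page, not from either poster): a small POSIX sh generator for the ifconfig(8) tunnel commands and the setkey(8) SPD entries. The addresses are constructed RFC 5737 documentation values; the SAs themselves are assumed to come from an IKE daemon and are not shown.

```shell
#!/bin/sh
# Added example, not part of the thread. Generates the FreeBSD configuration
# for a gif(4) tunnel whose encapsulated packets are protected by ESP in
# transport mode. Endpoint addresses below are constructed sample values.

# Emit the ifconfig commands for an IPv4-in-IPv4 gif tunnel with
# point-to-point inner addresses.
#   $1 = local outer IP  $2 = remote outer IP
#   $3 = local inner IP  $4 = remote inner IP
gif_tunnel_cmds() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 inet %s %s netmask 255.255.255.255\n' "$3" "$4"
}

# Emit setkey SPD entries that require ESP transport mode for the tunnel
# encapsulation protocol only: 4 (IP-in-IP, used by gif for an IPv4 inner
# header) or 47 (GRE). The "require" level drops an encapsulated packet
# that has no matching SA instead of sending it in the clear, while ordinary
# traffic between the two outer addresses is left untouched by this policy.
#   $1 = local outer IP  $2 = remote outer IP  $3 = IP protocol number
ipsec_transport_spd() {
    case "$3" in
        4|47) ;;
        *) echo "unsupported tunnel protocol number: $3" >&2; return 1 ;;
    esac
    printf 'spdadd %s %s %s -P out ipsec esp/transport//require;\n' "$1" "$2" "$3"
    printf 'spdadd %s %s %s -P in ipsec esp/transport//require;\n' "$2" "$1" "$3"
}

# Dry run with constructed addresses; feed the second part to `setkey -c`
# (and the first to sh) on a real host once the IKE daemon supplies SAs.
gif_tunnel_cmds 192.0.2.1 198.51.100.1 10.0.0.1 10.0.0.2
ipsec_transport_spd 192.0.2.1 198.51.100.1 4
```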