IPSec VPNs: to gif or not to gif

From: Jim Hatfield (subscriber_at_insignia.com)
Date: 10/22/03

  • Next message: Lukas Maly: "Re: IPSec VPNs: to gif or not to gif"
    To: freebsd-security@freebsd.org
    Date: Wed, 22 Oct 2003 12:28:45 +0100
    
    

    I will shortly be replacing a couple of proprietary VPN boxes
    with a FreeBSD solution. Section 10.10 of the Handbook has a
    detailed description of how to do this.

    However I remember a lot of discussion about a year ago about
    whether the gif interface was necessary to set up VPNs like
    this or whether it was just a convenience, for "getting the
    routing right". A number of people said that gif was not
    needed but I've never found a step-by-step description of how
    to set up a lan-to-lan VPN without using it.

    Is the Handbook the current received wisdom on how to set this
    up, and is the use of the gif interface indeed necessary?

    I also remember that the discussions diverted into a problem
    with ipfw when gif was *not* used, but I haven't found any
    messages to indicate that it was resolved. I recall suggestions
    that a new interface esp0 be created so that ipfw could work
    correctly on both the inner and outer packets of an ESP tunnel.

    Was that issue ever resolved?

    jim hatfield

