Re: IPSec VPNs: to gif or not to gif

From: Ruslan Ermilov (ru_at_FreeBSD.org)
Date: 10/22/03

  • Next message: Matthew George: "Re: IPSec VPNs: to gif or not to gif"
    Date: Wed, 22 Oct 2003 19:10:33 +0300
    To: Jim Hatfield <subscriber@insignia.com>

    On Wed, Oct 22, 2003 at 12:28:45PM +0100, Jim Hatfield wrote:
    > I will shortly be replacing a couple of proprietary VPN boxes
    > with a FreeBSD solution. Section 10.10 of the Handbook has a
    > detailed description of how to do this.
    >
    > However I remember a lot of discussion about a year ago about
    > whether the gif interface was necessary to set up VPNs like
    > this or whether it was just a convenience, for "getting the
    > routing right". A number of people said that gif was not
    > needed but I've never found a step-by-step description of how
    > to set up a lan-to-lan VPN without using it.
    >
    > Is the Handbook the current received wisdom on how to set this
    > up, and is the use of the gif interface indeed necessary?
    >
    > I also remember that the discussions diverted into a problem
    > with ipfw when gif was *not* used, but I haven't found any
    > messages to indicate that it was resolved. I recall suggestions
    > that a new interface esp0 be created so that ipfw could work
    > correctly on both the inner and outer packets of an ESP tunnel.
    >
    > Was that issue ever resolved?
    >
    The gif(4) is not required for a proper operation of IPsec VPN,
    but it could be of some convenience to have it. For example,
    our VPN is currently built on IPsec without gif(4) interfaces,
    and I have to add ugly "-net 192.168/16" routes through the
    network interface with the 192.168.x.y primary address on the
    IPsec gateways which also have external IP addresses, so that
    "ping 192.168.z.a" selects the 192.168.x.y source address, and
    the traffic is wrapped into IPsec. This works, but creates a
    lot of unneeded routes (unfilled ARP routes), and you cannot
    easily watch the traffic by tcpdump(1) and ipfw(8). The use
    of the gif(4) tunnels, and securing only them with IPsec,
    as described in the Handbook, should fix all these problems,
    so I'm seriously considering adding gif(4) tunnels.

    Hope this is helpful.

    Cheers,

    -- 
    Ruslan Ermilov		Sysadmin and DBA,
    ru@sunbay.com		Sunbay Software Ltd,
    ru@FreeBSD.org		FreeBSD committer
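
The two setups Ruslan contrasts, written out side by side as an added example (it is not from the thread or the Handbook): a constructed pair of FreeBSD IPsec gateways, once without gif(4) and once with a gif(4) tunnel that is the only thing IPsec protects. All addresses are made up, and the `route -iface` and setkey(8) SPD syntax are assumed to be those of FreeBSD of that era; the functions only print the configuration and touch nothing on the host.

```shell
#!/bin/sh
# Added example: print the two IPsec gateway configurations discussed in
# the thread. Nothing here is applied; each function just emits text.

LOCAL_EXT=203.0.113.1      # constructed: our gateway's public address
REMOTE_EXT=198.51.100.1    # constructed: peer gateway's public address
LOCAL_NET=192.168.1.0/24   # constructed: LAN behind us
REMOTE_NET=192.168.2.0/24  # constructed: LAN behind the peer
LOCAL_IN=192.168.1.1       # constructed: our LAN-side (private) address
REMOTE_IN=192.168.2.1      # constructed: peer's LAN-side (private) address

# Variant 1, no gif(4): the SPD selects the private networks directly in
# ESP tunnel mode. The "ugly" interface route is needed so the kernel has
# a route to the remote LAN at all and picks the 192.168.x.y source
# address, which is what makes the packet match the SPD and get wrapped.
# Every additional subnet pair costs another route and two SPD entries,
# and the plaintext never crosses an interface tcpdump(1)/ipfw(8) can see.
nogif_config() {
    cat <<EOF
route add -net $REMOTE_NET -iface $LOCAL_IN
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_EXT-$REMOTE_EXT/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec esp/tunnel/$REMOTE_EXT-$LOCAL_EXT/require;
EOF
}

# Variant 2, gif(4) tunnel: private traffic is routed over gif0 like any
# point-to-point link, and the SPD only has to protect the IP-in-IP
# (ipencap) packets between the two public addresses. Adding a subnet is
# one ordinary route; the SPD stays at two entries, and the inner packets
# are visible on gif0 for tcpdump(1) and ipfw(8).
gif_config() {
    cat <<EOF
ifconfig gif0 create
ifconfig gif0 tunnel $LOCAL_EXT $REMOTE_EXT
ifconfig gif0 inet $LOCAL_IN $REMOTE_IN netmask 0xffffffff
route add -net $REMOTE_NET $REMOTE_IN
spdadd $LOCAL_EXT/32 $REMOTE_EXT/32 ipencap -P out ipsec esp/tunnel/$LOCAL_EXT-$REMOTE_EXT/require;
spdadd $REMOTE_EXT/32 $LOCAL_EXT/32 ipencap -P in ipsec esp/tunnel/$REMOTE_EXT-$LOCAL_EXT/require;
EOF
}

# Number of SPD entries each variant needs for the configured subnet pair.
spd_entries() { "$1" | grep -c '^spdadd'; }
```

Feed the `spdadd` lines to `setkey -c` and run the `ifconfig`/`route` lines on each gateway, mirroring the address pairs on the peer.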