Re: IPSec VPNs: to gif or not to gif

From: John (strgout_at_unixjunkie.com)
Date: 10/22/03

    Date: Wed, 22 Oct 2003 15:53:52 -0500
    To: freebsd-security@freebsd.org
    
    

    On Wed, Oct 22, 2003 at 12:28:45PM +0100, Jim Hatfield wrote:
    > I will shortly be replacing a couple of proprietary VPN boxes
    > with a FreeBSD solution. Section 10.10 of the Handbook has a
    > detailed description of how to do this.
    >
    > However I remember a lot of discussion about a year ago about
    > whether the gif interface was necessary to set up VPNs like
    > this or whether it was just a convenience, for "getting the
    > routing right". A number of people said that gif was not
    > needed but I've never found a step-by-step description of how
    > to set up a lan-to-lan VPN without using it.
    >
    > Is the Handbook the current received wisdom on how to set this
    > up, and is the use of the gif interface indeed necessary?
    >
    > I also remember that the discussions diverted into a problem
    > with ipfw when gif was *not* used, but I haven't found any
    > messages to indicate that it was resolved. I recall suggestions
    > that a new interface esp0 be created so that ipfw could work
    > correctly on both the inner and outer packets of an ESP tunnel.
    >
    > Was that issue ever resolved?
    >
    > jim hatfield
    > _______________________________________________
    > freebsd-security@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-security
    > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    I think one reason someone might want to use gif interfaces is because
    transport mode ipsec doesn't require the peer address, if you then
    do a gif tunnel over the transport ipsec you have dynamic vpn based
    on a 509 cert or some crazy jazz like that.

    I however just do tunnel mode ipsec with no gif tunnel and packet filter
    to only allow protocol 50 and udp 500 to/from the remote peer.

    If any of the kame folks are watching, thanks for writing racoon!
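Added example (not part of the thread, and not John's or the FreeBSD project's configuration): a small sh script that generates the setkey(8) tunnel-mode SPD entries and the ipfw rules for the gif-less setup described in the reply above, admitting only ESP (IP protocol 50) and IKE (UDP 500) to/from the remote peer on the outside interface. The peer and LAN addresses and the interface name fxp0 are constructed placeholders, and racoon is assumed to negotiate the SAs.

```shell
#!/bin/sh
# Added example, not from the thread: tunnel-mode IPsec LAN-to-LAN VPN on
# FreeBSD without a gif interface, as described in the reply above.
# Addresses and interface name are constructed placeholders; override via env.
LOCAL_PEER=${LOCAL_PEER:-198.51.100.1}    # our public (IKE/ESP) address
REMOTE_PEER=${REMOTE_PEER:-203.0.113.1}   # remote peer's public address
LOCAL_NET=${LOCAL_NET:-192.168.1.0/24}    # LAN behind this gateway
REMOTE_NET=${REMOTE_NET:-192.168.2.0/24}  # LAN behind the remote gateway
OUTER_IF=${OUTER_IF:-fxp0}                # interface facing the remote peer

# setkey(8) security policy: traffic between the two LANs must go through
# an ESP tunnel between the peers. The SAs are negotiated by racoon, so no
# manual "add" lines and no gif tunnel are needed.
gen_spd() {
  cat <<EOF
spdflush;
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_PEER-$REMOTE_PEER/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec esp/tunnel/$REMOTE_PEER-$LOCAL_PEER/require;
EOF
}

# ipfw rules. On the outside interface only IKE (UDP 500) and ESP
# (IP protocol 50, "esp" in /etc/protocols) to/from the known peer are
# accepted; everything else via that interface is denied. The inner
# (decapsulated) packets carry LAN addresses, so rules 200/210 match on
# address rather than interface and carry no "via".
gen_ipfw() {
  cat <<EOF
add 100 allow udp from $LOCAL_PEER 500 to $REMOTE_PEER 500 via $OUTER_IF
add 110 allow udp from $REMOTE_PEER 500 to $LOCAL_PEER 500 via $OUTER_IF
add 120 allow esp from $LOCAL_PEER to $REMOTE_PEER via $OUTER_IF
add 130 allow esp from $REMOTE_PEER to $LOCAL_PEER via $OUTER_IF
add 200 allow ip from $LOCAL_NET to $REMOTE_NET
add 210 allow ip from $REMOTE_NET to $LOCAL_NET
add 65000 deny ip from any to any via $OUTER_IF
EOF
}

# To apply on the gateway (as root):
#   gen_spd  | setkey -c
#   gen_ipfw > /etc/ipfw.vpn && ipfw -q /etc/ipfw.vpn
```

Rules for other interfaces and services on the gateway are not shown; they would be added alongside these with their own numbers.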
