Re: IPSec VPNs: to gif or not to gif
From: John (strgout_at_unixjunkie.com)
Date: Wed, 22 Oct 2003 15:53:52 -0500 To: firstname.lastname@example.org
On Wed, Oct 22, 2003 at 12:28:45PM +0100, Jim Hatfield wrote:
> I will shortly be replacing a couple of proprietary VPN boxes
> with a FreeBSD solution. Section 10.10 of the Handbook has a
> detailed description of how to do this.
> However I remember a lot of discussion about a year ago about
> whether the gif interface was necessary to set up VPNs like
> this or whether it was just a convenience, for "getting the
> routing right". A number of people said that gif was not
> needed but I've never found a step-by-step description of how
> to set up a lan-to-lan VPN without using it.
> Is the Handbook the current received wisdom on how to set this
> up, and is the use of the gif interface indeed necessary?
> I also remember that the discussions diverted into a problem
> with ipfw when gif was *not* used, but I haven't found any
> messages to indicate that it was resolved. I recall suggestions
> that a new interface esp0 be created so that ipfw could work
> correctly on both the innner and outer packets of an ESP tunnel.
> Was that issue ever resolved?
> jim hatfield
> email@example.com mailing list
> To unsubscribe, send any mail to "firstname.lastname@example.org"
I think one reason someone might want to use gif interfaces is becuase
trasport mode ipsec doesn't require the peer address, if you then
do a gif tunnel over the transport ipsec you have dynamic vpn based
on a 509 cert or some crazy jazz like that.
I however just do tunnel mode ipsec with no gif tunnel and packet filter
to only allow protocol 50 and udp 500 to/from the remote peer.
If any of the kame folks are watching, thanks for writing racoon!
email@example.com mailing list
To unsubscribe, send any mail to "firstname.lastname@example.org"