Re: IPSec VPNs: to gif or not to gif
From: Jim Hatfield (subscriber_at_insignia.com)
Date: 10/23/03
- Previous message: G. Panula: "Re: IPSec VPNs: to gif or not to gif"
- Maybe in reply to: Jim Hatfield: "IPSec VPNs: to gif or not to gif"
- Next in thread: Nikolay Petrov: "Re: IPSec VPNs: to gif or not to gif"
To: freebsd-security@freebsd.org
Date: Thu, 23 Oct 2003 15:29:02 +0100
On Wed, 22 Oct 2003 13:34:30 +0100, in local.freebsd.security you
wrote:
>
>I use gif interfaces for my VPNs, and it works extremely well. The
>only other solution I think I would even try is mpd, but that uses a
>much weaker protocol from what I know (PPTP).
>
>It's so easy to use gif, I'm not sure why you wouldn't.

Looking at the Handbook again, I'm even more confused now!

I had decided that the IPSec processing must be using Transport
mode, since the tunnelling was handled by the gif interface.
But not so. The diagram right at the bottom of that section of
the Handbook clearly shows that the original packet is encapsulated
twice, once by IPSec Tunnel mode and once by the gif interface.

To me, this just feels wrong. The packet only needs to be
encapsulated once, so why do it twice? It's an unnecessary use of
bandwidth and processor time.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"