if_ipsec
Jeremie Le Hen
jlh at FreeBSD.org
Thu Jun 14 15:57:57 UTC 2012
Eugene
On Thu, Jun 14, 2012 at 01:12:01PM +0600, Eugene M. Zheganin wrote:
> Hi,
>
> On 09.06.2012 23:07, Jeremie Le Hen wrote:
> > What is usually done for convenience is to create a gif(4) or gre(4)
> > tunnel to another network, which is then encrypted using IPSec
> > transport mode. The inner IP/GRE header is considered as the payload
> > and it is encrypted. The benefit of this approach is that you "see"
> > your tunnel, it looks more natural from a system point of view. I
> > haven't used IPSec in tunnel mode for more than a decade, so I don't
> > remember how it is manageable. But with the IPSec transport mode +
> > gif/gre tunnel, you see a full-fledged interface toward the other
> > network, through which you can route your traffic.
> Yeah, but nowadays this is sort of a legacy thing.
> Modern router OSes, like IOS or JunOS operate the ipsec interfaces, and
> these interfaces are visible in the system and are fully operational in
> the context of the dynamic routing, and I mean here sending/receiving
> packets from/to these interfaces. I just wanted FreeBSD to have such a
> capability.
>
> Thank you for an explanation though. Seems like you read only the first
> few lines of my post. I am fully capable... whatever. Seems like I've
> already said this in my initial message.

Not at all, I read the whole mail thoroughly actually :-). But I don't
work on Cisco/Juniper equipment so I didn't exactly grasp what you
meant.

By explaining what I know about IPSec on FreeBSD, I didn't mean to let
you think you aren't capable -- and I'm sorry if you take it that way --
it was just to engage you to explain things with regards to what I
know.

Now I understand that what you are actually proposing is basically to
make IPSec in tunnel mode create a virtual interface. I don't know why
it has never been done so far.

--
Jeremie Le Hen
Men are born free and equal. Later on, they're on their own.
Jean Yanne
More information about the freebsd-net
mailing list