IPSec VPNs: to gif or not to gif
Jim Hatfield
subscriber at insignia.com
Thu Oct 23 07:29:05 PDT 2003
On Wed, 22 Oct 2003 13:34:30 +0100, in local.freebsd.security you wrote:
>
>I use gif interfaces for my VPNs, and it works extremely well. The
>only other solution I think I would even try, is mpd, but that uses a
>much weaker protocol from what I know (PPTP).
>
>It's so easy to use gif, I'm not sure why you wouldn't.
Looking at the Handbook again, I'm even more confused now!
I had decided that the IPSec processing must be using Transport
mode, since the tunnelling was handled by the gif interface.
But not so. The diagram right at the bottom of that section of
the Handbook clearly shows that the original packet is encapsulated
twice, once by IPSec Tunnel mode and once by the gif interface.
To me, this just feels wrong. The packet only needs to be
encapsulated once, so why do it twice? It's an unnecessary use of
bandwidth and processor time.
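To make the "encapsulated twice" point concrete, here is an added example (not code from the post, from the FreeBSD Handbook or from the gif(4)/IPsec implementation) that models the framing both ways: a gif IP-in-IP tunnel wrapped in ESP tunnel mode, as the Handbook diagram shows, beside the same gif tunnel protected with ESP transport mode. Header sizes are a simplified model: a fixed 20-byte IPv4 header, an 8-byte ESP header (SPI + sequence number) and a 2-byte ESP trailer, with no IV, padding or integrity check value, so real ESP overhead is larger and depends on the algorithms chosen. The addresses and the inner UDP datagram are constructed sample values.

```python
"""Model of gif(4) IP-in-IP encapsulation combined with ESP tunnel vs. transport mode.

Added example, not part of the original mailing-list post. ESP sizes are assumptions
(no IV, no padding, no ICV); the IPv4 header checksum is left zero, so the bytes built
here are for counting layers and overhead, not for sending on the wire.
"""
import struct

IPV4_HLEN = 20      # minimum IPv4 header, no options
ESP_HDR = 8         # SPI (4) + sequence number (4)        -- assumed model size
ESP_TRAILER = 2     # pad length (1) + next header (1)     -- assumed, padding ignored
PROTO_IPIP = 4      # IPv4-in-IPv4, what gif(4) uses for an IPv4-over-IPv4 tunnel
PROTO_ESP = 50
PROTO_NAMES = {6: "TCP", 17: "UDP"}


def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at zero; model only)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, IPV4_HLEN + payload_len,
                       0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def gif_encapsulate(inner, outer_src, outer_dst):
    """What gif(4) does: prepend an outer IPv4 header with protocol 4 (IP-in-IP)."""
    return ipv4_header(outer_src, outer_dst, PROTO_IPIP, len(inner)) + inner


def esp_tunnel(pkt, gw_src, gw_dst, spi=1):
    """ESP tunnel mode: the whole packet, its IP header included, becomes the ESP
    payload and a brand-new outer IPv4 header is added in front of it."""
    body = struct.pack("!II", spi, 1) + pkt + bytes([0, PROTO_IPIP])  # next header: IPv4
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, len(body)) + body


def esp_transport(pkt, spi=1):
    """ESP transport mode: keep the existing IPv4 header, protect only what follows it,
    and patch the header's protocol field to ESP and its total length."""
    hdr, payload = bytearray(pkt[:IPV4_HLEN]), pkt[IPV4_HLEN:]
    orig_proto = hdr[9]
    body = struct.pack("!II", spi, 1) + payload + bytes([0, orig_proto])
    hdr[9] = PROTO_ESP
    struct.pack_into("!H", hdr, 2, IPV4_HLEN + len(body))
    return bytes(hdr) + body


def layers(pkt):
    """Walk the nested headers from the outside in and name each layer.

    ESP is only walkable here because the model's trailer is in the clear; on a real
    packet the payload is encrypted and the walk would stop at the ESP header.
    """
    out, proto = [], None
    while True:
        if proto is None or proto == PROTO_IPIP:
            out.append("IPv4")
            proto, pkt = pkt[9], pkt[IPV4_HLEN:]
        elif proto == PROTO_ESP:
            out.append("ESP")
            proto, pkt = pkt[-1], pkt[ESP_HDR:-ESP_TRAILER]
        else:
            out.append(PROTO_NAMES.get(proto, str(proto)))
            return out


def compare(inner_payload_len=100):
    """Return {variant: (layer list, bytes added on top of the original packet)}."""
    # Constructed sample: a UDP datagram between hosts on the two LANs behind the gateways.
    inner = ipv4_header("10.1.0.5", "10.2.0.7", 17, inner_payload_len) + bytes(inner_payload_len)
    gw_a, gw_b = "192.0.2.1", "198.51.100.1"      # documentation addresses for the two gateways
    over_gif = gif_encapsulate(inner, gw_a, gw_b)
    twice = esp_tunnel(over_gif, gw_a, gw_b)       # the Handbook layout: gif inside ESP tunnel mode
    once = esp_transport(over_gif)                 # gif tunnel protected with ESP transport mode
    return {
        "gif+tunnel": (layers(twice), len(twice) - len(inner)),
        "gif+transport": (layers(once), len(once) - len(inner)),
    }


if __name__ == "__main__":
    for name, (stack, overhead) in compare().items():
        print(f"{name:14s} {' > '.join(stack):32s} +{overhead} bytes per packet")
```

Run as a script it prints one line per variant; the tunnel-mode stack shows two IPv4 headers inside ESP (the gif header and the original one), the transport-mode stack shows only the original inner header inside ESP, and the difference in per-packet overhead is exactly the 20-byte IPv4 header that tunnel mode adds on top of the one gif already supplies. What that extra header buys is that the gif outer header itself ends up inside the encrypted payload rather than exposed on the wire.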