IPsec tunnel mode with gif


IPsec tunnel mode with gif

Kajetan Staszkiewicz-2
Hi group,

For many years I have used the trick of running a GRE or GIF tunnel encrypted
with IPSec transport mode, both on FreeBSD and Linux. That allows me to run
BGP or OSPF on the tunnels.

I am also aware of IPsec tunnel mode, which kind of works for me, although it is
not my personal choice.

Both modes of operation seem quite straightforward.

Yet for a reason beyond my understanding the FreeBSD Handbook proposes a 3rd mode:
using a GIF tunnel together with IPSec tunnel mode. I really don't understand
how that is supposed to work. People On The Internet also seem not to be able
to understand the reasoning behind such a solution. Since the IPSec stack provides
its own encapsulation in tunnel mode, packets coming to a router would never
reach the GIF interface and would never be encapsulated by it. Same for
packets received: they would be de-encapsulated by the IPsec stack and reinjected
with internal IP addresses on a public interface of the router, or they would
appear on the enc0 interface if it is in use.

Am I wrong? Or is the Handbook wrong?

--
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
|  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
|        Vegeta          | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'


Re: IPsec tunnel mode with gif

Bjoern A. Zeeb
On 20 Jul 2017, at 22:02, Kajetan Staszkiewicz wrote:

> Yet for a reason beyond my understanding FreeBSD handbook proposes a 3rd mode:
> using a GIF tunnel together with IPSec tunnel mode. I really don't understand
> how is that supposed to work. People On The Internet also seem not to be able
..
> Am I wrong? Or is the Handbook wrong?

The handbook is outdated and I think what you are referring to is from
the early days of the IPv6/IPsec stack implementation times probably
during FreeBSD 4.

What you are doing (gre/gif inside transport mode, to possibly get a
link-state change as well), or BGP over transport mode directly, is both
fine.


I think the short answer:  updates to the handbook would be very
welcome!

/bz
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[hidden email]"
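As an added example (not from either post and not FreeBSD project code), the script below generates, but does not apply, the gif-over-IPsec-transport-mode setup Kajetan describes: the ifconfig(8) commands for gif0 and the setkey(8) SPD entries that protect only the gif encapsulation. All addresses are constructed placeholders from the RFC 5737 documentation ranges; rc.conf wiring and SA negotiation by an IKE daemon are assumed and left out.

```shell
#!/bin/sh
# Generates (does not apply) a gif tunnel protected by IPsec transport mode.
LOCAL_PUB=203.0.113.1     # our public endpoint (constructed placeholder)
REMOTE_PUB=198.51.100.1   # peer public endpoint (constructed placeholder)
LOCAL_TUN=10.0.0.1        # inside addresses that BGP/OSPF peer on (constructed)
REMOTE_TUN=10.0.0.2

# gif(4) does the encapsulation: inner packet -> IPv4 protocol 4 (ipencap)
# between the two public endpoints. The routing daemon sees gif0 as an
# ordinary point-to-point link, which IPsec tunnel mode alone does not give.
gif_commands() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 inet %s %s netmask 255.255.255.252\n' "$3" "$4"
    printf 'ifconfig gif0 up\n'
}

# SPD entries for setkey(8). Because gif has already built the outer IP-in-IP
# packet, a transport-mode policy keyed on the public endpoints and upper
# protocol "ipencap" encrypts exactly the tunnel traffic and nothing else.
# Level "require" means a gif packet is dropped rather than sent in the clear
# while no SA exists; the SAs themselves are assumed to come from IKE.
spd_policy() {
    printf 'spdadd %s/32 %s/32 ipencap -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s/32 %s/32 ipencap -P in  ipsec esp/transport//require;\n' "$2" "$1"
}

# Sanity check on a generated policy: both directions present, both at level
# "require". A "use" level would silently fall back to cleartext gif.
policy_is_complete() {
    n_out=$(printf '%s\n' "$1" | grep -c -- '-P out ipsec esp/transport//require')
    n_in=$(printf '%s\n' "$1" | grep -c -- '-P in  ipsec esp/transport//require')
    [ "$n_out" -eq 1 ] && [ "$n_in" -eq 1 ]
}

gif_commands "$LOCAL_PUB" "$REMOTE_PUB" "$LOCAL_TUN" "$REMOTE_TUN"
spd_policy "$LOCAL_PUB" "$REMOTE_PUB"
```

Feed the spdadd lines to `setkey -c` (or an ipsec.conf loaded at boot) on both routers with the endpoints swapped, and let IKE negotiate the ESP SAs.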