IPSec tunnel interfaces (was: freebsd vpn server behind nat dsl router) - Jeremie Le Hen - org.freebsd.freebsd-security

13 messages in org.freebsd.freebsd-securityIPSec tunnel interfaces (was: freebsd...

From	Sent On	Attachments
Robert Johannes	Mar 7, 2007 4:30 pm
VANHULLEBUS Yvan	Mar 7, 2007 5:28 pm
Robert Johannes	Mar 7, 2007 6:04 pm
VANHULLEBUS Yvan	Mar 7, 2007 9:24 pm
Tom Judge	Mar 7, 2007 9:55 pm
Robert Johannes	Mar 7, 2007 11:14 pm
Robert Johannes	Mar 7, 2007 11:22 pm
Thomas Wahyudi	Mar 8, 2007 1:58 am
Tom Judge	Mar 8, 2007 7:57 am
Jeremie Le Hen	Mar 10, 2007 7:40 pm
Robert Johannes	Mar 14, 2007 7:06 pm
Tom Judge	Mar 15, 2007 2:28 am
Robert Johannes	Mar 27, 2007 4:31 am

Subject:	IPSec tunnel interfaces (was: freebsd vpn server behind nat dsl router)
From:	Jeremie Le Hen (jere...@le-hen.org)
Date:	Mar 10, 2007 7:40:57 pm
List:	org.freebsd.freebsd-security

Hi Yvan,

On Wed, Mar 07, 2007 at 06:06:17PM +0100, VANHULLEBUS Yvan wrote:

- FreeBSD handbook talks about Gif interfaces for IPSec tunnels. Just forget that part and use directly IPSec tunnels without Gif interfaces.

While I understand why using gif(4) to create IPSec tunnels is not recommended because of interoperability, administratively it is pretty useful to see the tunnel as an interface. Everything that comes along such as routes, firewall rules et al work very naturally. I'm no IPSec expert as you probably are and I seem to recall the RFC advises (requires ?) it to be implemented as a bump in a stack. However, is it reasonable to expect to see this in the future ?

It seems the enc(4) interface provides this feature somehow but only for FAST_IPSEC. What is the doom of IPSEC ? Are they to be merged in the future, or is it possible to make the enc(4) work with IPSEC as well ?

Thank you. Regards,

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets