Date: Sun, 18 Aug 2002 12:26:42 +0200
From: Alex Kiesel <alex.kiesel@document-root.de>
To: Borja Marcos <borjamar@sarenet.es>
Subject: Re: esp tunnel without gif(4) [Was Re: vpn1/fw1 NG to ipsec/racoon troubles, help please ...]
Message-ID: <20020818102642.GA23114@schlund.de>
In-Reply-To: <200208041224.10309.borjamar@sarenet.es>
References: <sd4ab7c6.030@aus-gwia.aus.dcnhs.org> <200208041224.10309.borjamar@sarenet.es>
On Aug 04, 2002, Borja Marcos wrote:
> On Friday 02 August 2002 23:47, Matthew Grooms wrote:
> > It's only backwards if you are used to implementing IPSEC communications
> > in a non-giff'd configuration. As mentioned before, this is endorsed by
> > many how-to's available. If you don't like this method, don't use it. I
> > for one prefer the giffed alternative but will be more than happy to
> > admit that the benefits appear to be mostly cosmetic.
>
> I am not using gif right now, but I see two important advantages.
>
> I suppose it will be possible to put firewall rules in a gif interface.
> Imagine that you establish a tunnel with a not so trusted party, only for a
> limited purpose.

As I understand http://asherah.dyndns.org/~josh/ipsec-howto.txt, Topic 4:

"The major change that is done is the use of the gif(4) device to get the
routing correct. Note that traffic is *not* transported through the gif(4)
tunnel! Instead the IPsec code in the kernel grabs the packets according to
the specified policy and wraps them with the correct IP addresses for the
IPsec tunnel. Effectively the packets receive new IP addresses which don't
resemble a path through the gif tunnel."

... packets won't go through the gif-interface, so you cannot create
firewall-rules based on the gif-interface (ok, you can - they won't get
executed).

Alex

--
Alex Kiesel                                   PGP Key: 0x09F4FA11
Schlund+Partner Entwicklung Unix
The problem with troubleshooting is that trouble shoots back!
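The gif(4)-plus-tunnel-mode layout the thread is arguing about, written out as an added configuration example; it is not taken from the thread, from the how-to quoted above, or from FreeBSD's own sample files. The gateway and subnet addresses are constructed from the RFC 5737 documentation ranges, fxp0 is an assumed outer interface, and the rc.conf variables, setkey(8) policy syntax and ipfw(8) rule-file format are the FreeBSD ones of that era. The point it illustrates is the one Alex makes: the SPD entries, not gif0, decide which packets get wrapped in ESP, so the filtering has to be attached to the outer interface.

```conf
# --- /etc/rc.conf fragment -------------------------------------------------
# Local gateway:  outer 203.0.113.1,  inner network 192.168.1.0/24  (constructed)
# Remote gateway: outer 198.51.100.1, inner network 192.168.2.0/24  (constructed)
gif_interfaces="gif0"
gifconfig_gif0="203.0.113.1 198.51.100.1"
# Point-to-point inner addresses; gif0 exists only so the route below resolves.
ifconfig_gif0="inet 192.168.1.1 192.168.2.1 netmask 255.255.255.255"
static_routes="vpn"
route_vpn="-net 192.168.2.0/24 192.168.2.1"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"

# --- /etc/ipsec.conf (loaded with: setkey -f /etc/ipsec.conf) ----------------
# The SPD grabs inner-network traffic and wraps it in ESP between the OUTER
# addresses. Nothing here refers to gif0: the tunnel is a policy, not a device.
flush;
spdflush;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in  ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;

# --- /etc/ipfw.rules (each line is an ipfw command without the "ipfw" prefix) -
add 100 allow ip from any to any via lo0
# IKE (racoon) and ESP between the two gateways, matched on the outer interface.
add 200 allow udp from 203.0.113.1 500 to 198.51.100.1 500 out via fxp0
add 210 allow udp from 198.51.100.1 500 to 203.0.113.1 500 in via fxp0
add 220 allow esp from 203.0.113.1 to 198.51.100.1 out via fxp0
add 230 allow esp from 198.51.100.1 to 203.0.113.1 in via fxp0
# Inner (cleartext) traffic. Assumption drawn from the how-to's description:
# the decapsulated packet is re-injected and seen by ipfw on fxp0, not gif0.
# Confirm on a live box by watching the counters with `ipfw -a list`.
add 300 allow ip from 192.168.2.0/24 to 192.168.1.0/24 in via fxp0
add 310 allow ip from 192.168.1.0/24 to 192.168.2.0/24 out via fxp0
# A rule keyed on gif0, like the commented one below, never matches in this
# setup, so it cannot be used to restrict the "not so trusted party".
# add 400 allow ip from 192.168.2.0/24 to 192.168.1.0/24 in via gif0
add 65000 deny ip from any to any
```

The practical check is the one a defender would run anyway: after a few pings across the tunnel, `ipfw -a list` shows packet counts climbing on the fxp0 rules (220/230 for the ESP carrier, 300/310 for the inner traffic) while any rule written `via gif0` stays at zero. If the remote side is to be limited to a particular service, the restriction belongs in rules 300/310 on the outer interface, narrowed to the permitted ports, or in the SPD itself by replacing `any` with a specific upper-layer protocol.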