VANHULLEBUS Yvan <[EMAIL PROTECTED]> writes:

> And the main problem of using gif interfaces seems to be a gif + IPSec
> + filtering + forwarding problem for (at least) big TCP sessions (see
> the thread on freebsd-net).

Just checked, maybe it's a regression, this kind of setup works on a prototype I've set up for a customer (early 5.x release) and in production (ipsec transport/gif/ipf on 4.8 and 4.10 boxes).

> I'll try to do some tests with gif interfaces to see the advantages
> and drawbacks, but this "bug" described in the gif(4) man page seems
> to be a big drawback for me (I'm quite always using Tunnel mode for
> net-2-net IPSec tunnels):
>
> "The gif device may not interoperate with peers which are based on
> different specifications, and are picky about outer header fields.
> For example, you cannot usually use gif to talk with IPsec devices
> that use IPsec tunnel mode."

Not really a bug per se, different encap specs, nothing more. It should interoperate with a similar setup like *BSD gifs on ipsec transport or linux ipip on ipsec transport mode.

I've tried with gre instead of gif tunnels in the early 5.x release days and it failed, maybe I should give it a try one of these days (too much daily job atm...)

Éric

--
The attitude of reminding a contributor that his post is contrary to the newsgroup charter strikes me as pedantic, anal and probably also "off-topic". Which annoys me more than a post about TeX...
-+- Dr NV in GNU : Les a(nale)ventures de Docteur Juste Tex. -+-

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
