mirror of https://git.dn42.dev/wiki/wiki.git synced 2024-12-18 05:25:53 +01:00
wiki/gre-plus-ipsec.md
2013-01-02 21:49:44 +01:00

GRE+IPsec

Why GRE?

  • GRE provides universal encapsulation on top of IP.
  • It has a smaller header than UDP.
  • GRE tunnels are processed in-kernel on *nix systems.
  • It's supported by hardware routers.

Why IPsec?

  • GRE provides no encryption or authentication of its own.
  • IPsec is implemented in-kernel on FreeBSD and Linux with multithreaded encryption, resulting in lower latency than userspace VPN daemons using tun/tap interfaces.

Problems with GRE

  • GRE is defined directly on top of IP.
  • Broken NAPT implementations will stop GRE tunnels.

Problems with IPsec

  • ESP is defined directly on top of IP.
  • NAT support was added as an afterthought to IPsec.
  • IKEv1 is too complex.
  • Racoon has useless error messages.

Requirements for sane operation

How to configure a GRE tunnel on FreeBSD

How to configure IPsec on FreeBSD