e7301b7dc6349f5aca724498a1d4fd7ac321d7fb
gre-plus-ipsec.md
... | ... | @@ -1,13 +1,27 @@ |
1 | -# Why GRE? |
|
1 | +# GRE+IPsec |
|
2 | 2 | |
3 | -# Why IPsec? |
|
3 | +## Why GRE? |
|
4 | +* [GRE](https://en.wikipedia.org/wiki/GRE) provides universal encapsulation on top of IP. |
|
5 | +* It has a smaller header than UDP. |
|
6 | +* GRE tunnels are processed in-kernel on *nix systems. |
|
7 | +* It's supported by hardware routers. |
|
4 | 8 | |
5 | -# Problems with GRE |
|
9 | +## Why IPsec? |
|
10 | +* GRE provides no encryption and authentication of it's own. |
|
11 | +* IPsec in implemented in-kernel on FreeBSD and Linux with multithreaded encryption resulting in a lower latency than userspace VPN daemons using tun/tap interfaces. |
|
6 | 12 | |
7 | -# Problems with IPsec |
|
13 | +## Problems with GRE |
|
14 | +* GRE is defined directly on top of IP. |
|
15 | +* Broken NAPT implementations will stop GRE tunnels. |
|
8 | 16 | |
9 | -# Requirements for sane operation |
|
17 | +## Problems with IPsec |
|
18 | +* ESP is defined directly on top of IP. |
|
19 | +* NAT support was added as an aftertought to IPsec. |
|
20 | +* IKEv1 is too complex. |
|
21 | +* Racoon has useless error messages. |
|
10 | 22 | |
11 | -# How to configure a GRE tunnel on FreeBSD |
|
23 | +## Requirements for sane operation |
|
12 | 24 | |
13 | -# How to configure IPsec on FreeBSD |
|
... | ... | \ No newline at end of file |
0 | +## How to configure a GRE tunnel on FreeBSD |
|
1 | + |
|
2 | +## How to configure IPsec on FreeBSD |
|
... | ... | \ No newline at end of file |
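Review bot: In the "Problems with GRE" and "Problems with IPsec" sections, the bullets "GRE is defined directly on top of IP" and "ESP is defined directly on top of IP" state a property rather than the problem it causes. Say what follows from it: neither protocol carries port numbers, so NAPT devices cannot multiplex them the way they do TCP and UDP, which is what the neighbouring NAPT and NAT bullets are getting at. Three typos in the added lines also need fixing: "of it's own" should be "of its own", "IPsec in implemented" should be "IPsec is implemented", and "aftertought" should be "afterthought". "Requirements for sane operation" and both FreeBSD how-to headings are still empty, so either fill them in or mark them as TODO, and add the missing newline at the end of the file.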