ae53aeaaebadeaf8ab4912c4fe79b3c722173779
gre-plus-ipsec.md
| ... | ... | @@ -1,13 +1,27 @@ |
| 1 | -# Why GRE? |
|
| 1 | +# GRE+IPsec |
|
| 2 | 2 | |
| 3 | -# Why IPsec? |
|
| 3 | +## Why GRE? |
|
| 4 | +* [GRE](https://en.wikipedia.org/wiki/GRE) provides universal encapsulation on top of IP. |
|
| 5 | +* It has a smaller header than UDP. |
|
| 6 | +* GRE tunnels are processed in-kernel on *nix systems. |
|
| 7 | +* It's supported by hardware routers. |
|
| 4 | 8 | |
| 5 | -# Problems with GRE |
|
| 9 | +## Why IPsec? |
|
| 10 | +* GRE provides no encryption and authentication of it's own. |
|
| 11 | +* IPsec in implemented in-kernel on FreeBSD and Linux with multithreaded encryption resulting in a lower latency than userspace VPN daemons using tun/tap interfaces. |
|
| 6 | 12 | |
| 7 | -# Problems with IPsec |
|
| 13 | +## Problems with GRE |
|
| 14 | +* GRE is defined directly on top of IP. |
|
| 15 | +* Broken NAPT implementations will stop GRE tunnels. |
|
| 8 | 16 | |
| 9 | -# Requirements for sane operation |
|
| 17 | +## Problems with IPsec |
|
| 18 | +* ESP is defined directly on top of IP. |
|
| 19 | +* NAT support was added as an aftertought to IPsec. |
|
| 20 | +* IKEv1 is too complex. |
|
| 21 | +* Racoon has useless error messages. |
|
| 10 | 22 | |
| 11 | -# How to configure a GRE tunnel on FreeBSD |
|
| 23 | +## Requirements for sane operation |
|
| 12 | 24 | |
| 13 | -# How to configure IPsec on FreeBSD |
|
| ... | ... | \ No newline at end of file |
| 0 | +## How to configure a GRE tunnel on FreeBSD |
|
| 1 | + |
|
| 2 | +## How to configure IPsec on FreeBSD |
|
| ... | ... | \ No newline at end of file |
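Review bot: In "Problems with GRE" and "Problems with IPsec", the bullets "GRE is defined directly on top of IP." and "ESP is defined directly on top of IP." state a property without saying why it is a problem. Add the consequence: neither protocol carries port numbers, so a port-translating NAT has nothing to multiplex on. That would also motivate the NAPT and NAT bullets that follow them. Three typos in the added bullets need fixing: "it's own" should be "its own" (new line 10), "IPsec in implemented" should be "IPsec is implemented" (new line 11), and "aftertought" should be "afterthought" (new line 19). The claim on new line 11 that in-kernel multithreaded encryption gives lower latency than userspace daemons on tun/tap is stated without a measurement or reference; cite one or soften the wording. "IKEv1 is too complex." and "Racoon has useless error messages." would be more useful to a reader if they named what to use or check instead. "Requirements for sane operation" and both "How to configure ..." headings are still empty, and the file ends without a trailing newline.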