On Thu, Jul 28 2016 at 24:09, Kim Zeitler wrote:

> Hello Hello,
> having run a 'pure' ipsec tunnel for some years now I was wondering if there
> are more advantages in using a tunnel like gre(4), gif(4) or etherip(4) over
> ipsec except being able to set the mtu or pass Layer2 traffic?
If you don't see the advantages, chances are that you don't *need* it. Adding another encapsulation layer is seen as a bad move if you don't need it (more fragmentation or a more reduced mtu).

I have done setups with gif for L2 connectivity over the internet (also a bad idea, but sometimes you don't have choices) and for handling easy ipsec redundancy. Let me explain the last statement.

I've built 2 tunnels from each remote to the main site, and added gif encapsulation over ipsec. That means I have 2 paths for the same destination. In order to choose the path automatically in a symmetric way, I used OSPF over gif to determine the best path. In this setup, gif/gre encapsulation is mandatory because OSPF uses multicast to discover peers and native IPSEC doesn't support it. OSPF also gave me route redistribution for free.

If you have only 2 sites, you can use other ways to check link connectivity rather than OSPF. You can use GRE keepalives (careful, it is not supported on Linux), ifstated to check and take actions in case of link failure, or just routes with different weights.

OpenBSD gives you tools; you have the responsibility to understand them and find the best one for your use case.

> > Thanks for your answer
> > Kim

Best regards,
Claer
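The redundant gif-over-IPsec setup described above, written out as an added OpenBSD configuration sketch for one remote site with two paths to the main site (not Claer's own config; all addresses are RFC 5737 documentation ranges, the PSK is a placeholder, and using `proto ipencap` to match the IPv4-in-IPv4 gif traffic in transport mode is an assumption):

```conf
# /etc/hostname.gif0  -- path 1, assumed addresses
# outer endpoints: remote public 192.0.2.10 -> main site public 198.51.100.1
tunnel 192.0.2.10 198.51.100.1
inet 10.255.0.2 10.255.0.1 netmask 255.255.255.255
up

# /etc/hostname.gif1  -- path 2, second public address on each side
tunnel 192.0.2.11 198.51.100.2
inet 10.255.1.2 10.255.1.1 netmask 255.255.255.255
up

# /etc/ipsec.conf  -- encrypt only the gif (IP-in-IP) traffic, per path
# transport mode is enough because gif already provides the tunnel header
ike esp transport proto ipencap from 192.0.2.10 to 198.51.100.1 \
    psk "PLACEHOLDER_PSK_PATH1"
ike esp transport proto ipencap from 192.0.2.11 to 198.51.100.2 \
    psk "PLACEHOLDER_PSK_PATH2"

# /etc/ospfd.conf  -- OSPF multicast hellos run inside the gif tunnels,
# so both paths are discovered; the lower metric wins, the other is standby
router-id 10.255.0.2
redistribute connected
area 0.0.0.0 {
    interface gif0 { metric 10 }
    interface gif1 { metric 20 }
}
```

Enable `ipsec=YES` and `ospfd_flags=""` in rc.conf.local on both sides; the main site mirrors the addresses, and OSPF withdraws a path on its own when that tunnel's hellos stop.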