Layer 2 Tunneling over IPSec - GIF Interface

  • Hello Community

    At the moment I am trying to evaluate a layer 2 tunnel between 2 locations over an Ethernet WAN tunnel. What is special about my setup is that I need to bring the whole layer 2, with a lot of VLANs, to both locations. I don't want to create separate IP subnets for every VLAN. I want to trunk my complete layer 2 Ethernet.

    In the beginning I created an OpenVPN setup. I established a site-to-site tunnel between my 2 locations and bridged the network interfaces "LAN" and "OpenVPN tap". Finally I was able to broadcast over the tunnel on both sites, and everything seemed to be OK. But I don't like to use OpenVPN.

    Now I want to use IPsec as the tunnel method. I created an IPsec tunnel in transport mode between the WAN interfaces. Afterwards I created the GIF interfaces with the WAN as parent. So I was able to ping through the IPsec tunnel and through the GIF tunnel.

    I bridged the GIF and the LAN interface like with OpenVPN, but the layer 2 Ethernet was not established on both sites. I tried a tcpdump at the LAN interfaces and I get confusing frames / packets: "ethertype unknown, 0xc0a8, length 80:"


  • Is this just an experiment or is there a reason to not just use OpenVPN or an IPsec VPN?

  • Thanks for your quick reply,

    I don't want to have the bandwidth limitation of the OpenVPN tap adapter. I need more than a 10/100 Mbit network. I tested the OpenVPN tunnel with the layer 2 bridge; my result was about 90-110 Mbit throughput.

    Is there a possibility to get more performance by using IPsec?


  • It depends on what your bottleneck is. If you are hitting the limit of your bandwidth (data + overhead), probably no. In that case I doubt IPsec would be better than OpenVPN. If it's a hardware limit, as in a CPU limit, perhaps IPsec can perform better than OpenVPN depending on the processor and crypto support.

  • OK…

    But what about my problem with bridging the GIF and the LAN interface? Is there a problem in pfSense? I use 2.2.1.

  • No idea. Never tried it. I'm not a master bridge builder. That's a recent fad I haven't got into.

  • Rebel Alliance Developer Netgate

    It should work fine. I've seen some people run with that in production, though it is not something I would generally recommend.

    Make sure there isn't any traffic getting blocked in the firewall log, and make sure any trace of the old OpenVPN bridge is gone first.

    Show the full uncensored "ifconfig -a" output from both ends and it may lead to some clues as well.

  • I tested the OpenVPN tunnel with the layer 2 bridge; my result was about 90-110 Mbit throughput.

    Bridge if you must, and route if you can.

    Is there a possibility to get more performance by using IPsec?

    The only thing I think of while reading this is the following: why not use L2TP over IPsec?

    Is there a possibility to get more performance by using IPsec?

    Surely, and many more on top:

    • using a VPN accelerator card that takes the crypto-intensive operations off the CPU
      - Soekris vpn1411 or vpn1401 cards could work
      - Exar DX1700 if supported in pfSense and you are in the USA
      - Intel Xeon E3 or E5 CPU with four cores and 3.0 GHz
      - AES-NI supporting CPU such as the Intel Atom C2000 series
      Not sure about this:
      - Comtech AHA AHA363PCIE0301G 5 Gbit/s GZIP compression/decompression accelerator card
      But for the Comtech card some more experienced user should say something about it.

    But at least this hardware would not be able to speed up the entire WAN line, only the
    throughput for sure; another or bigger WAN line is sold by your ISP.

  • Thanks for your reply,

    I would use L2TP over IPsec if pfSense were able to manage L2TPv3, but pfSense doesn't support L2TPv3 at the moment. I have to trunk a lot of VLANs over the tunnel. Routing is not possible. And I know there could be a lot of L2 broadcast, but I have to bridge an L2 tunnel. Both locations need native L2 and the VLANs.

    For the performance, I looked at the pfSense box with "top" and the CPU is mostly idle (OpenVPN variant).

    Has anyone an idea why there are unknown frames / packets in tcpdump when bridging the "GIF" and the "IPsec interface (WAN)"?

    Thanks again :)
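Added example (not part of the thread, and not pfSense or FreeBSD code): the tcpdump line quoted in the first post, "ethertype unknown, 0xc0a8, length 80", is what you get when a bare IPv4 packet is handed to the Ethernet side of a bridge. gif(4) is an IP-in-IP tunnel that carries no Ethernet header, so a packet coming out of the GIF interface has no destination MAC, source MAC or EtherType; the bridge and tcpdump simply read the first 14 bytes of the IPv4 header as if they were one. Bytes 12-13 of an IPv4 header are the first two octets of the source address, and 0xc0a8 is 192.168, so the "unknown EtherType" is the start of the peer's 192.168.x.x source IP. The script below builds such a packet and shows the misparse side by side with a real Ethernet frame. The addresses, MACs and 60-byte payload are constructed; the only thing taken from the thread is the 192.168 prefix and the 80-byte length.

```python
import socket
import struct

ETHER_HDR_LEN = 14   # dst MAC (6) + src MAC (6) + EtherType (2)
IPV4_HDR_LEN = 20    # minimal IPv4 header, no options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src_ip: str, dst_ip: str, payload: bytes, proto: int = 1) -> bytes:
    """Build a bare IPv4 packet: what a gif(4) IP-in-IP tunnel delivers, with no Ethernet header."""
    total_len = IPV4_HDR_LEN + len(payload)
    # version/IHL, DSCP/ECN, total length, ID, flags/frag (DF set), TTL, proto, checksum=0, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = ipv4_checksum(hdr)
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    return hdr + payload


def build_ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Wrap a payload in an Ethernet II header, as a LAN NIC or an OpenVPN tap interface does."""
    return struct.pack("!6s6sH", dst_mac, src_mac, ethertype) + payload


def parse_ethernet(frame: bytes) -> dict:
    """Decode the first 14 bytes as an Ethernet II header, exactly as a bridge or tcpdump does."""
    if len(frame) < ETHER_HDR_LEN:
        raise ValueError("too short for an Ethernet frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETHER_HDR_LEN])
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "ethertype": ethertype,
        "length": len(frame),
    }


def what_the_bridge_sees(ip_packet: bytes) -> dict:
    """Misparse a bare IP packet as an Ethernet frame and report where the bogus
    EtherType really comes from: bytes 12-13 of an IPv4 header are the first two
    octets of the source address."""
    view = parse_ethernet(ip_packet)
    view["ethertype_is_src_ip_prefix"] = "%d.%d" % (ip_packet[12], ip_packet[13])
    return view


# Constructed sample (assumption: tunnel endpoints somewhere in 192.168.0.0/16; only
# the 192.168 part follows from 0xc0a8). The 60-byte payload makes the packet
# 80 bytes long, matching the "length 80" in the thread.
SAMPLE_PACKET = build_ipv4_packet("192.168.1.10", "192.168.2.10", bytes(60))
SAMPLE_FRAME = build_ethernet_frame(bytes.fromhex("001122334455"),
                                    bytes.fromhex("66778899aabb"), 0x0800, SAMPLE_PACKET)


if __name__ == "__main__":
    bad = what_the_bridge_sees(SAMPLE_PACKET)
    print("bare IP packet read as a frame: ethertype 0x%04x, length %d (source IP starts %s)"
          % (bad["ethertype"], bad["length"], bad["ethertype_is_src_ip_prefix"]))
    good = parse_ethernet(SAMPLE_FRAME)
    print("real Ethernet frame: ethertype 0x%04x, length %d" % (good["ethertype"], good["length"]))
```

Reading the result back onto the thread: the 0xc0a8 frames seen on LAN are IP packets that came out of the GIF tunnel from the far side and were put on the wire without any Ethernet header, and in the other direction the Ethernet frames from LAN cannot be carried by gif at all, because it only encapsulates IP. A tunnel that bridges with a LAN has to carry whole Ethernet frames, which is what the OpenVPN tap interface in the first post did and what gif over IPsec does not do.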
