IPSec VPNs: to gif or not to gif

Jim Hatfield subscriber at insignia.com
Wed Oct 22 04:28:48 PDT 2003


I will shortly be replacing a couple of proprietary VPN boxes
with a FreeBSD solution. Section 10.10 of the Handbook has a 
detailed description of how to do this.

However I remember a lot of discussion about a year ago about
whether the gif interface was necessary to set up VPNs like
this or whether it was just a convenience, for "getting the
routing right". A number of people said that gif was not 
needed but I've never found a step-by-step description of how
to set up a lan-to-lan VPN without using it.

Is the Handbook the current received wisdom on how to set this
up, and is the use of the gif interface indeed necessary?

I also remember that the discussions diverted into a problem
with ipfw when gif was *not* used, but I haven't found any
messages to indicate that it was resolved. I recall suggestions
that a new interface esp0 be created so that ipfw could work
correctly on both the inner and outer packets of an ESP tunnel.

Was that issue ever resolved?

jim hatfield

