Date:      Sat, 29 Oct 2005 13:01:05 +0200
From:      Jeremie Le Hen <jeremie@le-hen.org>
To:        Eric Masson <e-masson@kisoft-services.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Filtering IPSec traffic ?
Message-ID:  <20051029110105.GA38361@obiwan.tataz.chchile.org>
In-Reply-To: <861x29bx9m.fsf@srvbsdnanssv.interne.kisoft-services.com>
References:  <20051025095745.GA2581@zeninc.net> <d4f1333a0510250416m545761e2m5db8ffca126a39d6@mail.gmail.com> <20051025120539.GA2761@zeninc.net> <861x29bx9m.fsf@srvbsdnanssv.interne.kisoft-services.com>

Hi, Eric, Yvan,

> The enc(4) interface doesn't exist in FreeBSD.
> 
> Atm, I use gif tunnels and transport mode between gateways, so I'm able
> to filter on gifs. The other main advantage in my case is that routing
> is explicit (no SPD inspection to check how packets are treated by the
> stack)

I also use gif(4) for now as a workaround.  I would like to be more
precise for the records though.

AFAIK, OpenBSD's enc(4) interface sees traffic from an IPSec session,
whether in transport or tunnel mode.  When tunnel mode is used, you
should see IP encapsulated traffic and thus use the "ipencap" keyword
in pf (as stated in OpenBSD's vpn(8) manual page).

FreeBSD doesn't have the enc(4) interface.  It will not be able to
see traffic in either transport or tunnel mode and, as Eric stated,
the kernel does have to check SPD policy in addition to the routing
table.  To work around this, you can use gif(4) which will basically
do IP-over-IP encapsulation and then use IPSec transport mode to
encrypt the traffic whose upper protocol is IPv4:

% ifconfig gif0 tunnel 1.2.3.4 5.6.7.8        # run on the host owning 1.2.3.4
% setkey -c <<EOF
# "ip4" matches only the IP-in-IP packets gif0 emits/receives
spdadd 1.2.3.4 5.6.7.8 ip4 -P out ipsec esp/transport//require;
spdadd 5.6.7.8 1.2.3.4 ip4 -P in ipsec esp/transport//require;
EOF

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
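An added example (not from this thread) that puts the workaround together as a script: shell functions that emit the setkey(8) SPD entries and the pf(4) rules for filtering on gif0, plus a separate function that applies them on the gateway. Assumed values: outer addresses 1.2.3.4 (local) and 5.6.7.8 (peer), inner addresses 10.0.0.1/10.0.0.2, uplink interface em0.

```shell
#!/bin/sh
# Added example, not part of the original mail: gif(4) + IPsec transport
# mode + pf(4) filtering on gif0.  Assumed values: outer addresses
# 1.2.3.4 (local) / 5.6.7.8 (peer), inner 10.0.0.1 / 10.0.0.2, uplink em0.

# Print setkey(8) SPD entries for the host that owns LOCAL.  The "ip4"
# upper-layer selector matches only the IP-in-IP packets gif0 emits, so
# everything the tunnel carries must be ESP-protected (transport mode),
# while other traffic between the two hosts is left alone.
gif_ipsec_policy() {
    local_ip=$1; peer_ip=$2
    cat <<EOF
spdadd $local_ip $peer_ip ip4 -P out ipsec esp/transport//require;
spdadd $peer_ip $local_ip ip4 -P in ipsec esp/transport//require;
EOF
}

# Print pf rules: on the uplink only ESP between the two peers gets
# through (SAs must exist: manual "add" in setkey or a keying daemon),
# and the clear-text inner traffic is filtered on gif0, the only place
# FreeBSD without enc(4) lets pf see it.  Inner policy here: ssh only.
gif_pf_rules() {
    ext_if=$1; local_ip=$2; peer_ip=$3; inner_ip=$4
    cat <<EOF
pass in quick on $ext_if proto esp from $peer_ip to $local_ip
pass out quick on $ext_if proto esp from $local_ip to $peer_ip
block in log on gif0 all
pass in on gif0 proto tcp from any to $inner_ip port 22 keep state
pass out on gif0 all keep state
EOF
}

# Wire it up (root on FreeBSD required; not exercised by the test).
apply_gif_tunnel() {
    ifconfig gif0 create
    ifconfig gif0 tunnel 1.2.3.4 5.6.7.8
    ifconfig gif0 inet 10.0.0.1 10.0.0.2 netmask 255.255.255.255
    gif_ipsec_policy 1.2.3.4 5.6.7.8 | setkey -c
    gif_pf_rules em0 1.2.3.4 5.6.7.8 10.0.0.1 | pfctl -f -
}
```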