From: Yu-Shun Wang <yushunwa@isi.edu>
Date: Fri, 18 Aug 2006 09:58:06 -0700
To: remko@FreeBSD.org, net@FreeBSD.org
Subject: Re: Routing IPSEC packets?
Message-ID: <44E5F19E.9070600@isi.edu>
In-Reply-To: <44E58E9E.1030401@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

Remko Lodder wrote:
> Hi friends,
>
> I was looking around for using IPsec services instead of
> OpenVPN services, but I found out that with our current
> implementation of IPsec, we cannot actually route packets
> through the various IPsec hops [1]. OpenBSD adds IPsec
> flows in their routing table, making it possible to route
> traffic between IPsec tunnels.
>
> Can someone either confirm my above statement that FreeBSD
> is indeed not capable of doing this?

It's not an implementation issue, but a design problem with IPsec
tunnel mode. See RFC 3884: the proposed solution is to use an IP-IP
tunnel (the gif interface in FreeBSD, which you can route), then apply
IPsec transport mode on the outer header. Refer to the RFC for more
detail. The policy will be different, but we verified long ago with
FreeBSD that it works. The packets on the wire are compatible with
regular tunnel-mode IPsec.

yushun

> In the case that does not exist yet, are there others that
> also like this feature? And is there someone who can do
> the coding in that case? (I am not skilled enough to do
> this).
>
> I hope to get some good feedback :-)
>
> Please keep me CC'ed since I am not subscribed to the
> list.
>
> Thanks a lot!
> Cheers,
> Remko
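The arrangement the reply describes, written out as an added example (this is not Yu-Shun's or Remko's configuration and not text from RFC 3884): a hub gateway with two gif tunnels, one to each spoke site, so that traffic between the two spoke networks is forwarded from gif0 to gif1 by the ordinary routing table, with a setkey(8) transport-mode ESP policy bound to the IP-IP (ip4) packets between each pair of outer addresses. The shell functions, interface names and all addresses (RFC 5737 documentation ranges) are constructed for illustration; the script only generates the ifconfig/route commands and the setkey SPD file, it does not apply them, and the ESP SAs themselves (IKE via racoon, or manual `add` lines) are left out.

```sh
#!/bin/sh
# Added example, not from the original thread: generate the FreeBSD
# configuration for RFC 3884-style tunnels -- a gif IP-IP tunnel that is
# routed like any other interface, protected by an IPsec transport-mode
# policy on the outer (tunnel endpoint) addresses.  Addresses below are
# constructed documentation-range values, not real hosts.

# Per-tunnel interface and routing commands for one gateway.
#   $1 gif interface       $2 local outer address   $3 remote outer address
#   $4 local inner (p2p)   $5 remote inner (p2p)    $6 network behind the peer
gif_tunnel_config() {
    gif=$1; lo=$2; ro=$3; li=$4; ri=$5; rnet=$6
    cat <<EOF
# --- $gif: IP-IP tunnel $lo -> $ro, carrying $rnet ---
ifconfig $gif create
ifconfig $gif tunnel $lo $ro
ifconfig $gif inet $li $ri netmask 0xffffffff
route add -net $rnet $ri
EOF
}

# setkey(8) SPD entries for one tunnel: require ESP in transport mode on
# the IP-IP packets (upperspec "ip4", protocol 4) between the two outer
# addresses.  Only the outer header is matched, so every inner prefix
# routed into the gif is covered without a per-prefix policy, and the
# wire format (outer IP | ESP | inner IP | payload) is the same as ESP
# tunnel mode.
gif_spd_policy() {
    lo=$1; ro=$2
    cat <<EOF
spdadd $lo $ro ip4 -P out ipsec esp/transport//require;
spdadd $ro $lo ip4 -P in  ipsec esp/transport//require;
EOF
}

# Hub gateway (outer 198.51.100.1): gif0 to spoke A, gif1 to spoke B.
# Forwarding must be on so packets decapsulated from gif0 can be
# routed out gif1 and re-encapsulated there.
hub_config() {
    echo 'sysctl net.inet.ip.forwarding=1'
    gif_tunnel_config gif0 198.51.100.1 192.0.2.10   10.0.0.1 10.0.0.2 10.1.0.0/16
    gif_tunnel_config gif1 198.51.100.1 203.0.113.20 10.0.0.5 10.0.0.6 10.2.0.0/16
}

# Matching SPD file for the hub; load with: setkey -f hub.conf
hub_spd() {
    printf 'flush;\nspdflush;\n'
    gif_spd_policy 198.51.100.1 192.0.2.10
    gif_spd_policy 198.51.100.1 203.0.113.20
}

hub_config
echo
hub_spd
```

Each spoke gets the mirror image: one gif_tunnel_config call with its own outer address as `$2`, the hub's as `$3`, and a route for the other spoke's network (or a default) pointing at the hub's inner address, plus the corresponding gif_spd_policy pair. Because the policy keys on the outer addresses and protocol 4 only, adding a third spoke network later is a routing change, not an SPD change.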