Date: Tue, 22 Aug 2006 09:06:43 +1200
From: Andrew Thompson <thompsa@freebsd.org>
To: Jeremie Le Hen <jeremie@le-hen.org>
Cc: remko@freebsd.org, Andrew Pantyukhin <infofarmer@FreeBSD.org>, net@freebsd.org
Subject: Re: [fbsd] Re: Routing IPSEC packets?
Message-ID: <20060821210643.GE90346@heff.fud.org.nz>
In-Reply-To: <20060821162830.GA58048@obiwan.tataz.chchile.org>
References: <44E58E9E.1030401@FreeBSD.org> <44E5F19E.9070600@isi.edu> <cb5206420608181236h34c0b85fwffc93bdd6c6979f4@mail.gmail.com> <44E619F7.7030300@isi.edu> <cb5206420608181258w3c845f93w589525e4c7293816@mail.gmail.com> <20060821162830.GA58048@obiwan.tataz.chchile.org>
On Mon, Aug 21, 2006 at 06:28:30PM +0200, Jeremie Le Hen wrote:
> Hi Andrew,
>
> On Fri, Aug 18, 2006 at 11:58:08PM +0400, Andrew Pantyukhin wrote:
> > I'm actually trying to marry FreeBSD to PIX. The latter only
> > supports IPSec (tunnel/transport). I'm still struggling with
> > firewalls on both sides, but tunnel-tunnel works right now.
> > I'm a bit puzzled because the howto I see
> > (http://www.bshell.com/projects/freebsd_pix/) uses gif(4)
> > with tunnel-mode IPSec. Either something is wrong with
> > the way things work or the author doesn't understand what
> > he's doing (or both). The bitter thing is that we have a
> > similar setup in our handbook:
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
>
> As it has indeed already been stated in this thread, IPSec tunnel mode
> shunts the routing table. However the new enc(4) interface that Andrew
> Thompson has imported from OpenBSD allows filtering IPSec traffic in a
> more natural way. Maybe it also brings the ability to route IPSec
> tunnels, or even bridge them with if_bridge(4). I Cc'ed him for clarification.

At the moment enc(4) isn't really a real interface and while ipsec traffic
seems to pass through it, it actually doesn't. The ipsec code just calls
the enc code which does pfil/bpf with a preallocated enc0. I'm sure this
could be extended to allow routing and other tricks.

Andrew
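The practical point of the pfil hook on enc0 that Andrew describes is that a firewall can finally tell inner (decrypted) IPsec traffic apart from plaintext that merely claims to come from the remote network. Without it, a rule on the physical interface that admits the peer's private range would also admit a spoofed cleartext packet carrying the same source address. The following pf.conf fragment is an added illustration of that split, not part of the thread or of FreeBSD's own documentation; the interface name em0, the peer address 203.0.113.2, the local address 203.0.113.1 and the two private ranges are constructed placeholders.

```pf
# Added example (not from the thread): filter outer and inner IPsec
# traffic separately. Interface and address values are placeholders.
ext_if   = "em0"
local_gw = "203.0.113.1"
peer_gw  = "203.0.113.2"
local_net = "10.1.0.0/16"
remote_net = "10.2.0.0/16"

# Outer side, on the physical interface: only IKE and ESP from the known
# peer are accepted. Cleartext packets with an inner-network source are
# dropped here; legitimate ones only ever appear after decryption on enc0.
block in on $ext_if from $remote_net to any
pass in on $ext_if proto udp from $peer_gw to $local_gw port 500
pass in on $ext_if proto esp from $peer_gw to $local_gw

# Inner side, on enc0: this is where the decrypted payload is handed to
# pfil, so the real source/destination addresses can be policed here.
block in on enc0 all
pass in on enc0 from $remote_net to $local_net
block out on enc0 all
pass out on enc0 from $local_net to $remote_net
```

Because pf evaluates the last matching rule unless `quick` is used, the `block ... all` lines sit above the `pass` lines they narrow. The same enc0 hook feeds bpf, so `tcpdump -i enc0` shows the decrypted packets these rules act on, which is the quickest way to confirm that traffic is really traversing the tunnel rather than being routed in the clear.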