Date: Tue, 25 Oct 2005 14:43:01 +0200
From: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
To: freebsd-pf@freebsd.org
Subject: Re: Filtering IPSec traffic ?
Message-ID: <20051025124301.GA2824@zeninc.net>
In-Reply-To: <861x29bx9m.fsf@srvbsdnanssv.interne.kisoft-services.com>
References: <20051025095745.GA2581@zeninc.net> <d4f1333a0510250416m545761e2m5db8ffca126a39d6@mail.gmail.com> <20051025120539.GA2761@zeninc.net> <861x29bx9m.fsf@srvbsdnanssv.interne.kisoft-services.com>
On Tue, Oct 25, 2005 at 02:23:49PM +0200, Eric Masson wrote:
> VANHULLEBUS Yvan <vanhu_bsd@zeninc.net> writes:
>
> Hi Yvan,

Hi Eric :-)

> > That's the problem: enc0 doesn't seem to exist, at least on my
> > FreeBSD 6 gate (perhaps I missed something in the configuration, or
> > perhaps this is not a "real" interface ?) !!!
>
> The enc(4) interface doesn't exist in FreeBSD.

Yep, unfortunately...

> Atm, I use gif tunnels and transport mode between gateways, so I'm able
> to filter on gifs. The other main advantage in my case is that routing
> is explicit (no SPD inspection to check how packets are treated by the
> stack)

And the main problem of using gif interfaces seems to be a gif + IPSec +
filtering + forwarding problem for (at least) big TCP sessions (see the
thread on freebsd-net).

I'll try to do some tests with gif interfaces to see the advantages and
drawbacks, but this "bug" described in the gif(4) man page seems to be a
big drawback for me (I almost always use Tunnel mode for net-2-net
IPSec tunnels):

"The gif device may not interoperate with peers which are based on
different specifications, and are picky about outer header fields. For
example, you cannot usually use gif to talk with IPsec devices that use
IPsec tunnel mode."

Yvan.
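The setup Eric describes (a gif tunnel between the two gateways, transport-mode ESP protecting only the gif traffic, and the real filtering policy written against the gif interface) laid out as configuration for one gateway. This is an added example and not part of this thread or of any poster's files. The interface name fxp0, the outer addresses 192.0.2.1 / 198.51.100.1, the gif endpoints 10.0.0.1 / 10.0.0.2 and the site networks 10.1.0.0/24 / 10.2.0.0/24 are assumptions; the manual SA keys are dummies. Nothing here addresses the gif + IPsec + filtering + forwarding problem with big TCP sessions that Yvan mentions.

```conf
# /etc/rc.conf (relevant lines) - gateway A, outer address 192.0.2.1,
# site network 10.1.0.0/24; peer B is 198.51.100.1 with 10.2.0.0/24.
# All addresses and the interface name are placeholders for this example.
gateway_enable="YES"                                # forward between LAN and gif0
gif_interfaces="gif0"
gifconfig_gif0="192.0.2.1 198.51.100.1"             # outer (tunnel) endpoints
ifconfig_gif0="inet 10.0.0.1 10.0.0.2 netmask 255.255.255.255"  # inner point-to-point
static_routes="vpn"
route_vpn="-net 10.2.0.0/24 10.0.0.2"               # explicit routing via gif0, no SPD lookup needed
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
pf_enable="YES"
pf_rules="/etc/pf.conf"

# /etc/ipsec.conf - loaded with setkey(8) at boot. Transport-mode ESP
# protects only the IP-in-IP packets (protocol 4, "ip4" in setkey) that
# gif0 emits between the two outer addresses; nothing else is touched.
flush;
spdflush;
spdadd 192.0.2.1 198.51.100.1 ip4 -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 ip4 -P in  ipsec esp/transport//require;
# Manual SAs so the example is self-contained; in production let racoon(8)
# or another IKE daemon negotiate them. The keys are obvious dummies:
# generate real ones with something like "openssl rand -hex 16".
add 192.0.2.1 198.51.100.1 esp 0x1001 -E rijndael-cbc 0x00112233445566778899aabbccddeeff -A hmac-sha1 0x00112233445566778899aabbccddeeff00112233;
add 198.51.100.1 192.0.2.1 esp 0x1002 -E rijndael-cbc 0xffeeddccbbaa99887766554433221100 -A hmac-sha1 0xffeeddccbbaa99887766554433221100ffeeddcc;

# /etc/pf.conf
ext_if = "fxp0"              # placeholder external interface
me     = "192.0.2.1"
peer   = "198.51.100.1"
lan    = "10.1.0.0/24"
remote = "10.2.0.0/24"

set skip on lo0
block log all

# Outer leg on the wire: ESP between the gateways (and IKE, if racoon is used).
pass in  quick on $ext_if proto esp from $peer to $me
pass out quick on $ext_if proto esp from $me to $peer
pass in  quick on $ext_if proto udp from $peer to $me port 500
pass out quick on $ext_if proto udp from $me to $peer port 500
# Without enc(4) the decrypted IP-in-IP packet is handed back to the stack
# and pf sees it a second time on $ext_if as protocol 4 (ipencap), so it
# has to be passed here as well. This is the only place the ruleset needs
# to know IPsec is involved; the gif0 rules below are IPsec-agnostic.
pass in  quick on $ext_if proto ipencap from $peer to $me
pass out quick on $ext_if proto ipencap from $me to $peer

# Inner leg: the actual site-to-site policy, written against gif0 exactly
# as for any other interface. Only SSH and ICMP in from the remote site,
# anything out. (Rules for the LAN-side interface are omitted.)
pass in  on gif0 proto tcp  from $remote to $lan port 22 flags S/SA keep state
pass in  on gif0 proto icmp from $remote to $lan keep state
pass out on gif0 from $lan to $remote keep state
```

After loading, `setkey -DP` should show the two ip4 transport-mode policies and `pfctl -sr` the rule order above. The peer has to run the mirror image of this, including transport mode and gif on its side: a peer that only speaks IPsec tunnel mode is exactly the interoperability case the gif(4) man page warns about.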