Date: Tue, 25 Oct 2005 15:33:06 +0200
From: Eric Masson <e-masson@kisoft-services.com>
To: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Filtering IPSec traffic ?
Message-ID: <86slupafhp.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <20051025124301.GA2824@zeninc.net> (VANHULLEBUS Yvan's message of "Tue, 25 Oct 2005 14:43:01 +0200")
References: <20051025095745.GA2581@zeninc.net> <d4f1333a0510250416m545761e2m5db8ffca126a39d6@mail.gmail.com> <20051025120539.GA2761@zeninc.net> <861x29bx9m.fsf@srvbsdnanssv.interne.kisoft-services.com> <20051025124301.GA2824@zeninc.net>
VANHULLEBUS Yvan <vanhu_bsd@zeninc.net> writes:

> And the main problem of using gif interfaces seems to be a gif + IPSec
> + filtering + forwarding problem for (at least) big TCP sessions (see
> the thread on freebsd-net).

Just checked; maybe it's a regression, as this kind of setup works on a
prototype I've set up for a customer (early 5.x release) and in production
(ipsec transport/gif/ipf on 4.8 and 4.10 boxes).

> I'll try to do some tests with gif interfaces to see the advantages
> and drawbacks, but this "bug" described in the gif(4) man page seems
> to be a big drawback for me (I'm almost always using Tunnel mode for
> net-2-net IPSec tunnels):
>
> "The gif device may not interoperate with peers which are based on
> different specifications, and are picky about outer header fields.
> For example, you cannot usually use gif to talk with IPsec devices
> that use IPsec tunnel mode."

Not really a bug per se: different encap specs, nothing more. It should
interoperate with a similar setup, like *BSD gifs on ipsec transport or
linux ipip on ipsec transport mode.

I've tried with gre instead of gif tunnels in the early 5.x release days
and it failed; maybe I should give it a try one of these days (too much
daily job atm...)

Éric
--
The attitude of reminding a contributor that their post is contrary to
the newsgroup charter strikes me as pedantic, anal and probably also
"off-topic". Which annoys me more than a post about TeX...
-+- Dr NV in GNU: The a(nal)ventures of Docteur Juste Tex. -+-
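A minimal FreeBSD configuration for the gif-over-ESP-transport setup Éric describes (gif(4) carrying the site-to-site traffic as IP-in-IP, the carrier packets protected by transport-mode ESP, the cleartext filtered on gif0), added here as an illustration; it is not from the thread and not from either poster. The addresses, the interface name fxp0 and the placement of the ipencap pf rules on the outside interface are assumptions; SA establishment (an IKE daemon or manual setkey "add" lines) and the LAN-side pf rules are not shown. As the quoted gif(4) text says, the peer must run the same encapsulation (gif, or Linux ipip, over transport-mode ESP), not plain IPsec tunnel mode, and the kernel needs the IPSEC option.

```conf
# /etc/rc.conf (additions). Assumed addresses: 192.0.2.1 is this gateway,
# 198.51.100.1 the peer; 10.0.1.0/24 is the local site, 10.0.2.0/24 the remote.
gif_interfaces="gif0"
gifconfig_gif0="192.0.2.1 198.51.100.1"
ifconfig_gif0="inet 10.0.1.254 10.0.2.254 netmask 255.255.255.255"
static_routes="vpn"
route_vpn="-net 10.0.2.0/24 10.0.2.254"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
pf_enable="YES"
pf_rules="/etc/pf.conf"

# /etc/ipsec.conf (loaded with setkey -f). Only the IP-in-IP carrier packets
# gif0 emits (ipencap, protocol 4) are protected, in ESP transport mode.
# "require" drops the packet when no SA exists, so nothing leaves in clear.
# The SAs themselves come from IKE or from manual "add" lines (not shown).
flush;
spdflush;
spdadd 192.0.2.1/32 198.51.100.1/32 ipencap -P out ipsec esp/transport//require;
spdadd 198.51.100.1/32 192.0.2.1/32 ipencap -P in  ipsec esp/transport//require;

# /etc/pf.conf. The encrypted stream is filtered on the outside interface,
# the cleartext inner traffic on gif0. LAN interface rules are omitted.
ext_if     = "fxp0"
peer       = "198.51.100.1"
local_net  = "10.0.1.0/24"
remote_net = "10.0.2.0/24"

set skip on lo0
block log all

# IKE (udp/500) and ESP only from/to the configured peer.
pass in  quick on $ext_if proto udp from $peer to ($ext_if) port isakmp
pass out quick on $ext_if proto udp from ($ext_if) to $peer port isakmp
pass in  quick on $ext_if proto esp from $peer to ($ext_if)
pass out quick on $ext_if proto esp from ($ext_if) to $peer

# Assumption: pf sees the IP-in-IP carrier packet on $ext_if (on input after
# ESP decapsulation, on output before ESP). Restrict it to the peer too.
pass in  quick on $ext_if proto ipencap from $peer to ($ext_if)
pass out quick on $ext_if proto ipencap from ($ext_if) to $peer

# The actual site policy: only the two site networks may cross the tunnel.
pass in  quick on gif0 from $remote_net to $local_net
pass out quick on gif0 from $local_net to $remote_net
```

The point of splitting the rules this way is that the cleartext policy lives on gif0, where source and destination are the real inner addresses, while the outside interface only ever accepts ESP, IKE and the ipencap carrier from the one expected peer; an ipencap packet arriving in clear from anywhere else is blocked by the default rule.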
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86slupafhp.fsf>