From: Eric Masson <e-masson@kisoft-services.com>
To: VANHULLEBUS Yvan
Cc: freebsd-pf@freebsd.org
Subject: Re: Filtering IPSec traffic ?
Date: Tue, 25 Oct 2005 15:33:06 +0200
Message-ID: <86slupafhp.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <20051025124301.GA2824@zeninc.net> (VANHULLEBUS Yvan's message of "Tue, 25 Oct 2005 14:43:01 +0200")
References: <20051025095745.GA2581@zeninc.net> <20051025120539.GA2761@zeninc.net> <861x29bx9m.fsf@srvbsdnanssv.interne.kisoft-services.com> <20051025124301.GA2824@zeninc.net>
X-Operating-System: FreeBSD 5.4-RELEASE-p2 i386
List-Id: "Technical discussion and general questions about packet filter (pf)"

VANHULLEBUS Yvan writes:

> And the main problem of using gif interfaces seems to be a gif + IPSec
> + filtering + forwarding problem for (at least) big TCP sessions (see
> the thread on freebsd-net).

Just checked: maybe it's a regression, this kind of setup works on a prototype I've set up for a customer (early 5.x release) and in production (ipsec transport/gif/ipf on 4.8 and 4.10 boxes).

> I'll try to do some tests with gif interfaces to see the advantages
> and drawbacks, but this "bug" described in the gif(4) man page seems
> to be a big drawback for me (I'm quite always using Tunnel mode for
> net-2-net IPSec tunnels):
>
> "The gif device may not interoperate with peers which are based on
> different specifications, and are picky about outer header fields.
> For example, you cannot usually use gif to talk with IPsec devices
> that use IPsec tunnel mode."

Not really a bug per se, different encap specs, nothing more. It should interoperate with a similar setup like *BSD gifs on ipsec transport or linux ipip on ipsec transport mode.

I've tried with gre instead of gif tunnels in the early 5.x release days and it failed; maybe I should give it a try one of these days (too much daily job atm...)

Éric
--
The attitude of reminding a contributor that his post is against the newsgroup charter strikes me as pedantic, anal and probably "off-topic" as well. Which annoys me more than a post about TeX...
-+- Dr NV in GNU: The a(nal)dventures of Docteur Juste Tex. -+-
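What the "ipsec transport/gif" setup Éric describes looks like on one FreeBSD 5.x gateway, written for pf rather than ipf since this is the pf list. This is an added example, not Éric's configuration and not taken from the thread: the addresses (203.0.113.1/.2 for the two gateways, 192.168.1.0/24 and 192.168.2.0/24 behind them, 10.255.0.x on the gif link), the interface name fxp0, the SPIs and the keys are all invented for illustration, and the rc.conf knobs are the ones the 5.x-era rc scripts expose. The idea is the one discussed above: gif(4) produces IP-in-IP packets between the two gateways, IPsec in transport mode protects those packets, and because the decapsulated traffic appears on gif0 it can be filtered by its inner addresses there, which plain IPsec tunnel mode does not give you. As the quoted gif(4) text says, the remote end has to run the same gif-over-transport arrangement; a peer speaking IPsec tunnel mode will not talk to this.

```conf
# --- /etc/rc.conf (gateway A, 203.0.113.1; gateway B mirrors this) ---
# gif0 carries IPv4-in-IPv4 (protocol 4) between the two tunnel endpoints;
# the point-to-point addresses exist only so routes can point at the tunnel.
gif_interfaces="gif0"
gifconfig_gif0="203.0.113.1 203.0.113.2"
ifconfig_gif0="inet 10.255.0.1 10.255.0.2 netmask 255.255.255.255"
static_routes="remotelan"
route_remotelan="-net 192.168.2.0/24 10.255.0.2"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
pf_enable="YES"
pf_rules="/etc/pf.conf"

# --- /etc/ipsec.conf, loaded with setkey -f ---
# Transport-mode ESP applied to the IP-in-IP packets gif emits. "ipencap" is
# protocol 4 from /etc/protocols; "require" makes the kernel drop IP-in-IP
# from the peer that did not arrive inside ESP instead of accepting it in clear.
spdflush;
spdadd 203.0.113.1 203.0.113.2 ipencap -P out ipsec esp/transport//require;
spdadd 203.0.113.2 203.0.113.1 ipencap -P in  ipsec esp/transport//require;
# Manually keyed SAs so the lab runs without IKE. The keys below are
# constructed, lab-only values: replace them, or delete these lines and let
# racoon negotiate the SAs (then also keep the UDP/500 rules in pf.conf).
flush;
add 203.0.113.1 203.0.113.2 esp 0x10001 -m transport
    -E rijndael-cbc 0x00112233445566778899aabbccddeeff
    -A hmac-sha1 0x0011223344556677889900112233445566778899;
add 203.0.113.2 203.0.113.1 esp 0x10002 -m transport
    -E rijndael-cbc 0xffeeddccbbaa99887766554433221100
    -A hmac-sha1 0x9988776655443322110099887766554433221100;

# --- /etc/pf.conf ---
ext_if     = "fxp0"
tun_if     = "gif0"
me         = "203.0.113.1"
peer       = "203.0.113.2"
lan        = "192.168.1.0/24"
remote_lan = "192.168.2.0/24"

block log all

# On the outside interface only the envelope between the two gateways is
# visible: ESP, plus IKE if racoon is used. ipencap is listed as well because,
# depending on the IPsec stack, the filter may also see the IP-in-IP packet
# before it is wrapped in ESP (outbound) or after it is unwrapped (inbound).
pass in  quick on $ext_if proto { esp, ipencap } from $peer to $me
pass out quick on $ext_if proto { esp, ipencap } from $me to $peer
pass in  quick on $ext_if proto udp from $peer port 500 to $me port 500
pass out quick on $ext_if proto udp from $me port 500 to $peer port 500

# Once gif has stripped the outer header the inner packets show up on gif0,
# so the real policy (inner source/destination, ports) is written here.
pass in  on $tun_if from $remote_lan to $lan keep state
pass out on $tun_if from $lan to $remote_lan keep state
```

Tighten the two gif0 rules to the protocols and ports the sites actually exchange; the point of the arrangement is precisely that the inner 5-tuple is available on gif0, whereas on fxp0 pf can only match the gateway addresses and protocol 50.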