From owner-freebsd-stable Fri Nov 22 6:53:43 2002
From: "Cambria, Mike"
To: 'Helge Oldach', archie@dellroad.org, "'larse@isi.edu'"
Cc: guido@gvr.org, dkelly@hiwaay.net, hausen@punkt.de, archie@dellroad.org, sullrich@CRE8.COM, greg.panula@dolaninformation.com, FreeBSD-stable@FreeBSD.ORG
Subject: RE: IPsec/gif VPN tunnel packets on wrong NIC in ipfw? SOLUTION AND QUESTIONS
Date: Fri, 22 Nov 2002 09:53:18 -0500
Message-ID: <3A6D367EA1EFD4118C9B00A0C9DD99D7E4EF56@rerun.avayactc.com>

> -----Original Message-----
> From: Helge Oldach [mailto:freebsd-stable-21nov02@oldach.net]
> [deleted]
> Seems to me that we need some trickery routing using shadow routes to
> make this work, similar to using gif interfaces with ESP tunnel mode.
> This would add another point of confusion and violate POLA. Seems to me
> that an esp0 interface is really only useful for ESP tunnel mode. In that
> case it should be a point-to-point interface similar to gif.
>
> Perhaps worth mentioning: ESP transport mode over a gif tunnel is
> *not* the same as ESP tunnel mode. Having a FreeBSD box with transport
> mode/gif work against a non-FreeBSD machine in ESP tunnel mode will not
> work.
If you are referring to IPIP tunnels (e.g. gif) and then applying IPsec transport mode to the outer IP, see http://www.isi.edu/larse/papers/draft-touch-ipsec-vpn-04.txt or the IETF ID site on how this works. Most of their work has been on FreeBSD, using IPIP tunnels (i.e. gif), then applying IPsec transport mode. The draft explains how this can interoperate with IPsec tunnel mode at the other end (the point of the draft) and is, in fact, indistinguishable.

Now, if you are referring to using gif and IPsec _tunnel_ mode .... why would one want to even do this?

MikeC

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
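The interoperability claim in the reply above (gif IP-in-IP plus transport-mode ESP on the outer header comes out the same on the wire as ESP tunnel mode) can be checked by modelling both encapsulations byte for byte. The following Python is an added illustration, not code from this thread or from the draft it cites. It assumes IPv4 inner and outer headers, ESP with NULL encryption (RFC 2410) and HMAC-SHA1-96 (RFC 2404) so the payload stays visible, a fixed outer TTL and IP identification (a live gif/IPsec stack picks those itself, so only the layout and ESP contents are compared), and a constructed key, sample inner packet and RFC 5737 documentation addresses.

```python
"""Wire-format model: gif + transport-mode ESP versus ESP tunnel mode.

Added illustration; all addresses, keys and packets below are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP = 4    # IP-in-IP, the protocol gif(4) uses for IPv4-over-IPv4
IPPROTO_ESP = 50
ICV_LEN = 12        # HMAC-SHA1-96 truncates the tag to 96 bits

# Constructed sample values (assumptions, not from the thread).
AUTH_KEY = b"constructed-20-byte-key!"
OUTER_SRC, OUTER_DST = "192.0.2.1", "198.51.100.1"
SPI, SEQ = 0x1000, 1


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def esp_encapsulate(payload: bytes, next_header: int, spi: int, seq: int,
                    key: bytes) -> bytes:
    """ESP layout: SPI | seq | payload | padding | pad len | next hdr | ICV.
    NULL encryption leaves the payload in the clear; padding aligns the two
    trailer bytes to a 4-byte boundary."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))      # default monotonic padding
    body = (struct.pack("!II", spi, seq) + payload + padding
            + bytes([pad_len, next_header]))
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def gif_then_transport_esp(inner: bytes, key: bytes = AUTH_KEY) -> bytes:
    """The FreeBSD path from the thread: gif(4) wraps the inner packet in an
    outer header with protocol 4, then a transport-mode SPD entry between the
    outer addresses protects that outer header's payload."""
    gif_pkt = ipv4_header(OUTER_SRC, OUTER_DST, IPPROTO_IPIP, len(inner)) + inner
    outer_hdr, payload = gif_pkt[:20], gif_pkt[20:]
    # Transport mode: ESP slots in behind the existing outer header and the
    # original protocol number (4) moves into the ESP next-header byte.
    esp = esp_encapsulate(payload, outer_hdr[9], SPI, SEQ, key)
    return ipv4_header(OUTER_SRC, OUTER_DST, IPPROTO_ESP, len(esp)) + esp


def tunnel_esp(inner: bytes, key: bytes = AUTH_KEY) -> bytes:
    """ESP tunnel mode: the whole inner packet is the ESP payload, the
    next-header byte is 4, and a fresh outer header (protocol 50) is added."""
    esp = esp_encapsulate(inner, IPPROTO_IPIP, SPI, SEQ, key)
    return ipv4_header(OUTER_SRC, OUTER_DST, IPPROTO_ESP, len(esp)) + esp


def esp_decapsulate(pkt: bytes, key: bytes = AUTH_KEY):
    """Receiver side, as a tunnel-mode peer would do it: verify the ICV, then
    return (spi, seq, next_header, inner_packet)."""
    outer, esp = pkt[:20], pkt[20:]
    if outer[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]


def sample_inner_packet() -> bytes:
    """Constructed inner IPv4 packet between two private hosts, protocol 17."""
    payload = b"hello from behind the tunnel"
    return ipv4_header("10.1.0.5", "10.2.0.7", 17, len(payload)) + payload


if __name__ == "__main__":
    inner = sample_inner_packet()
    a, b = gif_then_transport_esp(inner), tunnel_esp(inner)
    print("identical on the wire:", a == b)
    print("peer sees next header", esp_decapsulate(a)[2], "(IPIP)")
```

The two builders produce the same bytes because transport-mode ESP on the gif output moves protocol 4 into the ESP trailer and replaces it with 50 in the outer header, which is exactly the layout tunnel-mode ESP emits directly; a tunnel-mode peer running `esp_decapsulate` therefore cannot tell which side built the packet. The gif-plus-tunnel-mode combination the reply questions would instead produce a second IP-in-IP layer inside the ESP payload, which is what makes it redundant.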