Date:      Thu, 12 Jan 2012 00:59:27 +0000
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        Alex Dupre <ale@FreeBSD.org>
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: Filtering on IPSEC
Message-ID:  <6B1A8EF0-C5BA-4EF3-B886-8F7C490564E5@lists.zabbadoz.net>
In-Reply-To: <4F0DD127.4040205@FreeBSD.org>
References:  <4F0DD127.4040205@FreeBSD.org>



On 11. Jan 2012, at 18:12 , Alex Dupre wrote:

> Hi All,
> I've set up my first IPSEC VPN between FreeBSD 8.2 and CheckPoint VPN-1. I've used a gif interface for the tunnel, setkey for security policies and racoon for ikev1. All is working fine, but I get a strange behavior: outgoing packets go via enc0, while incoming packets arrive in gif0. To be precise, setting to '3' all the net.enc.* sysctls and sending a ping via vpn, I see the echo request, the encapsulated echo request, the encapsulated echo reply on enc0 and the echo reply on gif0. Is it correct? I expected to see all 4 packets on enc0, and perhaps the 2 clear packets also on gif0. The current behavior makes it impossible to use firewall stateful filtering.

Need more input.  A) why are you using gif?  B) are you using transport mode?



> I have also another question (about NAT before IPSEC), but it's partially related to this first issue, so I'll wait for a clarification before exposing it.

NAT before IPSEC can be done with ipfw, not with pf, don't know about ipfilter.

-- 
Bjoern A. Zeeb                                 You have to have visions!
   It does not matter how good you are. It matters what good you do!




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6B1A8EF0-C5BA-4EF3-B886-8F7C490564E5>