Date: Thu, 12 Jan 2012 00:59:27 +0000 From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> To: Alex Dupre <ale@FreeBSD.org> Cc: freebsd-net@FreeBSD.org Subject: Re: Filtering on IPSEC Message-ID: <6B1A8EF0-C5BA-4EF3-B886-8F7C490564E5@lists.zabbadoz.net> In-Reply-To: <4F0DD127.4040205@FreeBSD.org>
index | next in thread | previous in thread | raw e-mail
On 11. Jan 2012, at 18:12 , Alex Dupre wrote: > Hi All, > I've setup my first IPSEC VPN beetween FreeBSD 8.2 and CheckPoint VPN-1. I've used a gif interface for the tunnel, setkey for security policies and racoon for ikev1. All is working fine, but I get a strange behavior: outgoing packets go via enc0, while incoming packets arrive in gif0. To be precise, setting to '3' all the net.enc.* sysctls and sending a ping via vpn, I see the echo request, the encapsulated echo request, the encapsulated echo reply on enc0 and the echo reply on gif0. Is it correct? I expected to see all 4 packets on enc0, and perhaps the 2 clear packets also on gif0. The current behavior makes impossibile to use firewall stateful filtering. Need more input. A) why are using gif? B) are you using transport mode? > I have also another question (about NAT before IPSEC), but it's partially related to this first issue, so I'll wait for a clarification before exposing it. NAT before IPSEC can be done with ipfw, not with pf, don't know about ipfilter. -- Bjoern A. Zeeb You have to have visions! It does not matter how good you are. It matters what good you do!home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6B1A8EF0-C5BA-4EF3-B886-8F7C490564E5>