Date:      Thu, 12 Jan 2012 00:59:27 +0000
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        Alex Dupre <ale@FreeBSD.org>
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: Filtering on IPSEC
Message-ID:  <6B1A8EF0-C5BA-4EF3-B886-8F7C490564E5@lists.zabbadoz.net>
In-Reply-To: <4F0DD127.4040205@FreeBSD.org>
References:  <4F0DD127.4040205@FreeBSD.org>


On 11. Jan 2012, at 18:12 , Alex Dupre wrote:

> Hi All,
> I've setup my first IPSEC VPN between FreeBSD 8.2 and CheckPoint VPN-1.
> I've used a gif interface for the tunnel, setkey for security policies
> and racoon for ikev1. All is working fine, but I get a strange behavior:
> outgoing packets go via enc0, while incoming packets arrive in gif0. To
> be precise, setting to '3' all the net.enc.* sysctls and sending a ping
> via vpn, I see the echo request, the encapsulated echo request, the
> encapsulated echo reply on enc0 and the echo reply on gif0. Is it
> correct? I expected to see all 4 packets on enc0, and perhaps the 2
> clear packets also on gif0. The current behavior makes it impossible to
> use firewall stateful filtering.

Need more input.  A) Why are you using gif?  B) Are you using transport mode?



> I have also another question (about NAT before IPSEC), but it's
> partially related to this first issue, so I'll wait for a clarification
> before exposing it.

NAT before IPSEC can be done with ipfw, not with pf, don't know about ipfilter.

-- 
Bjoern A. Zeeb                                 You have to have visions!
   It does not matter how good you are. It matters what good you do!
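
The symptom in the question (cleartext echo request on enc0, cleartext echo reply on gif0) is exactly what breaks interface-bound stateful rules, since no single interface sees both halves of the exchange. The following script is an added diagnostic, not code from the thread or from FreeBSD: it takes capture lines that have been prefixed with the interface they were seen on (a constructed format modelled on tcpdump(1) output on enc0 and gif0; the addresses, SPIs and ICMP ids are made up), keeps only the cleartext copies of each packet, and reports which echo exchanges never have request and reply on the same interface. It also decodes the `net.enc.*` mask value 3 mentioned in the question into the two stages it enables, following the bit meanings documented in enc(4).

```python
"""Check ICMP echo request/reply symmetry per interface (added example, not from the thread)."""
import re
from collections import defaultdict

# Bit meanings of the net.enc.{in,out}.ipsec_{bpf,filter}_mask sysctls per enc(4):
# 0x1 = see the packet before IPsec processing, 0x2 = see it after. A value of 3 enables both.
ENC_MASK_BITS = {0x1: "before IPsec processing", 0x2: "after IPsec processing"}


def decode_enc_mask(value):
    """Return the capture/filter stages an enc(4) mask value enables."""
    return [name for bit, name in ENC_MASK_BITS.items() if value & bit]


# One line per packet, prefixed with the interface it was captured on.
# Constructed sample modelled on tcpdump output; addresses, SPIs and ids are made up.
# Exchange id 42 reproduces the question: cleartext request on enc0, cleartext reply on gif0.
# Exchange id 43 is a symmetric control case with both cleartext packets on enc0.
SAMPLE_CAPTURE = """\
enc0 10.0.1.5 > 10.0.2.7: ICMP echo request, id 42, seq 1, length 64
enc0 (authentic,confidential): SPI 0x0000abcd: 10.0.1.5 > 10.0.2.7: ICMP echo request, id 42, seq 1, length 64
enc0 (authentic,confidential): SPI 0x0000dcba: 10.0.2.7 > 10.0.1.5: ICMP echo reply, id 42, seq 1, length 64
gif0 10.0.2.7 > 10.0.1.5: ICMP echo reply, id 42, seq 1, length 64
enc0 10.0.1.5 > 10.0.2.9: ICMP echo request, id 43, seq 1, length 64
enc0 10.0.2.9 > 10.0.1.5: ICMP echo reply, id 43, seq 1, length 64
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+"
    r"(?:\((?P<flags>[^)]*)\): SPI (?P<spi>0x[0-9a-fA-F]+): )?"   # present only on the ESP-processed copy
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_line(line):
    """Parse one prefixed capture line; return None for lines that are not ICMP echo."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["encrypted"] = d["spi"] is not None   # ESP-processed copy rather than the cleartext packet
    d["id"], d["seq"] = int(d["id"]), int(d["seq"])
    return d


def cleartext_flows(capture):
    """Map (id, seq) -> {'request': {ifaces}, 'reply': {ifaces}} using cleartext packets only.

    Encrypted copies are ignored on purpose: a stateful rule keyed on the inner
    addresses can only ever match the cleartext packet."""
    flows = defaultdict(lambda: {"request": set(), "reply": set()})
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None or p["encrypted"]:
            continue
        flows[(p["id"], p["seq"])][p["kind"]].add(p["iface"])
    return flows


def asymmetric_flows(capture):
    """Return (id, seq) keys whose cleartext request and reply never share an interface.

    Such an exchange cannot be state-tracked by a rule bound to a single interface."""
    return sorted(
        key for key, sides in cleartext_flows(capture).items()
        if not (sides["request"] & sides["reply"])
    )


if __name__ == "__main__":
    print("mask 3 enables:", decode_enc_mask(3))
    for key, sides in sorted(cleartext_flows(SAMPLE_CAPTURE).items()):
        print(key, "request on", sorted(sides["request"]), "reply on", sorted(sides["reply"]))
    print("asymmetric exchanges:", asymmetric_flows(SAMPLE_CAPTURE))
```

To use it on a real system, run one tcpdump per interface and prefix each line with that interface name before feeding the combined output to `cleartext_flows`; the interface prefix is this script's own convention, not something tcpdump emits.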