From: "Eugene M. Zheganin"
To: freebsd-net@freebsd.org
Date: Thu, 14 Jun 2012 13:12:01 +0600
Subject: Re: if_ipsec
Message-ID: <4FD98EC1.50200@norma.perm.ru>
In-Reply-To: <20120609170721.GA40355@felucia.tataz.chchile.org>
References: <4FD236D4.6090409@norma.perm.ru> <20120609170721.GA40355@felucia.tataz.chchile.org>
List-Id: Networking and TCP/IP with FreeBSD

Hi,

On 09.06.2012 23:07, Jeremie Le Hen wrote:
> What is usually done for convenience is to create a gif(4) or gre(4)
> tunnel to another network, which is then encrypted using IPSec
> transport mode. The inner IP/GRE header is considered as the payload
> and it is encrypted. The benefit of this approach is that you "see"
> your tunnel; it looks more natural from a system point of view. I
> haven't used IPSec in tunnel mode for more than a decade, so I don't
> remember how manageable it is. But with the IPSec transport mode +
> gif/gre tunnel, you see a full-fledged interface toward the other
> network, through which you can route your traffic.

Yeah, but nowadays this is sort of a legacy thing. Modern router OSes, like IOS or JunOS, operate the ipsec interfaces, and these interfaces are visible in the system and are fully operational in the context of dynamic routing; I mean here sending/receiving packets from/to these interfaces. I just wanted FreeBSD to have such a capability.

Thank you for the explanation, though. Seems like you read only the first few lines of my post. I am fully capable... whatever. Seems like I've already said this in my initial message.

Eugene.
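The gif(4)-plus-IPsec-transport-mode arrangement Jeremie describes, written out as an added example (not code from either poster): the functions emit the ifconfig(8) and setkey(8) lines for a tunnel between two hosts, and apply them only when run as root on FreeBSD. The addresses are RFC 5737 placeholders I chose, and the ESP security associations are assumed to come from an IKE daemon, which is not shown.

```shell
#!/bin/sh
# Constructed example: a gif(4) IP-in-IP tunnel whose outer packets are
# protected by ESP in transport mode, so the tunnel stays a visible,
# routable interface while its payload is encrypted on the wire.
LOCAL_OUTER=192.0.2.1       # this host's public address (placeholder)
REMOTE_OUTER=198.51.100.1   # peer's public address (placeholder)
LOCAL_INNER=10.0.0.1        # point-to-point addresses on gif0
REMOTE_INNER=10.0.0.2

# ifconfig(8) commands that create the tunnel interface the routing
# daemons will see. Arguments: local_outer remote_outer local_inner remote_inner
gif_setup_cmds() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 inet %s %s up\n' "$3" "$4"
}

# setkey(8) security policy: select only the IP-in-IP traffic (protocol
# "ipencap", number 4) between the two outer addresses and require ESP in
# transport mode on it, in both directions. Because the selector names the
# encapsulation protocol, ordinary traffic between the hosts is not affected
# and the gif header itself is the ESP payload, as the post describes.
ipsec_transport_policy() {
    printf 'spdadd %s %s ipencap -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s %s ipencap -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# Apply on a FreeBSD host running as root; elsewhere just show the commands.
# The SAs matching this policy are assumed to be set up by an IKE daemon.
apply_or_show() {
    if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" -eq 0 ]; then
        gif_setup_cmds "$@" | sh
        ipsec_transport_policy "$1" "$2" | setkey -c
    else
        gif_setup_cmds "$@"
        ipsec_transport_policy "$1" "$2"
    fi
}

apply_or_show "$LOCAL_OUTER" "$REMOTE_OUTER" "$LOCAL_INNER" "$REMOTE_INNER"
```

The peer needs the mirror-image policy (its own address first in the "out" line), and the SPD entries can go in /etc/ipsec.conf with ipsec_enable="YES" in rc.conf so they survive a reboot.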