From owner-freebsd-net@FreeBSD.ORG Thu Jun 14 15:57:57 2012
Return-Path: 
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 6D685106566B for ; Thu, 14 Jun 2012 15:57:57 +0000 (UTC) (envelope-from jlh@FreeBSD.org)
Received: from smtp5-g21.free.fr (smtp5-g21.free.fr [212.27.42.5]) by mx1.freebsd.org (Postfix) with ESMTP id 1A2378FC12 for ; Thu, 14 Jun 2012 15:57:55 +0000 (UTC)
Received: from endor.tataz.chchile.org (unknown [82.233.239.98]) by smtp5-g21.free.fr (Postfix) with ESMTP id CC10BD48129; Thu, 14 Jun 2012 17:57:49 +0200 (CEST)
Received: from felucia.tataz.chchile.org (felucia.tataz.chchile.org [192.168.1.9]) by endor.tataz.chchile.org (Postfix) with ESMTP id A2F9BCA1; Thu, 14 Jun 2012 17:57:48 +0200 (CEST)
Received: by felucia.tataz.chchile.org (Postfix, from userid 1000) id 6E3C2E8F0; Thu, 14 Jun 2012 15:57:48 +0000 (UTC)
Date: Thu, 14 Jun 2012 17:57:48 +0200
From: Jeremie Le Hen 
To: "Eugene M. Zheganin" 
Message-ID: <20120614155748.GC40355@felucia.tataz.chchile.org>
Mail-Followup-To: "Eugene M. Zheganin" , freebsd-net@freebsd.org
References: <4FD236D4.6090409@norma.perm.ru> <20120609170721.GA40355@felucia.tataz.chchile.org> <4FD98EC1.50200@norma.perm.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4FD98EC1.50200@norma.perm.ru>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: freebsd-net@freebsd.org
Subject: Re: if_ipsec
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Thu, 14 Jun 2012 15:57:57 -0000

Eugene,

On Thu, Jun 14, 2012 at 01:12:01PM +0600, Eugene M. Zheganin wrote:
> Hi,
>
> On 09.06.2012 23:07, Jeremie Le Hen wrote:
> > What is usually done for convenience is to create a gif(4) or gre(4)
> > tunnel to another network, which is then encrypted using IPsec
> > transport mode. The inner IP/GRE header is considered as the payload
> > and it is encrypted. The benefit of this approach is that you "see"
> > your tunnel; it looks more natural from a system point of view. I
> > haven't used IPsec in tunnel mode for more than a decade, so I don't
> > remember how manageable it is. But with IPsec transport mode + a
> > gif/gre tunnel, you see a full-fledged interface toward the other
> > network, through which you can route your traffic.
> Yeah, but nowadays this is sort of a legacy thing.
> Modern router OSes, like IOS or JunOS, operate IPsec interfaces, and
> these interfaces are visible in the system and are fully operational in
> the context of dynamic routing, and I mean here sending/receiving
> packets from/to these interfaces. I just wanted FreeBSD to have such a
> capability.
>
> Thank you for the explanation though. Seems like you read only the first
> few lines of my post. I am fully capable... whatever. Seems like I've
> already said this in my initial message.

Not at all, I read the whole mail thoroughly actually :-). But I don't
work on Cisco/Juniper equipment, so I didn't exactly grasp what you meant.
By explaining what I know about IPsec on FreeBSD, I didn't mean to let
you think you aren't capable -- and I'm sorry if you took it that way --
it was just to engage you to explain things with regard to what I know.

Now I understand that what you are actually proposing is basically to
make IPsec in tunnel mode create a virtual interface. I don't know why
it has never been done so far.

-- 
Jeremie Le Hen

Men are born free and equal. Later on, they're on their own.
                                                Jean Yanne
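The gif(4)-plus-transport-mode setup Jeremie describes in the quoted part, as an added example that is not part of the thread or of FreeBSD's own documentation: a POSIX sh script that prints the ifconfig(8) lines creating the tunnel interface and the setkey(8) SPD entries that force ESP transport mode on the encapsulated packets between the two outer endpoints. The endpoint addresses (192.0.2.1, 198.51.100.1, 10.0.0.x) are placeholders and the function names are mine; the setkey syntax and the "ip4"/"gre" upper-layer selectors are those of setkey(8).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a gif(4) IPv4-in-IPv4
# tunnel whose encapsulated packets are protected with IPsec ESP in
# transport mode. All addresses below are placeholders.

# Print the ifconfig(8) lines that create the tunnel interface.
#   $1 $2: outer (public) endpoints, local then remote
#   $3 $4: inner point-to-point addresses, local then remote
gif_tunnel_cmds() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 inet %s %s\n' "$3" "$4"
}

# Print setkey(8) SPD entries that force ESP transport mode on the tunnel
# packets exchanged between the two outer endpoints.
#   $1 $2: outer endpoints, local then remote
#   $3:    upper-layer selector; "ip4" matches gif's IPv4-in-IPv4
#          encapsulation, "gre" would match a gre(4) tunnel (default: ip4).
#          Restricting the selector to the tunnel protocol leaves other
#          traffic between the endpoints (IKE on UDP/500, for one) alone.
#   $4:    policy level (default: require)
# In transport mode the outer IP header stays visible; the inner IP header
# and everything after it, i.e. the whole encapsulated packet, is encrypted.
# Level "require" fails closed: with no matching SA (negotiated by racoon(8)
# or strongSwan, or installed by manual "add" lines) the kernel drops the
# packets instead of sending them in the clear. Level "use" would let them
# out unencrypted until an SA appears, so it is refused here.
ipsec_transport_policy() {
    proto=${3:-ip4}
    level=${4:-require}
    if [ "$level" != "require" ]; then
        printf 'refusing level "%s": only "require" fails closed\n' "$level" >&2
        return 1
    fi
    printf 'spdadd %s %s %s -P out ipsec esp/transport//%s;\n' \
        "$1" "$2" "$proto" "$level"
    printf 'spdadd %s %s %s -P in ipsec esp/transport//%s;\n' \
        "$2" "$1" "$proto" "$level"
}

# Apply both on a FreeBSD host (root only). "setkey -c" reads commands from
# stdin; "setkey -DP" then shows the installed SPD and "setkey -D" the SAs,
# which must exist before the tunnel passes any traffic.
apply_tunnel() {
    [ "$(id -u)" -eq 0 ] || { echo 'apply_tunnel: must run as root' >&2; return 1; }
    gif_tunnel_cmds "$1" "$2" "$3" "$4" | sh -e
    ipsec_transport_policy "$1" "$2" ip4 | setkey -c
    setkey -DP
    setkey -D
}

# "show" prints what would be applied without touching the system.
if [ "${1:-}" = "show" ]; then
    gif_tunnel_cmds 192.0.2.1 198.51.100.1 10.0.0.1 10.0.0.2
    ipsec_transport_policy 192.0.2.1 198.51.100.1 ip4
fi
```

Run it with `sh script.sh show` to see the commands; `apply_tunnel 192.0.2.1 198.51.100.1 10.0.0.1 10.0.0.2` on the local router (and the mirrored call on the remote one) installs them. The check worth doing afterwards is `setkey -D`: until it lists an ESP SA in each direction, the "require" policy silently drops the tunnel packets, which is the intended fail-closed behaviour rather than a misconfiguration.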