From: Jeremie Le Hen
To: Eric Masson
Cc: freebsd-pf@freebsd.org
Date: Sat, 29 Oct 2005 13:01:05 +0200
Subject: Re: Filtering IPSec traffic ?
Message-ID: <20051029110105.GA38361@obiwan.tataz.chchile.org>
In-Reply-To: <861x29bx9m.fsf@srvbsdnanssv.interne.kisoft-services.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi, Eric, Yvan,

> The enc(4) interface doesn't exist in FreeBSD.
>
> Atm, I use gif tunnels and transport mode between gateways, so I'm able
> to filter on gifs. The other main advantage in my case is that routing
> is explicit (no SPD inspection to check how packets are treated by the
> stack)

I also use gif(4) for now as a workaround. I would like to be more
precise for the record though.

AFAIK, OpenBSD's enc(4) interface sees traffic from an IPSec session,
whether in transport or tunnel mode. When tunnel mode is used, you
should see IP encapsulated traffic and thus use the "ipencap" keyword
in pf (as stated in OpenBSD's vpn(8) manual page).

FreeBSD doesn't have the enc(4) interface. It will not be able to see
traffic in either transport or tunnel mode and, as Eric stated, the
kernel does have to check the SPD policy in addition to the routing
table.

To work around this, you can use gif(4), which will basically do
IP-over-IP encapsulation, and then use IPSec transport mode to encrypt
the traffic whose upper protocol is IPv4:

    % ifconfig gif0 tunnel 1.2.3.4 5.6.7.8
    % setkey -c
    # src/dst describe the packet as seen by this host (1.2.3.4, the local
    # tunnel endpoint), so the inbound policy names the remote gateway as
    # source and the outbound policy names it as destination:
    spdadd 5.6.7.8 1.2.3.4 ip4 -P in ipsec esp/transport//require;
    spdadd 1.2.3.4 5.6.7.8 ip4 -P out ipsec esp/transport//require;

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
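The gif(4) + ESP transport-mode workaround from the thread, written out end to end as an added example (not code from the list or from the FreeBSD project): it emits the gif tunnel, the setkey(8) policies and a pf rule set that lets only gateway-to-gateway traffic through the outside interface and does the real filtering on gif0. The external interface em0, the inner tunnel addresses, port 500 for IKE and the remote network are constructed assumptions.

```shell
#!/bin/sh
# Added example: generate the configuration for the gif(4) + ESP
# transport-mode workaround. Constructed assumptions: external interface
# em0, local/remote tunnel endpoints given as arguments, a remote network
# behind the far gateway, and racoon-style IKE on udp/500.

# gif(4) tunnel between the two gateways (inner addresses are constructed).
gen_gif() {
    printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 inet 192.168.254.1 192.168.254.2 netmask 255.255.255.255\n'
}

# setkey(8) policies. src/dst describe the packet as this host sees it, so
# the "in" policy must name the remote gateway as source. Feed the output
# to "setkey -c".
gen_spd() {
    printf 'spdadd %s %s ip4 -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s %s ip4 -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# pf rules. On the outside interface only gateway-to-gateway traffic is let
# through: ESP, the ipencap packet (covering whichever form pf sees relative
# to IPsec processing) and IKE. The decapsulated cleartext is filtered per
# service on gif0, which is the point of the workaround.
gen_pf() {
    ext_if=$1; local_ip=$2; remote_ip=$3; remote_net=$4
    cat <<EOF
pass in  quick on $ext_if proto esp from $remote_ip to $local_ip
pass out quick on $ext_if proto esp from $local_ip to $remote_ip
pass in  quick on $ext_if proto ipencap from $remote_ip to $local_ip
pass out quick on $ext_if proto ipencap from $local_ip to $remote_ip
pass in  quick on $ext_if proto udp from $remote_ip to $local_ip port 500
pass out quick on $ext_if proto udp from $local_ip to $remote_ip port 500
block in on gif0
pass in on gif0 proto tcp from $remote_net to any port 22 keep state
pass in on gif0 proto icmp from $remote_net to any
pass out on gif0 keep state
EOF
}

# Usage: sh gen_gif_ipsec.sh <local_ip> <remote_ip> <remote_net>
if [ $# -eq 3 ]; then
    gen_gif "$1" "$2"; gen_spd "$1" "$2"; gen_pf em0 "$1" "$2" "$3"
fi
```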