From owner-freebsd-net@FreeBSD.ORG Fri Aug 18 09:59:46 2006
From: Remko Lodder
Reply-To: remko@FreeBSD.org
To: remko@FreeBSD.org
Cc: net@FreeBSD.org
Date: Fri, 18 Aug 2006 11:59:39 +0200
Subject: Re: Routing IPSEC packets?
Message-ID: <44E58F8B.5@FreeBSD.org>
In-Reply-To: <44E58E9E.1030401@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD

Remko Lodder wrote:
> Hi friends,
>
> I was looking around for using IPsec services instead of
> OpenVPN services, but I found out that with our current
> implementation of IPsec, we cannot actually route packets
> through the various IPsec hops [1].
> OpenBSD adds IPsec flows in their routing table, making it
> possible to route traffic between IPsec tunnels.
>
> Can someone either confirm my above statement that FreeBSD
> is indeed not capable of doing this?
>
> In the case that does not exist yet, are there others that
> also like this feature? And is there someone who can do
> the coding in that case? (I am not skilled enough to do
> this).
>
> I hope to get some good feedback :-)
>
> Please keep me CC'ed since I am not subscribed to the
> list.
>
> Thanks a lot!
> Cheers,
> Remko

Oh, of course I should do the [1] trick: I want to do the following.

I have three IPsec endpoints at this moment: one at home, one in my personal colo environment and one in another colo environment. The machine(s) in the personal colo environment are the point to which all the others connect. So the other colo env connects to the personal colo environment, and my home also connects to the personal colo environment. I would like to be able to:

    Other colo -- ipsec tunnel -- personal colo -- ipsec -- home

have these communications possible, and of course the other way around. In the event that another tunnel will be attaching, I would like to be able to route these packets to the other host as well (so that I can reach all the IPsec tunneled hosts from the IPsec network, from wherever I will be, either road-warrior, or just at home, or at one of the colo machines).

Sorry that I did not mention this in my previous email.

Cheers,
Remko

-- 
Kind regards,

Remko Lodder ** remko@elvandar.org
FreeBSD ** remko@FreeBSD.org

/* Quis custodiet ipsos custodes */