Date: Sun, 12 Mar 2017 14:01:04 +0300
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: Ermal Luçi <eri@freebsd.org>
Cc: Hooman Fazaeli <hoomanfazaeli@gmail.com>, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Re: ipsec with ipfw
Message-ID: <20170312110104.GI70430@zxy.spb.ru>
In-Reply-To: <CAPBZQG2QuU_oENyzV25kD=SMWiV36tRhyV-gHAPa+kRwoXyuKw@mail.gmail.com>
References: <58C46AE0.7050408@gmail.com> <20170311221619.GU15630@zxy.spb.ru> <CAPBZQG2QuU_oENyzV25kD=SMWiV36tRhyV-gHAPa+kRwoXyuKw@mail.gmail.com>
On Sat, Mar 11, 2017 at 09:53:39PM -0800, Ermal Luçi wrote:
> On Sat, Mar 11, 2017 at 2:16 PM, Slawa Olhovchenkov <slw@zxy.spb.ru> wrote:
>
> > On Sun, Mar 12, 2017 at 12:53:44AM +0330, Hooman Fazaeli wrote:
> >
> > > Hi,
> > >
> > > As you know, ipsec/setkey provides a limited syntax for defining security
> > > policies: only a single subnet/host, protocol number and optional port
> > > may be used to specify the traffic's source and destination.
> > >
> > > I was thinking about the idea of using ipfw as the packet selector for ipsec,
> > > much like it is used with dummynet. Something like:
> > >
> > > ipfw add 100 ipsec 2 tcp from <lan-table> to <remote-servers-table> 80,443,110,139
> > >
> > > What do you think? Are you interested in such a feature?
> > > Is it worth the effort? What are the implementation challenges?
> >
> > Security policies are the subject of the IKE protocol exchange; do you plan
> > to extend this protocol too?
>
> With the introduction of if_ipsec you can implement such tricks through
> routing.

1. Routing doesn't distribute port/protocol info.

2. A connected client doesn't have any preconfigured security policies; it
gets them from the server via the IKE protocol. How do you implement this for
Windows/iOS/Android clients?
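To make concrete the setkey(8) limitation the thread starts from, here is an added example (not code from the thread or from FreeBSD) that emits the SPD entries today's syntax needs for the policy the proposed single ipfw rule would express: one spdadd per (LAN prefix, remote server, port) triple, per direction. The subnet, server and tunnel endpoint addresses are constructed placeholders, and the esp/tunnel policy string is one assumed configuration; nothing here touches the IKE side, which is the point the reply raises.

```shell
#!/bin/sh
# Added example, not from the thread: expand a "LAN -> servers on ports"
# policy into the per-tuple spdadd lines setkey(8) requires.
# All addresses below are constructed placeholders.

LAN=10.0.0.0/24            # assumed local subnet (constructed)
GW_LOCAL=203.0.113.1       # assumed local tunnel endpoint (constructed)
GW_REMOTE=198.51.100.1     # assumed remote tunnel endpoint (constructed)

# gen_spd LAN LOCAL_GW REMOTE_GW "server1 server2 ..." "port1 port2 ..."
# Prints an out/in spdadd pair for every server/port combination, using the
# setkey syntax  spdadd src[port] dst[port] proto -P dir ipsec esp/tunnel/A-B/require;
gen_spd() {
    lan=$1; gwl=$2; gwr=$3; servers=$4; ports=$5
    for srv in $servers; do
        for p in $ports; do
            printf 'spdadd %s[any] %s[%s] tcp -P out ipsec esp/tunnel/%s-%s/require;\n' \
                "$lan" "$srv" "$p" "$gwl" "$gwr"
            printf 'spdadd %s[%s] %s[any] tcp -P in ipsec esp/tunnel/%s-%s/require;\n' \
                "$srv" "$p" "$lan" "$gwr" "$gwl"
        done
    done
}

# count_spd: number of spdadd lines gen_spd produces for the same arguments
# (2 directions * servers * ports).
count_spd() {
    gen_spd "$@" | wc -l | tr -d ' '
}

# Two servers and four ports already need 16 policy lines where the proposed
# ipfw rule would be one line. To load them: gen_spd ... | setkey -c
gen_spd "$LAN" "$GW_LOCAL" "$GW_REMOTE" "192.0.2.10 192.0.2.11" "80 443 110 139"
```

The rule count grows as the product of the two tables, which is the operational pain the original proposal is about; note that ipfw tables would also not change the fact that the peer learns its policies through IKE, as the reply points out.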