From owner-freebsd-net@FreeBSD.ORG Fri Aug 18 19:36:32 2006
Date: Fri, 18 Aug 2006 23:36:30 +0400
From: "Andrew Pantyukhin"
Sender: infofarmer@gmail.com
To: "Yu-Shun Wang"
Cc: remko@freebsd.org, net@freebsd.org
Subject: Re: Routing IPSEC packets?
In-Reply-To: <44E5F19E.9070600@isi.edu>
References: <44E58E9E.1030401@FreeBSD.org> <44E5F19E.9070600@isi.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Fri, 18 Aug 2006 19:36:32 -0000

On 8/18/06, Yu-Shun Wang wrote:
> Remko Lodder wrote:
> > Hi friends,
> >
> > I was looking around for using IPsec services instead of
> > OpenVPN services, but I found out that with our current
> > implementation of IPsec, we cannot actually route packets
> > through the various IPsec hops [1]. OpenBSD adds IPsec
> > flows in their routing table, making it possible to route
> > traffic between IPsec tunnels.
> >
> > Can someone either confirm my above statement that FreeBSD
> > is indeed not capable of doing this?
>
> It's not an implementation issue, but a design problem with
> IPsec tunnel mode. See RFC3884:
>
>
>
> The proposed solution is to use IP-IP tunnel (gif iface in
> FreeBSD, which you can route) then apply IPsec transport mode
> on the outer header. Refer to the rfc for more detail.
>
> The policy will be different, but we've verified long ago
> with FreeBSD that it works. The packets on the wire are
> compatible with regular tunnel mode IPsec.

Eh? gif(4) says:

BUGS
     There are many tunnelling protocol specifications, all defined
     differently from each other.  The gif device may not interoperate with
     peers which are based on different specifications, and are picky about
     outer header fields.  For example, you cannot usually use gif to talk
     with IPsec devices that use IPsec tunnel mode.
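To make the two layouts discussed in this thread concrete, the following is an added example written for this archive page; it is not code posted by any participant and not taken from RFC 3884 or the FreeBSD handbook. It emits, without applying anything, the setkey(8) SPD entries for classic tunnel-mode IPsec and, beside them, the gif(4) interface, route and transport-mode SPD entries of the RFC 3884 style layout Yu-Shun Wang describes. All addresses are constructed RFC 5737 documentation values, the interface name `gif0` and the LAN prefixes are assumptions, and the IP-in-IP protocol number 4 (the encapsulation gif produces for IPv4 over IPv4) is used as the transport-mode selector so that IKE and other gateway-to-gateway traffic is left outside the policy.

```shell
#!/bin/sh
# Added example, not from the thread. Nothing here touches the system:
# every function only prints the configuration it would produce.

# Layout 1: classic IPsec tunnel mode. The remote LAN is reachable only
# through an SPD entry; no interface or route exists for it, which is
# why traffic cannot be forwarded from one such tunnel into another.
#   $1 local gateway  $2 remote gateway  $3 local LAN  $4 remote LAN
tunnel_mode_policy() {
    cat <<EOF
spdadd $3 $4 any -P out ipsec esp/tunnel/$1-$2/require;
spdadd $4 $3 any -P in  ipsec esp/tunnel/$2-$1/require;
EOF
}

# Layout 2 (RFC 3884 style): a gif(4) IP-in-IP tunnel is an ordinary
# point-to-point interface, so the remote LAN gets a normal routing
# table entry and packets can be forwarded between several such tunnels.
#   $1 local gateway   $2 remote gateway   $3 local tunnel address
#   $4 remote tunnel address   $5 remote LAN   $6 gif unit (assumed free)
gif_transport_config() {
    cat <<EOF
ifconfig $6 create
ifconfig $6 tunnel $1 $2
ifconfig $6 inet $3 $4 netmask 0xffffffff
route add -net $5 $4
EOF
}

# Transport-mode ESP between the two gateway addresses, restricted to
# upper protocol 4 (ipencap). This protects the outer IP-in-IP packet
# that gif emits, which is what RFC 3884 calls IIPtran.
#   $1 local gateway  $2 remote gateway
gif_transport_policy() {
    cat <<EOF
spdadd $1 $2 4 -P out ipsec esp/transport//require;
spdadd $2 $1 4 -P in  ipsec esp/transport//require;
EOF
}

# Print the complete layout-2 configuration for one gateway.
#   $1 local gateway  $2 remote gateway  $3 local tunnel addr
#   $4 remote tunnel addr  $5 remote LAN  $6 gif unit
gif_transport_site() {
    echo "# interface and route (run as root)"
    gif_transport_config "$1" "$2" "$3" "$4" "$5" "$6"
    echo "# setkey -c <<'SPD'"
    gif_transport_policy "$1" "$2"
    echo "# SPD"
}

# Constructed sample topology: gateway A (192.0.2.1, LAN 10.1.0.0/24)
# and gateway B (198.51.100.1, LAN 10.2.0.0/24), tunnel 10.255.0.1/.2.
show_example() {
    echo "## layout 1, tunnel mode, gateway A"
    tunnel_mode_policy 192.0.2.1 198.51.100.1 10.1.0.0/24 10.2.0.0/24
    echo
    echo "## layout 2, gif + transport mode, gateway A"
    gif_transport_site 192.0.2.1 198.51.100.1 10.255.0.1 10.255.0.2 10.2.0.0/24 gif0
    echo
    echo "## layout 2, gif + transport mode, gateway B"
    gif_transport_site 198.51.100.1 192.0.2.1 10.255.0.2 10.255.0.1 10.1.0.0/24 gif0
}

# Only run the demonstration when executed directly, not when sourced.
case "$0" in
    *sh) ;;
    *) show_example ;;
esac
```

Because the policies are printed rather than installed, the output can be reviewed and compared with the peer's configuration before it is fed to setkey(8); in layout 2 the `route add` line is the part the thread is about, since it is what lets a gateway forward between two gif tunnels in the ordinary routing table.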