From: "Eric W. Bates" (Vineyard.NET, Inc.)
Date: Wed, 06 Sep 2006 11:02:25 -0400
To: Phil Regnauld
Cc: freebsd-net@freebsd.org
Subject: Re: showing esp tunnels in routing table
Message-ID: <44FEE301.2090008@vineyard.net>
In-Reply-To: <20060906144002.GI30554@catpipe.net>

Phil Regnauld wrote:
> Eric W. Bates (ericx_lists) writes:
>> When you establish an esp tunnel, the subnets on the remote end of the
>> tunnel do not seem to appear in either "netstat -nr" or 'route get
>> xxx.xxx.xxx.xxx'
>>
>> Is there a way to display those routes other than using setkey to dump
>> the SPDs?
>
> No, because there are no routes. The IPSec layer "hijacks" the packets
> and they are encapsulated before the routing table gets a chance
> to see them.
>
> You would have to set up transport ESP + gif/gre tunnels to see routing
> entries.

Apparently, OpenBSD's implementation of netstat allows one to view ESP
'flows' (I believe that is how they refer to them) by examining the
family 'encap':

    netstat -rnf encap

We have no such equivalent?

> Phil
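Since policy-based ESP tunnels never enter the kernel routing table, the only place the "remote subnets" live is the SPD that setkey dumps. The script below is an added example for this thread (not code from the list, from FreeBSD or from OpenBSD): it parses `setkey -DP` output, prints a netstat-like table of destination selector, tunnel remote endpoint and policy, and answers a `route get`-style question ("which tunnel would carry a packet to X?") by longest-prefix match on the destination selector. The embedded SPD dump is constructed; its layout (selector line, then `<direction> <policy>`, then `<proto>/<mode>/<local>-<remote>/<level>`) is assumed to follow the KAME setkey format, and the addresses, spid and seq values are made up.

```python
"""Route-like view of the IPsec SPD, built from `setkey -DP` output.

Added example for this thread; not code from the mailing list, FreeBSD or
OpenBSD. Policy-based ESP tunnels never appear in the routing table, so the
SPD dump is parsed instead and queried like `route get`.
"""
import ipaddress
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the (assumed) KAME `setkey -DP` layout.
SAMPLE_SPD = """\
10.0.0.0/24[any] 192.168.1.0/24[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-203.0.113.2/require
\tspid=1 seq=3 pid=1234
\trefcnt=1
192.168.1.0/24[any] 10.0.0.0/24[any] any
\tin ipsec
\tesp/tunnel/203.0.113.2-203.0.113.1/require
\tspid=2 seq=2 pid=1234
\trefcnt=1
10.0.0.0/24[any] 192.168.2.0/24[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-203.0.113.3/require
\tspid=3 seq=1 pid=1234
\trefcnt=1
10.0.0.0/24[any] 192.168.1.200[any] any
\tout none
\tspid=4 seq=0 pid=1234
\trefcnt=1
"""


@dataclass
class SpdEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str = ""   # in / out
    policy: str = ""      # ipsec / none / discard
    proto: str = ""       # esp / ah (ipsec policies only)
    mode: str = ""        # tunnel / transport
    local: str = ""       # tunnel endpoints; empty for transport mode
    remote: str = ""
    level: str = ""       # require / use / default


POLICY_RE = re.compile(r"^(\w+)/(\w+)/([^/]*)/(\w+)$")


def _net(token: str) -> ipaddress.IPv4Network:
    """'192.168.1.0/24[any]' -> network; a bare host becomes a /32."""
    return ipaddress.ip_network(token.split("[", 1)[0], strict=False)


def parse_spd(text: str) -> List[SpdEntry]:
    entries: List[SpdEntry] = []
    cur: Optional[SpdEntry] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented line is the selector: "<src>[port] <dst>[port] <proto>"
            src, dst = line.split()[:2]
            cur = SpdEntry(src=_net(src), dst=_net(dst))
            entries.append(cur)
            continue
        if cur is None:
            continue
        tok = line.split()
        if tok[0] in ("in", "out") and not cur.direction:
            cur.direction, cur.policy = tok[0], tok[1]
        elif (m := POLICY_RE.match(tok[0])) and not cur.proto:
            cur.proto, cur.mode, endpoints, cur.level = m.groups()
            if "-" in endpoints:
                cur.local, cur.remote = endpoints.split("-", 1)
        # spid=/seq=/refcnt= lines carry nothing route-like; skipped.
    return entries


def route_get(entries: List[SpdEntry], dst_ip: str,
              direction: str = "out") -> Optional[SpdEntry]:
    """Longest-prefix match on the destination selector, like `route get`."""
    ip = ipaddress.ip_address(dst_ip)
    hits = [e for e in entries if e.direction == direction and ip in e.dst]
    return max(hits, key=lambda e: e.dst.prefixlen, default=None)


def encap_table(entries: List[SpdEntry], direction: str = "out"):
    """Rows (destination, tunnel remote or '-', policy) for a netstat-like view."""
    rows = []
    for e in entries:
        if e.direction != direction:
            continue
        what = f"{e.proto}/{e.mode}" if e.policy == "ipsec" else e.policy
        rows.append((str(e.dst), e.remote or "-", what))
    return rows


if __name__ == "__main__":
    # Usage on FreeBSD: `setkey -DP | python3 spd_routes.py 192.168.1.5`.
    # With nothing piped in, the constructed sample is used.
    spd = parse_spd(SAMPLE_SPD if sys.stdin.isatty() else sys.stdin.read())
    print(f"{'Destination':<20}{'Tunnel remote':<16}Policy")
    for dst, via, what in encap_table(spd):
        print(f"{dst:<20}{via:<16}{what}")
    for ip in sys.argv[1:]:
        hit = route_get(spd, ip)
        print(f"{ip}: " + (f"{hit.policy} {hit.proto}/{hit.mode} via {hit.remote or '-'}"
                           if hit else "no SPD entry; ordinary routing applies"))
```

The lookup deliberately prefers the most specific selector, so the host-level `out none` bypass in the sample wins over the `/24` tunnel policy covering it; that mirrors how an auditor should read an SPD, since a narrow cleartext exception hidden among tunnel policies is exactly the kind of entry `netstat -nr` will never reveal.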