From owner-freebsd-net@FreeBSD.ORG  Wed Sep  6 15:56:57 2006
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9D2BB16A506
	for <freebsd-net@freebsd.org>; Wed,  6 Sep 2006 15:56:57 +0000 (UTC)
	(envelope-from sam@errno.com)
Received: from ebb.errno.com (ebb.errno.com [69.12.149.25])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 02AE943D7F
	for <freebsd-net@freebsd.org>; Wed,  6 Sep 2006 15:56:50 +0000 (GMT)
	(envelope-from sam@errno.com)
Received: from [10.0.0.248] (trouble.errno.com [10.0.0.248])
	(authenticated bits=0)
	by ebb.errno.com (8.13.6/8.12.6) with ESMTP id k86Fuf7n066605
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Wed, 6 Sep 2006 08:56:43 -0700 (PDT) (envelope-from sam@errno.com)
Message-ID: <44FEEFB9.2060408@errno.com>
Date: Wed, 06 Sep 2006 08:56:41 -0700
From: Sam Leffler <sam@errno.com>
User-Agent: Thunderbird 1.5.0.4 (X11/20060724)
MIME-Version: 1.0
To: "Eric W. Bates" <ericx_lists@vineyard.net>
References: <44FEDD18.8060506@vineyard.net>	<20060906144002.GI30554@catpipe.net>
	<44FEE301.2090008@vineyard.net>
In-Reply-To: <44FEE301.2090008@vineyard.net>
X-Enigmail-Version: 0.94.0.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org
Subject: Re: showing esp tunnels in routing table
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Sep 2006 15:56:57 -0000

Eric W. Bates wrote:
> 
> Phil Regnauld wrote:
>> Eric W. Bates (ericx_lists) writes:
>>> When you establish an esp tunnel, the subnets on the remote end of the
>>> tunnel do not seem to appear in either "netstat -nr" or 'route get
>>> xxx.xxx.xxx.xxx'
>>>
>>> Is there a way to display those routes other than using setkey to dump
>>> the SPD's?
>> 	No, because there are no routes.  The IPSec layer "hijacks" the packets
>> 	and they are encapsulated before the routing table gets a chance
>> 	to see them.
>>
>> 	You would have to setup transport ESP + gif/gre tunnels to see routing
>> 	entries.
> 
> Apparently, openbsd's implementation of netstat allows one to view ESP
> 'flows' (I believe that is how they refer to them) by examining the
> family 'encap'
> 
> netstat -rnf encap
> 
> We have no such equivalent?

openbsd integrated the SAD w/ the routing table; something I've wanted
to do forever.

	Sam