From owner-freebsd-net@FreeBSD.ORG  Wed Sep  6 16:17:59 2006
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B679916A4DA
	for <freebsd-net@freebsd.org>; Wed,  6 Sep 2006 16:17:59 +0000 (UTC)
	(envelope-from andre@freebsd.org)
Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C6C3543D6E
	for <freebsd-net@freebsd.org>; Wed,  6 Sep 2006 16:17:58 +0000 (GMT)
	(envelope-from andre@freebsd.org)
Received: (qmail 50496 invoked from network); 6 Sep 2006 16:02:58 -0000
Received: from c00l3r.networx.ch (HELO [127.0.0.1]) ([62.48.2.2])
	(envelope-sender <andre@freebsd.org>)
	by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP
	for <sam@errno.com>; 6 Sep 2006 16:02:58 -0000
Message-ID: <44FEF4B4.3000807@freebsd.org>
Date: Wed, 06 Sep 2006 18:17:56 +0200
From: Andre Oppermann <andre@freebsd.org>
User-Agent: Thunderbird 1.5.0.5 (Windows/20060719)
MIME-Version: 1.0
To: Sam Leffler <sam@errno.com>
References: <44FEDD18.8060506@vineyard.net>	<20060906144002.GI30554@catpipe.net>	<44FEE301.2090008@vineyard.net>
	<44FEEFB9.2060408@errno.com>
In-Reply-To: <44FEEFB9.2060408@errno.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "Eric W. Bates" <ericx_lists@vineyard.net>, freebsd-net@freebsd.org
Subject: Re: showing esp tunnels in routing table
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Sep 2006 16:17:59 -0000

Sam Leffler wrote:
> Eric W. Bates wrote:
>> Phil Regnauld wrote:
>>> Eric W. Bates (ericx_lists) writes:
>>>> When you establish an esp tunnel, the subnets on the remote end of the
>>>> tunnel do not seem to appear in either "netstat -nr" or 'route get
>>>> xxx.xxx.xxx.xxx'
>>>>
>>>> Is there a way to display those routes other than using setkey to dump
>>>> the SPD's?
>>> 	No, because there are no routes.  The IPSec layer "hijacks" the packets
>>> 	and they are encapsulated before the routing table gets a chance
>>> 	to see them.
>>>
>>> 	You would have to setup transport ESP + gif/gre tunnels to see routing
>>> 	entries.
>> Apparently, openbsd's implementation of netstat allows one to view ESP
>> 'flows' (I believe that is how they refer to them) by examining the
>> family 'encap'
>>
>> netstat -rnf encap
>>
>> We have no such equivalent?
> 
> openbsd integrated the SAD w/ the routing table; something I've wanted
> to do forever.

Having it in a separate radix tree (aka routing table) is just fine.
Integrating it with the IPv4/6 routing table is evil and would cause
me some heartburn.

-- 
Andre