Date:      Tue, 13 Aug 2002 16:30:01 -0700
From:      Lars Eggert <larse@ISI.EDU>
To:        Terry Lambert <tlambert2@mindspring.com>
Cc:        Les Biffle <les@safety.net>, hackers@freebsd.org
Subject:   Re: IP routing question
Message-ID:  <3D599679.5090507@isi.edu>
References:  <200208131813.g7DIDiH14643@ns3.safety.net> <3D599416.5CDE92D9@mindspring.com>

Terry Lambert wrote:
> Les Biffle wrote:
> 
>>>You could use the draft-touch-ipsec-vpn-04.txt together with ipfw rules,
>>>but then you say you don't want to look at IP addresses...
>>
>>I'm happy to look at outside addresses, just not the ones on the inside.
>>I would also consider matching up endpoint (VPN gateway or "outside")
>>address and SPI to know which SA a packet is arriving on, for the
>>inbound-through-tunnel direction, and then use the vlan interface name
>>to help select the departing tunnel, if possible.
>>
>>
>>>So no, I don't see how it can be done under your constraints.
>>
>>Well, not perhaps without some nethacks in the kernel.  I've certainly
>>done that before, but would prefer something more vanilla.
> 
> 
> 
> One short answer is to not set a default route, per se.
> 
> I know this is ugly, but it fixes the IPSec tunnel problem.

I don't think we have the same definition of "the IPSec tunnel problem." 
Mine is "tunnel mode SAs aren't interfaces, and IPsec duplicates 
encapsulation and firewalling techniques that are (better) handled 
outside IPsec", see draft-touch-ipsec-vpn.

Having or not having a default route won't matter, since you'll have 
more specific routes that match before the default route would be picked.

Lars
-- 
Lars Eggert <larse@isi.edu>           USC Information Sciences Institute
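The point Lars makes above, that a default route is irrelevant for any destination covered by a more specific prefix, is longest-prefix matching in the forwarding table. The following is an added illustration, not code from the thread or from FreeBSD: a minimal longest-prefix-match lookup run over a constructed table, once with a default route and once without, using hypothetical documentation-range addresses and made-up interface names.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table (hypothetical prefixes and interface names,
# not taken from the mailing-list thread).
ROUTES_WITH_DEFAULT: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "em0 default via ISP"),
    ("192.0.2.0/24", "gif0 tunnel to remote site"),
    ("198.51.100.0/24", "vlan10 local segment"),
    ("198.51.100.128/25", "vlan20 local segment"),
]

# Same table with the default route removed.
ROUTES_WITHOUT_DEFAULT: List[Tuple[str, str]] = [
    r for r in ROUTES_WITH_DEFAULT if r[0] != "0.0.0.0/0"
]


def build_table(entries: List[Tuple[str, str]]):
    """Parse (prefix, next-hop label) pairs into network objects."""
    return [(ipaddress.ip_network(prefix), hop) for prefix, hop in entries]


def lookup(table, dst: str) -> Optional[str]:
    """Longest-prefix match: among all prefixes containing dst, the one
    with the longest prefix length wins. Returns None if nothing matches
    (a host with no default route would report 'no route to host')."""
    addr = ipaddress.ip_address(dst)
    best_net = None
    best_hop = None
    for net, hop in table:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def compare(dst: str) -> Tuple[Optional[str], Optional[str]]:
    """Resolve dst against both tables; the pair shows whether the
    presence of a default route changed the outcome."""
    with_default = lookup(build_table(ROUTES_WITH_DEFAULT), dst)
    without_default = lookup(build_table(ROUTES_WITHOUT_DEFAULT), dst)
    return with_default, without_default


if __name__ == "__main__":
    # Constructed sample destinations: one behind the tunnel prefix, one on
    # the more specific local /25, one covered only by the default route.
    for dst in ("192.0.2.10", "198.51.100.200", "203.0.113.5"):
        a, b = compare(dst)
        print(f"{dst:16} with default -> {a}\n{'':16} without      -> {b}")
```

Only the destination that no specific prefix covers (203.0.113.5 here) is affected by removing the default route; traffic to the tunnel prefix is chosen by the /24 in both cases, and the /25 beats the overlapping /24 regardless of the default entry.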


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D599679.5090507>