Date:      Fri, 30 Nov 2018 17:27:24 +0700
From:      Eugene Grosbein <eugen@grosbein.net>
To:        "Andrey V. Elsukov" <bu7cher@yandex.ru>, Lev Serebryakov <lev@FreeBSD.org>, freebsd-net@freebsd.org
Subject:   Re: IPsec: is it possible to encrypt transit traffic in transport mode?
Message-ID:  <aaa399ff-e6e3-810f-d057-62fded84d0c6@grosbein.net>
In-Reply-To: <cd4c1312-d711-a6c9-fa3e-e92175ff015e@yandex.ru>
References:  <1519156224.20181130021136@serebryakov.spb.ru> <eb98de09-fe85-a978-15ef-b5c19f964f4e@grosbein.net> <cd4c1312-d711-a6c9-fa3e-e92175ff015e@yandex.ru>

30.11.2018 16:22, Andrey V. Elsukov wrote:

> There is one problem. IPsec won't handle inbound packets that are not
> destined to your IP address. Inbound packets are handled based on the
> destination address, protocol and SPI value, so if ip_input() doesn't
> decide that the ESP packet is for your host, it will not invoke
> IPSEC_INPUT() and the encrypted packet will be routed as is.

That's why I use gif tunnels for such packets :-)
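
A sketch of the kind of setup this reply refers to, added here as an example and not taken from Eugene's message or his configuration: a gif(4) tunnel between two routers, with IPsec transport mode applied to the IP-in-IP packets the tunnel emits. All addresses, SPIs and keys are constructed placeholders.

```conf
# /etc/ipsec.conf on router A, loaded with: setkey -f /etc/ipsec.conf
#
# Constructed values (assumptions, not from the thread):
#   router A outer address  192.0.2.1      LAN behind A  10.1.0.0/16
#   router B outer address  198.51.100.1   LAN behind B  10.2.0.0/16
#   gif0 inner addresses    10.255.0.1 <-> 10.255.0.2
#
# The tunnel interface is created outside this file, for example:
#   ifconfig gif0 create
#   ifconfig gif0 tunnel 192.0.2.1 198.51.100.1
#   ifconfig gif0 inet 10.255.0.1 10.255.0.2 netmask 255.255.255.255
#   route add -net 10.2.0.0/16 10.255.0.2

flush;
spdflush;

# Transit packets for 10.2.0.0/16 are routed into gif0, which wraps them in
# an outer IPv4 header A -> B with protocol 4 (ipencap). The policies match
# only that outer packet, so transport mode is enough: the endpoints of the
# protected flow are the two routers themselves.
spdadd 192.0.2.1 198.51.100.1 ipencap -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 ipencap -P in  ipsec esp/transport//require;

# Manually keyed SAs with placeholder keys. Replace the keys with randomly
# generated ones, or drop these two lines and let an IKE daemon install SAs.
# The inbound SA's destination is router A's own address, so ip_input()
# treats the ESP packet as local and the (dst, ESP, SPI) lookup succeeds.
add 192.0.2.1 198.51.100.1 esp 0x10001
    -E rijndael-cbc "constructed-key1" -A hmac-sha1 "constructed-auth-key";
add 198.51.100.1 192.0.2.1 esp 0x10002
    -E rijndael-cbc "constructed-key2" -A hmac-sha1 "constructed-auth-ky2";
```

Router B uses the same two SAs with the `-P in` and `-P out` policy directions swapped. After ESP processing the payload is an IP-in-IP packet, which gif0 decapsulates and forwards as ordinary transit traffic.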